
Break up with your jump server

By Archive User posted Mon February 19, 2018 04:44 PM

We've all been there. A lab environment was set up, but it's completely isolated for one reason or another. Getting access to it requires you to get some VPN access (that maybe takes weeks to set up) or you need to use a jump box (ssh to one server, and from there you can ssh into the environment). It usually looks a little bit like this.

And we struggle with this environment for a variety of reasons:

  • No direct access to the VMs.

  • The VMs can't directly download software; it all needs to be staged through the jump box, which circumvents the operating system's ability to gather updates itself.

  • Do you need core features like a Domain Name Server, Network Time Server, or any of those standard features? Well, it's on you to set it up yourself.

  • Usually the environments are single tenant, meaning that there aren't enough users to justify making it better.

  • A single IP Address space for both the hypervisors and the VMs.

And there are plenty more struggles beyond these. So why do we get ourselves into this situation? Well, because it's really easy to stand up, but then it's painful to use.

Never fear, there's a way out.

Swap out the Jump Server with a Network Node

Some PowerVC customers are turning to SDN as a way out of these environments. The SDN features allow us to replicate the easy stand up of this environment, but make it far more functional than before.

You simply replace your jump server with a PowerVC network node. The PowerVC network node will host virtual routers on it that allow each VM to access the broader company network, or even the internet, through dynamic Network Address Translation (NAT). Each virtual machine will be able to use your standard NAT and DNS servers. Operating system and software updates are easier because the VMs can download directly to the boxes themselves.

This environment lends itself well to multiple tenants as well - through the use of VXLAN micro-segmentation. Each tenant gets its own IP address space, which potentially overlaps with the other tenants. But it doesn't matter that the IP addresses overlap because they're each in their own micro-segment.

An SDN environment with a network node looks very similar to your jump box setup, but has many more capabilities.

So this sounds all well and good for when you're in the VM and you need to interact with the wider network. But how exactly do you get from your laptop into that VM? That is where PowerVC External IP Addresses (also known as Floating IPs) come in. You can dynamically add or remove an external IP address on your VMs so that you can directly access them. And don't forget about PowerVC's VM console either, which gives you a direct terminal into the VM.

With these features, you can easily get direct access to your VMs. No need to jump through a server, just assign an external IP address and get into the VMs. Much easier.

But what if your lab team is worried about security? Then work with the team to define a set of security groups (currently tech preview) for the network. The security groups define what type of traffic can flow to the VMs. For example, you can block the telnet and http ports, and ICMP ping, if you want. You can even go so far as to limit which IP addresses a VM can talk to. Generally, you set some high level security groups and then apply them dynamically to the VMs. Don't worry, if you don't get them quite right the first time, they can be dynamically changed.
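As an added example (not PowerVC's own code), this small Python model shows how a security group's allow-list works: ingress traffic is dropped unless a rule explicitly matches it, so ssh from the lab admin subnet gets through while telnet, http and ping from anywhere are blocked. The rule fields mirror the OpenStack Neutron model that PowerVC builds on (direction, protocol, port range, remote CIDR); the group definition and the addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    direction: str                   # "ingress" or "egress" (from the VM's view)
    protocol: Optional[str]          # "tcp", "udp", "icmp" or None for any protocol
    port_min: Optional[int] = None   # None = any port (also used for icmp)
    port_max: Optional[int] = None
    remote_cidr: str = "0.0.0.0/0"   # who the VM may talk to / be reached from

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    remote_ip: str
    port: Optional[int] = None       # destination port for ingress, None for icmp

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when a single security group rule covers this packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.remote_ip) not in ipaddress.ip_network(rule.remote_cidr):
        return False
    if rule.port_min is not None:
        if pkt.port is None or not (rule.port_min <= pkt.port <= rule.port_max):
            return False
    return True

def is_allowed(rules: List[Rule], pkt: Packet) -> bool:
    """Security groups are allow-lists: no matching rule means the packet is dropped."""
    return any(rule_matches(r, pkt) for r in rules)

def wide_open_ingress(rules: List[Rule]) -> List[Rule]:
    """Audit helper: ingress rules reachable from every address (remote CIDR /0)."""
    return [r for r in rules if r.direction == "ingress"
            and ipaddress.ip_network(r.remote_cidr).prefixlen == 0]

# Constructed lab policy: ssh and https only from the admin subnet, unrestricted egress.
LAB_ADMIN_CIDR = "10.20.0.0/24"
LAB_GROUP = [
    Rule("ingress", "tcp", 22, 22, LAB_ADMIN_CIDR),
    Rule("ingress", "tcp", 443, 443, LAB_ADMIN_CIDR),
    Rule("egress", None),
]
```

Running `wide_open_ingress` over a group before applying it is a quick way to catch an "allow from anywhere" rule that slipped in during the first iteration.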

Now that you've got security locked down, you've got easier access into the environment, and you've got multiple tenants, the environment should take off like wildfire. Does that network node start to look like a bottleneck or single point of failure? Again, fear not. You can have multiple network nodes. The routers will be distributed across the network nodes to increase bandwidth. And if a network node fails for some reason, its routers will automatically fail over to a working network node. You can even set rate limits for certain networks or VMs (currently in Tech Preview).

Wrap Up

SDN has lots of applications, but sometimes it's hard to see how it would work for your environment. This is one of those examples that most of us have been through and can relate to. We've seen users implementing this who are much happier and able to focus on real work instead of being slowed down by unnecessary gate keepers.

Try it out when you get some time. If you need some servers to try it out with, keep in mind that PowerVC can manage the IBM Cloud Power8 systems (thanks to our SDI support for KVM and iSCSI LUNs).

Let us know if you have any comments, and don't forget to follow us on Facebook, LinkedIn, and Twitter. We'd love to hear from you!