networking 3.3 spec - sangmin/architecture GitHub Wiki
- The next generation of networking must
  - preserve support for the existing AWS network semantics
  - accommodate expansion to other AWS semantics

- Current Semantics
  - Security Groups
    - Private addressing for participating VMs
    - Network level isolation of security groups
    - Internet traffic ingress/egress firewalling
    - Cross-group ingress/egress firewalling
    - Dynamic reconfiguration of the above types of rules
  - Elastic IPs
- Pending AWS semantics
  - Security Groups
    - VM participation in multiple security groups (membership vs. firewall groups)
  - VPC
    - Dynamic definition of private subnets
    - Dynamic configuration of DHCP per private subnet
    - Static private address control for private subnets
  - IPv6
- Overview
  - Logically isolated environment
  - Your private IP range
  - Internet or Hardware VPN connectivity options
- Capabilities
  - User-defined address space up to /16
  - Up to 20* user-defined, per-AZ subnets up to /16
  - User-defined:
    - Virtual Routing, DHCP options, and NAT instances
    - Internet Gateways, Private/Customer Gateways, and VPN tunnels
  - Private IPs stable once assigned
  - Elastic Network Interfaces
- Enhanced Security Capabilities
  - Network topology, routing, and subnet ACLs
  - Security group enhancements
    - Egress control
    - dynamic (re)assignment
    - richer protocol support
  - Multiple network interfaces per instance
  - Completely private networking via VPN
  - Support for dedicated instances
- Mixing public and private resources
  - E.g., web-facing hosts with DMZ subnets, control plane subnets
- Workloads that expect fixed IPs and/or multiple NICs
- AWS cloud as private extension of on-premises network
  - Accessible from on-premises hosts
  - No change to addressing
  - No change to Internet threat/risk posture
- 5 VPCs per Region
- 20 Subnets per VPC
- 10 Network ACLs per VPC
- 20 rules/ACL
- 10 Route Tables per VPC
- 20 entries/Route Table
- 50 Security Groups per VPC
- 50 rules/Security Group
- http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html
- Gateways require unique public IP addresses
- Non-overlapping IP Ranges w/ internal networks
- Inability to change CIDR/Subnet address ranges
- Can't move instances from one subnet to another
  - Relaunch for different VPC or AZ
https://eucalyptus.atlassian.net/secure/IssueNavigator.jspa?requestId=12211&mode=hide
- true edge networking
- turn node controller into the router
- split CC into CC and NS
- extensibility ==> SDN
- ipsets/ebtables ==> ovs
- NC/edge networking ==> customer delight
- convolution w/ network architecture
- cloudstack virtual router situation
- even fewer network configuration dependencies to get full AWS functionality
- refactorization analysis
- what about public address routing
- ELB/multi-Walrus implications
tag:rls-3.3