LAN SDN technology hard core insider 13 II from LAN to Internet

Mentioned earlier , Inside the data center , Through hierarchical port binding and EVPN, Cloud platform can teach virtual machines to be encapsulated by hardware switches VXLAN, Realize the interconnection of the same network segment and different network segments .

however , Whether it's a server , Or virtual machines , Ultimately, it is necessary to provide services outside the data center . Let's review the picture we saw at the beginning ——

In the picture , Every VPC Need to pass through vLB Provide external load balancing , adopt vFW Control the mutual access strategy of internal and external networks . about Neutron For native implementations ,vFW Use Linux Of iptables,vLB Using open source nginx or haproxy. just as OVS Forwarding efficiency of is affected by x86 The limitations of the architecture are the same ,iptables,nginx and haproxy Throughput 、 New connection rate and other key indicators , It is also easy to become a bottleneck in large-scale deployment .

On a large scale VPC In the scene of , Dedicated hardware firewall and LB The advantages of the equipment are reflected . generally speaking , They are dedicated FPGA, Or multi-core processor with network and security acceleration hardware , The maximum throughput of a single device can reach 2TB above , Support 2 More than 100 million concurrent connections .

So how to use dedicated hardware firewall and LB equipment , Instead of Neutron Born in the Central Plains vFW and vLB, Realization VPC Providing services to others ？

Neutron In order to use other software and hardware firewalls and LB equipment , Provides FWaaS and LBaaS These two characteristics . They are Firewall-as-a-Service and LoadBalance-as-a-Service Abbreviation , That is, the firewall and LB Features are provided to tenants in the form of services (VPC).

FWaaS Is in Neutron Of Router Implemented in , Default driver by iptables. Firewall manufacturers will this driver Replace it with its own plug-in , You can use hardware firewall as Neutron Provide FWaaS Yes .

Similarly ,LBaaS It can also be realized through hardware devices .

There's a problem ：

We know , In the cloud platform , There may be multiple tenants , Theoretically, every tenant needs to call FWaaS and LBaaS Realize firewall and load balancing . that , Obviously, cloud platform investors cannot buy a set of hardware firewall and load balancing equipment for each tenant . Is there a way to put a firewall /LB The equipment is used by multiple tenants ？

We call this method device virtualization .

Virtualization can be implemented in two ways , One is called VS(Virtual System), In management , Put a firewall /LB Virtual multiple , various VS You can only see physical resources such as your own network interfaces , And enjoy the throughput bandwidth allocated to itself 、 Performance resources such as concurrent connections . For firewalls /LB The master of CPU The demand is higher , Therefore, the number of virtualization is generally limited .

Another virtualization implementation is called VRF（Virtual Routing & Forwarding). Yes , And router VRF equally . A firewall /LB Logically, it is still a device , Just for each VRF The instance maintains a routing forwarding table , each VRF Instances can use overlapping IP Address . This method can achieve a large number of virtualization , General equipment can support 1K To 4K individual .

With FWaaS and LBaaS drive , It can be realized by hardware VPC Network edge processing , Realize the external release of business from LAN to Internet .

In the following content , We will also have more wonderful presentations , Reveal more SDN Technology insider ！