This story is from the category Services and the dossier CloudInfrastructure services

Virtual Private Cloud: acid test passed

The VPC work package is integrating virtual machines into universities’ networks. Initial tests have yielded positive results.

Text: Patrik Schnellmann, published on 24.11.2016

SWITCHengines is a SWITCH service that provides universities with IT resources on demand. These resources can be used, for example, to perform calculations for research projects or cope with peak loads such as when lots of students are signing up for the next semester. At the same time, SWITCHengines is also independent from universities’ data centres, so it offers additional redundancy. The Virtual Private Cloud (VPC) work package is geared to these two needs of university IT departments, as we have reported in a previous article. Instead of investing in another computing centre, FHS St. Gallen wanted to replicate some of its services using SWITCHengines.

Examples include:

  • a website (on Wordpress)
  • a CRM system (Domino Application Server)
  • a directory service and DNS (Active Directory Server)
  • a monitoring service (PRTG)

Services like these typically run in a "demilitarised zone" (DMZ) and are thus protected from the outside world by a firewall. This is the case at FHS St. Gallen: the services access internal systems and synchronise their data for redundant operation in a cluster. The idea is for the systems on SWITCHengines to run virtually on the FHS St. Gallen network with their own IPv4 addresses.

Various possible solutions

How could some of the resources on SWITCHengines be used as a virtual cloud so that it appears to users as if they are running on the university’s own network? The SWITCH engineers working on the project looked at various possible solutions:

  1. "Virtual Private Network (VPN) as a Service" using OpenStack cloud software
  2. Deployment of a VPN node in a SWITCHengines virtual machine (VM)
  3. Specific hardware for the tunnel between the campus network and the SWITCHengines site

We ended up choosing the third option. A key element of this variant is a PC with an Intel CPU (ALX box, see box), which can be installed in the network rack. There were three main reasons behind this decision: it offers a simple means of integrating several VMs into the campus network; the ALX box can be run as an appliance, meaning that SWITCH can take care of its maintenance if required; and it offers the best network performance.

Constructing the VPC solution

We installed one ALX box at FHS St. Gallen and another at the SWITCHengines site in Zurich. Network traffic between the customer site and SWITCHengines is handled by an Internet Protocol (IP) Layer 2 tunnel. This traffic has to be forwarded to the correct VMs on the SWITCHengines side, which required some modifications to the OpenStack infrastructure. The virtual networks on this side were constructed and configured such that FHS St. Gallen can set up IP addresses from its chosen subnet on its SWITCHengines VMs. This subnet is only available to FHS St. Gallen’s VMs in its own "tenant network" (see diagram). The solution currently offers a Layer 3 connection, which requires a corresponding zone to be configured on the customer side for routing and on the firewall. At FHS St. Gallen, the ALX box was connected to the SWITCHlan border router and the internal network (DMZ).

Initial acid test passed

Once constructed, the solution had to prove itself in productive operation. A machine was initiated from the existing Domino Web Server cluster, set up as a VM on SWITCHengines and run with an FHS St. Gallen IP address. The first results were positive. It was possible to connect to the system as desired using the FHS St. Gallen address.

Outlook for 2017

Further development of the current solution will focus on stability and performance, which need to be improved. As regards functionality, the restriction to Layer 3 will be removed, reducing the number of configuration steps on the customer side. At SWITCH, we are intending to implement additional use cases together with customers next year with a view to extending the SWITCHengines service offering in 2018.

About the author
Patrik   Schnellmann

Patrik Schnellmann

Patrik Schnellmann is Cloud Project Manager at SWITCH. He holds an MSc in Computer Science and a Master of Advanced Studies in Management, Technology and Economics from the Federal Institute of Technology in Zurich. Before joining SWITCH in 2004, he acquired experience in the finance industry and the Swiss government.

E-mail

About SCALE-UP, VPC und SWITCHengines

Virtual Private Cloud (VPC) is a work package in the SCALE-UP project, which is being carried out as part of the swissuniversities SUC P-2 programme. VPC is lead by Tom Schönenberger, Head of IT at FHS St. Gallen. The aim of SCALE-UP is to provide academic cloud services. The SWITCH academic cloud is based on the SWITCHengines service, which offers virtual machines and storage.

The ALX box solution

ALX stands for Agile LAN eXtender

Hardware
  • Several 1-gigabit Ethernet (GE) interfaces
  • Typically one 1-GE interface for IPMI and access
  • Dual 10-GE
  • Single CPU socket: Intel Xeon quad-core
  • Redundant power supply
Software
  • NixOS: lightweight Linux distribution
  • Snabb: toolkit for fast networking in user space (Lua)
  • l2vpn: Layer 2 VPN (Snabb application)
  • ALX (Agile LAN eXtender), written by Alexander Gall, SWITCH
Requirements for using an ALX box

The following conditions must be met to install the tunnel node at the university:

  • IPv6 connectivity must be available (given by the SWITCH border router).
  • The maximum transmission unit on the router is >> 1,500 bytes.
Other articles