The VPC work package is integrating virtual machines into universities’ networks. Initial tests have yielded positive results.
SWITCHengines is a SWITCH service that provides universities with IT resources on demand. These resources can be used, for example, to perform calculations for research projects or to cope with peak loads, such as when large numbers of students are registering for the next semester. At the same time, SWITCHengines is independent of universities’ data centres, so it offers additional redundancy. The Virtual Private Cloud (VPC) work package is geared to these two needs of university IT departments, as we have reported in a previous article. Instead of investing in another computing centre, FHS St. Gallen wanted to replicate some of its services using SWITCHengines.
Services like these typically run in a "demilitarised zone" (DMZ) and are thus protected from the outside world by a firewall. This is the case at FHS St. Gallen: the services access internal systems and synchronise their data for redundant operation in a cluster. The idea is for the systems on SWITCHengines to run virtually on the FHS St. Gallen network with their own IPv4 addresses.
How could some of the resources on SWITCHengines be used as a virtual cloud so that it appears to users as if they are running on the university’s own network? The SWITCH engineers working on the project looked at various possible solutions:
We ended up choosing the third option. A key element of this variant is a PC with an Intel CPU (ALX box, see box), which can be installed in the network rack. There were three main reasons behind this decision: it offers a simple means of integrating several VMs into the campus network; the ALX box can be run as an appliance, meaning that SWITCH can take care of its maintenance if required; and it offers the best network performance.
We installed one ALX box at FHS St. Gallen and another at the SWITCHengines site in Zurich. Network traffic between the customer site and SWITCHengines is carried over a Layer 2 tunnel running on top of the Internet Protocol (IP). On the SWITCHengines side, this traffic has to be forwarded to the correct VMs, which required some modifications to the OpenStack infrastructure. The virtual networks on this side were constructed and configured such that FHS St. Gallen can assign IP addresses from its chosen subnet to its SWITCHengines VMs. This subnet is available only to FHS St. Gallen’s VMs, within its own "tenant network" (see diagram). The solution currently offers a Layer 3 connection, which requires a corresponding zone to be configured on the customer side, both for routing and on the firewall. At FHS St. Gallen, the ALX box was connected to the SWITCHlan border router and to the internal network (DMZ).
Once constructed, the solution had to prove itself in productive operation. One machine from the existing Domino Web Server cluster was set up as a VM on SWITCHengines and run with an FHS St. Gallen IP address. The first results were positive: it was possible to connect to the system as intended using its FHS St. Gallen address.
Further development of the current solution will focus on stability and performance, which need to be improved. As regards functionality, the restriction to Layer 3 will be removed, reducing the number of configuration steps on the customer side. At SWITCH, we are intending to implement additional use cases together with customers next year with a view to extending the SWITCHengines service offering in 2018.