vCD Cross VDC with Cross VC NSX design Failure & High Availability Scenarios Deep Dive

2ndd

 

In this blog I will be deep diving into the vCD NSX design that Daniel and I are proposing focusing on the packet life during Failures showcasing the High Availability that we will get.

This is a continuation of the blog post  where we deep dived into the use cases and the high level design of cross VC NSX and cross VDC vCloud Director instances.

 

Scenario 1: All components are up and running

 

Pepsi workloads will have their respective Tenant_Pepsi UDLR as their Default gateway.

 

East/West Traffic:

Pepsi workloads that are communicating L2 East/West whether in the same Site or across Sites will use the stretched L2 logical switch and communicate successfully via Host VTEP encapsulation. If its an L3 communication between Workloads, then Tenant UDLR will do the routing on the source host and encapsulate the packet again via the VTEP to the destined workload via its host VTEP.

North/South Traffic:

Traffic originating from Pepsi Workloads whether they live on ORGVDC site 1 and/or ORGVDC site 2 will have to egress from the Active ORGVDC-A_Pepsi Edge Services Gateway. Tenant UDLR has a BGP neighbor-ship with both the Active Tenant ESG and the standby ESG with higher weight for the Active Tenant-ESG.

From the Active Tenant-ESG, traffic will egress to the Provider ECMP ESGs (E1 to E4 Green)  Due to the fact that the Provider UDLR has local egress (Active/Active) being configured in the  Provider NSX layer.

The Provider Primary UDLR Control VM is peering BGP with ECMP E1 to E4 Green on site 1 with weight 60 whereas with BGP weight 30 with ECMP E5 to E8 Green on site 2.

The Provider Secondary UDLR Control VM is peering BGP with ECMP E1 to E4 Blue on site 2 with weight 60 whereas with BGP weight 30 with ECMP E5 to E8 Blue on site 1.

This is shown demonstrated in the diagram below for Tenant Pepsi that has an active Tenant-ESG  on site 1 and passive Tenant-ESG on Site 2.

scenario1a

 

Where as for Coke, It has an active Tenant ESG on site 2 and a passive Tenant ESG on site-1. Hence traffic will egress from Site 2 Provider ESGs ( E1 to E4 Blue) again due to the fact of local Egress being configured at the Provider NSX layer.

Scenario1b

 

Note that due to the active/passive mode on the Tenant Layer, we maintained the state-full services that the Tenant ESG provisions such as NATing/Fwing/LB/DHCP etc..

Always remember that UDLR control VM is not in the data path as the UDLR is an instance present on every host.

Moreover, notice how we distributed traffic on both sites leveraging maximum resources.

Scenario 2 : We lose the Tenant’s Active ESG

We lose the Active ESG on site 1 for Pepsi.

Scenario2

 

BGP weight kicks in as now the Previously “Standby” ESG will become active and hence traffic will egress from the Tenant-ESG on Site 2 (OrgVDC-B-Pepsi) and hence traffic will Egress from E1 to E4 Blue.

The same above scenario will happen with Tenant-Coke if Coke loses its Active ESG on Site 2.

Scenario2b

 

Scenario 3 : We lose the upstream Physical Switches on Site-1

 

Scenario 3a

 

If I lose my physical switches upstream, or technically the default originate, Traffic will will still egress from Active Tenant ESG on Site 1 and the Provider UDLR will send the traffic to egress from E5 to E8 Green on site 2 as now and due to BGP weights kicking in, default originate is coming from those Edges on site 2. Hence all internet traffic will be accessible from site 2.

Coke traffic (who has their active Tenant-ESG on site 2) are egressing normally from on E1 to E4 Blue on site 2(Refer to Scenario 1).

 

Same case will happen if I lose Internet on site 2 where now traffic for active Tenant-ESGs on site 2 will egress from the E5 to E8 Blue while Active Tenant ESGs on site 1 will still egress from E1 to E4 green.

Scenario3b

 

 

In Summary, this design is an optional design that a Cloud Provider can adopt.

It does showcase the resiliency and High availability while leveraging ECMP to egress north to the physical infrastructure. Its also a great way to detect failure northbound and traffic engineer a workaround this failure to egress from the healthy site.

 

 

vCloud Director Cross-VDC Design with Cross VC NSX

 

With the release of VMware vCloud Director 9.5, which is packed with a lot of great new features, one of the significant additions is the introduction of Cross-VDC networking.

In prior vCD releases, Cloud Providers couldn’t use the universal constructs that NSX introduced in the NSX cross VC architecture and could not benefit from the use cases that cross VC NSX targets and solve.

Compatibility with Cross VC NSX is finally there starting vCD 9.5+ as vCD  now supports the universal constructs that NSX creates. This is great news for Cloud Providers who are looking to target those use cases.

In this blog I will address the use cases of leveraging cross-VC NSX inside a vCD Virtual Data Center (VDC) and what design We are proposing to integrate with NSX.

This blog was a joint activity between my SE peer Daniel Paluszek and vCD engineering staff  Abhinav Mishra.

 

What are the use cases of stretching the network across VCs/Sites?

 

  1. Resource Pooling: ResourcePoolLogical networking and security across multiple vCenters allow for the ability to access and pool resources form multiple vCenter domains. Resources are no longer isolated based on vCenter and/or vCD boundaries which hence allows the ability to access and pool resources form multiple vCenter domains achieving better utilization and less idle hosts.
  2. Workload Mobility

 

workload mobility

 

Since logical networking can span multiple vCenter domains and multiple sites:

  • Cross-VC NSX allows for enhanced workload mobility across Active-Active data centers
  • Workloads can now be moved between vCenter domains/sites/Org VDCs on demand. A practical use case example would be when there is a data center migration/upgrade activity.

 

3. Disaster Recovery

 

 

Blog1st

 

Cross VDC will help tenants and providers to continue operations in case of a partial or complete network failure. Workloads on Site-A can leverage the Tenant-X-Org-VDC edge on Site-B in the case where the Tenant-X-Org-VDC Edge fails on Site-A.

Moreover, during Internet failure on Site-A, All tenants workloads on site-A will use the Provider Edges on Site-B to exit to internet provided on site-B.

 

 

High Level Design Architecture for vCD 9.5+ and NSX

 

2ndd

 

The goal of this high-level design is to provide optimal availability of network services from the Provider and Tenant layer. We must adhere to Cross-vCenter NSX best practices, so do note that we are presuming you are aware with these guidance parameters stated here: NSX Cross VC Design Guide

In this suggested design, we have two layers of NSX:

  1. Tenant layer within vCloud Director (auto provisioned by vCD)
  2. Provider Managed layer ( provisioned natively in NSX)

 

The goal is to provide high availability between the two sites while meeting the stated requirements of Cross-VDC networking.

 

First NSX layer (Tenant Layer): This layer is the one that is controlled and provisioned by vCD . vCD will extend the tenant networks across sites via stretching their respective logical switches (Universal Logical Switches).The Tenant Universal Distributed Logical Router (UDLR) will be auto provisioned by vCD and will do the required routing for the tenant’s workloads residing on different L2 domains. The tenant’s Active Edge Services Gateway (ESG) or Tenant-<X>-OrgVDC-Site-A will terminate all tenant services such as NAT/FW/DHCP/VPN/LB and will essentially be the North/South entry/exit point for workloads residing in the tenant’s respective OrgVDC on each site.

 

Tenant layer

 

We are suggesting that we deploy the Tenant UDLR in Active/Standby(passive) mode where all Tenant A workload traffic whether they are on Site-A or Site-B will egress from
Tenant-A-OrgVDC-Site-A  Edge.

The rationale behind Active/Standby mode is to maintain stateful services that are running on the tenant’s ESG and explicit control of the ingress traffic which will also assist in any failure considerations. (More details on fail-over scenarios in my next blog)

 

Tenant-B will have a flipped A/S design, where I will have Site A as the passive/(standby) while Site B will be Active for Tenant B workloads.

 

tenant2

 

Tenant B workload traffic whether they are on Site-A or Site-B will egress from
Tenant-B-OrgVDC-Site-B  Edge.

Making different tenants active on different sites will help us distribute network traffic across sites and thus benefit from resource pooling and utilization from the available Data Centers.

 

 

2nd NSX Layer (Provider Layer):  This layer is the Provider Controlled NSX Layer and will be configured/managed by native NSX outside/North of vCD.

 

3rddd

 

Each Tenant ESGs (Tenant-X-Org-VDC-Edge) will peer externally on a ULS with the       pre-Provisioned provider UDLR. This transit interface will be on VXLAN or in other words nothing but another pre-provisioned Universal Logical Switch/tenant. That way we can scale up to 1000 tenants as UDLR supports up to 1000 Logical interfaces (Lifs).

In this high-level design, we will be utilizing an Active/Active state with local egress mode at the Provider Layer (Provider UDLR). Therefore, local traffic will egress at its respective local site. With this configuration, a UDLR Control VM will be deployed on each site.

We are also suggesting that we enable ECMP on the Provider UDLR and Peer with up to 8 ESGs spread equally across sites.

Site-A Provider Primary Control VM will peer with ESG 1-4 Green on site 1 with higher BGP weight along with ESGs 5 to 8 Green on site 2 having lower BGP weights. This will be an achievable step as E1-E8 Green will connect to the same stretched Universal Logical Switch.

Similarly, Provider Secondary Control VM on Site 2 will peer with up to 8 ESGs. ESGs 1 to 4 Blue on site 2 will have higher BGP weight when peering with the Secondary Control VM while ESGs 5 to 8 Blue on site 1 will peer with lower BGP weight.

 

Provider UDLR will reach the Tenant’s ESGs uplinks via directly connected routes.This is where Public IPs will be floating. No need to have any kind of static/dynamic routes between the Provider UDLR  and the Tenant ESGs. Reason is that Provider UDLR will advertise directly connected routes to the Provider Edges upstream via the BGP adjacency that has been already formed while Tenant ESG will simply NAT the public IPs to the workloads that need to be published.

 

Note: For high availability, the default originate would be advertised to the Provider ESGs from the upstream physical network. This will help in the fail-over to the secondary site when upstream internet switches are down.

 

Big thank you to my peer Yannick Meillier who inspired me on peering the Provider UDLR control VMs with a set of Provider ESGs spread across sites to achieve high availability in case of upstream failure in any given site.

 

In my next blog, I discussed in depth the packet life of the above design along with failure and fail-over scenarios.