Many enterprises are leveraging cloud computing and virtualization technologies for enhanced flexibility, agility, and cost-effectiveness. However, the multi-tenancy in the cloud introduces new challenges to data security, urging enterprises to reinforce network isolation between different applications or tenants.

As the software-defined network and security component of SmartX Enterprise Cloud Platform (ECP), Everoute 3.0 introduces Virtual Private Cloud (VPC) networking, which provides secure and isolated network space for virtual machines (VMs) in SmartX enterprise cloud environments. In conjunction with the existing functionalities such as distributed firewall, network load balancer, network traffic visualization, and container network, Everoute provides a unified network and security solution that can be integrated and collaboratively managed with SmartX clusters.

Why Do Cloud-Era Enterprises Need VPC Networking

Many enterprises have upgraded their data center IT infrastructure through virtualization and hyperconvergence. In a virtualized cluster, VMs are connected to each other and to the physical network through virtual distributed switches running on the hypervisors. Typically, users employ VLANs to isolate VMs within the Layer 2 (L2) virtual network. VLANs allow logical segmentation of the L2 network into multiple virtual LANs, enabling users to assign unique VLAN IDs to different VM services. This method helps minimize interference between services and improves overall network security.

However, VLAN-based virtual distributed switches are still part of the underlying physical network (Underlay), which limits their ability to provide application-oriented isolation, flexible configuration, and robust support for IT infrastructure high availability.

  • Difficult to achieve application-based network isolation: A VLAN isolates traffic only at L2. VMs in different VLANs can still reach each other through L3 routing unless a firewall or ACL blocks it, and two VMs that happen to share a VLAN ID can communicate at L2 regardless of which application they belong to. Isolation therefore follows the VLAN plan rather than the application boundary.
  • Inflexible network configuration and modification: Virtual distributed switches remain tightly coupled with the physical network. Combined with the inherent limitations of VLANs, this creates significant challenges for network operations and maintenance (O&M).
    • The 12-bit 802.1Q tag allows at most 4,094 usable VLAN IDs, so network administrators have to carefully plan and track VLAN assignments to avoid conflicts between users. This takes a large amount of time and effort.
    • As a virtual network’s topology and functionality depend largely on the hardware network devices beneath it, changing the network often means reconfiguring, upgrading, or replacing hardware or licenses. This hinders the agility of virtualized clusters.
  • Incapable of supporting disaster recovery (DR) scenarios: If a VM is restored to a different location due to high availability (HA) or DR strategies, it may not function normally due to differences in hardware or network configurations. In such instances, the administrator may need to reconfigure the VM network or physical network, potentially extending the recovery time and adversely affecting business continuity.

To address these issues, enterprise users should build an Overlay network on top of the Underlay network, achieving a complete decoupling between virtual and physical networks, and a securely isolated network space for VMs.

VPC Networking in SmartX ECP

SmartX ECP’s VPC networking is a virtualized network product that provides secure and isolated network space for virtual machines in SmartX enterprise cloud environments. It is built on GENEVE (Generic Network Virtualization Encapsulation, RFC 8926), a successor to VXLAN that keeps the 24-bit virtual network identifier but adds a protocol type field and extensible header options, so VPC networking is fully decoupled from the underlying physical network. It enables secure interconnections inside and outside the virtual network through virtualized network functions (VNFs), allowing users to quickly and flexibly deploy unified enterprise cloud networks across multiple data centers.
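To make the GENEVE claim concrete, the block below encodes and parses the GENEVE header (RFC 8926) and models the isolation decision a tunnel endpoint makes on receipt. It is an added example written for this page, not SmartX or Everoute code, and it does not show how Everoute implements its overlay; the function names, the toy endpoint policy, and the sample datagram are all constructed for illustration. What it demonstrates is the point behind "decoupled from the Underlay" in this section and in the hardware-decoupling use case below: the physical network forwards an ordinary UDP/6081 datagram, and the 24-bit VNI that separates tenants is read only by the endpoints.

```python
"""Minimal GENEVE (RFC 8926) header encoder/parser plus a toy tunnel endpoint.

Added example, not SmartX/Everoute code. The underlay forwards an outer
UDP/6081 datagram; only the tunnel endpoints interpret the 24-bit VNI, so
tenant separation rests on the endpoints enforcing the VNI, not on VLAN
tags in the physical network. All names below are the author's own.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

GENEVE_UDP_PORT = 6081                    # IANA-assigned UDP destination port
ETHERTYPE_TRANS_ETHER_BRIDGING = 0x6558   # Protocol Type: inner payload is an Ethernet frame
MAX_VNI = (1 << 24) - 1                   # 24-bit VNI: 16,777,215 overlay segments
MAX_VLAN_ID = 4094                        # 12-bit 802.1Q tag; IDs 0 and 4095 are reserved


@dataclass
class GeneveOption:
    opt_class: int   # 16-bit Option Class (IETF or vendor namespace)
    opt_type: int    # 8-bit Type; the high bit marks the option as critical
    data: bytes      # 0..124 bytes, multiple of 4

    @property
    def critical(self) -> bool:
        return bool(self.opt_type & 0x80)


@dataclass
class GeneveHeader:
    vni: int
    protocol_type: int = ETHERTYPE_TRANS_ETHER_BRIDGING
    oam: bool = False
    options: list[GeneveOption] = field(default_factory=list)

    def pack(self) -> bytes:
        """Serialize the 8-byte base header followed by the variable-length options."""
        if not 0 <= self.vni <= MAX_VNI:
            raise ValueError("VNI must fit in 24 bits")
        opts = b""
        for o in self.options:
            if len(o.data) % 4 or len(o.data) > 124:
                raise ValueError("option data must be a multiple of 4 bytes, at most 124")
            # Option header: Class(16) | Type(8) | R(3)+Length(5); length in 4-byte words
            opts += struct.pack("!HBB", o.opt_class, o.opt_type, len(o.data) // 4) + o.data
        opt_len_words = len(opts) // 4            # 6-bit Opt Len field, in 4-byte words
        if opt_len_words > 63:
            raise ValueError("options exceed 252 bytes")
        critical = any(o.critical for o in self.options)
        byte0 = (0 << 6) | opt_len_words          # Ver=0 | Opt Len
        byte1 = (self.oam << 7) | (critical << 6)  # O bit | C bit | 6 reserved bits
        base = struct.pack("!BBH", byte0, byte1, self.protocol_type)
        base += struct.pack("!I", self.vni << 8)   # VNI(24) | Reserved(8)
        return base + opts


def parse_geneve(buf: bytes) -> tuple[GeneveHeader, bytes]:
    """Parse a GENEVE header; return (header, inner payload). Raises ValueError if malformed."""
    if len(buf) < 8:
        raise ValueError("truncated GENEVE base header")
    byte0, byte1, proto = struct.unpack("!BBH", buf[:4])
    if byte0 >> 6 != 0:
        raise ValueError(f"unsupported GENEVE version {byte0 >> 6}")
    opt_len = (byte0 & 0x3F) * 4
    vni = struct.unpack("!I", buf[4:8])[0] >> 8
    end = 8 + opt_len
    if len(buf) < end:
        raise ValueError("Opt Len exceeds datagram")
    options, pos = [], 8
    while pos < end:
        if end - pos < 4:
            raise ValueError("malformed option header")
        cls, typ, lenb = struct.unpack("!HBB", buf[pos:pos + 4])
        dlen = (lenb & 0x1F) * 4
        pos += 4
        if pos + dlen > end:
            raise ValueError("option length exceeds Opt Len")
        options.append(GeneveOption(cls, typ, buf[pos:pos + dlen]))
        pos += dlen
    return GeneveHeader(vni, proto, bool(byte1 & 0x80), options), buf[end:]


# Options this toy endpoint understands: none (constructed for the example).
KNOWN_OPTIONS: set[tuple[int, int]] = set()


def endpoint_accepts(datagram: bytes, local_vnis: set[int]) -> tuple[bool, str]:
    """Decision a tunnel endpoint makes before handing the inner frame to a VM port.

    Two rules carry the isolation: deliver only to VNIs that have ports on this host,
    and (per RFC 8926) drop any packet carrying a critical option we do not recognize.
    """
    try:
        hdr, _inner = parse_geneve(datagram)
    except ValueError as exc:
        return False, f"drop: {exc}"
    if hdr.vni not in local_vnis:
        return False, f"drop: VNI {hdr.vni} has no ports on this host"
    for o in hdr.options:
        if o.critical and (o.opt_class, o.opt_type) not in KNOWN_OPTIONS:
            return False, f"drop: unknown critical option 0x{o.opt_class:04x}/0x{o.opt_type:02x}"
    return True, f"deliver to VNI {hdr.vni}"


if __name__ == "__main__":
    # Constructed sample: tenant A's segment, followed by 14 dummy inner-frame bytes.
    tenant_a = GeneveHeader(vni=0x0A0B0C).pack() + b"\x00" * 14
    print(tenant_a.hex(), endpoint_accepts(tenant_a, {0x0A0B0C}))
    print(endpoint_accepts(tenant_a, {0x000001}))   # wrong segment on this host: dropped
    print(f"VLAN IDs available: {MAX_VLAN_ID}; GENEVE VNIs available: {MAX_VNI}")
```

Two things the block makes visible that the prose does not. First, the VNI lives in the outer UDP payload, so every underlay device only needs to route UDP/6081 between tunnel endpoints; nothing about a VPC's topology appears in switch configuration. Second, the GENEVE header itself carries no integrity protection or authentication: the VNI is just a field, so tenant isolation holds only if every tunnel endpoint enforces it and untrusted hosts cannot inject UDP/6081 into the underlay (the RFC's security considerations point to underlay access control or IPsec between endpoints for that). A practitioner deploying any GENEVE-based VPC should check who can reach port 6081 on the hypervisor NICs.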

Features

Customized Logically Isolated Space

Enables customizing logically isolated VPCs, allowing you to create dedicated VPC resources, manage subnets, allocate IP addresses, and autonomously control network traffic with gateway services and security services.

Rich Gateway Services

Supports configuring floating IP gateways, NAT gateways, Layer 3 routing gateways, Layer 2 bridging gateways, etc., enabling flexible interconnection between virtual machines and external networks to meet the requirements of different applications.

Open Cloud Network Collaboration Mode

Seamlessly connects with various cloud platforms through open APIs, providing enterprises with automated and flexible network configuration options to better support agile cloud applications.

Advantages

  • Broad compatibility: Implement virtualized networks on a wide range of standard servers and network hardware. Different clusters can use different CPU architectures.
  • Fast network readiness: There’s no need to configure hardware network devices from the ground up. Users can rapidly create diverse virtualized network topologies and network services to accelerate network readiness and meet application agility requirements. O&M personnel only need to maintain the communication between the Overlay and Underlay networks. Any changes to network resources and configurations within the VPC do not require modifications to hardware devices or the physical network, significantly reducing the O&M complexity.
  • High Availability Between Sites: Cloud servers can be replicated and migrated to other data centers or sites to achieve lower RTO in disaster recovery scenarios. When migrating VMs across different clusters, there’s no need to reconfigure network mapping. This simplifies the migration process by retaining the original IP address, routing, and other network configurations.
  • Unified Cloud Network Management: By connecting a cluster to VPC networking, the VMs within the cluster can use VPC’s NIC and benefit from various gateways and security features provided by VPC. Users can manage, configure, monitor, and operate both VMs and the cloud network through an intuitive GUI, thereby improving management efficiency.

Use Cases

Application Security Guarantee: Application-based Network Isolation

To reduce potential security threats, users need to achieve isolation between different applications or tenants in the cloud while ensuring smooth business access and the solution’s flexibility, agility, and cost-efficiency. 

For example, a company has two software development teams, with Team A responsible for developing an online shopping platform and Team B responsible for developing an enterprise resource planning system. In this case, an independent VPC can be created for each development team to deploy the VMs, databases, and other resources needed for their respective projects. The two VPCs are not connected to each other, so Team A members cannot access any resources within Team B’s VPC, and vice versa. This yields business-centric isolation of the full resource stack.

In terms of O&M, VPC greatly simplifies VLAN and IP address planning. Traditionally, users need to allocate VLANs and IP address ranges separately for each development team and perform complex configurations. With VPCs, each VPC functions as an independent network that can use overlapping IP address ranges and eliminates the need to assign VLANs (if two such VPCs later need to exchange traffic, that goes through a NAT or routing gateway rather than direct routing). Besides, each VPC’s network configuration and management can be handled by its owner, which greatly reduces the complexity of network management and improves O&M efficiency. Additionally, a VPC can divide its network into smaller subnets, with each subnet and VM/VM group acting as an independent security zone where users can implement fine-grained security policies.

Improve network flexibility: Decoupling from hardware

Leveraging GENEVE-based Overlay network technology, VPC networking can be completely decoupled from the Underlay physical network. All network functions are presented in a virtualized form and managed uniformly through a software-defined approach. This allows users to quickly create various virtual network topologies and services, such as virtual switches, virtual routers, and distributed firewalls, avoiding complex changes to hardware network configuration. As a result, network agility is greatly enhanced, and the time to launch business operations is significantly reduced.

For example, a company uses network devices of different ages and brands across its data centers. These devices are difficult to manage uniformly because their network architectures and configurations differ significantly. By using Everoute VPC, the company can create virtual private cloud networks with the same logical topology and functionality across multiple SmartX ELF clusters, even on different network devices. The configuration and management of the virtualized network are entirely independent of the underlying physical network’s topology and functionality, which removes the compatibility issues between sites.

In this scenario, users can flexibly create and adjust VPC network configurations to meet the frequently changing business needs. In contrast, the modification of traditional physical networks can be more complex and time-consuming.

Efficiently supports cross-site high availability and load balancing

As enterprises expand their business and raise expectations for business continuity, enterprise users often need to deploy applications across multiple geographically dispersed data centers to achieve load balancing, disaster recovery, and wider service coverage. Everoute VPC provides a powerful cross-datacenter network virtualization solution, helping businesses seamlessly expand applications to different clusters, racks, server rooms, or data centers while achieving unified management across geographic locations. Users can associate clusters from primary and backup sites through a single VPC network, consolidating resources and simplifying O&M.

The cross-datacenter virtualization network built with Everoute VPC can help enterprises with:

  • Flexible Business Expansion: Users can deploy applications flexibly across different data centers according to their needs while ensuring network interconnection and resource scheduling between data centers for rapid business growth.
  • Efficient Load Balancing: VPC networking, combined with cross-data-center load balancing, can distribute data traffic to different data centers according to predefined policies, thereby improving resource utilization and application performance.
  • Reliable Disaster Recovery: In the event of a data center failure, due to the high availability mechanism of SmartX ECP, VMs can be quickly migrated to other available data centers and leverage VPC to rapidly restore business operations without additional network adjustments. This helps to minimize business interruption time (RTO) and ensures business continuity.

To learn more about Everoute features, please visit our website, and read our previous blogs:

Software-defined Load Balancing in Everoute 2.0: Improving Virtual Network Performance and Availability

Eliminate Virtual Network Blind Spots with SmartX Network Visualization

SmartX Releases Network and Security Component of HCI, to Support “Zero Trust” Cloud Infrastructure

Shield Your Business from Ransomware with SmartX HCI: Detect, Isolate, Recover
