WS2012 Hyper-V 构建服务器虚拟化的多租户环境

黄鑫TSPSECTIONHEADER云的演变云公有云私有云混合云弹性销售财务研发ContosoBankWoodgroveBank多个客户共享的基础设施财务销售多个业务单位共用的基础设施多租户数据中心•物理限制决定IP地址•IP地址拓扑限制虚拟机放置受限的负载迁移•整合负载以有效的利用资源(CPU\内存\网络）•受限的虚拟机放置导致基础架构超载资源利用率•部署虚拟机需要跨服务器、网络管理员紧密合作•跨平台协作提高了复杂性降低了敏捷性运维效率低下•VLANs不适合动态的云拓扑•重新配置生产网络的交换机存在风险可扩展的多租户•虚拟机IP地址影响访问和安全策略•需要修改应用IP地址会影响用户向云过渡云落地VLAN标签VMs网络拓扑限制了虚拟机的放置同时需要重新配置生产环境中的交换机BlueVMRedVMVirtualization物理服务器BlueNetworkRedNetwork物理网络对业务所有者•平滑的迁移到云•将多层复杂的拓扑移动到云上•保留策略，虚拟机配置和IP地址对大型企业•私有云数据中心整合和效率•将数据中心扩展到混合云•Incrementalintegrationofacquiredcompanynetworkinfrastructure对托管用户•BringYourownIP•BringYournetworktopology•可扩展的多租户对私有/公有云数据中心管理员•无需重新配置的虚拟机平滑放置•弱化服务器管理员和网络管理员角色提高敏捷性虚拟化策略SystemCenter用户地址空间(CA)Red2Blue210.0.0.5Red1Blue110.0.0.510.0.0.710.0.0.7Blue10.0.0.5192.168.4.1110.0.0.7192.168.4.22Red10.0.0.5192.168.4.1110.0.0.7192.168.4.22Blue10.0.0.510.0.0.7BlueCorpRedCorpRed10.0.0.510.0.0.7数据中心网络Host1Host2供应商地址空间(PA)192.168.4.22192.168.4.11Blue10.0.0.5192.168.4.1110.0.0.7192.168.4.22Red10.0.0.5192.168.4.1110.0.0.7192.168.4.22Blue10.0.0.5192.168.4.1110.0.0.7192.168.4.22Red10.0.0.5192.168.4.1110.0.0.7192.168.4.22BlueCorpRedCorpBlueSubnet1BlueSubnet3BlueSubnet2BlueSubnet5BlueSubnet4RedSubnet2RedSubnet1Blue研发NetBlue销售NetRedHRNet托管数据中心用户网络虚拟子网10.0.0.510.0.0.510.0.0.710.0.0.7192.168.2.22192.168.5.55192.168.2.22192.168.5.5510.0.0.510.0.0.7GREKey5001MAC10.0.0.510.0.0.7GREKey6001MAC192.168.2.22192.168.5.5510.0.0.510.0.0.710.0.0.510.0.0.710.0.0.510.0.0.710.0.0.510.0.0.7PAYCAY数据中心Host1VM2VMYHost2CA2PA2CA1AA1PA1VM1CAXAAXPAXVMXSystemCenterBlue•VM1:MAC1,CA1,PA1•VM2:MAC2,CA2,PA3•VM3:MAC3,CA3,PA5•…Red•VM1:MACX,CA1,PA2•VM2:MACY,CA2,PA4•VM3:MACZ,CA3,PA6•…DataCenterPolicyNICManagementClusterStorageLiveMigrationNICHyper-VSwitchVSIDACLIsolationSwitchExtensionsHostNetworkStackPA1NetworkvirtualizationVM1VM1SystemCenterHostAgentWindowsServer2012CA1CA1IPVirtualizationPolicyEnforcementRouting192.168.4.11NICHyper-VSwitchIPVirtualizationPolicyEnforcementRoutingVSIDACLEnforcementBlue1Red1Networkvirtualization10.0.0.510.0.0.5MACPA1VSID5001VSID6001whereis10.0.0.7?ARPfor10.0.0.7192.168.4.22NICIPVirtualizationPolicyEnforcementRoutingNetworkvirtualizationMACPA2Hyper-VSwitchVSIDACLEnforcementBlue2Red210.0.0.710.0.0.7VSID5001VSID6001Hyper-VSwitchbroadcastsARPto:1.AlllocalVMsonVSID50012.NetworkvirtualizationfilterOOB:VSID:5001NetworkvirtualizationfilterrespondstoARPforIP10.0.0.7onVSID5001withBlue2MACARPfor10.0.0.7192.168.4.11NICHyper-VSwitchIPVirtualizationPolicyEnforcementRoutingVSIDACLEnforcementBlue1Red1Networkvirtualization10.0.0.510.0.0.5MACPA1VSID5001VSID6001192.168.4.22NICIPVirtualizationPolicyEnforcementRoutingNetworkvirtualizationMACPA2Hyper-VSwitchVSIDACLEnforcementBlue2Red210.0.0.710.0.0.7VSID5001VSID6001OOB:VSID:5001UseMACB2for10.0.0.7UseMACB2for10.0.0.7Blue1learnsMACofBlue2192.168.4.11NICHyper-VSwitchIPVirtualizationPolicyEnforcementRoutingVSIDACLEnforcementBlue1Red1Networkvirtualization10.0.0.510.0.0.5MACPA1VSID5001VSID6001sentfromBlue1MACB1MACB210.0.0.510.0.0.7192.168.4.22NICIPVirtualizationPolicyEnforcementRoutingNetworkvirtualizationMACPA2Hyper-VSwitchVSIDACLEnforcementBlue2Red210.0.0.710.0.0.7VSID5001VSID6001OOB:VSID:5001inHyper-VswitchMACB1MACB210.0.0.510.0.0.7inNetworkvirtualizationfilterOOB:VSID:5001MACB1MACB210.0.0.510.0.0.7NVGREonthewireMACPA1MACPA2192.168.4.11192.168.4.225001MACB1MACB210.0.0.510.0.0.7192.168.4.11NICHyper-VSwitchIPVirtualizationPolicyEnforcementRoutingVSIDACLEnforcementBlue1Red1Networkvirtualization10.0.0.510.0.0.5MACPA1VSID5001VSID6001receivedbyBlue2MACB1MACB210.0.0.510.0.0.7192.168.4.22NICIPVirtualizationPolicyEnforcementRoutingNetworkvirtualizationMACPA2Hyper-VSwitchVSIDACLEnforcementBlue2Red210.0.0.710.0.0.7VSID5001VSID6001OOB:VSID:5001inHyper-VswitchMACB1MACB210.0.0.510.0.0.7NVGREonthewireinNetworkvirtualizationfilterOOB:VSID:5001MACB1MACB210.0.0.510.0.0.7MACPA1MACPA2192.168.4.11192.168.4.225001MACB1MACB210.0.0.510.0.0.7192.168.4.11NICHyper-VSwitchIPVirtualizationPolicyEnforcementRoutingVSIDACLEnforcementBlue1Red1Networkvirtualization10.0.0.510.0.0.5MACPA1VSID5001VSID6001receivedbyBlue2MACB1MACB210.0.0.510.0.0.7192.168.4.22NICIPVirtualizationPolicyEnforcementRoutingNetworkvirtualizationMACPA2Hyper-VSwitchVSIDACLEnforcementBlue2Red210.0.0.710.0.0.7VSID5001VSID6001OOB:VSID:5001inHyper-VswitchMACB1MACB210.0.0.510.0.0.7NVGREonthewireinNetworkvirtualizationfilterOOB:VSID:5001MACB1MACB210.0.0.510.0.0.7MACPA1MACPA2192.168.4.11192.168.4.225001MACB1MACB210.0.0.510.0.0.7Hyper-V网络虚拟化网关DCSQLDNSCorpNetsubnet10.229.200.15subnet10.229.200.16subnet10.229.200.231subnet10.229.200.0R1R2B1B2B3R3R4Y1Y210.60.xConsolidated数据中心Hyper-V网络虚拟化Host1Host2Host3BlueCorpS2SVPNHostHost托管数据中心网络虚拟化基础架构Web2R2R1Web3Web1Hyper-V网络虚拟化网关DCSQLDNSRedCorpS2SVPN•能够在数据中心的任何位置部署VM灵活负载迁移•跨子网在线迁移虚拟机能够更好的利用数据中心的资源资源利用率•服务器管理员部署不受网络管理员管理的网络通讯影响运维效率•多租户的隔离不依赖(但是兼容)VLAN技术可扩展多租户•用户能够保留他们的IP地址以及网络拓扑云落地敏捷性可扩展性简化敏捷性可扩展性简化