Virtual Network and Web Services An Update Thomas Finnern (DESY IT / Systems and Operations) Thorsten Witt (DESY IT / Communication Networks) HEPiX Spring 2010 @ Lisbon, Portugal


Virtual Network and Web Services

An Update

Thomas Finnern (DESY IT / Systems and Operations)

Thorsten Witt (DESY IT / Communication Networks)

HEPiX Spring 2010 @ Lisbon, Portugal


Application Delivery Networking

> Secure

Network Security Policies

Filtering

> Fast

Proxy

Server Farms

> Available

Server cluster

Load Distribution

> Since 2003

[Figure: The Solution. Users (mobile phone, PDA, laptop, desktop, co-location) reach the applications (CRM, database, Siebel, BEA, legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, custom) through the Application Delivery Network.]


Cross Functional Collaboration

> Networking

> Application Architect

> Operations

> Security Stakeholders

[Figure labels: Operations, Security, Network Guy, Application Architecture]


Outline of Talk

> Intro:

Application Delivery Networking

Cross Functional Collaboration

> Part I: Load Balancer

Work Done

Technical Features

Modes of Operation

> Part II: Application Examples

Active Services

DESY WEB Page

IT Status Monitor

> Outlook and Conclusions

Part I: The Load Balancer

F5 Viprion Blade Cluster

Things Done Since 2008

The Architecture


Work Done, Planned and In Progress

> Updates 9.x -> 10.0 -> 10.1

Live Upgrade

Still Unix System with GUI and CLI

ssh login, crontab, ...

> Migration Old -> New

> Redesign Services

ProxyPassSite with Remote Editable Config Table

Integration of Content Management System

100% Monitoring with "Dynamic Out Of Service Page"


Version 10 Software

> New Evaluation Licensing

Virtual Machine with F5 Functionality

> Application Templates

> Administrative/GUI Enhancements

> CMP Extensions

> TMSH for LTM/GTM

> Multiple Routing Domains

Overlapping IP-Ranges

"Machine readable" qkview

> Passive (In-Band) Monitoring

> Live Installation

> IPv6 internal Communication

> IPv6 external Gateway !

> Dash Board

> Logical Volume Manager

> FastHTTP Profile Extensions

> iRule Extensions

Fast syslog

Geo-IP Locator

> Module Provisioning

> Various GUI Extensions:

• Login-Page

• Reboot/Logout/Timeout/Disclaimer

• Forced Offline


Overall Connection Block Diagram

[Figure: block diagram with three columns: Clients (mobile phone, PDA, laptop, desktop, co-location), Network Infrastructure, and Server-Pools (load balancer, application server). Link labels: Office-Switches, 10-100 Mbit/s, Core-Router, 10 Gbit/s, CC-Switches, 1 Gbit/s, 10 Gbit/s.]


Technical Features

> Hardware

ASIC for Layer 3 + 4

> Software

TMOS

> TMOS traffic plug-ins

> High-performance networking microkernel

> Powerful application protocol support

> iControl – External monitoring and control

> iRules – Network programming language

[Figure: Unique TMOS Architecture. Labels: Client, Server, Client Side, Server Side, TCP Proxy, TCP Express (client and server side), SSL, Compression, Caching, OneConnect, XML, Rate Shaping, Traffic Shield, Web Accelerator, 3rd Party, iRules, iControl API, Microkernel, High Performance Hardware.]


Operation Mode “Dumb Service”

> F5 Secure Network Address Translation SNAT = on

Server sees F5 Switch as Client

> No Server Change

> All Service Traffic handled by F5 Switch

> HTTP header insert

E.g. Client Address

As X-Forwarded-For
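
A server-side check for the SNAT mode above, added here as an example (not from the talk): since every connection arrives from the load balancer, the application takes the client address from X-Forwarded-For, but only when the TCP peer is the load balancer. TRUSTED_PROXIES and the 192.0.2.x address are placeholders, and the code assumes the load balancer's value is the last one present in the request.

```python
import ipaddress

# Hypothetical: the source address the load balancer uses towards the servers
# (its SNAT address). 192.0.2.10 is a documentation address, not DESY's.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def client_address(peer_ip, xff_headers):
    """Return the address to log or authorise for one request.

    peer_ip     -- source address of the TCP connection as seen by the server
    xff_headers -- every X-Forwarded-For header value in the request, in order
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct connection: any X-Forwarded-For was written by the client.
        return str(peer)
    # Flatten "a, b" lists and repeated headers, then take the last element,
    # assumed to be the one the load balancer inserted.
    hops = [h.strip() for value in xff_headers
            for h in value.split(",") if h.strip()]
    if not hops:
        return str(peer)
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return str(peer)  # malformed value: fall back to the proxy address


if __name__ == "__main__":
    # Constructed requests: a client-supplied header followed by the proxy's.
    print(client_address("192.0.2.10", ["10.0.0.1", "198.51.100.7"]))
    print(client_address("203.0.113.5", ["10.0.0.1"]))
```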

[Figure labels: Client System, Standard Router, GW, SNAT, NAT, Server System, Other System]


Operation Mode “Smart Service”

> F5 Network Address Translation NAT = on

> Server Changes:

Default Route to F5 Switch

F5 Relaxed IP Binding on GW-Proxy

> Limitations

Server must be on F5 connected network (GW)

> Multiple Services Possible

> For DMZ and Extra F5 Subnet

> (Almost) All Traffic handled by F5 Switch

> Our new favorite

[Figure labels: Client System, Standard Router, GW, NAT, Server System, Other System]

Part II: Application Examples

Overview

DESY WEB Page (DESY IT / Information Fabrics)

DESY State Info System (DESY IT / Systems and Operations)


Virtual Server, Performance and Network Map


Top Statistics Over One Month

| bits since | bits in prior | current

| Mar 9 16:01:44 | 5 seconds | time

BIG-IP ACTIVE |---In----Out---Conn-|---In----Out---Conn-| 14:25:59

lb-198-220.desy.de 647.6G 566.8G 4.290M 8.452M 27.20M 138

VIRTUAL ip:port |---In----Out---Conn-|---In----Out---Conn-|-Nodes Up--

none:any 470.8G 8.496M 91376 272448 0 0 1

infoscreen.desy.de:ht 7.265G 302.0G 3404 245904 10.98M 0 2

www.desy.de:http 7.416G 137.1G 256425 351680 15.66M 5 1

none:any 51.87G 215040 183153 7.098M 0 10 1

wof-hasylab.desy.de:h 4.646G 37.77G 148096 856472 4.353M 13 2

none:any 37.05G 30.13M 244119 508808 640 3 1

indico.desy.de:https 1.132G 30.56G 41830 8944 7264 0 2

it-news.desy.de:http 28.41G 2.876G 443636 938664 168552 24 3

ip-console-vs.desy.de 10.36G 10.68G 10 0 0 0 2

ics.desy.de:http 3.905G 3.247G 3064 202152 169104 0 2

wof-xfel-eu.desy.de:h 257.6M 6.424G 20313 320 320 0 2

NODE ip:port |---In----Out---Conn-|---In----Out---Conn-|--State----

rt-248-16.desy.de:any 470.8G 0 91376 264008 0 0 UP

it-news02.desy.de:htt 4.188G 152.2G 385006 70016 1.934M 9 UP

it-news01.desy.de:htt 4.236G 152.1G 396351 75880 1.600M 8 UP

web2.desy.de:http 1.988G 72.26G 100105 346712 15.40M 2 UP

wofzeoc7.desy.de:http 2.622G 69.56G 150929 27952 781408 4 UP

rt-40-16.desy.de:any 51.86G 0 179544 4.247M 0 9 UP

FW-5-15.desy.de:any 37.06G 14.14M 241541 509448 0 3 UP

it-indico1.desy.de:ht 1.110G 31.43G 41540 58936 484080 0 UP

wofdb.desy.de:http 2.069G 26.58G 103313 281736 2.202M 7 UP

ip-console3.desy.de:a 10.39G 10.71G 10 0 0 0 UP

wof2.desy.de:http 970.4M 17.54G 61640 373360 3.303M 6 UP


Virtual Services and Pooling

> Virtual Service

Proxy with IP-Number + Port

Certificate

Scripting

Redirect, Editing (stream), Mapping, …

Persistence to Pool Members

SSL Offloading

RAM-Caching

Optimizing

http-Protocol (OneConnect)

> Pooling

Multiple Machines/Ports

Monitoring

Ping, Service Monitoring

Opt. Remote Control By Remote Flag Files

Port Mapping

Load Balancing

In Band Load, Round Robin, Number Connections, …


Example Configuration

> www.desy.de with ProxyPassSite

> CLI Configuration:

virtual web-http-service {
   pool wofzms-http-pool
   destination 131.169.40.41:http
   ip protocol tcp
   rules ProxyPassDESY
   profiles {
      http {}
      stream {}
      tcp {}
   }
}

virtual web-https-service {
   pool wofzms-https-pool
   destination 131.169.40.41:https
   ip protocol tcp
   rules ProxyPassDESY
   profiles {
      http {}
      serverssl_desy {
         serverside
      }
      stream {}
      tcp {}
      www-desy-client {
         clientside
      }
   }
}

> infoscreen.desy.de with Fast HTTP Profile

> CLI Configuration:

virtual it-infoscreen-http-service {
   snat automap
   pool it-infoscreen-pool
   destination 131.169.5.220:http
   ip protocol tcp
   profiles fasthttp_snat {}
}

pool it-infoscreen-pool {
   lb method member least conn
   min active members 1
   monitor all http_80_desy
   members {
      131.169.5.76:http {
         priority 5
      }
      131.169.5.130:http {
         priority 5
      }
   }
}


Example 1 : Redesign of www.desy.de

> Remove Single Points of Failure

Single Machines

Provide Offline WEB Site Status Info

> Enable Mixed WWW/WOF-Environments

Common ProxyPassSite Configuration

Import External ProxyPassTable

> Enhance Load Balancing and Speed

Caching

Protocol Optimizing

CMS: Separate Read/Write Pools

Cookie Dependent Routing

CMS: Direct Zope Interface

Offload SSL

> Other Features

Get rid of old F5 Switches

No Source Network Address Translation

Intern/Extern-Routing

Intern/Extern Handling

http/https-Redirections


Before / Now

[Figure labels: N clients at DESY site, N clients at other sites, Standard Router, www.desy.de http, www.desy.de https, other.desy.de http, other.desy.de https, Service http, Service https, Loadbalance, Pooling, Server Systems, Zope CMS, Apache Proxy, Persist: ZopeId, CMS-Interface, Content Management Service, Other Systems, Various WEB Services.]


After / Now

[Figure labels: N clients at DESY site, N clients at other sites, Standard Router, www.desy.de http, www.desy.de https, Service http, Service https, Loadbalance, Pooling, Server Systems, Zope CMS, Proxy, Persist: ZopeId, __ac, CMS-Interface, Content Management Service, Web Service, WEB Management, Separate Read/Write Pools, Migration Old/New Pools, ProxyPassTable.]


ProxyPassSite Features

> Config Load from AFS

"clientside" := "CMD[+Option] serverside"

"clientside" := "CMD serverside poolname[/https-pool]"

> Feature Redirect

"www.host.com/clientdir" := "Redirect internal.company.com/serverdir"

> Feature Alias

"/clientdir" := "Alias+HostMap /serverdir"

"host.desy.de/" := "Alias+Protomap+ZopeMap /serverdir wof-read-pool"

> Option +Cssl

> Option +Intern

> Option +Hostmap

> Option +Pathmap

> Option +ProtoMap

> Option +Zopemap

> Option +Slash

> Option +Log[0-2]

> Option +Snat

"/" := "Alias+HostMap+Snat zms.desy.de/",

"/dgs" := "Redirect http://guest-services.desy.de",

"hasylab.desy.de/" := "Alias+Snat / wof-http-pool/wof-https-pool",

"chor.desy.de/" := "Alias+ZopeMap+ProtoMap /VirtualHostBase/ <proto>/<host>.desy.de:<port>/sites2009/site_<host>/content/ wof-ro-pool/wof-rw-pool",

"www.desy.de/~" := "Alias web2.desy.de/~ web2-http-pool/web2-https-pool",

"/cgi-bin" := "Alias /cgi-bin web-http-pool/web-https-pool",

"/dgo" := "Alias+Intern /dgo web2-http-pool/web2-https-pool",

"/favicon.ico" := "Alias /favicon.ico web2-http-pool/web2-https-pool",

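
Because the ProxyPassSite table is loaded from a remotely editable file, it is worth validating before it reaches the load balancer. The following is an added example, not code from the talk or from F5: it parses entries in the "clientside" := "CMD[+Option] serverside poolname[/https-pool]" form shown on the ProxyPassSite Features slide and rejects commands or options that slide does not list. Case-insensitive option matching and the handling of a serverside split across several tokens are assumptions.

```python
import re

# Commands and options listed on the slide. Matching is case-insensitive
# (assumption: the slide writes both "+Hostmap" and "+HostMap").
COMMANDS = {"redirect", "alias"}
OPTIONS = {"cssl", "intern", "hostmap", "pathmap", "protomap", "zopemap",
           "slash", "snat", "log0", "log1", "log2"}
ENTRY_RE = re.compile(r'"([^"]*)"\s*:=\s*"([^"]*)"')

# First four entries are from the slide; the last two are constructed errors.
SAMPLE = '''
"/" := "Alias+HostMap+Snat zms.desy.de/",
"/dgs" := "Redirect http://guest-services.desy.de",
"hasylab.desy.de/" := "Alias+Snat / wof-http-pool/wof-https-pool",
"/dgo" := "Alias+Intern /dgo web2-http-pool/web2-https-pool",
"/tmp" := "Forward+Snat /tmp",
"/x" := "Alias+Debug /x web2-http-pool",
'''


def parse_table(text):
    """Split a table into accepted entries and (clientside, reason) errors."""
    entries, errors = [], []
    for client, value in ENTRY_RE.findall(text):
        tokens = value.split()
        if len(tokens) < 2:
            errors.append((client, "need CMD and serverside"))
            continue
        cmd, *opts = tokens[0].split("+")
        unknown = [o for o in opts if o.lower() not in OPTIONS]
        # With three or more tokens the last one is "poolname[/https-pool]";
        # tokens in between are joined as a wrapped serverside (assumption).
        pools = tokens[-1].split("/") if len(tokens) > 2 else []
        server = "".join(tokens[1:-1]) if pools else tokens[1]
        if cmd.lower() not in COMMANDS:
            errors.append((client, f"unknown command {cmd}"))
        elif unknown:
            errors.append((client, f"unknown option {unknown[0]}"))
        elif len(pools) > 2 or not all(pools):
            errors.append((client, "bad pool field"))
        else:
            entries.append({"client": client, "cmd": cmd, "options": opts,
                            "server": server,
                            "http_pool": pools[0] if pools else None,
                            "https_pool": pools[1] if len(pools) == 2 else None})
    return entries, errors
```

Calling parse_table(SAMPLE) accepts the four slide entries and reports the two constructed ones with the reason each was rejected.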

Example 2 : DESY State Information System

[Figure labels: Standard Router, IT-Monitor http, Infoscreen http, IT-News desy.de http, IT-News desy.de https, Service, Loadbalance, Pooling, ASIC-Interface, Server Systems, Accelerator Status Proxy, Accelerator Management, IT-Info Pool (DB, Maintenance, Timing), Computing Status, IT Management, 50 permanent thin clients at site (http), N random thick clients at user (http).]


State Information System (IT-Monitor)


State Information System (Infoscreen)


Outlook and Conclusions

> Rather Simple To Use

Nice Operating Model

Easy High Availability

Replaces Host and Cluster Solutions

> Has Become a Standard Feature

People trust virtual services

Last minute Application Safety Support

> Getting Better

Customer Invisible Service Switching

Enhanced Load Distribution

Only One Virtual Hostname Per Service

Enhancing Fault Tolerance and Security

> SSO, Certificates, Login, …


Thank you for listening

> Questions ?

> Answers !
