
Private cloud computing virtualization service oriented 3234 pdf


Document information

Pages: 746
Size: 12.49 MB

Contents


About the Authors

Chapter 1 Next-Generation IT Trends

Chapter 2 Next-Generation Data Center Architectures and Technologies

Chapter 3 Next-Generation WAN and Service Integration

Chapter 4 Branch Consolidation and WAN Optimization

Chapter 5 Session Interception Design and Deployment

Chapter 6 WAN Optimization in the Private Cloud

Chapter 7 SAN Extensions and IP Storage

Chapter 8 Cloud Infrastructure as a Service

Chapter 9 Case Studies

Appendix A Acronyms and Abbreviations

References

Index


Front matter

Private Cloud Computing

Consolidation, Virtualization, and Service-Oriented Infrastructure

Stephen R. Smoot

Nam K. Tan

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Morgan Kaufmann is an imprint of Elsevier


Acquiring Editor: Todd Green

Development Editor: Robyn Day

Project Manager: Danielle S. Miller

Designer: Kristen Davis

Morgan Kaufmann is an imprint of Elsevier

225 Wyman Street, Waltham, MA 02451, USA

© 2012 Elsevier, Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

Designations used by companies to distinguish their products are often claimed as trademarks or registered trademarks. In all instances in which Morgan Kaufmann Publishers is aware of the claim, the product names appear in initial capital or all capital letters. All trademarks that appear or are otherwise referred to in this work belong to their respective owners. Neither Morgan Kaufmann Publishers nor the authors and other contributors of this work have any relationship or affiliation with such trademark owners nor do such trademark owners confirm, endorse or approve the contents of this work. Readers, however, should contact the appropriate companies for more information regarding trademarks and any related registrations.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data


Application submitted

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library.


To our wives Marcia Smith and Priscilla Lim Chai Tee, for their love and support


On numerous occasions, we thought, “Wouldn't it be great if we had something to point people to as they start to get real with the cloud?” After smacking our heads into this wall enough times, we realized that we should write it. We have relied on a large cast of helpers whom we'd like to take the time to acknowledge. Any errors or omissions are the responsibility of the authors alone; given how quickly technology changes, we recommend verifying content with up-to-date manuals from the vendors.

First and foremost, we thank Dr. Mark Day, Alan Saldich, and Dr. Steve McCanne, who provided some of the text we use to lay out the arguments in Chapters 1 and 4. Their perspective and insights dramatically clarified the points that we were trying to make. Karyn Goldstein worked tirelessly to edit the book, helping us express our thoughts, and giving it unity; the book is much better for her work.

We appreciate the technical and other comments we received from our coworkers and friends who looked at the project in its varying stages. We thank Dr. Larry Rowe, Lance Berc, and Kand Ly for their comments on the proposal. Ricky Lin, Joshua Tseng, and Nick Amato were kind enough to look at chapters multiple times for feedback. Finally, we appreciate the technical once-over from Dr. Michel Demmer, Bill Quigley, Bruno Raimondo, Chiping Hwang, Paul Griffiths, Tandra De, Kand Ly, and Phil Rzewski. A special thanks to Emilio Casco for assistance with the figures in Chapter 4 and to Claire Mosher for editing and guidance. The authors appreciate the support from their respective bosses for the time to pull all of this together.


There are no rules of architecture for a castle in the clouds.

We are at the start of a decade where network designers will use infrastructure consolidation and virtualization to create next-generation cloud services. Network virtualization is the bedrock for this solution because it can consolidate diverse networks into a single virtual entity, the first step in creating a service-oriented infrastructure. On this foundation, IT resources can be scaled up and down virtually to provision on-demand services (a.k.a. private cloud services) without the addition of new physical devices or entities through server virtualization. From a business perspective, this enables cost savings and increases the ability to rapidly react and adjust to the volatile business climate. This enables more agile balancing of expense reduction with business growth initiatives.

Data centers are the current focus of virtualization because they currently host the largest number of services. To fully realize the cloud vision, one must also look outward to regional and branch offices to find more services eligible for consolidation and to ensure that cloud performance is acceptable to the enterprise. Challenges can come from neglecting the wide area network (WAN) that interconnects the users and services, with inherent delay, packet loss, congestion, and bandwidth limitations. The WAN can be the weakest link in implementing the cloud vision. Broad enterprise cloud computing adoption moves users' computing and storage distant from them; the ensuing latency and bandwidth limitations threaten to reduce performance and thus productivity. WAN optimization is the solution to overcome this obstacle. With WAN optimization, these performance constraints are alleviated, enhancing the performance of a WAN to be nearly that of a local area network.

While there is abundant technical documentation dedicated solely to WAN optimization, next-generation data centers, and virtualization, this book is the first look at all three conjoined as a topic under the mega-trend of cloud computing. This book examines the path toward building a service-oriented infrastructure (SOI) for cloud computing services. It investigates how data center consolidation techniques, and WAN optimization and virtualization (of servers, storage, and networks) enable new structures with increased productivity. Another key factor in data center consolidation is requirements for redundancy to support business availability goals, and we explore the challenges and solutions in data replication for disaster recovery.

Essential to any enterprise cloud is security. We explore it in general for the cloud context and specifically how it applies to the Cisco Unified Computing System. Tying it all together, we provide case studies and examples to demonstrate how enterprises are moving toward a service-oriented infrastructure.

Who Should Read This Book

One's destination is never a place but rather a new way of looking at things.

—Henry Miller

This book is intended for network engineers, solution architects, internetworking professionals, IT managers, CIOs, service providers, and everyone else who is interested in building or managing a state-of-the-art solution for private cloud services. The information in this book enables you to consolidate services from data centers and remote branch offices, leverage WAN optimization to keep performance high, and build a routing and switching platform to provide a foundation for cloud computing services. In general, it is assumed that the reader is familiar with basic TCP/IP networking. As we progress from simple to more complex topics, the book addresses hard-to-understand concepts and difficult areas through each chapter and provides case studies and configuration examples to guide comprehension. If you like really knowing how things work, this is a book for you.

Who Shouldn't Read This Book

“Beware of the man who works hard to learn something, learns it, and finds himself no wiser than before,” Bokonon tells us. “He is full of murderous resentment of people who are ignorant without having come by their ignorance the hard way.”

—Kurt Vonnegut

This book is not intended for people who just want to know how to use EC2; it is geared for people who want to learn the underlying concepts required to build their own private cloud infrastructure. Also be warned: we spend the vast majority of our time focused on the technology and market leaders—Cisco for routing/switching, VMware for virtualization, and Riverbed for WAN optimization. Other vendors have relevant products in some cases, but space does not permit more than a nod in their direction. Finally, it is essential to understand automation in building a cloud; that said, it is barely touched upon here.


About the Authors

Stephen R. Smoot, Ph.D., helped start up Riverbed Technology in February 2003, and currently serves as senior vice president of technical operations, running the technical support, technical publications, technical marketing, advanced network engineering, and global consulting engineering groups. He spends his time thinking about where technology is going and helping customers to solve their problems.

Smoot previously worked on acceleration and video at Inktomi Corporation (now a part of Yahoo). He joined Inktomi, following its acquisition of FastForward Networks, which designed overlay network technology for streaming video with millions of viewers over the Internet. Smoot previously worked at Imedia (Motorola), Honeywell, and IBM.

Smoot received his doctorate in computer science from the University of California at Berkeley, working with Lawrence Rowe. His dissertation, Maximizing Perceived Quality Given Bit-rates Constraints in MPEG Encoding through Content-adaptivity,[1] describes various aspects of creating MPEG video from its original video source. He also holds a master's degree in computer science from the University of California, Berkeley. His undergraduate education was at MIT where he received bachelor's degrees in computer science and in mathematics.

Nam-Kee Tan, CCIE #4307, has been in the networking industry for more than 17 years. He is dual CCIE in routing and switching and service provider and has been an active CCIE for more than 10 years. His areas of specialization include advanced IP services, network management solutions, MPLS applications, L2/L3 VPN implementations, next-generation data center technologies, and storage networking.

Nam-Kee is currently the lead network architect in the Riverbed advanced network engineering team where he designs and deploys cloud computing service infrastructures and virtual data center solutions for Riverbed enterprise and service provider customers. Nam-Kee also advises internal Riverbed engineers in the area of next-generation service provider technologies.

Nam-Kee is the author of Configuring Cisco Routers for Bridging, DLSw+, and Desktop Protocols;[2] Building VPNs with IPSec and MPLS;[3] MPLS for Metropolitan Area Networks;[4] and is co-author of Building Scalable Cisco Networks.[5] He holds a master's degree in data communications from the University of Essex, UK, and an MBA from the University of Adelaide, Australia.


Chapter 1 Next-Generation IT Trends

Architecture is the reaching out for the truth.

—Louis Kahn

Information in this chapter:

• Layers of Function: The Service-Oriented Infrastructure Framework

• Blocks of Function: The Cloud Modules

• Cloud Computing Characteristics

• Cloud Computing Taxonomy

• Summary

Chapter 1 defines the service-oriented infrastructure (SOI) framework for private cloud computing. It describes the functions of the various cloud modules that make up the SOI framework. Fundamental cloud computing characteristics and taxonomy are described.

Keywords: Cloud services; service-oriented infrastructure; server virtualization; virtual machine; hypervisor; consolidation; SAN; FCIP; FCoE; unified fabric; WAN optimization; network virtualization; VRF; iSCSI; rapid elasticity; private cloud; IaaS; PaaS; SaaS

Introduction

This book is about building a next-generation IT infrastructure. To understand what that means, one needs to start by looking at what constitutes current-generation IT infrastructure. But how did we arrive at the current infrastructure? To get a sensible perspective on that, it helps to back up and look at where computing started.

In the early days of computing, there was a tight connection among users, computers, and applications. A user would typically have to be in the same building as the computer, if not in the very same room. There would be little or no ambiguity about which computer the application was running on. This description holds up when one thinks about the “early days” as referring to an ENIAC, an IBM 360, or an Apple II.

Since those days, enterprise IT organizations have increasingly used networking technologies to allow various kinds of separation. One set of technologies that goes by the name of storage networking allows computers and the storage underpinning applications to be separated from each other to improve operational efficiency and flexibility. Another set of technologies called local-area networking allows users to be separated from computing resources over small (campus-size) distances. Finally, another set of technologies called wide-area networking allows users to be separated from computing resources by many miles, perhaps even on the other side of the world. Sometimes practitioners refer to these kinds of networks or technologies by the shorthand SAN, LAN, and WAN (storage-area network, local-area network, wide-area network, respectively). The most familiar example of a WAN is the Internet, although it has enough unique characteristics that many people prefer to consider it a special case, distinct from a corporate WAN or a service provider backbone that might constitute one of its elements.

It is worth considering in a little more detail why these forms of separation are valuable. Networking delivers obvious value when it enables communication that is otherwise impossible, for example, when a person in location A must use a computer in location B, and it is not practical to move either the person or the computer to the other location. However, that kind of communication over distance is clearly not the motivation for storage networking, where typically all of the communicating entities are within a single data center. Instead, storage networking involves the decomposition of server/storage systems into aggregates of servers talking to aggregates of storage.

New efficiencies are possible with separation and consolidation. Here's an example: suppose that an organization has five servers and each uses only 20% of its disk. It turns out that it's typically not economical to buy smaller disks, but it is economical to buy only two or three disks instead of five, and share those among the five servers.

In fact, the shared disks can be arranged into a redundant array of independent disks (RAID)[1] configuration that will allow the shared disks to handle a single disk failure without affecting data availability—all five servers can stay up despite a disk failure, something that was not possible with the disk-per-server configuration. Although the details vary, these kinds of cost savings and performance improvements are typical for what happens when resources can be aggregated and consolidated, which in turn typically requires some kind of separation from other kinds of resources.

Although these forms of networking (SAN, LAN, WAN) grew up more or less independently and evolved separately, all forms of networking are broadly equivalent in offering the ability to transport bit patterns from some origin point to some destination point. It is perhaps not surprising that over time they have borrowed ideas from each other and started to overlap or converge. Vendors offering “converged” or “unified” data center networking are effectively blurring the line between LAN and SAN, while vendors offering “WAN optimization” or “virtual private LAN services” are encouraging reconsideration of the separation between LAN and WAN.

Independently of the evolution of networking technologies, IT organizations have increasingly used virtualization technologies to create a different kind of separation. Virtualization creates the illusion that the entire computer is available to execute a program while the physical hardware might actually be shared by multiple such programs. Virtualization allows the logical server (executing program) to be separated cleanly from the physical server (computer hardware). Virtualization dramatically increases the flexibility of an IT organization, by allowing multiple logical servers—possibly with radically incompatible operating systems—to share a single physical server, or to migrate among different servers as their loads change.

Partly as a consequence of the rise of the Internet, and partly as a consequence of the rise of virtualization, there is yet a third kind of technology that is relevant for our analysis. Cloud services offer computing and storage accessed over Internet protocols in a style that is separated not only from the end-users but also from the enterprise data center.

A cloud service must be both elastic and automatic in its provisioning—that is, an additional instance of the service can be simply arranged online without requiring manual intervention. Naturally, this also leads to requirements of automation with respect to both billing for and terminating service, or else those areas would become operational bottlenecks for the service. The need for elastic automatic provisioning, billing, and termination in turn demands the greatest possible agility and flexibility from the infrastructure.

If we want to build a cloud service—whether public or private, application focused or infrastructure focused—we have to combine the best available ideas about scaling, separation of concerns, and consolidating shared functions. Presenting those ideas and how they come together to support a working cloud is the subject of this book.

There are two styles of organization for the information presented in the rest of the book. The first is a layered organization and the other is a modular organization. The next two sections explain these two perspectives.

Layers of function: the service-oriented infrastructure framework

There are so many different problems to be solved in building a next-generation infrastructure that it's useful to organize the approach into layers. The top layer supplies various kinds of fantastically powerful, incredibly flexible services to end-users. The bottom layer is a collection of off-the-shelf hardware of various kinds—servers, storage, networking routers and switches, and long-distance telecom services. The intervening layers use the relatively crude facilities of the lower layers to build a new set of more sophisticated facilities.

This particular layered model is called a service-oriented infrastructure (SOI) framework and is illustrated in Figure 1.1. The layer immediately above the physical hardware is concerned with virtualization—reducing or eliminating the limitations associated with using particular models of computers, particular sizes of disks, and so on. The layer above that is concerned with management and provisioning—associating the idealized resources with the demands that are being placed. A layer above management and provisioning exports these automatic capabilities in useful combinations through a variety of network interfaces, allowing the resources to be used equally well for a high-level cloud software as a service (SaaS) and a lower-level cloud infrastructure as a service (IaaS).

Figure 1.1 The SOI framework

In the course of discussing choices and trade-offs to be made, there will be references to these layers.

Blocks of function: the cloud modules

Throughout the book, while keeping in mind the SOI structure, the chapters are organized around a different paradigm: consider a cloud computer to be made of various modules roughly similar to the central processing unit (CPU), RAM, bus, disk, and so on that are familiar elements of a conventional computer. As illustrated in Figure 1.2, there are several modules making up this functional layout:

• End-user type I—branch office

• End-user type II—mobile

Server module

The server module is analogous to the CPU of the cloud computer. The physical servers or server farm within this module form the core processors. It is “sandwiched” between a data center network and a storage area network.

As previously noted, server virtualization supports multiple logical servers or virtual machines (VMs) on a single physical server. A VM behaves exactly like a standalone server, but it shares the hardware resources (e.g., processors, disks, network interface cards, and memory) of the physical server with the other VMs. A virtual machine monitor (VMM), often referred to as a hypervisor, makes this possible. The hypervisor issues guest operating systems (OSs) with a VM and monitors the execution of these guest OSs. In this manner, different OSs, as well as multiple instances of the same OS, can share the same hardware resources on the physical server. Figure 1.3 illustrates the simplified architecture of VMs.

Figure 1.3 Simplified architecture of virtual machines

Server virtualization reduces and consolidates the number of physical server units required in the data center, while at the same time increasing the average utilization of these servers. For more details on server consolidation and virtualization, see Chapter 2, Next-Generation Data Center Architectures and Technologies.


Storage module

The storage module provides data storage for the cloud computer. It comprises the SAN and the storage subsystem that connects storage devices such as just a bunch of disks (JBOD), disk arrays, and RAID to the SAN. For more details on SAN-based virtualization, see Chapter 2.

SAN extension

SAN extension is required when there are one or more storage modules (see Figure 1.2) across the “cloud” (WAN module) for remote data replication, backup, and migration purposes. SAN extension solutions include Wave-Division Multiplexing (WDM) networks, Time-Division Multiplexing (TDM) networks, and Fibre Channel over IP (FCIP). For more details on SAN extension solutions, see Chapter 7, SAN Extensions and IP Storage.

Fabric module

The fabric module functions somewhat like a cloud computer bus system that transfers data between the various cloud computing modules. In Figure 1.2, the server farm in the server module is sandwiched between a data center network (typically Ethernet) and a SAN, which is really Fibre Channel (FC). The SAN is referred to as an isolated fabric topology. FC SANs are also known as SAN islands because FC uses a wholly different protocol stack from TCP/IP. The main impetus of the fabric module is to transform this isolated fabric topology (IFT) to a unified fabric topology (UFT). How to achieve this UFT? The short answer is to extend or, more precisely, to encapsulate Fibre Channel over Ethernet (FCoE). The previous deterrent to using Ethernet as the basis for a unified fabric was its limited bandwidth. With the advent of 10-gigabit Ethernet, the available bandwidth now makes it feasible to consolidate various traffic types over the same link. For more information on FCoE, see Chapter 2.

WAN module

The WAN module is the enterprise's intranet (internal access), extranet (business-to-business access), Internet (public access) over a WAN, and metropolitan-area network (MAN). From the cloud computing user's perspective, the WAN module provides access to the cloud. The main purpose of the WAN module is to extend the cloud computer access to local or remote campuses, branches or remote offices, teleworkers or home offices, and mobile users or road warriors. The actual connectivity provided by the WAN module is accomplished using a variety of network technologies, including long-haul fiber networks and mobile technologies such as 802.11 wireless Ethernet.

Network virtualization

As each end-user requires some level of isolation from each other and from each other's computing resources, one of the core requirements for the cloud computing environment is the creation of independent or isolated logical traffic paths over a shared physical network infrastructure and, for that matter, across the WAN.

Virtualization at Layer 3 (IP layer) provides the required end-to-end network segmentation and isolated connectivity between different end-users. Layer 3 virtualization is also known as network virtualization, and can be implemented with virtual routing and forwarding (VRF) and Multiprotocol Label Switching (MPLS). Network virtualization refers to the creation of logically isolated network partitions overlaid upon a common enterprise physical network infrastructure, as illustrated in Figure 1.4. To the end-users, these logical network partitions are no different from the original physical network. For more details on network virtualization, see
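As an added illustration of the VRF partitioning described above (this is not the book's own example; the router, tenant names, interface names and addresses are assumed, using the classic Cisco IOS `ip vrf` syntax), a minimal VRF-lite configuration that places two tenants on one physical router, each with its own routing table, so that identical address space on the two sides does not collide and neither tenant can reach the other unless a route is deliberately leaked between the tables:

```text
! Constructed example (not from the book): two tenant partitions on one
! Cisco IOS router using VRF-lite. Names and addresses are assumed.
!
! Each VRF is a separate routing and forwarding table. A packet arriving on
! an interface bound to TENANT-A is looked up only in TENANT-A's table.
! The route distinguisher (rd) has only local significance here because no
! MPLS/MP-BGP is configured.
ip vrf TENANT-A
 rd 65000:1
!
ip vrf TENANT-B
 rd 65000:2
!
! Both tenants use 10.0.0.0/24. In a single routing table this would be an
! address conflict; with one VRF per tenant the two subnets never see each
! other.
interface GigabitEthernet0/1
 description Tenant A access segment
 ip vrf forwarding TENANT-A
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Tenant B access segment (same prefix as Tenant A)
 ip vrf forwarding TENANT-B
 ip address 10.0.0.1 255.255.255.0
!
! The management interface stays in the global routing table, which is
! itself isolated from both tenant VRFs.
interface GigabitEthernet0/3
 description Management, global table
 ip address 192.0.2.1 255.255.255.0
!
! Verification from the router CLI (not part of the configuration):
!   show ip route vrf TENANT-A     -> 10.0.0.0/24 via Gi0/1 only
!   show ip route vrf TENANT-B     -> 10.0.0.0/24 via Gi0/2 only
!   show ip route                  -> global table has no 10.0.0.0/24 at all
!   ping vrf TENANT-A 10.0.0.1     -> answered by the Tenant A interface
!   ping 10.0.0.1                  -> fails: no route in the global table
```

With MPLS and MP-BGP the same VRFs can be carried across the WAN module so the partitions stay isolated end to end; that extension is not shown here.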

“cloud” (WAN module) to the remote end-users. Moreover, given the resource limitations on the WAN, such as latency and constrained bandwidth, end-user quality of experience needs to be upheld. Remote access to a cloud computer should not result in lower productivity due to slower response time. This is why WAN optimization is a critical component of the architecture. Since WAN optimization “consolidates” data (using a more efficient data representation scheme and protocol) when it traverses the WAN, it can be used to extend constrained bandwidth resources and reduce round-trip delays. The WAN optimization function is typically implemented between the fabric and WAN modules, as well as between the end-user and WAN modules. For details on WAN optimization, see Chapter 4, Chapter 5 and Chapter 6.

End-user Type I—branch office

The locations for Type I end-users are usually fixed—local or remote campuses, branches or remote offices, and home offices. The network access can either be wired or wireless (or occasionally 3G/4G mobile).

During the distributed computing era, it was common for remote branch offices (RBOs) to have their own local file and application servers, as well as local storage devices. However, the cloud computing centralization model implies that these branch-based computing resources will have to be relocated to a centralized data center (comprising the fabric, server, and storage modules). WAN optimization can be used to maintain the same quality of user experience after the RBO consolidation process. With local storage also migrated to the data center, the hosts (initiator) at the RBO can use iSCSI to access the storage subsystem (target) in the storage module.

In terms of cloud computing end-users, the Type I category is the main focus of this book. For details on WAN optimization, see Chapter 4, Chapter 5 and Chapter 6, and for details on iSCSI, see Chapter 7.

End-user Type II—mobile

Type II end-users are mobile workers with no fixed locations. Mobile devices with wireless access are the norm in this category. The next-generation mobile broadband network (outside the scope of this book) will play an important role in this aspect. In general, the mobile device is not required to be as high-powered as a traditional PC and may act more as a thin client.

Cloud computing characteristics

The main objective of consolidating and virtualizing the various cloud computing building blocks in Figure 1.3[2] is to attain an SOI with the following characteristics:

• On-demand self-service: An end-user can unilaterally provision computing capabilities, such as server settings and network storage when needed, without any interaction from the provider's IT administrator.

• Universal network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms, such as mobile phones, laptops, netbooks, tablet computers, personal digital assistants (PDAs), and so on.

• Resource pooling: The provider's computing resources are pooled to serve multiple end-users using a multitenant model, with different physical and virtual resources dynamically assigned and reassigned according to the end-user needs. Examples of such resources include storage, processing, memory, network bandwidth, and virtual machines. There is a degree of location freedom (or independence) in that the end-user generally has no notion of the exact location of the provided resources but will be able to access these resources from an intranet if the end-user is an internal staff member or access from the extranet/Internet if the end-user is an external party.

• Rapid elasticity: Capabilities can be rapidly and elastically provisioned (in some cases automatically) to quickly scale out and rapidly released to quickly scale in.

To the end-user, the capabilities available for provisioning often appear to be unlimited (or boundless) and acquirable. With these essential characteristics defined, it is time to delve into the various cloud computing deployment and service models.

Cloud Computing Taxonomy

Cloud computing is not a wholly new concept. It is worthwhile to mention that the first cloud evolved around TCP/IP abstraction, with the most significant being the Internet. With the entry of HyperText Transfer Protocol (HTTP), World Wide Web (WWW) data abstraction created the second cloud on top of the first one. The emerging cloud initiative abstracts infrastructure complexities of servers, applications, data, and heterogeneous platforms. It is established beneath the previous two.

Based on cloud computing taxonomy defined by the National Institute of Standards and Technology (NIST),[3] there are four deployment models and three service models that collectively encompass all of the various cloud approaches.

Deployment models

The four common deployment models are as follows:

• Public cloud: This cloud infrastructure is made available

to the general public or a large industry group and is owned

by an organization selling cloud services Resources are

Trang 38

typically provisioned on a dynamic and on-demand basisover the Internet Small and medium enterprises (SMEs)benefit from using public clouds to minimize growth ofdata centers.

• Community cloud: This cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It can be managed by the organizations or a third party and can exist on premises or off premises.

• Private cloud: This cloud infrastructure is operated solely for an organization. It can be managed by the organization or a third party and can exist on premises or off premises. In short, the private cloud is an emulation of the public cloud, typically on a private network, and exists to support the goals of the organization rather than to generically supply resources to multiple organizations.

• Hybrid cloud: This cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

There is a fine line between public and private clouds because the distinction is determined by who controls the cloud and who the end-users are, not necessarily by the technologies used in building the cloud. This book covers cloud computing that is operated solely for an organization, that is, private cloud computing. In this context, the organization is typically a large enterprise.


Organizations have more control over the security architecture of private clouds than over community and public clouds. In other words, private clouds can have less threat exposure than community and public clouds and can better meet emerging regulatory requirements, provided that this control is actually exercised: a private cloud inherits every weakness of the organization's own network, identity, and patching practices. Public clouds raise many more security concerns. This is an additional reason why this book focuses on private cloud computing.

The confidentiality, integrity, and availability (CIA) triad4 applies to the cloud infrastructure as well, with the added requirement that it be multitenant-aware: the infrastructure must provide secure separation between tenants (computing resources and end-users alike) while preserving availability for all of them. For more details on cloud security, see Chapter 8.

Service models

The three service models defined by NIST include:

• Cloud software as a service (SaaS): The consumer can use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser. The consumer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, storage, or even individual application capabilities. Possible exceptions are limited to user-specific application configuration settings. Web-based email is a good example of SaaS.

• Cloud platform as a service (PaaS): The consumer can deploy onto the cloud infrastructure consumer-created or consumer-acquired applications built using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, or storage, but has control over the deployed applications and possibly over the application hosting environment configuration. A hosting provider that allows customers to purchase server space for web pages is an example of PaaS.

• Cloud infrastructure as a service (IaaS): The consumer can provision processing, storage, networks, and other fundamental computing resources. The consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control of selected networking components (e.g., firewalls and load balancers). Providing organization-wide IaaS over the private cloud architecture is the main theme of this book.

Figure 1.5 illustrates the three different cloud computing service models. Each service model can run directly and independently on top of the cloud infrastructure. They can also be overlaid on top of each other, acting as sandboxes.5 For instance, SaaS overlays PaaS, which in turn overlays IaaS.

Figure 1.5
