This chapter covers the following official Network+ objectives:
Summarize cloud concepts and their purposes.
Explain the purposes of virtualization and network storage technologies.
This chapter covers CompTIA Network+ objectives 1.7 and 2.4. For more information on the official Network+ exam topics, see the “About the Network+ Exam” section in the Introduction.
The term cloud computing is used everywhere these days, even by those who have no idea what it means. As a Network+ candidate, you need to be versed in the definitions of cloud computing and virtualization and able to discuss them with others using a common vernacular.
This chapter focuses on the definitions of cloud computing and virtualization at the level you need to know them for the Network+ exam. If you want to go further with the technology, consider the newly created Cloud+ certification from CompTIA.
Summarize cloud concepts and their purposes.
CramSaver
If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.
1. In which cloud delivery model are resources owned by the organization, and that organization acts as both the provider and the consumer?
2. With which cloud service model can consumers deploy applications onto the cloud infrastructure but not manage or control the underlying infrastructure (while retaining control over the deployed applications)?
3. What are some of the characteristics of cloud computing?
Answers
1. In a private cloud model, the cloud is owned by the organization and it acts as both the provider and the consumer.
2. With the Platform as a Service (PaaS) cloud service model, consumers can deploy applications but do not manage or control any of the underlying cloud infrastructure; they retain control over the deployed applications and their configuration.
3. Regardless of the service model used, the characteristics include on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.
The best way to think about this chapter is as an introduction to cloud computing and an agreement on what the terms associated with it really mean. The National Institute of Standards and Technology (NIST) defines three service models in Special Publication 800-145: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). It also defines four deployment models, which CompTIA calls delivery models: private, public, community, and hybrid.
This chapter looks at each of these seven terms and what they mean as defined by NIST and agreed upon by the computing community. Know that the service models can be mixed and matched with the delivery models, so you can have public IaaS, private PaaS, and so on. Know also that a Cloud Access Security Broker (CASB) is software that sits between cloud service users and cloud applications to monitor activity and enforce established security policies.
Note
The CASB can offer services beyond just monitoring users’ actions, but must always be able to enforce compliance with security policies.
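As an added example (not part of the Network+ text), here is a minimal CASB-style policy engine run over a handful of constructed cloud-access log lines. The log format, the application names, and the three rules (block unsanctioned applications, block non-public data going to a tolerated personal app, alert on bulk downloads) are assumptions chosen for illustration, not a description of any particular product.

```python
"""Minimal CASB-style policy engine run over constructed cloud-access log lines.

Added example: not part of the Network+ text. The log format, application
names and policy rules are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Constructed log lines: timestamp user app action bytes classification
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice corp-drive download 20480 internal
2024-05-01T09:00:07Z alice corp-drive upload 4096 confidential
2024-05-01T09:01:12Z bob personal-box upload 1048576 confidential
2024-05-01T09:02:30Z bob personal-box upload 512 public
2024-05-01T09:03:45Z carol unknown-share download 2048 internal
2024-05-01T09:04:00Z alice corp-drive download 734003200 internal
"""

SANCTIONED_APPS = {"corp-drive", "corp-mail"}   # approved by the organization
TOLERATED_APPS = {"personal-box"}               # allowed for public data only
BULK_DOWNLOAD_BYTES = 500 * 1024 * 1024         # alert on a single download over 500 MiB


@dataclass
class Event:
    ts: str
    user: str
    app: str
    action: str
    nbytes: int
    classification: str


def parse_line(line):
    ts, user, app, action, nbytes, cls = line.split()
    return Event(ts, user, app, action, int(nbytes), cls)


def decide(ev):
    """Return (verdict, reason). Rules are evaluated in order; the first match wins."""
    if ev.app not in SANCTIONED_APPS | TOLERATED_APPS:
        return "BLOCK", "unsanctioned application"
    if ev.app in TOLERATED_APPS and ev.classification != "public":
        return "BLOCK", f"{ev.classification} data to tolerated app"
    if ev.action == "download" and ev.nbytes > BULK_DOWNLOAD_BYTES:
        return "ALERT", "bulk download"
    return "ALLOW", "policy ok"


def enforce(log_text):
    """Parse every non-empty line and return a list of (event, verdict, reason)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        verdict, reason = decide(ev)
        results.append((ev, verdict, reason))
    return results


def summarize(results):
    """Count verdicts so the policy's effect on the sample can be checked at a glance."""
    counts = {"ALLOW": 0, "ALERT": 0, "BLOCK": 0}
    for _, verdict, _ in results:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    results = enforce(SAMPLE_LOG)
    for ev, verdict, reason in results:
        print(f"{verdict:5} {ev.user:6} {ev.app:13} {ev.action:8} {reason}")
    print(summarize(results))
```

In a real deployment the log lines come from the CASB's proxy or from the cloud provider's API, and the "BLOCK" verdicts are enforced inline rather than just reported; the rule ordering matters because an unsanctioned app is blocked regardless of data classification.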
According to the NIST, Software as a Service (SaaS) is defined as follows: “The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example, web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.”
The words to focus on in this definition are that consumers use the provider's applications and that they do not manage or control any of the underlying cloud infrastructure. Figure 8.1 depicts the responsibility of each party in the SaaS model.
FIGURE 8.1 The SaaS service model
According to the NIST, Platform as a Service (PaaS) is defined as follows: “The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possible configuration settings for the application-hosting environment.”
The important words to focus on in this definition are that consumers can deploy, that they do not manage or control any of the underlying cloud infrastructure, but they can have control over the deployed applications. Figure 8.2 depicts the responsibility of each party in the PaaS model.
FIGURE 8.2 The PaaS service model
According to the NIST, Infrastructure as a Service (IaaS) is defined as follows: “The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possible limited control of select networking components (e.g., host firewalls).”
The words to focus on are that the consumer can provision, deploy, and run software. The consumer still does not manage or control the underlying cloud infrastructure, but is now responsible for the operating systems, storage, and applications running on it. Figure 8.3 depicts the responsibility of each party in the IaaS model.
FIGURE 8.3 The IaaS service model
Note
Regardless of the service model used, the characteristics of each of them are that they include on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.
After a service model is selected, the next decision is the delivery model. Both CompTIA and NIST recognize the delivery models discussed next.
ExamAlert
For the exam, know that there are three possible cloud service models: IaaS, PaaS, and SaaS.
The CompTIA objectives specifically list IaaS, PaaS, and SaaS as the three they test on. These are the most popular models in use today, but virtually anything can have "aaS" tacked onto the end of it and its subscription referred to "as a Service." This matters because three such models appear in the official acronym list but not in the objectives. Be sure you know what those acronyms stand for and a brief definition of each:
CaaS: Communication as a Service is outsourced communications leased from one or more vendors, such as Voice over IP (VoIP), videoconferencing applications, and so on.
DaaS: Desktop as a Service is an implementation of desktop virtualization that does not require you to build and manage your own infrastructure.
MaaS: Mobility as a Service is quite different from the other service models and is also known as Transportation as a Service (TaaS). It is the use of transportation other than company-owned vehicles on an as-needed basis.
A private cloud is defined as follows: “The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.”
Under most circumstances, a private cloud is owned by the organization, and it acts as both the provider and the consumer. Its commonly cited security advantage is that the infrastructure is not shared with other tenants and, when it is hosted on premises, its data need not traverse the public Internet. Note that the NIST definition also allows a private cloud to be hosted off premises by a third party, in which case that second advantage no longer applies automatically.
A public cloud is defined as follows: “The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.”
Under most circumstances, a public cloud is owned by the cloud provider, and it uses a pay-as-you-go model. A good example of a public cloud is webmail or online document sharing/collaboration.
A hybrid cloud is defined as follows: “The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).”
A hybrid can be any combination of other delivery models. Not only are public and private listed in the definition, but also community. CompTIA no longer includes the community cloud delivery model on the Network+ exam (but does require you to know it for its cloud-focused certifications). For real-world purposes, you should know that the key to distinguishing between a community cloud and other types of cloud delivery is that it serves a similar group. There must be joint interests and limited enrollment.
Note
A common reason for using cloud computing is to be able to offload traffic to a cloud provider's resources when your own servers become too busy. This is known as cloud bursting. It requires load-balancing technology that can redirect overflow requests to the provider, and traffic prioritization (quality of service, QoS) is often used alongside it so that the most important traffic is served first.
ExamAlert
For the exam, you should know that the most deployed cloud delivery models are private, public, and hybrid.
Most cloud providers offer several methods that clients can use to connect to them. Before investing in infrastructure, check with your provider to see which methods it recommends and supports. One of the most common is an IPsec hardware VPN connection between your network(s) and the cloud provider's. This method gives you a managed VPN endpoint on the provider side that includes automated redundancy and failover across multiple data centers.
A dedicated direct connection is another method: a private circuit into the provider that bypasses the public Internet. On its own, such a circuit isolates your traffic but does not encrypt it, so you can run the hardware VPN over the dedicated connection to get an IPsec-encrypted private link while also reducing Internet bandwidth costs.
Amazon Web Services (AWS) is one of the most popular cloud providers on the market. It offers both connectivity methods discussed here (calling the dedicated connection AWS Direct Connect and the managed IPsec option AWS Site-to-Site VPN), as well as a number of variations and combinations of the two.
Security is one of the most important issues to discuss with your cloud provider. Cloud computing holds great promise when it comes to scalability, cost savings, rapid deployment, and empowerment. As with any technology where so much is removed from your control, though, risks are involved. Each risk should be considered carefully to identify ways to help mitigate it. Naturally, the responsibilities of both the organization and the cloud provider vary depending on the service model chosen, but ultimately the organization is accountable for the security and privacy of the outsourced service.
Software and services not necessary for the implementation should be removed or at least disabled. Patches and firmware updates should be kept current, and log files should be carefully monitored. You should find the vulnerabilities in the implementation before others do and work with your service provider(s) to close any holes.
When it comes to data storage in the cloud, encryption is one of the best ways to protect it (so that it is of no value to unauthorized parties), and VPN routing and forwarding (VRF) instances can help keep different tenants' traffic separated on the network. Backups should be performed regularly (and encrypted and stored in safe locations), and access control should be a priority.
Note
For a good discussion of cloud computing and data protection, visit http://whoswholegal.com/news/features/article/18246/cloud-computing-data-protection.
Just as the cloud holds such promise for running applications, balancing loads, and a plethora of other options, it also offers the ability to store more and more data and to let a provider worry about scaling instead of local administrators. From an economic perspective, this can be a blessing. From an administrative point of view, though, it can present some issues. The redundancy that comes from having data in more than one location (local and remote) is wonderful when you need to recover data, but problematic when you want to be sure you are always working with the most recent version. To minimize problems, be sure that files are kept current and that synchronization between local and remote copies is always running.
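As an added example that is not part of the original chapter, the following Python decides, per file, whether the local or the cloud copy should win and flags the conflict case the paragraph warns about (both copies edited since the last successful sync). The file names, contents, and recorded sync state are constructed for illustration.

```python
"""Decide, per file, whether the local or the cloud copy is current, and flag
conflicts where both changed since the last sync.

Added example, not from the Network+ text. File names, contents and the
recorded sync state are constructed for illustration.
"""
import hashlib


def digest(content):
    """Content hash used to compare replicas (mtimes alone are unreliable across systems)."""
    return hashlib.sha256(content).hexdigest()


def classify(local, remote, last_synced_hash):
    """Compare one file's replicas against the hash recorded at the last sync.

    local / remote: {'hash': ...} or None when that copy does not exist.
    Returns 'in-sync', 'push', 'pull', 'delete-remote', 'delete-local',
    'conflict' or 'missing-both'.
    """
    lh = local["hash"] if local else None
    rh = remote["hash"] if remote else None
    if lh is None and rh is None:
        return "missing-both"
    if lh == rh:
        return "in-sync"
    local_changed = lh != last_synced_hash
    remote_changed = rh != last_synced_hash
    if local_changed and remote_changed:
        return "conflict"                 # both edited: do not overwrite either side
    if local_changed:
        return "push" if lh is not None else "delete-remote"
    return "pull" if rh is not None else "delete-local"


def plan_sync(local_index, remote_index, sync_state):
    """Return {path: action} for every path known on either side or in the sync state."""
    paths = set(local_index) | set(remote_index) | set(sync_state)
    return {p: classify(local_index.get(p), remote_index.get(p), sync_state.get(p))
            for p in sorted(paths)}


# Constructed sample state.
V1 = digest(b"report v1")
V2_LOCAL = digest(b"report v2 edited on laptop")
V2_REMOTE = digest(b"report v2 edited in browser")
N1, O1, X1 = digest(b"notes"), digest(b"old"), digest(b"brand new")

LOCAL = {"report.docx": {"hash": V2_LOCAL}, "notes.txt": {"hash": N1}, "new.txt": {"hash": X1}}
REMOTE = {"report.docx": {"hash": V2_REMOTE}, "notes.txt": {"hash": N1}, "old.txt": {"hash": O1}}
SYNC_STATE = {"report.docx": V1, "notes.txt": N1, "old.txt": O1}   # hashes at last successful sync

if __name__ == "__main__":
    for path, action in plan_sync(LOCAL, REMOTE, SYNC_STATE).items():
        print(f"{path:12} {action}")
```

The key design point is the third piece of state: without the hash recorded at the last sync, a tool can see that two copies differ but cannot tell which side changed, and "newest timestamp wins" silently discards one person's edits.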
Cram Quiz
1. With which cloud service model can consumers use the provider’s applications but not manage or control any of the underlying cloud infrastructure?
A. SaaS
B. PaaS
C. IaaS
D. GaaS
2. Which of the following involves offloading traffic to resources from a cloud provider if your own servers become too busy?
A. Ballooning
B. Cloud bursting
C. Bridging
D. Harvesting
3. Which of the following does the NIST define as a composition of two or more distinct cloud infrastructures?
A. Private cloud
B. Public cloud
C. Community cloud
D. Hybrid cloud
Cram Quiz Answers
1. A. With the SaaS cloud service model, consumers are able to use the provider’s applications, but they do not manage or control any of the underlying cloud infrastructure.
2. B. A common reason for using cloud computing is to be able to offload traffic to resources from a cloud provider if your own servers become too busy. This is known as cloud bursting.
3. D. The hybrid cloud delivery model is a composition of two or more distinct cloud infrastructures (public, private, and so on).
Explain the purposes of virtualization and network storage technologies.
CramSaver
If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.
1. What technology sends very large Ethernet frames that are less processor intensive?
2. True or false: Virtual NICs have MAC addresses assigned to them.
Answers
1. The goal of jumbo frames is to send very large Ethernet frames that are less processor intensive.
2. True. Virtual NICs (VNICs) have MAC addresses assigned to them.
Cloud computing and virtualization are two items that go together like ketchup and mustard on a hot dog; it is possible to use one without the other, but they are often used together. In the first half of this chapter, you learned the definitions for cloud computing; now you learn the principles of virtualization and storage-area networks.
Cloud computing is built on virtualization, the foundation on which it stands. At the core of virtualization is the hypervisor, the software (often with hardware assistance) that makes it possible. There are two implementation methods: Type I (known as bare metal) and Type II (known as hosted). A Type I hypervisor runs directly on the hardware and boots before any guest operating system, whereas a Type II hypervisor runs as an application on a host operating system and cannot start until that OS is up; it needs the host OS to stay up in order to operate. Figure 8.4 depicts the Type I model, and Figure 8.5 depicts the Type II model. From a performance and scalability standpoint, Type I is considered superior to Type II, and it also presents a smaller attack surface because there is no general-purpose host OS beneath the guests.
FIGURE 8.5 The Type II hypervisor model
Tip
The machine on which virtualization software is running is known as a host, and the virtual machines are known as guests.
Note
Hypervisors were once the only way to do virtualization; containers are now widely used alongside (and sometimes instead of) full virtual machines. Containers are not tested on this iteration of the Network+ exam, but for the real world you should know that a container is a piece of software bundled with everything it needs to run (code, runtime, system tools, system libraries, and so on) and that their use is becoming more common. Unlike virtual machines, containers on one host share that host's kernel, so the isolation between them is weaker than the isolation between VMs.
Cloud computing holds great promise when it comes to scalability, cost saving, rapid deployment, and empowerment. As with any technology where so much is removed from your control, however, risks are involved. Each risk should be considered and thought through to identify ways to mitigate it. Data segregation, for example, can help reduce some of the risks associated with multitenancy (multiple customers' workloads sharing the same physical hardware). Common virtual network components include virtual network interface cards (VNICs), virtual routers and switches, shared memory, virtual CPUs, and storage (shared or clustered).
In the following sections, we look at some of these components used to create the virtual environment.
Just as physical routers establish communication by maintaining tables of destinations and local connections, a virtual router works the same way but is software only. Remember that a router holds information about the networks connected to it and where to send traffic whose destination it does not otherwise know (the default route). Routing tables are populated either statically, by an administrator, or dynamically, by routing protocols that exchange routes with neighboring routers. Routing can occur within an autonomous system (interior) or between autonomous systems (exterior).
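The following added example (not from the Network+ text) implements the routing-table behaviour just described in Python: static and dynamically learned routes, a default route for destinations not otherwise known, and longest-prefix-match lookup so that a more specific route wins over a summary. The prefixes, next hops, and interface names are constructed.

```python
"""Software routing table with longest-prefix-match lookup.

Added example, not from the Network+ text. The prefixes, next hops and
interface names below are constructed for illustration.
"""
import ipaddress


class VirtualRouter:
    def __init__(self):
        # Each entry: (network, next_hop, interface, source)
        self.routes = []

    def add_static(self, prefix, next_hop, interface):
        """Route entered by an administrator. next_hop=None means directly connected."""
        self._add(prefix, next_hop, interface, "static")

    def add_dynamic(self, prefix, next_hop, interface, protocol):
        """Route learned from a routing protocol such as OSPF or BGP."""
        self._add(prefix, next_hop, interface, protocol)

    def _add(self, prefix, next_hop, interface, source):
        net = ipaddress.ip_network(prefix, strict=True)
        self.routes.append((net, next_hop, interface, source))
        # Most specific prefix first, so the first match is the longest match.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst):
        """Return (next_hop, interface, matched_prefix), or None when there is
        no matching route (the packet is dropped: no route to host)."""
        addr = ipaddress.ip_address(dst)
        for net, next_hop, iface, _source in self.routes:
            if addr in net:
                return next_hop, iface, str(net)
        return None

    def table(self):
        """Human-readable dump, most specific route first."""
        return [f"{net} via {nh or 'connected'} dev {iface} ({src})"
                for net, nh, iface, src in self.routes]


def build_example_router():
    r = VirtualRouter()
    r.add_static("0.0.0.0/0", "203.0.113.1", "vnic0")           # default route toward the ISP
    r.add_static("10.0.0.0/8", "10.1.0.1", "vnic1")              # summary for the corporate network
    r.add_dynamic("10.20.0.0/16", "10.1.0.2", "vnic1", "ospf")   # more specific route learned via OSPF
    r.add_static("192.168.50.0/24", None, "vnic2")               # directly connected segment
    return r


if __name__ == "__main__":
    r = build_example_router()
    print("\n".join(r.table()))
    for dst in ("10.20.5.7", "10.9.9.9", "192.168.50.10", "8.8.8.8"):
        print(dst, "->", r.lookup(dst))
```

Note that a router with no default route returns None for an unknown destination; in a real router that packet is discarded and, typically, an ICMP unreachable is sent back.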
A virtual switch, similarly, is a software program that allows one virtual machine (VM) to communicate with another. The virtual switch also lets the VMs share the host's physical NIC to reach the physical network and the Internet.
Switches are multiport devices that improve network efficiency. A switch keeps only a small amount of information about systems on the network: a table of MAC addresses and the port on which each was learned, as opposed to IP addresses. Because a switch forwards a unicast frame only out the port where the destination MAC was learned (a virtual circuit between the two ports), rather than repeating it to every port as a hub does, it improves efficiency, and it improves security because a network monitor on another port does not see that traffic. This protection is limited: MAC flooding or ARP spoofing can cause traffic to be flooded or redirected, so it is no substitute for encryption. The switch maintains limited information about nodes on the internal network and connects to other devices such as hubs or routers.
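Added example, not part of the original chapter: a learning-switch simulation that shows the MAC-address table at work, why a monitor on a third port sees only the initial flood and not the later unicast traffic, and how filling the table (MAC flooding) pushes the switch back into hub-like flooding. The MAC addresses, port numbers, and table size are constructed.

```python
"""Learning-switch simulation: why unicast traffic is isolated between ports,
and what MAC flooding does to that isolation.

Added example, not from the Network+ text. The MAC addresses, port numbers
and table size are constructed for illustration.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, num_ports, cam_capacity=1024):
        self.ports = list(range(1, num_ports + 1))
        self.cam = {}                     # MAC address -> port it was learned on
        self.cam_capacity = cam_capacity  # finite, like a real CAM table

    def receive(self, in_port, src, dst):
        """Learn src on in_port, then return the list of egress ports for dst."""
        if src in self.cam:
            self.cam[src] = in_port                # host moved: refresh
        elif len(self.cam) < self.cam_capacity:
            self.cam[src] = in_port                # learn a new address
        # else: table full, the new address cannot be learned

        if dst == BROADCAST or dst not in self.cam:
            return [p for p in self.ports if p != in_port]   # flood like a hub
        out = self.cam[dst]
        return [] if out == in_port else [out]               # virtual circuit


def mac(n):
    """Locally administered MAC derived from a small integer (constructed)."""
    return "02:00:00:%02x:%02x:%02x" % ((n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF)


def normal_traffic():
    """Hosts A (port 1) and B (port 2) talk; a monitor sits on port 3.
    Returns the egress ports of the first frame, the reply, and the second frame."""
    sw = LearningSwitch(num_ports=3)
    a, b = mac(1), mac(2)
    first = sw.receive(1, a, b)    # B unknown: flooded, so the monitor sees it
    reply = sw.receive(2, b, a)    # A known: delivered only to port 1
    second = sw.receive(1, a, b)   # B known: delivered only to port 2
    return first, reply, second


def after_mac_flooding(cam_capacity=64):
    """An attacker on port 3 sends frames from many bogus source MACs until the
    CAM table is full. Legitimate hosts can then no longer be learned, so their
    unicast traffic is flooded to every port, including the attacker's.
    (Simplified: a real switch ages entries out, so the attacker keeps flooding.)"""
    sw = LearningSwitch(num_ports=3, cam_capacity=cam_capacity)
    for i in range(cam_capacity):
        sw.receive(3, mac(1000 + i), BROADCAST)
    a, b = mac(1), mac(2)
    sw.receive(1, a, b)
    sw.receive(2, b, a)
    to_b = sw.receive(1, a, b)     # B was never learned: flooded to ports 2 and 3
    return to_b, len(sw.cam)


if __name__ == "__main__":
    print("normal:", normal_traffic())
    print("after MAC flooding:", after_mac_flooding())
```

On physical and virtual switches alike, the usual countermeasure is port security (limiting the number of MAC addresses learned per port), which is why the "switches hide traffic from monitors" argument holds only on a switch that is configured to defend its table.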
A virtual firewall (VF) is either a network firewall service or an appliance running entirely within the virtualized environment. Regardless of which implementation, a VF serves the same purpose as a physical one: packet filtering and monitoring. The firewall can also run in a guest OS VM.
One key to a VF is to not overlook the contribution of Network Address Translation (NAT). NAT allows an organization to present a single address (or set of addresses) to the Internet for all computer connections; it acts as an intermediary between the local-area network (which can use private IP addresses) and the Internet. NAT effectively hides your internal addressing from the world, making it much harder to determine what systems exist on the other side of the router.
Tip
Not only can NAT save IP addresses, but it also provides firewall-like protection: an unsolicited inbound packet matches no translation entry and is dropped. NAT does not inspect the traffic it does translate, however, so it is not a replacement for a firewall.
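Added example (not from the chapter): a port-address-translation table showing the two halves of the Tip above. Many inside hosts share one public address, and an unsolicited inbound packet matches no mapping and is dropped; but whatever an inside host initiates, including a connection to a hostile server, is translated back without inspection. Addresses and ports are constructed from the RFC 5737 documentation ranges.

```python
"""Port address translation (NAPT) table, showing how one public address is
shared and why NAT behaves like a firewall for unsolicited inbound traffic,
but not for anything an inside host initiates.

Added example, not from the Network+ text. Addresses and ports are
constructed for illustration (documentation ranges from RFC 5737).
"""


class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside_ip, inside_port, remote_ip, remote_port) -> public_port
        self.outbound = {}
        # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.inbound = {}

    def egress(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound packet; create a mapping the first time it is seen."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def ingress(self, remote_ip, remote_port, public_port):
        """Translate an inbound packet addressed to public_ip:public_port.
        Returns (inside_ip, inside_port), or None if no mapping exists and the
        packet is dropped."""
        return self.inbound.get((public_port, remote_ip, remote_port))


def scenario():
    nat = Nat("203.0.113.10")
    # Two inside hosts reach the same web server through one public address.
    t1 = nat.egress("192.168.1.10", 51000, "198.51.100.5", 443)
    t2 = nat.egress("192.168.1.11", 51000, "198.51.100.5", 443)
    # Replies match existing mappings and are translated back.
    r1 = nat.ingress("198.51.100.5", 443, t1[1])
    r2 = nat.ingress("198.51.100.5", 443, t2[1])
    # Unsolicited scan of the public address: no mapping, dropped.
    probe = nat.ingress("192.0.2.99", 12345, 22)
    # Caveat: an inside host that connects to a hostile server opens the door
    # itself; whatever comes back on that mapping passes uninspected.
    t3 = nat.egress("192.168.1.10", 51500, "192.0.2.99", 80)
    hostile_reply = nat.ingress("192.0.2.99", 80, t3[1])
    return {"t1": t1, "t2": t2, "r1": r1, "r2": r2,
            "probe": probe, "hostile_reply": hostile_reply}


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:14} {v}")
```

A stateful firewall keeps a similar table but adds policy (which inside hosts may talk to which destinations and ports) and, often, inspection of the translated traffic; NAT alone supplies only the table.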
A NIC within a machine can be either virtual or physical, and it is configured the same way. Existing on the virtual network, a VNIC must have an IP address, a MAC address, a default gateway, and a subnet mask, and its connection can be bridged to the physical network or not (for example, NAT or host-only). A VNIC is software only, but the virtual switch (and any VLAN configured on it) lets it communicate with other devices on the network.
ExamAlert
For the exam, you should be able to differentiate between the various virtualization components: switches, routers, firewalls, and NICs.
When talking about virtual networking, it is important to note that so much of what is discussed is software based. Never forget that the goal of virtualization is to emulate physical environments and devices without actually having those physical elements.
The consumer retains the ultimate responsibility for compliance. Per NIST SP 800-144, “The main issue centers on the risks associated with moving important applications or data from within the confines of the organization’s computing center to that of another organization (i.e., a public cloud), which is readily available for use by the general public. The responsibilities of both the organization and the cloud provider vary depending on the service model. Reducing cost and increasing efficiency are primary motivations for moving towards a public cloud, but relinquishing responsibility for security should not be. Ultimately, the organization is accountable for the choice of public cloud and the security and privacy of the outsourced service.” For more information, see http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf.
Shared storage can be done on storage-area networks (SANs), network-attached storage (NAS), and so on; the virtual machine sees only a “physical disk.” With clustered storage, you can use multiple devices to increase performance. A handful of technologies exist in this realm, and the following are those that you need to know for the Network+ exam.
Tip
Look to CompTIA’s Cloud+ certification for more specialization in cloud and virtualization technologies.
The Small Computer System Interface (SCSI) standard has long been the language of storage. Internet Small Computer System Interface (iSCSI) extends it over Ethernet by encapsulating SCSI commands in TCP/IP (the standard target port is TCP 3260).
Logical unit numbers (LUNs) came from the SCSI world and carry over, acting as unique identifiers for the devices (volumes) behind a target. Both NAS and SAN use "targets" that hold up to eight devices. That figure reflects the original SCSI bus addressing, and modern iSCSI and Fibre Channel targets can expose many more LUNs, but eight is the number the exam expects.
Using iSCSI in a virtual environment gives users block-level shared storage over the existing IP network without the difficulty of setting up Fibre Channel. The iSCSI initiator can run either at the hypervisor level (the hypervisor mounts the LUN and carves virtual disks out of it) or inside the guest operating system (the guest connects to the target directly). In the latter case, the partition size limits of the guest OS apply rather than those of the hypervisor's virtual disk format, which are usually more restrictive.
The disadvantage of iSCSI is that users can run into IP-related problems (addressing, MTU, and routing mistakes) if the configuration is not carefully monitored. Because it rides on ordinary IP, iSCSI traffic should also be kept on a dedicated storage network or VLAN, with CHAP authentication enabled between initiator and target; the protocol does not encrypt data in transit unless IPsec is added.
One of the biggest issues with networking is that data of various sizes is broken into frames and sent across the medium. Each frame carries headers (more data to process), plus any padding needed, creating overhead. Jumbo frames address this by allowing Ethernet frames with a payload larger than the standard 1500 bytes (commonly up to about 9000 bytes); by sending more data per frame, the number of frames is reduced, and the same transfer is less processor intensive. Every device along the path, including the switches, must be configured for the larger MTU, or frames will be dropped or fragmented.
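Added example covering the iSCSI and jumbo-frame points above (not from the chapter, and not any vendor's configuration format): an audit of a constructed iSCSI configuration that checks IQN syntax, CHAP settings, portal binding to the storage VLAN, and end-to-end MTU agreement. The weak configuration and its hardened counterpart are both constructed, and the STORAGE_VLAN_PREFIX is an assumption standing in for whatever subnet your storage network actually uses.

```python
"""Audit a constructed iSCSI configuration for the pitfalls mentioned above:
malformed IQNs, missing or one-way CHAP, a portal reachable outside the
storage VLAN, and MTU settings that break jumbo frames end to end.

Added example, not from the Network+ text and not any vendor's configuration
format; the dictionaries below are constructed for illustration.
"""
import re

# iSCSI qualified name: iqn.YYYY-MM.reversed-domain[:unique-name]
IQN_RE = re.compile(r"^iqn\.\d{4}-(0[1-9]|1[0-2])\.[a-z0-9][a-z0-9.-]*(:\S+)?$")
STORAGE_VLAN_PREFIX = "10.200."   # constructed: the dedicated storage subnet


def valid_iqn(name):
    return bool(IQN_RE.match(name))


def audit(cfg):
    """Return a list of findings (empty when the configuration passes)."""
    findings = []
    endpoints = cfg["targets"] + cfg["initiators"]
    for node in endpoints:
        if not valid_iqn(node["iqn"]):
            findings.append(f"{node['name']}: malformed IQN {node['iqn']}")
    for t in cfg["targets"]:
        if not t.get("chap"):
            findings.append(f"{t['name']}: CHAP authentication disabled")
        elif not t.get("mutual_chap"):
            findings.append(f"{t['name']}: one-way CHAP only, initiator cannot verify the target")
        ip, port = t["portal"]
        if ip == "0.0.0.0" or not ip.startswith(STORAGE_VLAN_PREFIX):
            findings.append(f"{t['name']}: portal {ip}:{port} not confined to the storage VLAN")
    # Jumbo frames only work if every endpoint agrees and the switches allow at least that size.
    end_mtus = {n["name"]: n["mtu"] for n in endpoints}
    if len(set(end_mtus.values())) > 1:
        findings.append("endpoint MTU mismatch: " + ", ".join(f"{k}={v}" for k, v in sorted(end_mtus.items())))
    for sw in cfg["switches"]:
        if sw["mtu"] < max(end_mtus.values()):
            findings.append(f"{sw['name']}: switch MTU {sw['mtu']} below endpoint MTU {max(end_mtus.values())}")
    return findings


WEAK_CFG = {
    "targets": [
        {"name": "san01", "iqn": "iqn.2023-04.com.example.storage:san01",
         "chap": True, "mutual_chap": False, "portal": ("10.200.0.5", 3260), "mtu": 9000},
        {"name": "san02", "iqn": "iqn.2023-13.com.example.storage:san02",   # month 13 is invalid
         "chap": False, "mutual_chap": False, "portal": ("0.0.0.0", 3260), "mtu": 9000},
    ],
    "initiators": [
        {"name": "esx01", "iqn": "iqn.2023-04.com.example.hosts:esx01", "mtu": 9000},
        {"name": "esx02", "iqn": "iqn.2023-04.com.example.hosts:esx02", "mtu": 1500},
    ],
    "switches": [{"name": "stor-sw1", "mtu": 9216}],   # switches usually allow a little headroom
}

HARDENED_CFG = {
    "targets": [
        {"name": "san01", "iqn": "iqn.2023-04.com.example.storage:san01",
         "chap": True, "mutual_chap": True, "portal": ("10.200.0.5", 3260), "mtu": 9000},
        {"name": "san02", "iqn": "iqn.2023-04.com.example.storage:san02",
         "chap": True, "mutual_chap": True, "portal": ("10.200.0.6", 3260), "mtu": 9000},
    ],
    "initiators": [
        {"name": "esx01", "iqn": "iqn.2023-04.com.example.hosts:esx01", "mtu": 9000},
        {"name": "esx02", "iqn": "iqn.2023-04.com.example.hosts:esx02", "mtu": 9000},
    ],
    "switches": [{"name": "stor-sw1", "mtu": 9216}],
}

if __name__ == "__main__":
    for f in audit(WEAK_CFG):
        print("FINDING:", f)
    print("hardened:", audit(HARDENED_CFG) or "no findings")
```

The MTU check is the one that bites in practice: a single initiator left at 1500 while the target and its peers run 9000 produces intermittent, hard-to-diagnose I/O errors rather than an outright failure.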
Instead of adapting an older technology to legacy standards, Fibre Channel (FC) is an option that provides a higher level of performance than anything else discussed here. It uses the Fibre Channel Protocol (FCP) to carry SCSI commands, and Fibre Channel over Ethernet (FCoE) can be used in high-speed (10 Gbps and higher) implementations.
The big advantage of Fibre Channel is its scalability. FCoE encapsulates FC frames over the Ethernet portions of the connectivity, making it easy to add into an existing network. As such, FCoE is an extension to FC intended to bring the scalability and efficiency of Fibre Channel to Ethernet infrastructure.
Storage is always a big issue, and the most capable answer is often a SAN. Unfortunately, a SAN can be costly and difficult to implement and maintain. That is where network-attached storage (NAS) comes in. NAS is easier to implement than a SAN and uses TCP/IP. It offers file-level access (for example, SMB or NFS shares), and a client sees the shared storage as a file server.
Note
On a SAN, multipathing creates multiple paths to the storage resources and can be used to increase availability and add fault tolerance.
ExamAlert
For the exam, you should know the difference between NAS and SAN technologies and how to apply them.
One high-speed technology on the market, and supported by the InfiniBand Trade Association, is InfiniBand (IB). This standard promises high throughput and low latency, making it ideal for high-performance computing interconnects (both within a computer and between computers). Both Mellanox and Intel have manufactured InfiniBand host channel adapters (HCAs) and switches, and Oracle Corporation has introduced a line of products as well.
Note
InfiniBand is designed to be scalable and uses a switched fabric network topology.
ExamAlert
For the exam, you should know that InfiniBand competes with Fibre Channel and a number of proprietary technologies.
Cram Quiz
1. Logical unit numbers (LUNs) came from the SCSI world and use “targets” that hold up to how many devices?
A. 4
B. 6
C. 8
D. 128
2. Which of the following technologies creates multiple paths to the storage resource?
A. Multilisting
B. Multihoming
C. Multitenancy
D. Multipathing
3. Which of the following types of virtualization is known as bare metal?
A. Type 0
B. Type I
C. Type II
D. Type III
Cram Quiz Answers
1. C. LUNs came from the SCSI world and carry over, acting as unique identifiers for devices. Both NAS and SAN use "targets" that hold up to eight devices.
2. D. On a SAN, multipathing creates multiple paths to the storage resources and can be used to increase availability and add fault tolerance.
3. B. There are two methods of implementation: Type I (known as bare metal) and Type II (known as hosted). Type I is independent of the operating system and boots before the OS, whereas Type II is dependent on the operating system and cannot boot until the OS is up, and it needs the OS to stay up.
Chapter 9, “Network Operations,” focuses on two important topics: network management and network optimization technologies and techniques.