Field of the Invention
The present application relates to data center networks. In particular, but not exclusively, the present application relates to connectivity and security in data center networks.
Description of the Related Technology
Data center deployments, including cloud computing environments, typically provide a computational resource in the form of a number of servers, which can be utilized for various computational tasks, such as data processing, file serving, application hosting and provision telecommunications services. Such servers are typically comprised within a data center network which interconnects the various servers in the data center deployment and facilitates communication between them. Commonly, the data center network will take the form of a local area network (or LAN), which is deployed at a data center facility which houses the various servers and other necessary hardware required for the data center deployment.
More recently, particularly in cloud computing environments, a data center deployment may include servers at different geographic locations. Such deployments may be referred to as distributed data centers. A distributed data center network may provide geographical redundancy to the data center deployment, such that a disruption or failure at a particular data center facility does not result in a loss of service, as the required computation can be provided by servers at other data center facilities in the data center network.
The computational resource provided by a data center may be utilized in various ways. In one variety of architecture, each server in a data center may have a dedicated function or set of functions to perform. However, this can result in poor scalability and inefficient hardware-resource utilization because some functions in the data center network may not utilize all of the hardware resources that have been allocated. To address this, virtualization techniques have been developed which allow a virtual system (or ‘guest’) to be created and deployed on a real, physical machine (or ‘host’) such as a server. Varieties of known guest virtual systems include virtual machines, as well as virtual environments (such as Linux Containers; LXC). The virtual system then behaves as if it were an independent machine or environment with a defined function or set of functions to perform.
One of the advantages that use of virtualization can provide in data center networks is that multiple guests can be deployed on a single host, with each guest sharing the available hardware resources of the host machine, but operating potentially independently of each other. If the guests running on a particular host are not making efficient use of the computational resource of the host machine (i.e. there is a significant amount of spare capacity available on the host), then an extra guest can be added to the host. Similarly, if the guests running on a particular machine require more combined computational resource than the host machine can provide, then one or more of the guests can be moved to a different host machine in the data center network. Additionally, if the overall demand on the data center network (or on a particular function in the data center network) increases, this demand can be met by setting up additional guests (either by utilizing spare capacity on one of the host machines in the data center network or by adding extra hosts to the data center network).
The guest virtual systems in a data center deployment may be virtualized as separate communication endpoints in the data center network (which may be configured as a local area network, or LAN, for example). In such deployments, each host server may act as a switch to pass data packets to and from the guests that it hosts. Typically, data center networks operate according to the Internet Protocol (IP) suite. According to the internet protocol, such switching within a particular network (e.g. a LAN) is performed on the basis of a destination media access control (MAC) address specified in the data packet. In terms of the open systems interconnection (OSI) model, such MAC addressed based switching is considered to take place at “Layer 2”. In this way, all of the guests in the data center network are conceptually located in the same network.
In some data center deployments, all of the guests may belong to the same enterprise (or ‘tenant’). Such deployments are known as single tenant data centers. Alternatively, so called multi-tenant data centers may include guests belonging to several different tenants. In order to provide segregation between the virtual systems of different tenants, e.g. for information security or conflict avoidance reasons, a number of virtual LANs may be configured in the network which provide connectivity between the various virtual systems associated with a given tenant, but not to virtual systems associated with different tenants.