1、2數據中心的處理器 演進與挑戰數據中心的變革 以數據為中心21st Century Unit of ComputingDPUGPUCPU3Accelerated Disaggregated Infrastructure (ADI)數據中心變成了新的計算單元NVIDIA NetworkingSoftware defined, Hardware-accelerated DPU (data processing unit)DPU essential to disaggregate resources & make composable ADIAccelerated ComputingGPU: AI

2、& machine learningGPU critical for AI & machine learning Every workload will become AI Accelerated4軟件定義和硬件加速成為數據中心的核心Software Defined SecurityDistributed IDS/IPS NG FirewallSoftware Defined StoragevRoutervSwitchVMs & ContainersSoftware Defined NetworkingNVMe-oFData Storage Direct EncryptionMicroDDOS

3、 Segmentation PreventionTelco/NFVElastic StorageRoot of TrustCompression DeDupNAT/Load Balancer5DPU 成為大勢所趨Software Defined Data Center Infrastructure-on-a-Chip軟件定義的數據中心架構級芯片To Software Defined Infrastructure on CPUTo Software Defined Infrastructure on DPUFrom Hardware AppliancesManagementStorageSecu

4、rityNetworkingNVIDIA NICSoftware-defined SecuritySoftware-defined NetworkingSoftware-defined StorageInfrastructure ManagementAcceleration EnginesNVIDIA DPU with Arm Cores & AcceleratorsSoftware-defined NetworkingSoftware-defined SecuritySoftware-defined StorageInfrastructure ManagementAcceleration E

5、ngines67NVIDIA DPU數據中心級處理器架構總覽8BLUEFIELD-2 DPU數據處理單元Data Center Infrastructure-on-a-Chip數據中心架構級芯片69 億 Transistors8 個 64-bit Arm CPUs Cores 雙 16-way VLIW Engine 100 Gbps 的 IPsec 性能50 Gbps 的 RegEx 性能 100 Gbps Video Streaming 5 百萬 NVMe IOPs相當于 125 個 x86 CPU Cores 的工作BLUEFIELD-2 DPU 功能示意圖200 Gbps Ethern

6、et & InfiniBand, NRZ & PAM4 modulationPowered by ConnectX-6 Dx8 ARM A72 CPUs subsystem in a Tile architecture8MB L2 cache, 6MB L3 cache in 4 TilesARM Frequency up-to 2.5GHzFully integrated PCIe switch, 16 bi-furcated Gen4.0Root Complex or End Point modes1GbE Out-of-Band management port16 lanes PCIe

7、Gen3/49BLUEFIELD-2 全面提升應用效率單一 DPU 硬件加速和 CPU 軟件執行效率對照一覽10X15X30X50XMALWARE PATTERN MATCHINGVIDEO STREAMINGIPSEC ENCRYPTIONELASTIC BLOCK STORAGE2.5XCLOUD OVERLAY NETWORKING150X10NG STATEFUL FIREWALL11DPU 在安全、存儲和云 場景的應用12SECURED HARDWARESecure FW upgrade Root-of-Trust Arm trust zoneDPU 數據中心的安全保障Integra

8、ted Security for modern data center needsADVANCED L4-L7 SECURITYCRYPTO ACCELERATIONPROGRAMMABILTY & ISOLATIONNG stateful firewall Deep Packet Inspection Host introspectionData-in-motion enc.Data-at-rest enc.Public Key AccelerationHardened Isolation Micro-Segmentation Programmable algo.13數據中心的安全防護正在由

9、外圍向內部轉移Software Defined Networking (SDN)Encryption (Software)L4-L7 InspectionWorkloadSoftwaredefinedStorage (SDS)WorkloadFirewall / Micro-segmentationNICOptionalDPUL4-L7 InspectionU-SegmentationNGFW / CryptoSDN & SDSIDSNGFWAnti- Malware核心數據中心邊緣 IsolationIT OpsCloud ServerCloud ServerDevOpsWITHOUT DP

10、UWITH DPUIT OpsDevOpsWorkloadWorkloadWorkloadWorkloadWorkloadWorkload最安全的 DPU - BLUEFIELD-2Trust Shifts to the DPURoot-of-TrustStateful FirewallInline Crypto AcceleratorsDeep Packet InspectionIsolated Security Control PlaneFull Isolation from the HostCPUGPUNetwork TrafficDistributed NG FirewallIDS/I

11、PSDDOSPreventionMicro SegmentationRoot of Trust14Better SecuritySmaller attack surfaceReal-time reaction to threats Security in every host & workload Transparent cryptography在云上提升安全性能 讓云更安全Shifting the trust to NVIDIA DPUBetter TCOOpex savings Capex savingsBetter PerformanceHardware acceleratedInlin

12、e networking & storage acceleration Seamless integrative securityFull visibility15UNPARALLELED PERFORMANCESTORAGE SECURITYSECRET SAUCEDual 100Gbps or single 200Gbps Up to 5.4M IOPs 4KBLowest latency NVMe-oF accelerationDPU 讓存儲更安全高效Storage Agility Meets Best-in-Class Hardware AccelerationData-at-rest

13、 AES-XTS encryption Authentication services Protection between usersNVMe SNAP / Virtio-blk SNAP Integrated data & control planes Data (De)Compression Deduplication16BLUEFIELD 面向彈性塊存儲的 SNAP 技術支持各種存儲應用場景 : DAS, Scale-UP, Scale-OUT, Hyperconverged 等Remote Storage Access NVMe-oF & RDMA offload iSCSI, iS

14、ER, NFS, CEPHHyperconverged Local Storage Access Direct/IndirectIndirectDirectNVME SNAPEmulated Interfaces on PCIeNVMe SNAP / virtio-blk SNAP1718DPU 讓存儲更靈活、易重構Emulates remote storage to appear as local to the host OSDynamically assigned storage, not bound by physical capacityVirtualized or Bare Meta

15、l CloudOver-provisioning, scaled to rack/cluster Inbox standard driversOS agnostic - supports legacy OSs重塑企業云的效益Compute PlatformsHOST OSRemote StorageVirtio-blkDPU SNAP FrameworkNVMe19越來越多的應用需要更先進的網絡技術Kubernetes typically runs modern workloads: data-driven, real-time and highly distributedMicroservi

16、ces run on multiple, arbitrary serversEach microservice runs multiple timesMicroservices generate intensive east-west data movements High-throughput, low-latency is imperativeMonolithic ArchitectureMicroservice ArchitectureLimited CommunicationUIData Access Layer Business LogicUIMicroserviceMicroser

17、viceMicroserviceMicroserviceMassive Communication20Accelerating all pod-to-pod, ClusterIP service communicationFull upstream solution, integrated into Linux kernel, OVS and OVN communitiesFlexible solution for accelerating the primary network (Kubernetes API) or secondary network with meta CNI (Mult

18、us)Leverage advanced offloads including overlay network encap/decap, connection tracking and NATDPU 賦能 OVN SDNOVS 操作和 OVN 控制被卸載到 BlueField-2 DPUsHostHostPodPodOVS PipelineOVN ControllerOVN K8S CNINICOVN K8S CNIDPUOVN ControllerOVS Pipeline從數據平面和控制平面加速 GPUDIRECT RDMAAccelerating GPU-to-GPU communicat

19、ions by employing RDMA to offload the CPU and host memory Highest throughput and lowest communication latency for GPUs commsGPUMemoryPCIeNode 1NetworkCPUGPUCPUMemoryGPUMemoryPCIeNode 2CPUGPUCPUMemoryDPUDPU21將管理云一樣管理 BARE-METAL 系統Software-defined NetworkingBare-Metal Cloud SecurityStorage-Defined Sto

20、rageFull-featured SDN capabilitiesFull orchestration through upstream OpenStack Neutron APIsComplete host isolation for the tenants workloadNo security agents running on servers with impact on performanceVirtualized storage flexibility with local storage performance Dynamically allocates cloud stora

21、ge and back-ups in the storage cloud22Limited to network security with ACLsNo visibility to the hosts workloads, failing to implement effective security strategiesIncreased surface for east-west attacksSecurity Policy in TOR SwitchTenants DomainProviders DomainNICBare-Metal HostSecurity Policy BlueF

22、ield-2 DPUComplete isolation of the security enforcement from the tenants workloadEnabling diverse cyber security solutions, enhancing data-center securityNo need to install agents on serversNo impact on server performanceBLUEFIELD 保障 BARE-METAL KUBERNETES 的安全Applying Security Policies on BlueField-

23、2 Arm, Fully Isolated from the Hosts CPU and OSTOR SwitchApplying Security Policies on TOR SwitchCPUGPUTOR SwitchCPUBare-Metal Host23Limited to no SDN capabilitiesOrchestration through proprietary TOR switch vendor pluginsMandates proprietary network driver installation in bare-metal hostNetworking

24、in TOR SwitchTenants DomainProviders DomainNICBare-Metal HostSDN Integration with BlueField-2 DPUFull-featured SDN hardware-accelerated capabilitiesFull orchestration through upstream OpenStackNo installation of network driver in bare-metal hostBLUEFIELD 在 BARE-METAL 云上實現了 SDNApplying Neutron OVS L2

25、 Agent on BlueField-2 ArmTOR SwitchOpenStack Policies on TOR SwitchCPUGPUTOR SwitchCPUBare-Metal Host24Bound by physical storage capacityNo backup service or limited local RAID No option to manage storage resources No migration of resourcesLocal Physical Drive in BM HostTenants DomainProviders Domai

26、nNICBare-Metal HostNVMe SNAP on BlueField-2 DPUSame flexibility as virtualized storageBacked-up in the storage cloudDynamically allocated cloud storageOS agnostic, only NVMe driver neededTOR SwitchBare-Metal HostBLUEFIELD 在 BARE-METAL 云上實現了 SDSRemote StorageTOR SwitchOpenStack Policies on TOR Switch

27、CPUCPU2526DPU 的應用案例分享27云 ：NVIDIA & VMWARE 在混合云上強強聯手Run Modern Workloads Efficiently Over New Composable, Disaggregated InfrastructureBare Metal Linux &WindowsIsolationNetwork and Security: NSX SvcsCompute HypervisorStorage: VSAN DataESXiHost ManagementDPUProject Monterey28Todays EnvironmentNetwork &

28、 Security: NSX SvcsCompute HypervisorStorage: VSAN DataESXiHost Management新一代的 VMware cloud foundation 架構Bare Metal Linux & WindowsIsolation LayerCompute HypervisorESXiToPdraoyjescEt nMvoirnotnemreeyntORNICDPUNetwork & Security NSXStorage VSAN DataHost Management云：構建新一代的 VMWARE CLOUD FOUNDATION 架構存儲

29、：全自動運維、橫向可擴展的 NVME-OF 存儲Automated provisioning of networked storage to servers without using any host resourcesData analytics, ML/AI on any OS or hypervisor can now take advantage of scale-out NVMe storageInstantly attach/detach data sets and storage, and replace failed components in secondsHigh per

30、formance, continuously adaptable infrastructure for data-intensive applicationsDriveScale Blog29安全：主機無需安全代理的 (AGENTLESS) SEGMENTATIONGuardicore introduces complete network level visibility. Tracks connections and reports network events and their verdictGuardicore enforcement policy is accelerate by

31、the DPU hardware by offloading the segmentation rulesGuardicore agents running on BlueField cores in a separated trusted domain, enforce policies even on a compromised hostGuardicore CentraBlueField-2 DPULINUX OSGUARDICORE AGENTBare-Metal HostOVSBare-Metal ServerGuardicore Blog30安全： DPU 加速 CHECK POI

32、NT INFINITY CLOUDCheck Point Infinity Nano-agents are deployed on the NVIDIA DPU to protect, isolate and accelerate the cloud and edgeThe DPU & the Nano-agents enforce the distributed security policy created by the Infinity centralized managementCheckPoint Tech & Nvidia are working together to accel

33、erate security services with AI on every compute nodeProtect, isolate and accelerate the cloud and edgeHostWorkloadWorkloadNano-Agent31WorkloadDPUCheckPoint Blog32基于 DOCA SDK 的應用 開發指南33SDK for BlueField DPUsOpen source APIs DPDK, SPDK, P4Certified reference apps & 3rd party solutionsSupport for mult

34、iple OSNVIDIA DOCA 介紹Data Center Infrastructure-on-a-Chip Architecture 數據中心級架構芯片的 軟件架構StorageSPDKSecurityDPDKNetworkingDPDK / P4DOCA SDKINFRASTRUCTURE APPLICATIONSASAP2CRYPTORoTRDMASNAPManagementTelemetryInfrastructure ManagementSoftware-defined StorageSoftware-defined SecuritySoftware-defined Netwo

35、rking一個 DPU 方案滿足所有客戶的需求Open PlatformVMWare based SolutionFull Solution & EcosystemToday20212021BlueField-2 DPUDOCA SDKCustomer AppsVMwareDOCA SDK3rd Party AppsBlueField-2 DPUBlueField-2 DPU34與合作伙伴共建 DPU 生態系統Storage ISVs | Security ISVs | Infrastructure35完善的 NVIDIA 認證體系Servers Designed and Optimized for Accelerated ComputingPerformance OptimizedAccelerated Compute and I/O