© 2014 IBM Corporation
Neutron Networking: Service Groups, Policies and Chains
OpenStack Meetup - IBM OpenStack Lightning Talks
John M. Tracey for Mohammad Banikazemi
October 7, 2014
IBM T. J. Watson Research Center
Agenda
§ Current Neutron application programming interface
§ Example multi-tier application with current API
§ Application-centric abstraction
§ Group-based policy constructs
§ Example multi-tier application with policy extension
§ For more information
Abstract
§ Neutron is OpenStack’s networking service. It defines an API, but allows different implementations to be plugged in.
§ The current OpenStack Neutron API provides constructs that are closely tied to physical network entities.
§ To better support application developers and allow better separation of application and infrastructure concerns, a Neutron blueprint is well underway that adds a set of higher-level abstractions to Neutron, known as group-based policy.
Neutron application programming interface
• The current Neutron API is somewhat low-level
• Neutron constructs mirror physical devices
  • Network: layer-2 broadcast domain; private or shared
  • Port: virtual switch port on a network; has MAC and IP address properties
  • Subnet: CIDR IP address block associated with a network; optionally associated with a gateway and DNS/DHCP servers
  • Router: provides IP routing among networks; supports source NAT
Example multi-tier application
[Figure: example multi-tier application. Components shown: Web, Application, Database, Firewall, Load Balancer, External Network (Internet).]
Example multi-tier application with current Neutron CLI
[Figure: the same application expressed with Neutron constructs. Elements shown: three Network/subnet pairs (one per tier), a Router, the External Network, and Ports attaching instances to the networks.]
neutron net-create web_tier
# name the subnet: router-interface-add takes a subnet (or port), not a network
neutron subnet-create --name web_subnet web_tier 10.0.0.0/24
neutron router-create router1
neutron router-interface-add router1 web_subnet
Application-centric abstraction
• Need a more application-centric set of abstractions as well
  • More easily understood and used by higher layers
  • Declarative model
  • Separation of concerns (application vs. infrastructure)
• Provide policy-based connectivity between application tiers
• Enable redirection to network services and service chains
• Support dynamic application of policies
Group-based policy constructs
• Endpoint (EP)
  • Lowest unit of abstraction to which policy is applied
• Endpoint Group (EPG)
  • Logical grouping of endpoints
• Policy Rule
  • Specifies allowed/disallowed network access to EPGs
• Policy (a.k.a. contract)
  • Collection of policy rules
Example multi-tier application with GBP extension
[Figure: the same application expressed with GBP constructs. Endpoint Groups (EPGs) shown: External Network (Internet), Web, Application, Database; a Firewall sits on the redirect path. Policy rules shown between the EPGs:]
• Protocol: TCP, Port: 80, Action: Redirect to FW_LB_CHAIN
• Protocol: TCP, Port: 3306, Action: ALLOW
• Protocol: TCP, Port: 9080, Action: ALLOW
neutron classifier-create Insecure-Web-Access --port 80 \
    --protocol TCP --direction IN
neutron policy-rule-create insecure-web --policy-classifier \
    Insecure-Web-Access --actions ALLOW
neutron contract-create Web-Server-Contract --policy-rule insecure-web
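To show how the constructs from the "Group-based policy constructs" slide combine into the policy drawn on this slide, here is an added worked example in Python. It is not Neutron or GBP code; it is a small stand-alone model of classifiers, policy rules, contracts and endpoint groups, with the evaluation semantics assumed to be: a flow is allowed (or redirected) only if the destination EPG provides a contract that the source EPG consumes and one of that contract's rules matches; anything else is denied. The EPG names, the contract and chain names, and the provide/consume relationships are constructed for the example from the diagram above.

```python
"""Toy evaluator for group-based policy (GBP) constructs.

Added example, not Neutron/GBP project code.  Models the slide's
three-tier application: External -> Web (TCP 80, redirected through a
firewall/load-balancer chain), Web -> Application (TCP 9080) and
Application -> Database (TCP 3306).  Everything else is denied by default.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Classifier:
    name: str
    protocol: str        # e.g. "TCP"
    port: int            # destination port
    direction: str = "IN"  # relative to the EPG that provides the contract


@dataclass(frozen=True)
class PolicyRule:
    name: str
    classifier: Classifier
    action: str                  # "ALLOW", "DENY" or "REDIRECT"
    chain: Optional[str] = None  # service chain name when action is REDIRECT


@dataclass
class Contract:
    name: str
    rules: List[PolicyRule]


@dataclass
class EndpointGroup:
    name: str
    provided: List[Contract] = field(default_factory=list)  # contracts offered
    consumed: List[Contract] = field(default_factory=list)  # contracts used


@dataclass(frozen=True)
class Flow:
    src_epg: str
    dst_epg: str
    protocol: str
    dst_port: int


def evaluate(flow: Flow, epgs: Dict[str, EndpointGroup]) -> Tuple[str, Optional[str]]:
    """Return (action, chain) for a flow between two EPGs.

    The first matching rule wins, but only rules from a contract that the
    destination EPG provides AND the source EPG consumes are considered.
    With no match the result is DENY: policy opens paths explicitly, nothing
    is reachable between groups by default.
    """
    src, dst = epgs[flow.src_epg], epgs[flow.dst_epg]
    consumed = {c.name for c in src.consumed}
    for contract in dst.provided:
        if contract.name not in consumed:
            continue
        for rule in contract.rules:
            cl = rule.classifier
            if (cl.direction == "IN" and cl.protocol == flow.protocol
                    and cl.port == flow.dst_port):
                return rule.action, rule.chain
    return "DENY", None


def build_example() -> Dict[str, EndpointGroup]:
    """Constructed topology mirroring the slide's diagram (names are assumed)."""
    web_rule = PolicyRule("insecure-web", Classifier("Insecure-Web-Access", "TCP", 80),
                          "REDIRECT", chain="FW_LB_CHAIN")
    app_rule = PolicyRule("app-access", Classifier("App-Access", "TCP", 9080), "ALLOW")
    db_rule = PolicyRule("db-access", Classifier("DB-Access", "TCP", 3306), "ALLOW")

    web_contract = Contract("Web-Server-Contract", [web_rule])
    app_contract = Contract("App-Server-Contract", [app_rule])
    db_contract = Contract("DB-Server-Contract", [db_rule])

    return {
        "External": EndpointGroup("External", consumed=[web_contract]),
        "Web": EndpointGroup("Web", provided=[web_contract], consumed=[app_contract]),
        "Application": EndpointGroup("Application", provided=[app_contract],
                                     consumed=[db_contract]),
        "Database": EndpointGroup("Database", provided=[db_contract]),
    }


if __name__ == "__main__":
    topo = build_example()
    for f in (Flow("External", "Web", "TCP", 80),
              Flow("Web", "Application", "TCP", 9080),
              Flow("Application", "Database", "TCP", 3306),
              Flow("External", "Database", "TCP", 3306),   # no contract path
              Flow("Web", "Application", "TCP", 22)):      # no matching rule
        print(f"{f.src_epg:>11} -> {f.dst_epg:<11} {f.protocol}/{f.dst_port}: "
              f"{evaluate(f, topo)}")
```

The point to take from the evaluation is the one the slide makes visually: the database tier is reachable only from the application tier, on the one port the contract names, and external traffic to port 80 cannot bypass the firewall/load-balancer chain because the redirect is part of the policy rather than of the physical topology. A flow with no contract path (External to Database) or no matching classifier (Web to Application on port 22) falls through to DENY.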
For further information
• Neutron wiki
  • https://wiki.openstack.org/wiki/Neutron
  • https://ibm.biz/BdFyZu
• Blueprints for Neutron
  • https://blueprints.launchpad.net/neutron
  • https://ibm.biz/BdE4dC
• Group-based policy abstractions for Neutron
  • https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
  • https://ibm.biz/BdE4dQ