floatingip enahncement for plublic cloud infrastructure · 2017-08-13 · network node compute...
TRANSCRIPT
Copyright 2015 FUJITSU LIMITED
FloatingIP Enhancement For
Public Cloud Infrastructure
June 4, 2015
Yushiro Furukawa
Fujitsu Limited
0
Who am I ?
Yushiro Furukawa (Speaker)
Software Engineer of Fujitsu from 2011
•Developer of OpenStack Neutron
Characteristics
•Red glasses frame
Copyright 2015 FUJITSU LIMITED 1
Agenda
1. OpenStack Neutron Overview
2. FloatingIP allocation with public cloud infrastructure
3. Legacy Router and DVR
Copyright 2015 FUJITSU LIMITED 2
OpenStack Neutron Overview
Copyright 2015 FUJITSU LIMITED 3
OpenStack Neutron
Copyright 2015 FUJITSU LIMITED 4
OpenStack Neutron
• Provide L2 / L3 networking
• Network isolation between tenants
• vRouter, NAT
• DHCP server
• Firewall
• FloatingIP
Etc…
• Connectable for VM Instances
created by Nova.
Copyright 2015 FUJITSU LIMITED 5
Neutron Components (Legacy Router)
Copyright 2015 FUJITSU LIMITED
Controller Node
Compute Node
Network Node
eth0
eth1 eth2 eth1 eth2 eth1
eth0
Data network Management network
External network
Neutron Server
ML2 plugin
ML2 plugin
OVS-agent
ML2 plugin
OVS-agent
L3-agent
DHCP-agent
Metadata-agent
API network
6
Neutron services
Copyright 2015 FUJITSU LIMITED
VM
Instance
vRouter
Internet
Subnet
VM
Instance
Firewall
External Network
Network
Security-group Security-group
Tenant
Port Port
7
Security-group Security-group
Neutron virtual networking services
Copyright 2015 FUJITSU LIMITED
VM
Instance
Port
vRouter
Internet
Subnet
VM
Instance
Port
Firewall
External Network
Network
Virtual L2 network
Connects a VM instance and Network
Able to attach Security-Group
IP address pool
Provides an IP address for Port
Network
Port
Subnet
Tenant
8
Neutron extension services
Copyright 2015 FUJITSU LIMITED
VM
Instance
Port
vRouter
Internet
Subnet
VM
Instance
Port
Firewall
External Network
Network
Security-group Security-group
Security-group
Firewall
FloatingIP
External Network
Connects Networks, also Network and External network.
Virtual L2 network between the Internet and tenants
Will be explained later
Works on Port
Filters ingress/egress packets
Uses a White-list for filtering
Works on vRouter
Filters packets
vRouter
Tenant
9
FloatingIP Allocation For
Public Cloud Infrastructure
Copyright 2015 FUJITSU LIMITED 10
Tenant:A Tenant:B
What is FloatingIP?
In public cloud, GlobalIP is usually used as FloatingIP.
We can associate a FloatingIP with a specific Port.
Copyright 2015 FUJITSU LIMITED
VM1 VM2 VM3 VM1 VM2 VM3
External Network
172.10.1.0/24
Network
vRouter
FloatingIP
Internet
localIP:192.168.1.100 localIP:192.168.2.100
Port Port Port Port Port Port
11
Tenant:A Tenant:B
Setup steps
1. Create a FloatingIP
$ neutron floatingip-create FLOATING_NETWORK
2. Associate the FloatingIP with a Port of a VM instance.
$ neutron floatingip-associate FLOATINGIP_ID PORT
Copyright 2015 FUJITSU LIMITED
VM1 VM2 VM3 VM1 VM2 VM3
External Network
172.10.1.0/24
172.16.1.3
1
2
Internet
Network
vRouter
localIP:192.168.1.100 localIP:192.168.2.100
Port Port Port Port Port Port
12
Tenant:A Tenant:B
How FloatingIP works?
SNAT and DNAT rule are added into vRouters.
Copyright 2015 FUJITSU LIMITED
VM1 VM2 VM3 VM1 VM2 VM3
172.16.1.2 172.10.1.3
Internet SNAT and DNAT
localIP FloatingIP
Port Port Port Port Port Port
localIP:192.168.1.100 localIP:192.168.2.100
Network
vRouter
13
Case-1: Single External Network
GlobalIP is used as FloatingIP.
FloatingIP address is allocated from the Subnet.
IP address for physical network devices is manually picked up from the IP addresses in the Subnet.
Meaning the cloud provider has to make sure to avoid overlapping
Copyright 2015 FUJITSU LIMITED
Physical
Network Devices Physical
Network Devices
Subnet
133.10.1.0/24
External Network
Internet
VM1
Port
VM2
Port
VM3
Port
vRouter
Network
14
Case-1: Single External Network
Copyright 2015 FUJITSU LIMITED
Physical
Network Devices Physical
Network Devices
vRouter
External Network
Internet
This increases complexity of address allocation algorithm
VM1
Port
VM2
Port
VM3
Port
Subnet
133.10.1.0/24
GlobalIP is used as FloatingIP.
FloatingIP address is allocated from the Subnet.
IP address for physical network devices is manually picked up from the IP addresses in the Subnet.
Network
15
FloatingIP pool
133.10.1.0/24
Proposal of Case-1
GlobalIP is used as FloatingIP.
Use PrivateIP for vRouters and physical routers.
Create “FloatingIP Pool” for FloatingIP allocation.
The cloud provider no longer has to be worried about overlapping
Copyright 2015 FUJITSU LIMITED
Physical
Network Devices Physical
Network Devices
subnet
100.64.0.0/24 External Network
Internet
VM1 VM2 VM3
vNIC Port Port Port
vRouter
Network
16
Case-2: Multiple External Networks
Copyright 2015 FUJITSU LIMITED
Physical
Network Devices Physical
Network Devices
External Network
Internet
Physical
Network Devices Physical
Network Devices
External Network
GlobalIP is used as FloatingIP.
There can be a case where several external networks exist in the infrastructure for some reasons
…
VM1 VM2 VM3
vNIC Port Port Port
subnet
100.64.0.0/24 subnet
100.65.0.0/24
vRouter
Network
17
Case-2: Multiple External Networks
Copyright 2015 FUJITSU LIMITED
Physical
Network Devices Physical
Network Devices
External Network
Internet
Physical
Network Devices Physical
Network Devices
External Network
GlobalIP is used as FloatingIP.
There can be a case where several external networks exist in the infrastructure for some reasons
…
Tenant-user have to select which external network to connect to,
but it’s just a burden tenant users shouldn’t be take
VM1 VM2 VM3
vNIC
subnet
100.64.0.0/24 subnet
100.65.0.0/24
Port
vRouter
Network
Port Port
18
subnet
100.64.0.0/24 subnet
100.65.0.0/24
Proposal of Case-2
Abstract the External Network
Tenant-users can see only one abstracted external network
FloatingIP pool simplifies the mechanism of the Abstracted External Network.
Without FloatingIP pool, each External network has a Subnet, and the Abstracted External Network needs to select which Subnet to use...
Copyright 2015 FUJITSU LIMITED
Physical
Network Devices Physical
Network Devices Internet
Physical
Network Devices Physical
Network Devices
External Network
External Network Abstracted External Network
…
FloatingIP pool
133.10.1.0/24
VM1
vNIC
VM2
vNIC
VM3
vNIC Port Port Port
vRouter
Network
19
However….
I have been thinking about FloatingIP enhancement for legacy router configuration.
DVR is becoming the de facto standard configuration, and now I also should consider to develop the enhancement on DVR.
Copyright 2015 FUJITSU LIMITED
DVR?
20
DVR (Distributed Virtual Router)
Enhancement
Copyright 2015 FUJITSU LIMITED 21
Neutron Components (Legacy-Router)
Copyright 2015 FUJITSU LIMITED
Controller Node
Compute Node
Network Node
eth1 eth2 eth1 eth2 eth1
eth0
Data network Management network
External network
Neutron Server
ML2 plugin
ML2 plugin
OVS-agent
ML2 plugin
OVS-agent
L3-agent
DHCP-agent
Metadata-agent
API network
eth0
22
Neutron Components (DVR)
Copyright 2015 FUJITSU LIMITED
Controller Node
Compute Node
Network Node
eth0
eth1 eth2 eth1 eth2 eth1
eth0
Data network Management network
External network
Neutron Server
ML2 plugin
ML2 plugin
OVS-agent
ML2 plugin
OVS-agent
L3-agent (SNAT)
DHCP-agent
L3-agent
Metadata-agent
API network
eth0
23
Network Traffic on Legacy Router
Copyright 2015 FUJITSU LIMITED
VM1 VM2
Network Node
Compute Node#2
Compute Node#1
VM1 VM3 VM2
br-int br-int br-ex br-int
Main characteristic:
vRouter only exists on Network Node.
All network traffic must go through Network Node.
• East-West (between different Subnets)
• North-South (between the Internet and tenants using FloatingIP or SNAT)
=> Can be a performance bottle neck.
Network Node is also Single-Point-of-Failure. 24
Network Traffic on DVR
Copyright 2015 FUJITSU LIMITED
Main characteristic:
vRouter exists on all Compute Nodes.
Basically, Network traffic only has to go through Network Node when the traffic goes to the Internet using SNAT
=> Performance can scale more.
VM1 VM2
Network Node
Compute Node#2
Compute Node#1
VM1 VM3 VM2
br-int br-ex br-ex br-ex
SNAT
br-int br-int
25
Network Traffic Case#1
Copyright 2015 FUJITSU LIMITED
Legacy Router: to
DVR: to
VM1 VM2
VM1 VM2
Network Node
Compute Node#2
Compute Node#1
VM1 VM3 VM2
br-int br-int br-ex
Network Node
Compute Node#2
Compute Node#1
VM1 VM3 VM2
br-int br-int br-ex br-ex br-ex
fIP SNAT
br-int
br-int
Between VMs in the same Subnet and host
26
Network Traffic Case#2
Copyright 2015 FUJITSU LIMITED
Legacy Router: to
DVR: to
VM1 VM3
VM1 VM3
Network Node
Compute Node#2
Compute Node#1
VM1 VM3 VM2
br-ex
Network Node
Compute Node#2
Compute Node#1
VM1 VM3 VM2
br-int br-ex br-ex br-ex
fIP SNAT
br-int
br-int br-int
br-int
br-int
Between VMs in the same Subnet, but in Different hosts
27
Network Traffic Case#3
Copyright 2015 FUJITSU LIMITED
Legacy Router: to
DVR: to
VM1 VM2
VM1 VM2
Network Node
Compute Node#2
Compute Node#1
VM1 VM3 VM2
br-int br-ex
Network Node
Compute Node#2
Compute Node#1
VM1 VM3 VM2
br-int br-int br-ex br-ex br-ex
fIP SNAT
br-int
br-int
Between VMs in the same hosts, but in different Subnets
br-int
28
Network Traffic Case#4
Copyright 2015 FUJITSU LIMITED
Legacy Router: to
DVR: to
VM1 VM3
VM1 VM3
Network Node
Compute Node#2
Compute Node#1
VM1 VM3 VM2
br-int br-ex br-ex br-ex
fIP SNAT
br-int br-int
Between VMs in different Subnets and hosts
Network Node
Compute Node#2
Compute Node#1
VM1 VM3 VM2
br-int br-ex br-int br-int
29
Network Traffic Case#5
Copyright 2015 FUJITSU LIMITED
Legacy Router: to external
DVR: to external
VM3
VM3
Network Node
Compute Node#2
Compute Node#1
VM1 VM2
br-int br-ex
Network Node
Compute Node#2
Compute Node#1
VM1 VM3 VM2
br-int br-ex
fIP SNAT
br-int br-int br-ex br-ex
br-int br-int
Between the External Network and a VM using FloatingIP
VM3
30
Network Traffic Case#6
Copyright 2015 FUJITSU LIMITED
Legacy Router: is booted from Nova VM3
VM3
Network Node
Compute Node#2
Compute Node#1
VM1 VM2
br-int br-ex
Network Node
Compute Node#2
Compute Node#1
VM1 VM2
br-int br-ex
fIP DHCP
br-int br-ex br-ex
br-int br-int
DVR: is booted from Nova
DHCP VM3
VM3
br-int
VM booting: a VM accesses to DHCP server
31
Network Traffic Case#7
Copyright 2015 FUJITSU LIMITED
Legacy Router
Network Node
Compute Node#2
Compute Node#1
VM1 VM2
br-int br-ex
Network Node
Compute Node#2
Compute Node#1
VM1 VM2
br-int br-ex
fIP DHCP
br-int br-int br-ex br-ex
br-int br-int
DVR
DHCP VM3
VM3
VM booting: a VM gets metadata from the vRouter
32
Proposal: Distributed DHCP agent and L3-agent
Copyright 2015 FUJITSU LIMITED
Controller Node
Compute Node
Network Node
eth0
eth1 eth2 eth1 eth2 eth1
eth0
Data network Management network
External network
Neutron Server
ML2 plugin
ML2 plugin
OVS-agent
ML2 plugin
OVS-agent
DHCP-agent
L3-agent
Metadata-agent
API network
DHCP-agent
eth0
L3-agent (SNAT)
33
Elimination of Network Node
Distribute DHCP-agent to each Compute Node.
=> Reduce DHCP broadcast in Data Network
Move SNAT function to Compute Node.
=> Can eliminate Single-point-of-failure
Once completes this enhancement, I’ll work on FloatingIP enhancement for DVR
Copyright 2015 FUJITSU LIMITED
Compute Node#1
VM1 VM2
br-int
br-tun SNAT
fIP
DHCP
br-ex
Compute Node#2
VM3
br-int
br-tun SNAT
fIP
DHCP
br-ex
34
Copyright 2015 FUJITSU LIMITED