openstack networking (neutron)
TRANSCRIPT
OpenStack Networking
Giuseppe Cossu
Research Engineer
Webinar on October 5th, 2015 - 15:00 CET
Hello! I am Giuseppe Cossu
I am an enthusiastic OpenStack user.
I work at Create-Net as a Research Engineer, mainly involved in Cloud Computing and Networking.
Contacts:
http://it.linkedin.com/in/giuseppecossu/en
Agenda
■ Introduction
  OpenStack Overview
■ Neutron Overview
  Main features with Live Demo
■ Networking Architecture
  Main Components
  Neutron server and agents
  Modular Layer 2 (ML2) plugin: Type Driver, Mechanism Driver
  DVR (Distributed Virtual Router): L3 services on Compute Nodes
  Advanced Services: FWaaS, LBaaS, VPNaaS
Introduction
OpenStack is a free and open-source cloud-computing software platform
OpenStack Logical Architecture
Network as a Service
OpenStack Networking Architecture
Management network
■ Used for internal OpenStack communications
■ Connects all OpenStack components
Data network
■ Used for VMs data communication
External network
■ Used to provide VMs with Internet access in some deployment scenarios
■ The IP addresses on this network should be reachable by anyone on the Internet
API network
■ Exposes all OpenStack APIs to tenants
■ The IP addresses on this network should be reachable by anyone on the Internet
What is Neutron?
“Neutron is an OpenStack project to provide Networking as a Service (NaaS) between interface devices managed by other Openstack services”
History: from nova-network to Neutron
■ nova-network is the original OpenStack networking implementation
  still available (but is going to be deprecated)
  managed by the administrator: tenants cannot create/manage networks
  Limitations:
    lack of an API for networking services
    basic model of performing isolation through Linux VLANs and iptables
    limited networking technology (e.g. no L2-in-L3 tunneling, no OpenFlow)
■ OpenStack Neutron was originally called “Quantum”; it was renamed to “Neutron” for trademark reasons
Neutron
■ Provides REST APIs to create and manage virtual networks and network resources
■ Allows tenants to have multiple private networks and to choose their own IP addressing scheme
■ Enables advanced cloud networking use cases
  e.g., multi-tiered web applications
■ Pluggable Architecture
  a plugin is a back-end implementation of the Networking API
  flexibility to choose different network virtualization technologies (e.g. VLAN, GRE, VxLAN)
■ Plugins available (ML2 Mechanism Drivers):
  Open vSwitch, Cisco (UCS/Nexus), Juniper (OpenContrail), VMware NSX, OpenDaylight, MidoNet, PLUMgrid, etc.
Live Demo
■ Live Demo using the OpenStack Dashboard
  graphical interface to access, provision and automate cloud-based resources
■ The demo provides an overview of the main Neutron features
Neutron: networking resources & L2 functionalities (I)
■ Each tenant can create L2 private networks
  Network: an isolated virtual layer-2 broadcast domain
  It is reserved for the tenant who created it
■ ...and associate a sub-network to each network
  Subnet: an IP address block (CIDR) that can be used to assign IP addresses to virtual instances
  It is possible to configure DNS, gateway and enable DHCP
Neutron: networking resources & L2 functionalities (II)
Virtual instances attach their VIF (Virtual network InterFace) into ports:
■ Port: a virtual switch port on a logical network switch
  Defines the MAC and IP addresses to be assigned to the interfaces plugged into it
  Typically a virtual network interface belonging to a VM
■ Each instance receives a Fixed IP on creation
  It stays the same until the instance is explicitly terminated
Neutron: networking resources & L2 functionalities (III)
■ Each tenant can configure rich network topologies by creating and configuring networks and subnets
  having multiple private networks
  choosing their own IP addressing scheme (even if those IP addresses overlap with those used by other tenants)
■ Admin can create shared networks
  The network resources can be accessed by any tenant
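The L2 resources from the last three slides (network, subnet, port, fixed IP, shared network), modelled as an added example. This is not code from the webinar or from Neutron itself: it is a toy stand-in for the Networking API that shows why two tenants can both use 10.0.0.0/24 (isolation is per network, not per address), that a fixed IP is held by its port until the port is deleted, and that a private network refuses ports from other tenants while a shared one accepts them. Tenant names, network names, CIDRs and the port id scheme are constructed sample values.

```python
"""Toy model of the Neutron L2 resources: network, subnet, port.

Added example, not Neutron code. Names, tenants and CIDRs are constructed."""
import ipaddress
import itertools
from dataclasses import dataclass, field


@dataclass
class Subnet:
    cidr: str
    gateway: str = None
    enable_dhcp: bool = True
    allocated: dict = field(default_factory=dict)   # fixed ip -> port id

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.cidr)
        # With no gateway given, use the first host address (Neutron's default).
        self.gateway = self.gateway or str(next(self.net.hosts()))

    def allocate(self, port_id):
        """Hand out the lowest free host address, never the gateway."""
        for host in self.net.hosts():
            ip = str(host)
            if ip != self.gateway and ip not in self.allocated:
                self.allocated[ip] = port_id
                return ip
        raise RuntimeError(f"no free addresses left in {self.cidr}")


@dataclass
class Network:
    name: str
    tenant: str
    shared: bool = False
    subnets: list = field(default_factory=list)
    ports: dict = field(default_factory=dict)       # port id -> (mac, fixed ip)


class Neutron:
    """Minimal stand-in for the Networking API calls used in the demo."""

    def __init__(self):
        self.networks = {}
        self._ids = itertools.count(1)

    def create_network(self, tenant, name, shared=False):
        self.networks[name] = Network(name, tenant, shared)
        return self.networks[name]

    def create_subnet(self, tenant, network_name, cidr, **options):
        net = self._visible(tenant, network_name)
        if net.tenant != tenant:
            raise PermissionError("only the owning tenant may add subnets")
        subnet = Subnet(cidr, **options)
        net.subnets.append(subnet)
        return subnet

    def create_port(self, tenant, network_name):
        """Plug a VIF into the network: assign a MAC and a fixed IP from its subnet."""
        net = self._visible(tenant, network_name)
        number = next(self._ids)
        port_id = f"port-{number}"
        mac = f"fa:16:3e:00:00:{number:02x}"    # fa:16:3e is Neutron's default OUI
        fixed_ip = net.subnets[0].allocate(port_id)
        net.ports[port_id] = (mac, fixed_ip)
        return port_id, mac, fixed_ip

    def delete_port(self, network_name, port_id):
        """Only deleting the port frees its fixed IP."""
        net = self.networks[network_name]
        _, fixed_ip = net.ports.pop(port_id)
        del net.subnets[0].allocated[fixed_ip]

    def _visible(self, tenant, network_name):
        net = self.networks[network_name]
        if net.tenant != tenant and not net.shared:
            raise PermissionError(f"{network_name} is private to tenant {net.tenant}")
        return net


def demo():
    api = Neutron()
    api.create_network("alice", "alice-net")
    api.create_subnet("alice", "alice-net", "10.0.0.0/24")
    api.create_network("bob", "bob-net")
    api.create_subnet("bob", "bob-net", "10.0.0.0/24")      # same CIDR, separate broadcast domain
    api.create_network("admin", "shared-net", shared=True)
    api.create_subnet("admin", "shared-net", "192.168.1.0/24")
    alice_port = api.create_port("alice", "alice-net")
    bob_port = api.create_port("bob", "bob-net")
    shared_port = api.create_port("alice", "shared-net")    # allowed: the network is shared
    try:
        api.create_port("alice", "bob-net")                 # refused: private to bob
        crossed = True
    except PermissionError:
        crossed = False
    return {"alice": alice_port, "bob": bob_port, "shared": shared_port, "crossed": crossed}


if __name__ == "__main__":
    print(demo())
```

Both tenants' first ports receive 10.0.0.2 without conflict, because the address only has meaning inside its own network; the only cross-tenant reach in the model is through the admin's shared network.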
Neutron: networking resources & L3 functionalities (I)
In order to provide inbound/outbound Internet connectivity to VMs, Neutron provides L3 functionality by means of:
■ External Network: a “virtual” network that typically maps public IP ranges available in the DC network
  managed by admin
  can be used as external gateway for internal tenant networks, or to create floating IPs and associate them with ports
■ Router: a logical entity used to:
  interconnect subnets and forward traffic among them
  NAT tenant network traffic to external networks
■ Floating IPs: IP addresses on an external network, typically public, that can be dynamically associated with an instance
  A Floating IP allows access to an instance on a private network from an external network
Neutron: networking resources & L3 functionalities (II)
Scenario 1: Create an External Network and a Router
■ The router connects the private network to the external network, offering NAT functionality
■ Associate a floating IP to an internal port (e.g. to access instances from the Internet)
Neutron: networking resources & L3 functionalities (III)
Scenario 2: Connect two private networks
■ The router connects the private networks, forwarding traffic among them
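The two L3 scenarios, as an added example that is not code from the webinar or from Neutron's L3 agent. The toy router below decides, per packet, whether to route east-west between its own subnets, SNAT outbound traffic (to the instance's floating IP if it has one, otherwise to the router's gateway address, i.e. default SNAT), DNAT inbound traffic addressed to a floating IP, or drop it. Addresses come from documentation ranges and are constructed sample values; the tuple returned by forward() is this example's own convention.

```python
"""Toy model of the Neutron L3 resources: external network, router, floating IP.

Added example, not Neutron code. Addresses are constructed sample values."""
import ipaddress


class Router:
    def __init__(self, name):
        self.name = name
        self.interfaces = []        # tenant subnets attached to the router
        self.external = None        # external network the gateway sits on
        self.gateway_ip = None      # router's own address on the external network
        self.floating = {}          # floating ip -> fixed ip (1:1 NAT)

    def add_interface(self, cidr):
        self.interfaces.append(ipaddress.ip_network(cidr))

    def set_gateway(self, external_cidr, gateway_ip):
        self.external = ipaddress.ip_network(external_cidr)
        self.gateway_ip = gateway_ip

    def associate_floating_ip(self, floating_ip, fixed_ip):
        if self.external is None or ipaddress.ip_address(floating_ip) not in self.external:
            raise ValueError("floating IP must come from the router's external network")
        if not self._internal(fixed_ip):
            raise ValueError("fixed IP must be on a subnet attached to this router")
        self.floating[floating_ip] = fixed_ip

    def _internal(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.interfaces)

    def forward(self, src, dst):
        """Return (action, src after NAT, dst after NAT) for one packet."""
        if self._internal(src) and self._internal(dst):
            return ("route", src, dst)                  # east-west: plain forwarding
        if self._internal(src):
            if self.gateway_ip is None:
                return ("drop", src, dst)               # no external gateway set
            fip = next((f for f, fixed in self.floating.items() if fixed == src), None)
            # Outbound: the instance's floating IP if it has one, otherwise the
            # router's gateway address (default SNAT, shared by all instances).
            return ("snat", fip or self.gateway_ip, dst)
        if dst in self.floating:
            return ("dnat", src, self.floating[dst])    # inbound via floating IP
        return ("drop", src, dst)                       # no floating IP: unreachable


def scenario_1():
    """External network + router with gateway; one instance gets a floating IP."""
    r = Router("r1")
    r.add_interface("10.0.0.0/24")
    r.set_gateway("203.0.113.0/24", "203.0.113.10")
    r.associate_floating_ip("203.0.113.50", "10.0.0.5")
    return {
        "fip_out": r.forward("10.0.0.5", "198.51.100.7"),
        "snat_out": r.forward("10.0.0.6", "198.51.100.7"),
        "fip_in": r.forward("198.51.100.7", "203.0.113.50"),
        "no_fip_in": r.forward("198.51.100.7", "203.0.113.10"),
    }


def scenario_2():
    """Router joining two private subnets, no external gateway."""
    r = Router("r2")
    r.add_interface("10.0.1.0/24")
    r.add_interface("10.0.2.0/24")
    return {
        "east_west": r.forward("10.0.1.5", "10.0.2.9"),
        "no_gateway": r.forward("10.0.1.5", "198.51.100.7"),
    }


if __name__ == "__main__":
    print(scenario_1())
    print(scenario_2())
```

The asymmetry is the point: every instance behind the router can reach out through default SNAT, but only the instance with a floating IP can be reached from outside.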
Networking Architecture
Neutron under the hood
Neutron Server and agents
■ Neutron-Server exposes the Networking API and enables administration of the configured plug-in
  The agents interact with the main neutron process through RPC or API
Neutron agents:
Neutron features
■ Modular Layer 2 (ML2) plugin
  Core Plugin: it is bundled with OpenStack
  allows a variety of layer 2 networking technologies to be used simultaneously
■ DVR (Distributed Virtual Router)
  L3 forwarding and NAT are distributed to the compute nodes
  solves the single point of failure and scalability problems of the Network Node
■ Advanced Services, implemented as service plugins
  Load Balancer as a Service (LBaaS)
  Virtual Private Network as a Service (VPNaaS)
  Firewall as a Service (FWaaS)
L2 Connectivity
L3 Connectivity
L4-L7 Services
Neutron features
L2 Connectivity
Modular Layer 2 (ML2)
■ ML2 plugin is a framework allowing OpenStack Networking to simultaneously utilize a variety of layer 2 networking technologies
  The Type Driver maintains any needed type-specific network state, and performs provider network validation and tenant network allocation
  The Mechanism Driver is responsible for taking the information established by the Type Driver and ensuring that it is properly applied, given the specific networking mechanisms that have been enabled
Network Segments (Type Driver)
■ Flat
  all instances reside on the same network, which can also be shared with the hosts
■ VLAN
  allows users to create multiple networks using VLAN IDs (802.1Q) that correspond to VLANs present in the physical network
■ VxLAN or GRE
  network overlays to support private communication between instances
  each network receives a unique tunnel ID (up to 16 million logical networks)
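The two Type Driver duties named above (provider network validation, tenant network allocation) for the flat, VLAN, VxLAN and GRE segment types, as an added example. It is not code from the webinar or from Neutron's ML2 plugin: it is a compact re-implementation of the idea, where a provider network is checked against the type's own limits (a configured physical network for VLAN, none for overlays, a segmentation id in range and not already taken) and a tenant network takes the lowest free id from a configured pool. The physical network name, the id pools and the segment dictionary shape are constructed configuration values.

```python
"""Toy ML2 type drivers: flat, vlan, vxlan, gre.

Added example, not ML2 code. Physnet names and id ranges are constructed."""


class TypeDriver:
    def validate_provider(self, physnet, segmentation_id):
        raise NotImplementedError

    def allocate_tenant(self):
        raise NotImplementedError


class FlatTypeDriver(TypeDriver):
    """One untagged network per physical network; provider-only."""

    def __init__(self, physnets):
        self.physnets = set(physnets)
        self.used = set()

    def validate_provider(self, physnet, segmentation_id=None):
        if physnet not in self.physnets:
            raise ValueError(f"flat: unknown physical network {physnet!r}")
        if segmentation_id is not None:
            raise ValueError("flat: networks carry no segmentation id")
        if physnet in self.used:
            raise ValueError(f"flat: {physnet} already carries a flat network")
        self.used.add(physnet)
        return {"type": "flat", "physnet": physnet, "id": None}

    def allocate_tenant(self):
        raise ValueError("flat: provider-only, no tenant allocation")


class RangeTypeDriver(TypeDriver):
    """Shared logic for types whose segments are numeric ids from a pool."""
    type_name = ""
    max_id = 0
    needs_physnet = False

    def __init__(self, pools):
        # vlan: {physnet: (low, high)}; overlays: {None: (low, high)}
        self.pools = pools
        self.used = set()       # (physnet, segmentation id)

    def _check_physnet(self, physnet):
        if self.needs_physnet and physnet not in self.pools:
            raise ValueError(f"{self.type_name}: unknown physical network {physnet!r}")
        if not self.needs_physnet and physnet is not None:
            raise ValueError(f"{self.type_name}: overlay networks take no physical network")

    def validate_provider(self, physnet, segmentation_id):
        """Admin-chosen segment: must be valid for the type, may lie outside the tenant pool."""
        self._check_physnet(physnet)
        if not 1 <= segmentation_id <= self.max_id:
            raise ValueError(f"{self.type_name}: segmentation id {segmentation_id} out of range")
        key = (physnet, segmentation_id)
        if key in self.used:
            raise ValueError(f"{self.type_name}: segment {key} already in use")
        self.used.add(key)
        return self._segment(physnet, segmentation_id)

    def allocate_tenant(self):
        """Tenant network: lowest free id from the configured pool."""
        for physnet, (low, high) in self.pools.items():
            for sid in range(low, high + 1):
                if (physnet, sid) not in self.used:
                    self.used.add((physnet, sid))
                    return self._segment(physnet, sid)
        raise RuntimeError(f"{self.type_name}: tenant pool exhausted")

    def release(self, physnet, segmentation_id):
        self.used.discard((physnet, segmentation_id))

    def _segment(self, physnet, sid):
        return {"type": self.type_name, "physnet": physnet, "id": sid}


class VlanTypeDriver(RangeTypeDriver):
    type_name, max_id, needs_physnet = "vlan", 4094, True   # 12-bit 802.1Q VID


class VxlanTypeDriver(RangeTypeDriver):
    type_name, max_id = "vxlan", (1 << 24) - 1              # 24-bit VNI, ~16 million


class GreTypeDriver(RangeTypeDriver):
    type_name, max_id = "gre", (1 << 32) - 1                # 32-bit GRE key


def demo():
    vlan = VlanTypeDriver({"physnet1": (100, 199)})
    vxlan = VxlanTypeDriver({None: (1000, 1999)})
    provider = vlan.validate_provider("physnet1", 42)   # admin picks a VID outside the tenant pool
    tenant_vlan = vlan.allocate_tenant()                # first free VID from the pool
    tenant_vxlan = vxlan.allocate_tenant()              # first free VNI
    try:
        vlan.validate_provider("physnet1", 42)          # same VID twice on one physnet
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    try:
        vxlan.validate_provider("physnet1", 5)          # overlays have no physnet
        physnet_rejected = False
    except ValueError:
        physnet_rejected = True
    return provider, tenant_vlan, tenant_vxlan, duplicate_rejected, physnet_rejected
```

The Mechanism Driver (next slide) would then take the returned segment and program it onto the switch; the Type Driver's job ends at handing out a consistent, non-colliding segment.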
ML2 with Open vSwitch (OVS) Mechanism Driver
■ Open vSwitch (L2) agent:
  communicates with the Neutron server over RPC
  communicates directly with the local Open vSwitch instance to configure flows that implement the logical data model
  gathers the configuration and mappings from the database
  applies Security Group rules
GRE Tunnels
Neutron features
L2 Connectivity
L3 Connectivity
Legacy Routing in Neutron
■ Network node IP forwarding:
  Inter-subnet (east-west) traffic between VMs
  Floating IP (north-south) traffic between VM and external network
  Default SNAT (north-south) traffic from VM to external network
■ Issues:
  Performance bottleneck
  Scalability limitations
  Single Point of Failure
[Figure: Network Node, Compute Node, Compute Node; Internet / External Network; Data Network; VM1, VM2; Tenant Network]
Distributed Virtual Router (DVR)
■ IP forwarding provided (also) by Compute nodes for local VMs
  Inter-subnet (east-west) traffic between VMs
  Floating IP (north-south) traffic between external network and VM
■ Advantages:
  Bypassing the network node improves performance
  Scales with the size of the compute farm
  Limited failure domain (per compute node)
■ Limitations:
  Default SNAT function is still centralized
[Figure: Network Node, Compute Node, Compute Node; Internet / External Network; Data Network; VM1, VM2; Tenant Network]
Neutron features
L2 Connectivity
L3 Connectivity
L4-L7 Services
Load-Balancer-as-a-Service (LBaaS)
■ LBaaS enables tenants to manage load balancers for their VMs
  load-balances incoming traffic by distributing workloads to application services running on VMs
  LBaaS V2 API is experimental (stable in the Liberty release)
■ Load balancing methods to distribute incoming requests:
  Round robin: rotates requests evenly between multiple instances
  Source IP: requests from a unique source IP address are consistently directed to the same instance
  Least connections: allocates requests to the instance with the least number of active connections
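The three scheduling methods from the slide, implemented as an added example. This is not code from the webinar or from the LBaaS reference driver; it is a small pool scheduler that runs round robin, source-IP hashing and least connections over a constructed pool of three back-end members, with short request traces that show the behaviour each method promises. Member and client addresses are constructed sample values; the method names follow the LBaaS API spelling but the hashing and tie-break rules are this example's own.

```python
"""LBaaS pool scheduling methods: ROUND_ROBIN, SOURCE_IP, LEAST_CONNECTIONS.

Added example, not LBaaS driver code. Addresses are constructed."""
import hashlib


class Pool:
    def __init__(self, method, members):
        self.method = method
        self.members = list(members)
        self.active = {m: 0 for m in self.members}   # open connections per member
        self._next = 0                                # round-robin cursor

    def pick(self, source_ip):
        """Choose a member for a new connection and count it as open."""
        if self.method == "ROUND_ROBIN":
            member = self.members[self._next % len(self.members)]
            self._next += 1
        elif self.method == "SOURCE_IP":
            # Deterministic hash of the client address: same client, same member.
            digest = hashlib.sha256(source_ip.encode()).digest()
            member = self.members[int.from_bytes(digest[:4], "big") % len(self.members)]
        elif self.method == "LEAST_CONNECTIONS":
            # Fewest open connections wins; ties go to the earlier member.
            member = min(self.members, key=lambda m: (self.active[m], self.members.index(m)))
        else:
            raise ValueError(f"unknown method {self.method}")
        self.active[member] += 1
        return member

    def close(self, member):
        """A connection to `member` finished."""
        self.active[member] -= 1


MEMBERS = ("10.0.0.11", "10.0.0.12", "10.0.0.13")   # constructed back-end addresses


def round_robin_trace():
    pool = Pool("ROUND_ROBIN", MEMBERS)
    return [pool.pick("198.51.100.1") for _ in range(4)]    # wraps after the third


def source_ip_is_sticky():
    pool = Pool("SOURCE_IP", MEMBERS)
    picks = {pool.pick("198.51.100.1") for _ in range(5)}   # one client, five requests
    return len(picks) == 1


def least_connections_trace():
    pool = Pool("LEAST_CONNECTIONS", MEMBERS)
    first = pool.pick("198.51.100.1")    # all idle -> first member
    second = pool.pick("198.51.100.2")   # first busy -> second member
    pool.close(first)
    third = pool.pick("198.51.100.3")    # first idle again -> first member
    return [first, second, third]


if __name__ == "__main__":
    print(round_robin_trace(), source_ip_is_sticky(), least_connections_trace())
```

Source-IP stickiness only holds as long as the member list is unchanged; adding or removing a member reshuffles the hash buckets, which is why a real balancer with session state prefers cookie-based persistence for that case.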
Firewall-as-a-Service (FWaaS)
■ FWaaS adds firewall management to Networking
  operates at the perimeter to filter traffic at the neutron router
  uses iptables to apply firewall policy to all routers within a project
  supports one firewall policy and logical firewall instance per project
■ NOTE: Security Groups operate at the instance level
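A perimeter firewall policy evaluated at the router, as an added example that is not code from the webinar or from Neutron's FWaaS iptables driver. It models a FWaaS policy as an ordered list of allow/deny rules with first-match semantics, decides the fate of sample north-south and east-west flows, and renders the equivalent iptables commands for a chain on the router. The closing default-deny rule is an assumption made here (the slide does not state the default); the chain name, addresses and rules are constructed sample values.

```python
"""FWaaS-style perimeter policy: ordered rules, first match, rendered to iptables.

Added example, not FWaaS driver code. Chain name, rules and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    protocol: str = "any"       # tcp / udp / icmp / any
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    dport: tuple = None         # (low, high) destination port range, or None

    def __post_init__(self):
        if self.action not in ("allow", "deny"):
            raise ValueError(f"bad action {self.action!r}")
        if self.dport and self.protocol not in ("tcp", "udp"):
            raise ValueError("a destination port range requires tcp or udp")

    def matches(self, proto, src, dst, port):
        if self.protocol != "any" and self.protocol != proto:
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.source):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination):
            return False
        if self.dport and (port is None or not self.dport[0] <= port <= self.dport[1]):
            return False
        return True


class FirewallPolicy:
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, proto, src, dst, port=None):
        """Return (action, index of the matching rule); unmatched traffic is denied."""
        for index, rule in enumerate(self.rules):
            if rule.matches(proto, src, dst, port):
                return rule.action, index
        return "deny", None     # assumed default deny at the end of the policy

    def to_iptables(self, chain="fwaas-demo"):
        """Render the policy as iptables commands for one chain (constructed chain name)."""
        commands = [f"iptables -N {chain}"]
        for rule in self.rules:
            cmd = f"iptables -A {chain} -s {rule.source} -d {rule.destination}"
            if rule.protocol != "any":
                cmd += f" -p {rule.protocol}"
            if rule.dport:
                cmd += f" --dport {rule.dport[0]}:{rule.dport[1]}"
            cmd += " -j ACCEPT" if rule.action == "allow" else " -j DROP"
            commands.append(cmd)
        commands.append(f"iptables -A {chain} -j DROP")   # default deny
        return commands


def demo():
    # Constructed project policy: HTTPS into the web subnet, web may not talk to
    # the db subnet, ICMP allowed everywhere, everything else denied by default.
    policy = FirewallPolicy([
        Rule("allow", "tcp", destination="10.0.0.0/24", dport=(443, 443)),
        Rule("deny", "tcp", source="10.0.0.0/24", destination="10.0.1.0/24"),
        Rule("allow", "icmp"),
    ])
    return {
        "https_in": policy.decide("tcp", "198.51.100.7", "10.0.0.5", 443),
        "ssh_in": policy.decide("tcp", "198.51.100.7", "10.0.0.5", 22),
        "east_west": policy.decide("tcp", "10.0.0.5", "10.0.1.9", 80),
        "ping": policy.decide("icmp", "198.51.100.7", "10.0.0.5"),
        "iptables": policy.to_iptables(),
    }


if __name__ == "__main__":
    for line in demo()["iptables"]:
        print(line)
```

Because the policy sits on the router, the east-west deny between 10.0.0.0/24 and 10.0.1.0/24 only takes effect for traffic that crosses the router; two instances on the same subnet never pass through it, which is the gap that instance-level Security Groups cover.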
Virtual-Private-Network-as-a-Service (VPNaaS)
■ The VPNaaS extension enables OpenStack tenants to extend private networks across the Internet:
  Relates the VPN with a specific subnet and router for a tenant
  Multiple VPN connections per tenant
  Site-to-site VPN that connects two private networks
■ Configuration:
  An IKE Policy is used for phase one and phase two negotiation of the VPN connection
    supports 3des, aes-128, aes-256, or aes-192 encryption
  An IPsec Policy is used to specify the encryption algorithm, transform protocol, and mode (tunnel/transport) for the VPN connection
    supports 3des, aes-128, aes-192, or aes-256 encryption, sha1 authentication, ESP, AH, or AH-ESP transform protocol, and tunnel or transport mode encapsulation
OpenStack Bootcamp
The main topics covered are:
  Overview of OpenStack and its architecture;
  OpenStack networking;
  Swift;
  Ceilometer and its architecture;
  Heat Overview;
  OpenStack deployment.
At the end of the Bootcamp each student will be able to:
  Describe the architecture of an OpenStack deployment;
  Discuss the main functionalities of OpenStack;
  Deploy, configure and use the OpenStack services;
  Create and manage VMs and Virtual Networks;
  Create and manage users, roles, and quotas;
  Use the OpenStack CLI and Dashboard.
In partnership with Mirantis
For further information:
http://openstack.create-net.org
References
■ OpenStack Cloud Administrator Guide http://docs.openstack.org/admin-guide-cloud/content/index.html
■ OpenStack Networking API v2.0 Reference http://docs.openstack.org/api/openstack-network/2.0/content/index.html
■ OpenStack Training Guides http://docs.openstack.org/training-guides/content/index.html
■ OpenStackHowto: Quantum https://wiki.debian.org/OpenStackHowto/Quantum
■ Mirantis Reference Architectures http://docs.mirantis.com/openstack/fuel/fuel-6.0/reference-architecture.html
■ OpenStack Networking Introduction - Yves Fauser, VMware NSBU
■ http://www.slideshare.net/vivekkonnect/openstack-kilosummitdvrarchitecture20140506mastergroup
Thanks!
Any questions?
You can find me at: [email protected]
Follow-up email will include the link to slides and recording.