OpenStack Networking

Giuseppe Cossu

Research Engineer

Webinar on October 5th, 2015 - 15:00 CET

Hello!I am Giuseppe Cossu

I am an enthusiastic OpenStack user.

I work at Create-Net as Research

Engineer. Mainly involved on Cloud

Computing and Networking.

Contacts:

gcossu@create-net.org

http://it.linkedin.com/in/giuseppecossu/en

Agenda

■ Introduction

OpenStack Overview

■ NeutronOverviewMain features with Live Demo

■ Networking ArchitectureMain Components

Neutron server and agentsModular Layer 2 (ML2) plugin

Type Driver, Mechanism Driver

DVR (Distributed Virtual Router)L3 services on Compute Nodes

Advanced Services: FWaaS, LBaaS, VPNaaS

Introduction

OpenStack is a free and open-source cloud-computing software platform

OpenStack Logical Architecture

Network as a Service

Openstack Networking Architecture

Management network

■ Used for internal OpenStack

communications

■ Connects all OpenStack

Components

Data network■ Used for VMs data communication

External network■ Used to provide VMs with Internet

access in some deployment

scenarios

■ The IP addresses on this network

should be reachable by anyone on

the Internet

API network■ Exposes all OpenStack APIs to

tenants

■ The IP addresses on this network

should be reachable by anyone on

the Internet

What is Neutron?

“Neutron is an OpenStack project to provide Networking as a Service (NaaS) between interface devices managed by other Openstack services”

History: from nova-network to Neutron

■ nova-network is the original OpenStack networking implementation

still available (but is going to be deprecated)managed by administrator

Tenant can not create/manage networks

Limitations:lack of API for networking servicesbasic model of performing isolation through Linux VLANs

and IP tableslimited networking technology (e.g. no L2-in-L3 tunneling,

no OpenFlow)

■ The OpenStack Neutron was called “Quantum”renamed to “Neutron” for trademark issues

Neutron

■ Provides REST APIs to create and manage virtual networks and network resources

■ Allows tenants having multiple private networks and to choose their own IP addressing scheme

■ Enables advanced cloud networking use casese.g., multi-tiered web applications

■ Pluggable Architecturea plugin is a back-end implementation of the Networking API

flexibility to choose different network virtualization technologies (e.g. VLAN, GRE, VxLAN)

■ Plugins available (ML2 Mechanism Drivers):Open vSwitch, Cisco (UCS/Nexus), Juniper (Opencontrail),

VMware NSX, OpenDaylight, Midonet, PLUMgrid, etc.

Live Demo

■ Live Demo using the OpenStack Dashboard

graphical interface to access, provision and automate cloud-based resources

■ The demo provides an overview on the main Neutron features

Neutron: networking resources & L2 functionalities (I)

■ Each tenant can create L2 private networks

Network: an isolated virtual layer-2 broadcast domain

It is reserved for the tenant who created it

■ ...and associate a sub-network to each network

Subnet: an IP address block (CIDR) that can be used to assign IP addresses to virtual instances

It is possible to configure DNS, gateway and enable DHCP

Neutron: networking resources & L2 functionalities (II)

Virtual instances attach their VIF (Virtual network InterFace) into ports:

■ Port: a virtual switch port on a logical network switchDefines the MAC&IP addresses to be assigned to the interfaces

plugged into themTypically a virtual network interface belonging to a VM

■ Each instance receive a Fixed IP on creationStay the same until the instance is explicitly terminated

Neutron: networking resources & L2 functionalities (III)

■ Each tenant can configure rich network topologies by creating and configuring networks and subnets

having multiple private networkschoosing their own IP addressing scheme (even if those IP

addresses overlap with those used by other tenants)

■ Admin can create shared networksThe network resources can be accessed by any tenant

Neutron: networking resources & L3 functionalities (I)

In order to provide inbound/outbound Internet connectivity to VMs, Neutron provides L3 functionality by means of:

■ External Network: a “virtual” network, that typically maps public IP ranges available in the DC network

managed by admincan be used as external gateway for internal tenant network or

create floating IPs and associate them with ports■ Router: a logical entity used to:

interconnect subnets and forward traffic among themNATing tenant network traffic to external networks

■ Floating IPs: IP addresses on an external network, typically public, that can be dynamically associated with an instance

A Floating IP allows access to an instance on a private network from an external network

Neutron: networking resources & L3 functionalities (II)

Scenario 1: Create an External Network and a Router

■ The router connects the private to the external network, offering NAT functionality

■ Associate a floating IP to an internal port (e.g. access instances from Internet)

Neutron: networking resources & L3 functionalities (III)

Scenario 2: Connect two private networks■ The router connects private networks forwarding traffic among

them

Networking Architecture

Neutron under the hood

Neutron Server and agents

■ Neutron-Server exposes the Networking API and enable administration of the configured plug-in

The agents interact with the main neutron process through RPC or API

Neutron agents:

Neutron features

■ Modular Layer 2 (ML2) pluginCore Plugin: it is bundled with OpenStackallows to simultaneously utilize the variety of

layer 2 networking technologies

■ DVR (Distributed Virtual Router)L3 forwarding and NAT are distributed to the

compute nodessolves single points of failures and scalability

problems of the Network Node

■ Advanced Services, implemented as service plugins

Load Balancer as a Service (LBaaS)Virtual Private Network as a Service (VPNaaS)Firewall as a Service (FWaaS)

L2 Connectivity

L3 Connectivity

L4-L7Services

Neutron features

L2 Connectivity

Modular Layer 2 (ML2)

■ ML2 plugin is a framework allowing OpenStack Networking to simultaneously utilize the variety of layer 2 networking technologies

The Type Driver maintains any needed type-specific network state, and perform provider network validation and tenant network allocation

The Mechanism Driver is responsible for taking the information established by the Type Driver and ensuring that it is properly applied given the specific networking mechanisms that have been enabled

Network Segments (Type Driver)

■ Flatall instances reside on the same network, which can also be shared

with the hosts■ VLAN

allows users to create multiple networks using VLAN IDs (802.1Q) that correspond to VLANs present in the physical network

■ VxLAN or GREnetwork overlays to support private communication between

instanceseach network receives a unique tunnel ID (up to 16 million logical

networks)

ML2 with Open vSwitch (OVS) Mechanism Driver

■ Open vSwitch (L2) agent:communicates with the Neutron server over RPCcommunicates directly with the local Open vSwitch instance to

configure flows to implement the logical data modelgathers the configuration and mappings from the databaseapplies Security Group rules

GRE Tunnels

Neutron features

L2 Connectivity

L3 Connectivity

Legacy Routing in Neutron

■ Network node IP forwarding:Inter-subnet (east-west) traffic between VMsFloating IP (north-south) traffic between VM and external networkDefault SNAT (north-south) traffic from VM to external network

■ Issues:Performance bottleneckScalability limitationsSingle Point of Failure

Network Node Compute Node Compute Node

InternetExternal Network

Data NetworkVM1 VM2

Tenant Network

Distributed Virtual Router (DVR)

■ IP forwarding provided (also) by Compute nodes for local VMs

Inter-subnet (east-west) traffic between VMs

Floating IP (north-south) traffic between external and VM

■ Advantages:

Bypass network node improves performance

Scales with size of compute farm

Limited failure domain (per compute node)

■ Limitations:

Default SNAT function is still centralized

Network Node Compute Node Compute Node

InternetExternal Network

Data NetworkVM1 VM2

Tenant Network

Neutron features

L2 Connectivity

L3 Connectivity

L4-L7 Services

Load-Balancer-as-a-Service (LBaaS)

■ The LBaaS enable tenants to manage load balancers for their VMsload-balance incoming traffic by distributing workloads to application

services running on VMsLBaaS V2 API is experimental (stable on Liberty Release)

■ Load balancing methods to distribute incoming requests:Round robin: rotates requests evenly between multiple instancesSource IP: requests from a unique source IP address are consistently

directed to the same instanceLeast connections: allocates requests to the instance with the least

number of active connections

Firewall-as-a-Service (FWaaS)

■ FWaaS adds firewall management to Networkingoperates at the perimeter to filter traffic at the neutron routeruses iptables to apply firewall policy to all routers within a projectsupports one firewall policy and logical firewall instance per project

■ NOTE: Security Groups operate at the instance-level

Virtual-Private-Network-as-a-Service (VPNaaS)

■ The VPNaaS extension enables OpenStack tenants to extend private networks across the internet:

Relates the VPN with a specific subnet and router for a tenantMultiple VPN connections per tenantSite-to-site VPN that connects two private networks

■ Configuration:An IKE Policy is used for phase one and phase two negotiation of the

VPN connectionsupport with 3des, aes-128, aes-256, or aes-192 encryption

An IPsec Policy is used to specify the encryption algorithm, transform protocol, and mode (tunnel/transport) for the VPN connection

support with 3des, aes-128, aes-192, or aes-256 encryption, sha1 authentication, ESP, AH, or AH-ESP transform protocol, and tunnel or transport mode encapsulation

OpenStack Bootcamp

The main topics covered are:

Overview on OpenStack and its

architecture,

OpenStack networking;

Swift;

Ceilometer and its architecture,

Heat Overview;

OpenStack deployment.

At the end of the Bootcamp each

student will be able to:

Describe the architecture of an

OpenStack deployment;

Discuss the main functionalities of

OpenStack;

Deploy, configure and use the

Openstack services;

Create and manage VMs and

Virtual Networks;

Create and manage, suers, roles,

and quotas;

Use the OpenStack CLI and

Dashboard.

In partnership with Mirantis

For further information:

http://openstack.create-net.org

openstack@create-net.org

■ OpenStack Cloud Administrator Guide http://docs.openstack.org/admin-guide-cloud/content/index.html

■ OpenStack Networking API v2.0 Reference http://docs.openstack.org/api/openstack-network/2.0/content/index.html

■ OpenStack Training Guides http://docs.openstack.org/training-guides/content/index.html

■ OpenStackHowto: Quantum https://wiki.debian.org/OpenStackHowto/Quantum■ Mirantis Reference Architectures http://docs.mirantis.com/openstack/fuel/fuel-

6.0/reference-architecture.html■ OpenStack Networking Introduction - Yves Fauser, VMware NSBU■ http://www.slideshare.net/vivekkonnect/openstack-

kilosummitdvrarchitecture20140506mastergroup

References

Thanks!

Any questions?

You can find me at: gcossu@create-net.org

Follow-up email will include the link to slides and recording.