What do you get with Print?

Instant access to your digital eBook copy whilst your Print order is Shipped

Paperback book shipped to your preferred address

Download this book in EPUB and PDF formats

Access this title in our online reader with advanced features

DRM FREE - Read whenever, wherever and however you want

Learning OpenStack Networking (Neutron), Second Edition

Chapter 1. Preparing the Network for OpenStack

In today's data centers, networks are composed of more devices than ever before. Servers, switches, routers, storage systems, and security appliances now exist as virtual machines and virtual network appliances. These devices place a large strain on traditional network management systems, as they are unable to provide a scalable, automated approach to managing next-generation networks. Users now expect more control and flexibility of the infrastructure with quicker provisioning, all of which OpenStack promises to deliver.

This chapter will introduce many features that OpenStack Networking provides as well as various network architectures supported by OpenStack.

What is OpenStack Networking?

OpenStack Networking is a pluggable, scalable, and API-driven system to manage networks and IP addresses in an OpenStack-based cloud. Like other core OpenStack components, OpenStack Networking can be used by administrators and users to increase the value and maximize the utilization of existing data center resources.

Neutron, the code name of OpenStack Networking, is a standalone service that can be installed independently of other OpenStack services such as Nova (compute service), Glance (image service), Keystone (identity service), Cinder (block storage), and Horizon (dashboard). OpenStack Networking services can be split among multiple hosts to provide resiliency and redundancy, or they can be configured to operate on a single node.

OpenStack Networking exposes an application programmable interface, or API, to users and passes requests to the configured network plugins for additional processing. Users are able to define network connectivity in the cloud, and cloud operators are allowed to leverage different networking technologies to enhance and power the cloud.

Like many other OpenStack services, Neutron requires access to a database for persistent storage of the network configuration.

Features of OpenStack Networking

OpenStack Networking includes many technologies one would find in a data center, including switching, routing, load balancing, firewalling, and virtual private networks. These features can be configured to leverage open source or commercial software, and provide a cloud operator with all the tools necessary to build a functional and self-contained cloud. OpenStack Networking also provides a framework for third-party vendors to build on and enhance the capabilities of the cloud.

Switching

A virtual switch is defined as a software application that connects virtual machines to virtual networks at layer 2, or the data-link layer, of the OSI model. Neutron supports multiple virtual switching platforms, including Linux bridges provided by the bridge kernel module and Open vSwitch. Open vSwitch, also known as OVS, is an open source virtual switch that supports standard management interfaces and protocols, including NetFlow, SPAN, RSPAN, LACP, and 802.1q VLAN tagging. However, many of these features are not exposed to the user through the OpenStack API. In addition to VLAN tagging, users can build overlay networks in software using L2-in-L3 tunneling protocols, such as GRE or VXLAN. Open vSwitch can be used to facilitate communication between instances and devices outside the control of OpenStack, which include hardware switches, network firewalls, storage devices, dedicated servers, and more. Additional information on the use of Linux bridges and Open vSwitch as switching platforms for OpenStack can be found in Chapter 4, Building a Virtual Switching Infrastructure.

Routing

OpenStack Networking provides routing and NAT capabilities through the use of IP forwarding, iptables, and network namespaces. Inside a network namespace, we can find sockets, bound ports, and interfaces that were created in the namespace. Each network namespace has its own routing table, interfaces, and iptables processes that provide filtering and network address translation. By leveraging network namespaces to separate networks, there is no concern of overlapping subnets between networks created by tenants. Configuring a router within Neutron enables instances to interact and communicate with outside networks or other networks in the cloud. Router namespaces are also leveraged by the advanced networking services Firewall as a Service and Virtual Private Network as a Service, which will be discussed later in this book. More information on routing within OpenStack can be found in Chapter 7, Creating Standalone Routers with Neutron; Chapter 8, Router Redundancy Using VRRP; and Chapter 9, Distributed Virtual Routers.

Load balancing

First introduced in the Grizzly release of OpenStack, Load Balancing as a Service, also known as LBaaS, provides users with the ability to distribute client requests across multiple instances or servers. Users can create monitors, set connection limits, and apply persistence profiles to traffic traversing a virtual load balancer. The Kilo release of OpenStack introduced version 2 of the LBaaS API in an experimental status. The v2 API is a vast improvement over version 1, and by the Liberty release, it should be stable. OpenStack Networking is equipped with a plugin for LBaaS that utilizes HAProxy in the open source reference implementation. More information on the use of load balancers within Neutron can be found in Chapter 10, Load Balancing Traffic to Instances.

Firewalling

In the current release of OpenStack, there are two methods of providing security to instances: security groups and firewalls. When using security groups, instances are placed into groups that share common functionality and rule sets. Iptables rules are configured on compute nodes and filter traffic in and out of Linux bridges connected to each instance. In a reference implementation, when using virtual firewalls provided by Firewall as a Service, also known as FWaaS, security is handled at the edge of the network on a Neutron router rather than at the compute node. Through the Liberty release of OpenStack, the FWaaS API remains in an experimental status with no guaranteed backward compatibility in future releases. More information on securing instances can be found in Chapter 6, Managing Security Groups, and Chapter 11, Firewall as a Service.

Virtual private networks

A virtual private network, or VPN, extends a private network across a public network such as the Internet. A VPN enables a computer to send and receive data across public networks as if it were directly connected to the private network. Neutron provides a set of APIs to allow users to create IPSec-based VPN tunnels from Neutron routers to remote gateways when using the open source reference implementation. More information on creating and managing virtual private networks can be found in Chapter 12, Virtual Private Network as a Service.

Network functions virtualization

Network functions virtualization, or NFV, is a network architecture concept that proposes using traditional virtualization techniques to replace standalone network appliances used for various network functions. These functions include intrusion detection, caching, gateways, WAN accelerators, firewalls, and more. Support for NFV within OpenStack is growing, but requires a major shift in the current design model to support features such as VLAN trunking directly to virtualized instances, unaddressed interfaces, and others that may be required by network devices. In Juno, support for SR-IOV, also known as single root I/O virtualization, was introduced. Using SR-IOV, instances are no longer required to use para-virtualized drivers or to be connected to virtual bridges within the host. Instead, the instance is attached to an SR-IOV port that is associated with a virtual function (VF) in the NIC, allowing the instance to access the NIC hardware directly. Explaining how to configure support for SR-IOV is outside the scope of this book, but more information can be found on the OpenStack Wiki at https://wiki.openstack.org/.

Preparing the physical infrastructure

When architecting the network, it is important to first determine how the cloud will be used. Is a highly scalable environment with multiple levels of network, hardware, and service redundancy required? Or, are your needs less complex, requiring nothing more than a sandbox for application development, with little concern given to the resiliency of the network or compute platform? Are all of the advanced networking features that OpenStack Networking has to offer in terms of routing, firewalling, and load balancing required? Or, are you looking to leverage existing physical hardware in the data center to accomplish those tasks?

OpenStack Networking can serve many roles within different clouds but is better at some technologies than others. The purpose of the cloud itself, along with security requirements and available hardware, will play a big part in determining the architecture of the network and OpenStack's role in the network.

The official OpenStack website (www.openstack.org) provides reference architectures for OpenStack clouds leveraging Neutron networking that involves a combination of one or more of the following nodes:

Controller node
Network node
Compute node

Before the installation of OpenStack can begin, the physical network infrastructure must be configured to support the networks needed for an operational cloud. In the following diagram, I have highlighted the area of responsibility for the network administrator:

Figure 1.1

The physical network infrastructure must be configured to support OpenStack Networking, which can include a dedicated management interface, a network dedicated to overlay network traffic, and one or more networks that provide external connectivity to instances. As shown in the preceding diagram, the configuration of interfaces and networks represented in the top half of the diagram are the responsibility of the network or system administrator. These responsibilities include the configuration of physical switches, firewalls, or routers as well as interfaces on the servers themselves. The bottom half of the diagram represents interfaces and devices such as virtual switches and virtual machines that will be configured automatically by OpenStack.

In the next few chapters, I will define networks and VLANs that will be used throughout the book to demonstrate the various components of OpenStack Networking. Generic information on the configuration of switch ports, routers, or firewalls can be found in the upcoming chapters as well.

Types of network traffic

The reference architecture for OpenStack Networking defines at least four distinct types of traffic that will be seen on the network:

Management
API
External
Guest

Although I have taken the liberty of splitting out the network traffic into dedicated interfaces in this book, it is not necessary to do so to create an operational OpenStack cloud. In fact, many administrators and distributions choose to collapse multiple traffic types onto single or bonded interfaces using VLAN tagging. Depending on the chosen deployment model, the administrator may spread networking services across multiple nodes or collapse them onto a single node. The security requirements of the enterprise deploying the cloud will often dictate how the cloud is built. The various network and service configurations will be discussed in the upcoming sections.

Management network

The management network, also referred to as the internal network in some distributions, is used for internal communication between hosts for services such as the messaging service and database service. All hosts will communicate with each other over this network. In many cases, this same interface may be used to facilitate Glance image transfers between hosts or some other bandwidth-intensive traffic. The management network can be configured as an isolated network on a dedicated interface or combined with another network, as described in the following section.

API network

The API network is used to expose OpenStack APIs to users of the cloud and services within the cloud. Endpoint addresses for services, such as Keystone, Neutron, Glance, and Horizon, are procured from the API network.

It is a common practice to utilize a single interface and IP address for API endpoints and management access to the host itself over SSH. A diagram of this configuration is provided later in this chapter.

Tip

It is recommended, though not required, that you physically separate management and API traffic from other traffic types, such as storage traffic, to avoid issues with network congestion that may affect operational stability.

External network

An external network provides Neutron routers with network access. Once a router has been configured and attached to the external network, the network becomes the source of floating IP addresses for instances and other network resources. IP addresses in an external network are expected to be routable and reachable by clients on a corporate network or the Internet.

Guest network

The guest network is a network dedicated to instance traffic. Options for guest networks include local networks restricted to a particular node, flat or VLAN-tagged networks, or virtual overlay networks made possible with GRE or VXLAN encapsulation. For more information on guest networks, refer to Chapter 5, Creating Networks with Neutron.

The physical interfaces used for external and guest networks can be dedicated interfaces or ones that are shared with other types of traffic. Each approach has its benefits and drawbacks, and they are described in more detail later in the chapter.

Physical server connections

The number of interfaces needed per host is dependent on the purpose of the cloud, the security and performance requirements of the organization, and the availability of hardware.

A single interface per server that results in a combined control and data plane is all that is needed for a fully operational OpenStack cloud. Many organizations choose to deploy their cloud this way, especially when port density is at a premium. Collapsed networking may also be used when the environment is simply used for testing, or network failure at the node level is a non-impacting event. It is my recommendation, however, that you split control and data traffic across multiple interfaces whenever possible.

Single interface

For hosts using a single interface, all traffic to and from instances as well as internal OpenStack, SSH management, and API traffic traverse the same interface. This configuration can result in severe performance degradation, as a guest can create a denial of service attack against its host by consuming all available bandwidth.

The following diagram demonstrates the use of a single physical interface for all traffic when using the Open vSwitch driver. On the controller node, a single interface is connected to a bridge and handles external, guest, management, and API service traffic. On the compute node, a single interface handles guest and management traffic:

Figure 1.2

In the preceding diagram, all OpenStack service and management traffic traverses the same physical interface as guest traffic.

Multiple interfaces

To reduce the likelihood of guest network bandwidth consumption impacting management traffic and to maintain a more robust security posture, segregation of traffic between multiple physical interfaces is recommended. At a minimum, two interfaces should be used: one that serves as a dedicated interface for management and API traffic and another that serves as a dedicated interface for external and guest traffic. Additional interfaces can be used to further segregate traffic. The following diagram demonstrates traffic split across two physical interfaces when using the Open vSwitch driver:

Figure 1.3

In the preceding diagram, a dedicated physical interface on the controller node handles OpenStack API and management traffic. Another interface is connected to a bridge that handles external and overlay traffic to and from Neutron routers and other network resources. On the compute node, a dedicated physical interface is used for management traffic and another for overlay traffic to and from instances.

In this book, the environment will be built using three interfaces: one for management and API traffic, one for external or VLAN tenant network traffic, and another for overlay network traffic:

Figure 1.4

In the preceding diagram, a dedicated interface on the controller node handles OpenStack API and management traffic. Another dedicated interface handles overlay traffic, and another is connected to a bridge that handles external traffic. On the compute node, a dedicated interface is used for management traffic, another dedicated interface handles overlay traffic, and another is connected to a bridge that handles VLAN traffic when VLAN tenant networks are in use.

Bonding

NIC bonding offers users the ability to multiply available bandwidth by aggregating links. Two or more physical interfaces can be combined to create a single virtual interface, or bond, which can then be placed in a bridge or used as a regular interface. The technology used to accomplish this is known as IEEE 802.1ad Link Aggregation Control Protocol, or LACP. The physical switching infrastructure must be capable of supporting this type of bond. Legacy switching devices required the multiple links of a bond to be connected to the same switch. Modern devices support technology such as vPC and MLAG. They allow links of a bond to be connected to two switches, providing hardware redundancy between switches while allowing users the full bandwidth of the bond in normal operating conditions, with no changes to the server configuration necessary.

In addition to aggregating interfaces, bonding can also refer to the ability to create redundant links in an active/passive manner. Both links are simultaneously cabled to a switch or pair of switches, but only one interface is active at any given time. Both types of bonds can be created within the operating system when the appropriate kernel module is installed. Bonding can be configured in Open vSwitch if desired, but is outside the scope of OpenStack and this book.

Bonding interfaces can be an inexpensive way to provide hardware-level network redundancy to the cloud infrastructure. If you are interested in configuring NIC bonding on your hosts, refer to the Ubuntu bonding page at https://help.ubuntu.com/community/UbuntuBonding.

Note

Bonding configurations vary greatly between Linux distributions. Refer to the respective documentation of your Linux distribution for assistance in configuring bonding.

Separating services across nodes

Like other OpenStack services, cloud operators can split OpenStack Networking services across multiple nodes. Small deployments may use a single node to host all services, including networking, compute, database, and messaging. Others might find benefit in using a dedicated compute node and a dedicated network node to handle guest traffic routed through software routers and to offload Neutron DHCP and metadata services. The following sections describe a few common service deployment models.

Using a single controller node

In an environment consisting of a single controller and one or more compute nodes, the controller will likely handle all networking services and other OpenStack services, while the compute nodes strictly provide compute resources.

The following diagram demonstrates a controller node hosting all OpenStack management and networking services where the Neutron layer 3 agent is not utilized. Two physical interfaces are used to separate management and instance network traffic:

Figure 1.5

The preceding diagram reflects the use of a single combined controller/network node and one or more compute nodes, with Neutron providing only layer 2 connectivity between instances and external gateway devices. An external router is needed to handle routing between network segments.

The following diagram demonstrates a controller node hosting all OpenStack management and networking services, including the Neutron L3 agent. Three physical interfaces are used to provide separate control and data planes:

Figure 1.6

The preceding diagram reflects the use of a single combined controller/network node and one or more compute nodes in a network configuration that utilizes the Neutron L3 agent. Software routers created with Neutron reside on the controller node and handle routing between connected tenant networks and external provider networks.

The environment built out in this book will be composed of a single controller node running all OpenStack network services and two compute nodes running Nova compute services.

Using a dedicated network node

A network node is dedicated to handling most or all the OpenStack Networking services, including the L3 agent, DHCP agent, metadata agent, and more. The use of a dedicated network node provides additional security and resilience, as the controller node will be at less risk of network and resource saturation. Some Neutron services, such as the L3 and DHCP agents and the Neutron API service, can be scaled out across multiple nodes for redundancy and increased performance.

The following diagram demonstrates a network node hosting all OpenStack Networking services, including the Neutron L3, DHCP, metadata, and LBaaS agents. The Neutron API service, however, remains installed on the controller node. Three physical interfaces are used where necessary to provide separate control and data planes:

Figure 1.7

The preceding diagram reflects the use of a dedicated network node in a network configuration that utilizes the Neutron L3 agent. Software routers created with the Neutron API reside on the network node and handle routing between connected tenant networks and external provider networks. The neutron-server Neutron API service remains on the controller node.

Key benefits

• This completely up-to-date edition will show you how to deploy a cloud on OpenStack using community-driven processes. It includes rich examples that will help you understand complex networking topics with ease.

• Understand every aspect of designing, creating, customizing, and maintaining the core network foundation of an OpenStack cloud using OpenStack Neutron all in one book.

• Written by best-selling author James Denton, who has more than 15 years of experience in system administration and networking. James has experience of deploying, operating, and maintaining OpenStack clouds and has worked with top enterprises and organizations.

Description

OpenStack Neutron is an OpenStack component that provides networking as a service for other OpenStack services to architect networks and create virtual machines through its API. This API lets you define network connectivity in order to leverage network capabilities to cloud deployments. Through this practical book, you will build a strong foundational knowledge of Neutron, and will architect and build an OpenStack cloud using advanced networking features. We start with an introduction to OpenStack Neutron and its various components, including virtual switching, routing, FWaaS, VPNaaS, and LBaaS. You’ll also get hands-on by installing OpenStack and Neutron and its components, and use agents and plugins to orchestrate network connectivity and build a virtual switching infrastructure. Moving on, you’ll get to grips with the HA routing capabilities utilizing VRRP and distributed virtual routers in Neutron. You’ll also discover load balancing fundamentals, including the difference between nodes, pools, pool members, and virtual IPs. You’ll discover the purpose of security groups and learn how to apply the security concept to your cloud/tenant/instance. Finally, you' ll configure virtual private networks that will allow you to avoid the use of SNAT and floating IPs when connecting to remote networks.

Who is this book for?

If you are an OpenStack-based cloud operator and administrator who is new to Neutron networking and wants to build your very own OpenStack cloud, then this book is for you. Prior networking experience and a physical server and network infrastructure is recommended to follow along with concepts demonstrated in the book.

What you will learn

• Architect and install the latest release of OpenStack on Ubuntu Linux 14.04 LTS

• Review the components of OpenStack networking, including plugins, agents, and services, and learn how they work together to coordinate network operations

• Build a virtual switching infrastructure using reference architectures based on ML2 + Open vSwitch or ML2 + LinuxBridge

• Create networks, subnets, and routers that connect virtual machine instances to the network

• Deploy highly available routers using DVR or VRRP-based methods

• Scale your application with haproxy and Load Balancing as-a-Service

• Implement port and router-level security using Security Groups and Firewall as-a-Service

• Provide connectivity to tenant networks with Virtual Private Networking as-a-Service (VPNaaS)

• Find out how to manage OpenStack networking resources using CLI and GUI-driven methods

What do you get with Print?

Instant access to your digital eBook copy whilst your Print order is Shipped

Paperback book shipped to your preferred address

Download this book in EPUB and PDF formats

Access this title in our online reader with advanced features

DRM FREE - Read whenever, wherever and however you want

Frequently bought together

₹4096.99

Learning OpenStack Networking (Neutron), Second Edition

₹4096.99

Total ₹ 8,193.98

Filter reviews by

All

Amazon verified reviews

Ceylan and Ceren Apr 21, 2016

Having a good networking background in firewalls and load-balancers, this book helped me tremendously to get my lab working in no time. It goes in detail into how Neutron works, all the components. Last 4 chapters is where you get into the real life scenarios. It also gives good pointers on how Openstack networking evolved over time.If you are new to OpenStack and networking is your focus, you cannot go wrong with this book.

Amazon Verified review

andrea Dec 22, 2015

Un ottimo testo che approccia in maniere chiara e dettagliata neutron. La seconda edizione offre un aggiornamento sull'evoluzione di openstack

Customer Jul 17, 2018

Helpful

Jonathan Velez Jun 27, 2016

This book is a very good high level intro into OpenStack networking but just as the author prefaces, you must have a good handle on networking and system administration before hand. OpenStack has so many moving parts and its quite refreshing to get an understanding of a single piece of the puzzle. The explanations in this edition are more concise in comparison to the first edition which in my opinion had a lot extra material that caused it to be a little bit more confusing in a system with so much going in the background already.I was able to setup my environment with relative ease with minimal linux knowledge and mess around with the interface as it should be. I would still like a troubleshooting section but to be honest everything was relatively easy.

SuJo Jan 31, 2016

Neutron looks really pretty on the surface, but it is still a very complex system to digest. This book is highly recommended for configuring OpenStack Networking if you're using Neutron. As another reviewer recommended having this in your OpenStack library for Administration purposes, I couldn't agree more. The book is very clear, concise, and stays on track. Following along is a breeze and the detailed information is well worth the cost alone for this book.

Learning OpenStack Networking (Neutron), Second Edition: Wield the power of OpenStack Neutron networking to bring network infrastructure and capabilities to your cloud

What do you get with Print?

Features of OpenStack Networking

Switching

Routing

Load balancing

Firewalling

Virtual private networks

Network functions virtualization

Management network

API network

External network

Guest network

Key benefits

Description

Who is this book for?

What you will learn

Product Details

What do you get with Print?

Product Details

Packt Subscriptions

Frequently bought together

Table of Contents

Recommendations for you

Customer reviews

Filter reviews by

People who bought this also bought

About the author

FAQs