Chapter 1.  OpenStack Networking in a Nutshell

Information technology (IT) applications are rapidly moving from dedicated infrastructure to dynamic, cloud-based infrastructure. This move to the cloud started with server virtualization, where a hypervisor on one physical server hosts several virtual machines. The adoption of cloud-based applications has accelerated due to factors such as globalization and outsourcing, where geographically diverse teams need to collaborate in real time.

Server hardware connects to network switches using Ethernet and IP to establish network connectivity. However, as servers move from physical to virtual, the network boundary also moves from the physical network to the virtual network. Traditionally, applications, servers, and networking were tightly integrated. But modern enterprises and IT infrastructure demand flexibility in order to support complex applications.

The flexibility of cloud infrastructure requires networking to be dynamic and scalable. Software-Defined Networking (SDN) and Network Function Virtualization (NFV) play a critical role in data centers in order to deliver the flexibility and agility demanded by cloud-based applications. By providing practical management tools and abstractions that hide the underlying physical network's complexity, SDN allows operators to build complex networking capabilities on demand.

OpenStack is an open source cloud platform for building public and private clouds at scale. Within OpenStack, the networking project is named Neutron. Neutron's functionality can be classified as core networking (L2 connectivity and L3 routing) and network services built on top of it.

This chapter aims to provide a short introduction to OpenStack Networking. We will cover the following topics in this chapter:

  • Understanding traffic flows between virtual and physical networks
  • Neutron entities that support Layer 2 (L2) networking
  • Layer 3 (L3) or routing between OpenStack networks
  • Securing OpenStack network traffic
  • Advanced networking services in OpenStack
  • OpenStack and SDN

The terms Neutron and OpenStack Networking are used interchangeably throughout this book.

Virtual and physical networking

Server virtualization led to the adoption of virtualized applications and workloads running inside physical servers. While physical servers are connected to the physical network equipment, modern networking has pushed the boundary of networks into the virtual domain as well. Virtual switches, firewalls, and routers play a critical role in the flexibility provided by cloud infrastructure:


Figure 1: Networking components for server virtualization

The preceding diagram describes a typical virtualized server and its various networking components.

The virtual machines are connected to a Virtual Switch inside the Compute Node (or server). The traffic is secured using virtual routers and firewalls. The Compute Node is connected to a Physical Switch, which is the entry point into the physical network.

Let us now walk through different traffic flow scenarios using Figure 1 as the background. In Figure 2, traffic from one VM to another on the same Compute Node is forwarded by the Virtual Switch itself. It does not reach the physical network. You can even apply firewall rules to traffic between the two virtual machines:


Figure 2: Traffic flow between two virtual machines on the same server

Next, let us have a look at how traffic flows between virtual machines across two compute nodes. In Figure 3, the traffic comes out from the first Compute Node and then reaches the Physical Switch. The Physical Switch forwards the traffic to the second Compute Node and the Virtual Switch within the second Compute Node steers the traffic to the appropriate VM:


Figure 3: Traffic flow between two virtual machines on different servers

Finally, the following diagram is a depiction of traffic flow when a virtual machine sends or receives traffic from the Internet. The Physical Switch forwards the traffic to the Physical Router and Firewall, which is presumed to be connected to the Internet:


Figure 4: Traffic flow from a virtual machine to external network

As seen in the preceding diagrams, the physical and the virtual network components work together to provide connectivity to virtual machines and applications.

Tenant isolation

As a cloud platform, OpenStack supports multiple users grouped into tenants. One of the key requirements of a multi-tenant cloud is to isolate the data traffic of one tenant from that of every other tenant sharing the same infrastructure. OpenStack supports several ways of achieving this isolation (for example, tagging each tenant network's traffic with a VLAN ID or carrying it in a tunnelling overlay), and whichever mechanism is used, it is the responsibility of the virtual switch on each compute node to enforce the isolation at the VM's port.
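The following is an added example, not code from this book, from Neutron or from Open vSwitch. It models the per-node virtual switch of Figures 2 to 4 with a tenant segment bound to each VM port and replays the same-node, cross-node and cross-tenant flows, so that the isolation behaviour described above can be checked rather than only described. The node names, port names, MAC addresses and segment numbers are made up for the example.

```python
"""Toy model of the per-compute-node virtual switch (Figures 2-4) enforcing
tenant isolation.  Added example: not code from the book, Neutron or OVS.
Each VM port is an access port bound to one tenant segment (the role a VLAN
ID or VXLAN VNI plays in a real deployment); the uplink is a trunk towards
the physical switch.  Node, port and MAC names are invented."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UPLINK = "uplink"                      # port facing the physical switch
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    segment: Optional[int] = None      # None = untagged, as a VM emits it


class VirtualSwitch:
    def __init__(self, name: str) -> None:
        self.name = name
        self.ports: Dict[str, int] = {}             # VM port -> segment
        self.fdb: Dict[Tuple[int, str], str] = {}   # (segment, MAC) -> port

    def attach(self, port: str, segment: int) -> None:
        self.ports[port] = segment

    def receive(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Forward one frame; returns {out_port: frame as it leaves}."""
        if in_port == UPLINK:
            if frame.segment is None:
                return {}                # untagged from the fabric: no tenant, drop
            seg = frame.segment
        else:
            if frame.segment is not None:
                return {}                # guest tried to choose its own tag: drop
            seg = self.ports[in_port]    # tag comes from the port binding, not the guest
        # Learning is keyed on (segment, MAC), so tenants may reuse MAC addresses.
        self.fdb[(seg, frame.src_mac)] = in_port
        known = self.fdb.get((seg, frame.dst_mac))
        if frame.dst_mac == BROADCAST or known is None:
            # Flood, but only to ports of the same segment (plus the trunk).
            targets = [p for p, s in self.ports.items() if s == seg and p != in_port]
            if in_port != UPLINK:
                targets.append(UPLINK)
        elif known == in_port:
            targets = []
        else:
            targets = [known]            # known unicast: never leaves the node if local
        tagged = Frame(frame.src_mac, frame.dst_mac, seg)
        untagged = Frame(frame.src_mac, frame.dst_mac, None)
        return {p: (tagged if p == UPLINK else untagged) for p in targets}


def deliver(nodes: Dict[str, VirtualSwitch], node: str, port: str,
            frame: Frame) -> Dict[str, Dict[str, Frame]]:
    """Inject a frame at (node, port); return {node: {vm_port: frame}} for
    every VM port that receives it.  The physical switch is modelled as
    handing any uplink frame to the other nodes' uplinks (Figure 3)."""
    out = nodes[node].receive(port, frame)
    result: Dict[str, Dict[str, Frame]] = {}
    local = {p: f for p, f in out.items() if p != UPLINK}
    if local:
        result[node] = local
    if UPLINK in out:
        for other, sw in nodes.items():
            if other == node:
                continue
            remote = {p: f for p, f in sw.receive(UPLINK, out[UPLINK]).items()
                      if p != UPLINK}
            if remote:
                result[other] = remote
    return result


def run_scenarios() -> Dict[str, Dict[str, Dict[str, Frame]]]:
    """Two tenants, red = segment 100 and blue = segment 200, on two nodes."""
    n1, n2 = VirtualSwitch("compute1"), VirtualSwitch("compute2")
    n1.attach("vmA", 100); n1.attach("vmE", 100); n1.attach("vmC", 200)
    n2.attach("vmB", 100); n2.attach("vmD", 200)
    nodes = {"compute1": n1, "compute2": n2}
    A, E, C = "fa:16:3e:00:00:0a", "fa:16:3e:00:00:0e", "fa:16:3e:00:00:0c"
    B_AND_D = "fa:16:3e:00:00:0b"       # blue's vmD deliberately reuses red's MAC
    r = {}
    r["arp"] = deliver(nodes, "compute1", "vmA", Frame(A, BROADCAST))       # red only
    r["same_node"] = deliver(nodes, "compute1", "vmE", Frame(E, A))         # Figure 2
    r["cross_node"] = deliver(nodes, "compute2", "vmB", Frame(B_AND_D, A))  # Figure 3
    r["shared_mac"] = deliver(nodes, "compute1", "vmA", Frame(A, B_AND_D))  # vmB, not vmD
    r["cross_tenant"] = deliver(nodes, "compute1", "vmC", Frame(C, A))      # vmA never sees it
    r["forged_tag"] = deliver(nodes, "compute1", "vmC", Frame(C, A, 100))   # dropped
    return r


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        reached = {n: sorted(ports) for n, ports in res.items()}
        print(f"{name:12s} -> {reached}")
```

Three design choices carry the security point. The segment is taken from the port binding and a guest-supplied tag is dropped, which is how an Open vSwitch access port behaves (tagged frames ingressing an access port are discarded), so a tenant cannot hop segments by tagging its own frames. Flooding of broadcast and unknown-unicast frames is scoped to ports of the same segment plus the trunk, so an ARP from tenant red never reaches a blue VM even on the same node. Finally, MAC learning is keyed on (segment, MAC), so two tenants can reuse an address without one receiving the other's frames; that is why the `shared_mac` scenario reaches only vmB.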
