Neutron Networking: Service Groups, Policies and Chains

© 2014 IBM Corporation
Neutron Networking: Service Groups, Policies and Chains
OpenStack Meetup - IBM OpenStack Lightning Talks
John M. Tracey for Mohammad Banikazemi
October 7, 2014
IBM T. J. Watson Research Center

Description

Lightning talk from the OpenStack NYC meetup on October 8, 2014. http://bit.ly/ibm-os-meetup
By John M. Tracey for Mohammad Banikazemi
The content of this talk is a statement from the IBM Research division, not IBM product divisions, and is not a statement from IBM regarding its plans, directions or product intents. Any activities described by this talk are subject to change.

Transcript of Neutron Networking: Service Groups, Policies and Chains

Page 1: Neutron Networking: Service Groups, Policies and Chains

OpenStack Meetup - IBM OpenStack Lightning Talks
John M. Tracey for Mohammad Banikazemi
October 7, 2014
IBM T. J. Watson Research Center

Page 2: Agenda

§ Current Neutron application programming interface
§ Example multi-tier application with current API
§ Application-centric abstraction
§ Group-based policy constructs
§ Example multi-tier application with policy extension
§ For more information

Page 3: Abstract

§ Neutron is OpenStack’s networking service. It defines an API, but allows different implementations to be plugged in.
§ The current OpenStack Neutron API provides constructs that are closely tied to physical network entities.
§ To better support application developers and allow better separation of application and infrastructure concerns, a Neutron blueprint is well underway that adds a set of higher-level abstractions to Neutron, known as group-based policy.

Page 4: Neutron application programming interface

• Current Neutron API is somewhat low-level
• Neutron constructs mirror physical devices
  • Network: layer-2 broadcast domain; private/shared
  • Port: virtual switch port on a network; has MAC and IP address properties
  • Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers
  • Router: provides IP routing among networks, supports source NAT

Page 5: Example multi-tier application

[Diagram: tiers labelled Web Application and Database, with a Firewall and Load Balancer between them and the External Network (Internet)]

Page 6: Example multi-tier application with current Neutron CLI

[Diagram: three Network/subnet pairs joined by a Router, each tier attached through a Port, plus the External Network]

# Build one tier; the subnet is given a name so the router step can reference it
neutron net-create web_tier
neutron subnet-create --name web_tier web_tier 10.0.0.0/24
neutron router-create router1
# router-interface-add takes a subnet (name or ID), not a network
neutron router-interface-add router1 web_tier

Page 7: Application-centric abstraction

• Need a more application-centric set of abstractions as well
  • More easily understood/utilized by higher layers
  • Declarative model
  • Separation of concerns (application/infrastructure)
• Provide policy-based connectivity between application tiers
• Enable redirection to network services and service chains
• Support dynamic application of policies

Page 8: Group-based policy constructs

• Endpoint (EP)
  • Lowest unit of abstraction to which policy is applied
• Endpoint Group (EPG)
  • Logical grouping of endpoints
• Policy Rule
  • Specifies allowed/disallowed network access to EPGs
• Policy (a.k.a. contract)
  • Collection of policy rules

Page 9: Example multi-tier application with GBP extension

[Diagram: EPG External Network (Internet), EPG Web, EPG Application, EPG Database and a Firewall (EPG = Endpoint Group). The policy between the groups has three rules: Protocol:TCP Port:80 Action:Redirect To FW_LB_CHAIN; Protocol:TCP Port:9080 Action:ALLOW; Protocol:TCP Port:3306 Action:ALLOW]

neutron classifier-create Insecure-Web-Access --port 80 \
    --protocol TCP --direction IN
neutron policy-rule-create insecure-web --policy-classifier \
    Insecure-Web-Access --actions ALLOW
neutron contract-create Web-Server-Contract --policy-rule insecure-web
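As an added illustration that is not part of the talk or of Neutron's code, the constructs from Page 8 (endpoint, endpoint group, classifier, policy rule, contract) modelled in Python and used to evaluate the policy drawn on Page 9. The provider/consumer binding of contracts to EPGs, the endpoint names and the contract names other than Web-Server-Contract are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Endpoint:            # EP: lowest unit to which policy is applied
    name: str
    epg: str               # name of the endpoint group it belongs to

@dataclass(frozen=True)
class Classifier:          # traffic match: protocol and destination port
    protocol: str
    port: int

@dataclass(frozen=True)
class PolicyRule:          # classifier -> action ("ALLOW" or "REDIRECT:<chain>")
    classifier: Classifier
    action: str

@dataclass
class Contract:            # policy: rules plus the EPGs allowed to consume it
    name: str
    rules: list = field(default_factory=list)
    consumers: frozenset = frozenset()

def evaluate(providers, src, dst, protocol, port):
    """Action for a flow src -> dst. `providers` maps an EPG name to the contract
    that EPG provides (assumed binding model). Flows from a non-consumer EPG or
    matching no rule fall through to DENY: only listed access is granted."""
    contract = providers.get(dst.epg)
    if contract is None or src.epg not in contract.consumers:
        return "DENY"
    for rule in contract.rules:
        if rule.classifier == Classifier(protocol, port):
            return rule.action
    return "DENY"

def page9_policy():
    """Constructed reproduction of the slide's policy; only Web-Server-Contract
    is named on the slide, the other two contract names are made up here."""
    web = Contract("Web-Server-Contract", consumers=frozenset({"External"}),
                   rules=[PolicyRule(Classifier("TCP", 80), "REDIRECT:FW_LB_CHAIN")])
    app = Contract("App-Contract", consumers=frozenset({"Web"}),
                   rules=[PolicyRule(Classifier("TCP", 9080), "ALLOW")])
    db = Contract("DB-Contract", consumers=frozenset({"Application"}),
                  rules=[PolicyRule(Classifier("TCP", 3306), "ALLOW")])
    return {"Web": web, "Application": app, "Database": db}

if __name__ == "__main__":
    inet, db = Endpoint("inet", "External"), Endpoint("db1", "Database")
    print(evaluate(page9_policy(), inet, Endpoint("web1", "Web"), "TCP", 80))  # REDIRECT:FW_LB_CHAIN
    print(evaluate(page9_policy(), inet, db, "TCP", 3306))  # DENY: External does not consume DB-Contract
```

The last call shows the point of the abstraction for a defender: reaching the database on 3306 is allowed only from the Application group, and anything the contracts do not mention is denied.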

Page 10: For further information

• Neutron wiki
  • https://wiki.openstack.org/wiki/Neutron
  • https://ibm.biz/BdFyZu
• Blueprints for Neutron
  • https://blueprints.launchpad.net/neutron
  • https://ibm.biz/BdE4dC
• Group-based policy abstractions for Neutron
  • https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
  • https://ibm.biz/BdE4dQ
