Page 1

How Neutron Builds Network Topology For Your Multi-tier Application

Sadique Puthen, Principal Technical Support Engineer, Red Hat
20 May 2015, Openstack Summit, Vancouver

Page 2

Agenda

❖ Neutron Overview
➢ Native and External components
➢ Network Namespace
❖ Application Network Topology
➢ How to build application network topology
❖ Correlate application topology with Neutron
➢ What happens inside neutron when we build it?
➢ Explore with Native HA available in neutron
❖ Why am I doing this?

Page 3

Neutron Overview and Components

Page 4

Neutron Overview

❖ Neutron is a project within Openstack that delivers Networking-as-a-Service.
➢ Create/manage/remove Networks, Routers, Load Balancers, Firewalls, VPNs, Layer 2 flows, etc. on demand.
➢ Involves multiple neutron native components.
➢ Depends highly on external components.

Page 5

Neutron Components

❖ Native components involved:
➢ Neutron API
➢ Neutron DHCP Agent
➢ Neutron Layer 3 Agent
➢ Neutron LbaaS Agent
➢ Neutron FWaaS Agent
➢ Neutron VPNaaS Agent
➢ Metadata Agent
➢ Neutron Layer 2 Agent
◆ e.g. Neutron Openvswitch Agent
◆ Other third party Agents

[Figure: Neutron components. The Neutron API servers sit on a database and a message queue, which connect them to the lbaas, dhcp, l3, metadata, layer 2, fwaas and vpn agents.]

Page 6

Neutron External Components

❖ External Components:
➢ Network Namespace
➢ Openvswitch
➢ Dnsmasq
➢ Libreswan/Openswan
➢ Keepalived
➢ Haproxy or a third party HA daemon
➢ Iptables firewall
◆ DNAT/SNAT
➢ Networking userspace components
➢ kernel

[Figure: the native agents (Layer 2, Metadata, VPN, L3, DHCP, fwaas, LBaaS, API Server) drawn next to the external components they rely on: Openvswitch, dnsmasq, openswan, iptables with DNAT/SNAT, haproxy, keepalived, kernel and networking tools.]

Page 7

Namespace and Network Namespace

❖ A namespace allows isolation of a group of resources to its own space.
➢ These resources in the group run with the illusion that they are the only processes on the system.
➢ Multiple such groups can run on a system without knowing each other.
■ This allows each group to use the same parameters.

[Figure: namespace1, namespace2 and namespace3 on one Operating System/Kernel, each with its own interface, iptables, routing and an httpd on 192.168.1.1 port 80.]

➢ Grouping network related resources in such a way forms network namespaces.
■ Neutron uses this to support overlapping ip addressing.

Page 8

Neutron Physical Topology

❖ Neutron components are usually spread into three types of physical systems.
➢ Controllers.
■ Usually more than one node is deployed for high availability.
■ Runs neutron API server.
➢ Network Nodes.
■ Usually more than one node is deployed for high availability.
■ Runs l3, dhcp, lbaas, vpn and layer 2 agents.
➢ Compute nodes run layer 2 agent.

[Figure: Controller Nodes each running neutron-server; Network Nodes each running dhcp-agent, l3-agent, lbaas-agent, vpn-agent, layer 2 agent and metadata-agent; Compute Nodes running Layer 2 agents.]

Page 9

Application Network Topology

Page 10

Multi-Tier Application Network Topology

[Figure: Tenant X across Openstack Site A and Openstack Site B. Site A: Internet, Floating IP and Load Balancer in front of three private networks (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24) for the Web server, Application Server and Database tiers, each holding several instances. Site B: Remote Network (192.168.4.0/24) with instances.]

Page 11

Example multi-tier application

TenantA has two sites siteA and siteB.

❖ On Site A
➢ The application that we are going to build involves
■ A web tier with a load balancer in the front.
■ An application tier.
■ A database tier.
➢ Each tier is isolated to its own private network.
■ Connected together using separate virtual routers.
■ Webserver network is also connected to internet.
■ There is a firewall between each network.
➢ HTTP requests from end users arrive on a floating ip that forwards them to the private VIP of the load balancer.

[Figure: Site A: Internet, Floating IP, Load Balancer, Web server Network, Application Server Network and Database Network (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24), each with several instances.]

Page 12

Example multi-tier application

TenantA has two sites siteA and siteB.

❖ On Site B
➢ Tenant has one private network connected to Internet.
➢ The web server private network and this private network need to be connected together using a VPN for secure data transfer and to enable direct network communication.

[Figure: Site B: Remote Network (192.168.4.0/24) with instances, connected to the Internet.]

Page 13

How To Build It? What Happens Inside Neutron?

Page 14

How to build it? Neutron Topology.

❖ There are multiple ways to build it.
➢ Use horizon dashboard.
➢ Use CLI.
➢ Via API.
➢ Use a heat template to automate them.
❖ The neutron topology that I am going to correlate with has two network nodes.
➢ Each neutron agent runs with HA using an HA tool (not discussed here).
➢ Tenant virtual routers and dhcp processes for each network run with native HA available in neutron.

[Figure: two network nodes, each with br-int, br-tun and br-ex, both connected to the Internet.]

Page 15

Create Networks

❖ On Site A, create three networks and spawn instances to them.
➢ Specify name, subnet, gateway, allocation pool, etc. during creation.

[Figure: screenshots numbered 1, 2 and 3 of the network creation steps.]

Page 16

Create Networks - Spawn instances to networks

❖ Create networks and spawn instances to them.
➢ neutron-api service accepts the request and moves it to AMQP for further processing.
➢ For dhcp-agent:
■ Create qdhcp-xx namespace.
■ Create a port in the namespace, tag it using the internal vlan id and attach it to br-int.
■ Spawn a dnsmasq process to serve the network bound to the port.
➢ On Network node:
■ Add required ovs flows to map the internal vlan id for each network to the tunnel id and vice-versa.
■ Tag associated ports for each network using its internal vlan id.

[Figure: two network nodes, each with br-int and br-tun and the qdhcp-web, qdhcp-app and qdhcp-db namespaces, each running dnsmasq; Web server network, Application server network and Database network with instances; ports labelled 5, 6 and 7.]

Page 17

Spawn Instances to Networks - Compute node

❖ Associate each private network with an internal ovs vlan id.
➢ This vlan id is translated to a gre/vxlan tunnel id or an external vlan id before the packet is transported over the shared physical device, and vice-versa.
➢ For each instance nic:
■ Create a linux bridge.
● Connect the instance nic to it. Security group rules are applied here.
● Connect it to br-int using a patch-peer.
● When the packet reaches the patch-peer end on br-int, tag the packet using the internal vlan id for that network.
■ The packet is then moved to br-tun, where a flow in ovs removes the vlan id, adds the tunnel id associated with the network and moves it to the physical network devices.
■ The return packet does this in the reverse order.

[Figure: compute node with br-int and br-tun, ports labelled 6 and 5.]
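The vlan-to-tunnel translation on this slide, together with the overlapping-address point from the namespace slide (page 7), as an added example; this is not code from the talk or from Neutron. It models br-int as a table of (local vlan id, ip) ports and br-tun as the two translation flows, egress (local vlan to tunnel id) and ingress (tunnel id to local vlan). `Node`, `Packet`, `send` and the values in `TUNNEL_ID` are this example's own constructed names and numbers, and the model assumes that each node's layer 2 agent allocates internal vlan ids independently, so the same network can carry different local ids on different nodes.

```python
# Added example (not from the talk or Neutron): a toy model of the per-node
# internal vlan id <-> tunnel id translation that br-int/br-tun perform.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    payload: str


# Constructed sample: tunnel (segmentation) ids are global per network, while the
# internal vlan id is chosen independently by each node's layer 2 agent (assumption).
TUNNEL_ID = {"web": 100, "app": 101, "db": 102}


@dataclass
class Node:
    name: str
    local_vlan: dict                              # network name -> internal ovs vlan id
    ports: dict = field(default_factory=dict)     # (vlan id, ip) -> port name on br-int
    log: list = field(default_factory=list)       # (port, payload) delivered here

    def attach(self, network, ip, port):
        """Attach an instance nic: its br-int port is tagged with the network's local vlan."""
        self.ports[(self.local_vlan[network], ip)] = port

    def to_tunnel(self, vlan):
        """br-tun egress flow: strip the local vlan id, set the tunnel id of that network."""
        for network, v in self.local_vlan.items():
            if v == vlan:
                return TUNNEL_ID[network]
        raise ValueError(f"{self.name}: no network uses vlan {vlan}")

    def from_tunnel(self, tun_id):
        """br-tun ingress flow: tunnel id -> this node's local vlan. Returns None when the
        network has no instance here: no flow exists, so the frame is simply dropped."""
        for network, tid in TUNNEL_ID.items():
            if tid == tun_id and network in self.local_vlan:
                return self.local_vlan[network]
        return None

    def deliver(self, vlan, pkt):
        """br-int: hand the frame to the port that carries this vlan tag and ip."""
        port = self.ports.get((vlan, pkt.dst_ip))
        if port is not None:
            self.log.append((port, pkt.payload))
        return port


def send(src, network, pkt, fabric):
    """An instance on src sends pkt on network; returns [(node, port)] that received it."""
    tun_id = src.to_tunnel(src.local_vlan[network])   # leaves src over the shared device
    hits = []
    for node in fabric:
        if node is src:
            continue
        local = node.from_tunnel(tun_id)
        if local is None:
            continue
        port = node.deliver(local, pkt)
        if port:
            hits.append((node.name, port))
    return hits


def demo():
    n1 = Node("compute1", {"web": 5, "db": 7})
    n2 = Node("compute2", {"web": 9, "db": 3})    # same networks, different local ids
    n3 = Node("compute3", {"app": 6})             # hosts no web or db instance
    n2.attach("web", "192.168.1.10", "tapweb2")
    n2.attach("db", "192.168.1.10", "tapdb2")     # same ip on another network (overlap)
    fabric = [n1, n2, n3]
    web_hits = send(n1, "web", Packet("192.168.1.10", "GET /"), fabric)
    db_hits = send(n1, "db", Packet("192.168.1.10", "SELECT 1"), fabric)
    return web_hits, db_hits


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that tenant separation on the shared device rests entirely on the flows the agent programs: a frame is only ever tagged with the local vlan of the network whose tunnel id it carried, so two instances with the same ip on different networks never see each other's traffic, and a node with no port on a network drops its frames for lack of a matching flow.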

Page 18

Create Routers, Connect Networks Together

❖ Create routers.
➢ Attach ports from subnets to their respective routers.

[Figure: screenshots numbered 1 and 2 of the router creation steps.]

Page 19

Create Routers, Connect networks together

❖ Create routers to connect networks together.
➢ neutron-api service accepts the request and moves it to AMQP for further processing.
➢ Each l3 agent:
■ Creates a qrouter-xx namespace for each router.
■ Creates a port for VRRP traffic and assigns it an ip from the pre-created VRRP network.
■ Spawns a keepalived process bound to the namespace to facilitate HA of the router.
■ Creates two or more ports in the namespace, tags them using the internal vlan id and attaches them to br-int.
■ Keepalived elects one of the namespaces as master and binds the default gateway of the associated networks to it.
■ Kernel ip forwarding is enabled between the ports and routing between them starts working.

[Figure: two network nodes, each with br-int and br-tun and a copy of the qrouter-app and qrouter-db namespaces holding qr-xx ports and a Keepalived instance; the namespace copies are linked over the VRRP network; Web server network, Application server network and Database network with instances; ports labelled 5, 6, 7 and 8.]
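The keepalived election the slide describes, as an added model that is neither keepalived's nor Neutron's code. Each network node runs one keepalived instance inside its copy of the qrouter namespace; the elected master binds the networks' default gateway ips to its qr ports, the backups hold none, and a backup takes over when the master stops advertising. Priority-based election with a higher-VRRP-ip tie-break is an assumption of this model, and `RouterInstance`, `elect`, the node names and the addresses are constructed (169.254.192.0/18 is Neutron's default range for the HA network).

```python
# Added example, not keepalived's or Neutron's code: a model of HA router election.
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class RouterInstance:
    node: str
    vrrp_ip: str                  # this instance's address on the HA (VRRP) network
    priority: int
    alive: bool = True            # False once its advertisements stop
    bound: set = field(default_factory=set)   # gateway ips configured on qr-xx right now


def elect(instances, gateways):
    """One election round over the live instances: highest priority wins, ties go to the
    higher VRRP ip (assumed tie-break). The winner binds every gateway ip and all others
    release theirs, so a gateway address is never answered from two namespaces at once."""
    live = [i for i in instances if i.alive]
    if not live:
        return None
    master = max(live, key=lambda i: (i.priority, ip_address(i.vrrp_ip)))
    for inst in instances:
        inst.bound = set(gateways) if inst is master else set()
    return master.node


def demo():
    gateways = {"192.168.2.1", "192.168.3.1"}    # default gateways of the app and db subnets
    a = RouterInstance("netnode1", "169.254.192.1", priority=50)
    b = RouterInstance("netnode2", "169.254.192.2", priority=40)
    first = elect([a, b], gateways)
    a.alive = False                              # netnode1 fails; its adverts stop
    second = elect([a, b], gateways)
    return first, second, sorted(b.bound), sorted(a.bound)


if __name__ == "__main__":
    print(demo())
```

What to check on a real deployment follows from the model: inside each copy of the namespace, `ip addr` on the qr-xx ports should show the gateway addresses on exactly one node, and if both copies ever hold them (for example when the VRRP network is partitioned) the tenant sees duplicate gateways rather than a clean failover.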

Page 20

Create Load Balancer For Webservers

❖ Create Load Balancer.
➢ Create a health monitor and a pool, add members (instances) to the pool, then create a VIP and associate it with the pool to create a load balancer.

[Figure: screenshots numbered 1 to 4 of the load balancer creation steps.]

Page 21

Create Load Balancer for Webservers

❖ Place a load balancer on the web server network.
➢ neutron-api service accepts the request and moves it to AMQP for further processing.
➢ On lbaas agent:
■ Create a qlbaas-xx namespace for each load balancer.
■ Create a port in the namespace, tag it using the internal vlan id for the network, bind the VIP to the port and attach it to br-int.
■ Spawn an haproxy process on the port to listen for the service on the VIP and load balance among the back end instances.

[Figure: two network nodes with br-int and br-tun; the qlbaas-web namespace with a tapxx port running haproxy as the Load Balancer for the Web server network; Application server network and Database network with instances; port labelled 8.]
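The haproxy configuration that the objects on the previous two slides (health monitor, pool, members, VIP) translate into, as an added example; it is not the lbaas agent's haproxy driver, and the directive set is a minimal one where the real driver emits more. `Member`, `Pool`, `HealthMonitor`, `Vip`, `render_haproxy`, the pool name and all addresses are constructed for this example; the `lb_method` values and the health monitor fields follow the LBaaS attribute names.

```python
# Added example, not the lbaas agent's own code: render haproxy.cfg for a pool + VIP.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Member:
    address: str
    port: int
    weight: int = 1


@dataclass
class Pool:
    name: str
    subnet: str                        # members must belong to the pool's subnet
    protocol: str = "HTTP"
    lb_method: str = "ROUND_ROBIN"
    members: list = field(default_factory=list)


@dataclass
class HealthMonitor:
    type: str = "HTTP"
    delay: int = 5                     # seconds between checks
    timeout: int = 3
    max_retries: int = 3
    url_path: str = "/"


@dataclass
class Vip:
    address: str
    port: int


LB_METHODS = {"ROUND_ROBIN": "roundrobin", "LEAST_CONNECTIONS": "leastconn", "SOURCE_IP": "source"}

# Constructed sample pool on the web server network.
POOL = Pool("web-pool", "192.168.1.0/24",
            members=[Member("192.168.1.11", 80), Member("192.168.1.12", 80)])


def render_haproxy(vip, pool, monitor):
    """Build haproxy.cfg text. Members outside the pool subnet are rejected so a mistyped
    address cannot quietly turn the balancer into a relay towards another network."""
    net = ip_network(pool.subnet)
    for m in pool.members:
        if ip_address(m.address) not in net:
            raise ValueError(f"member {m.address} is not on pool subnet {pool.subnet}")
    mode = "http" if pool.protocol == "HTTP" else "tcp"
    lines = [
        "global",
        "    daemon",
        "defaults",
        f"    mode {mode}",
        "    timeout connect 5s",
        "    timeout client 50s",
        "    timeout server 50s",
        f"frontend {pool.name}-vip",
        # bind the VIP only: it is the one address the floating ip will later be DNATed to
        f"    bind {vip.address}:{vip.port}",
        f"    default_backend {pool.name}",
        f"backend {pool.name}",
        f"    balance {LB_METHODS[pool.lb_method]}",
        f"    timeout check {monitor.timeout}s",
    ]
    if monitor.type == "HTTP":
        lines.append(f"    option httpchk GET {monitor.url_path}")
    for i, m in enumerate(pool.members):
        lines.append(f"    server member{i} {m.address}:{m.port} weight {m.weight} "
                     f"check inter {monitor.delay}s fall {monitor.max_retries}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_haproxy(Vip("192.168.1.100", 80), POOL, HealthMonitor()))
```

Inside the qlbaas namespace this file is what the spawned haproxy reads, so `ip netns exec qlbaas-xx ss -ltn` should show exactly the VIP:port bind and nothing else.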

Page 22

External network and floating ip

❖ Associate a floating ip with the VIP.
➢ Create a router, set the external network as its gateway and attach the webserver network to it.
➢ Allocate a floating ip and associate it with the VIP.

[Figure: screenshots numbered 1, 2 and 3 of the floating ip steps.]

Page 23

External network and floating ip

❖ Floating ips and routing to the external network.
➢ On l3_agent:
■ Create a qrouter-xx namespace for the external router.
■ Create two ports in the namespace (qr-xx and qg-xx), tag them using the internal vlan id, bind the default gateway of the tenant network on qr-xx and an ip from the external network on qg-xx.
■ Bind floating ips as aliases on the qg-xx port and add the appropriate DNAT and SNAT rules to the nat table to forward them to the correct private ip of the instance.
● In our case, DNAT/SNAT is done to the VIP of the load balancer.

[Figure: two network nodes with br-int, br-tun and br-ex connected to the Internet; a copy of the qrouter-web namespace on each (keepalived, qr-xx and qg-xx ports, the floating IP on qg-xx) plus the qlbaas-web namespace with its tapxx port; Web server, Application server and Database networks, Load Balancer, Internet and Remote Network with instances; ports labelled 5, 7 and 8.]
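The alias and nat-table rules a floating ip needs inside the qrouter namespace, as an added example that is not the l3 agent's own code, together with a lookup that walks a chain the way iptables does (first match wins). The plain PREROUTING/OUTPUT/POSTROUTING chains are a simplification (the agent uses its own chains), `NatRule`, `qg_alias`, `floating_ip_rules` and `nat_lookup` are this example's names, and all addresses are constructed; the fixed ip here is the load balancer VIP, as in the talk.

```python
# Added example, not the l3 agent's own code: floating ip alias plus DNAT/SNAT rules.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EXTERNAL_NET = ip_network("203.0.113.0/24")   # constructed external (floating ip) network
TENANT_NET = ip_network("192.168.1.0/24")     # constructed web server network


@dataclass(frozen=True)
class NatRule:
    chain: str        # PREROUTING or OUTPUT for DNAT, POSTROUTING for SNAT
    match_ip: str     # matched with -d for DNAT, with -s for SNAT
    target: str       # "DNAT" or "SNAT"
    to: str

    def render(self):
        flag = "-s" if self.target == "SNAT" else "-d"
        opt = "--to-source" if self.target == "SNAT" else "--to-destination"
        return (f"iptables -t nat -A {self.chain} {flag} {self.match_ip}/32 "
                f"-j {self.target} {opt} {self.to}")


def qg_alias(floating_ip, qg_port="qg-xx"):
    """The alias on the gateway port that makes the namespace answer for the floating ip."""
    return f"ip addr add {floating_ip}/32 dev {qg_port}"


def floating_ip_rules(floating_ip, fixed_ip):
    """DNAT inbound (and locally generated) traffic for the floating ip to the private ip,
    and SNAT the private ip's outbound traffic back to the floating ip. Both addresses are
    checked against their networks first, so a typo cannot produce a rule that steers
    traffic for someone else's address."""
    fip, fixed = ip_address(floating_ip), ip_address(fixed_ip)
    if fip not in EXTERNAL_NET:
        raise ValueError(f"{fip} is not in external network {EXTERNAL_NET}")
    if fixed not in TENANT_NET:
        raise ValueError(f"{fixed} is not in tenant network {TENANT_NET}")
    return [
        NatRule("PREROUTING", str(fip), "DNAT", str(fixed)),
        NatRule("OUTPUT", str(fip), "DNAT", str(fixed)),
        NatRule("POSTROUTING", str(fixed), "SNAT", str(fip)),
    ]


def nat_lookup(chain, addr, rules):
    """Walk one chain in rule order: the first rule whose match address equals addr
    rewrites it; no match leaves the address untouched."""
    for r in rules:
        if r.chain == chain and r.match_ip == addr:
            return r.to
    return addr


if __name__ == "__main__":
    rules = floating_ip_rules("203.0.113.10", "192.168.1.100")   # floating ip -> VIP
    print(qg_alias("203.0.113.10"))
    for r in rules:
        print(r.render())
```

The same three lines are what `iptables -t nat -S` inside the namespace should show per floating ip, under the agent's own chain names; a floating ip with an alias on qg-xx but no DNAT rule, or a DNAT rule pointing at a fixed ip the tenant no longer owns, is the stale state worth looking for.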

Page 24

Create firewalls

❖ Create firewalls.
➢ Create firewall rules, policies and then firewalls, so they are automatically associated with routers.

[Figure: screenshots numbered 1, 2 and 3 of the firewall creation steps.]

Page 25

Create firewalls

❖ Floating ips and routing to external network.
➢ neutron-api service accepts the request and moves it to AMQP. fwaas_agent gets the request that needs to be processed from AMQP.
➢ On fwaas_agent:
■ Creating firewall rules and policies does nothing except update the database.
■ Creating a firewall translates the firewall rules and policies to the corresponding iptables rules and applies them on all active routers.
■ Running iptables -nL inside the namespace will show us the list of rules.
■ It also adds a REJECT rule at the end to drop everything not allowed explicitly.

[Figure: two network nodes with br-int and br-tun; copies of the qrouter-web, qrouter-app and qrouter-db namespaces with qr-xx and qg-xx ports, linked by VRRP, each marked "iptables rules applied here"; Web server, Application server and Database networks, Load Balancer, Internet and Remote Network with instances; ports labelled 5, 6 and 7.]
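The translation this slide describes, as an added example that is not the fwaas agent's own code: an ordered firewall policy is rendered into iptables filter rules ending in the REJECT catch-all, and sample packets are evaluated against the same policy to show which tier-to-tier traffic survives. Rule attributes follow the FWaaS rule fields (protocol, source and destination address, destination port, action, enabled); the chain name, `FwRule`, `Pkt`, `to_iptables`, `verdict` and the subnet-to-tier assignment (web 192.168.1.0/24, app 192.168.2.0/24, db 192.168.3.0/24) are constructed for this example.

```python
# Added example, not the fwaas agent's own code: FWaaS policy -> iptables rules + REJECT.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

CHAIN = "neutron-fw-example"   # hypothetical chain name


@dataclass(frozen=True)
class FwRule:
    name: str
    action: str                        # "allow" or "deny"
    protocol: Optional[str] = None     # "tcp", "udp", "icmp" or None for any
    source: Optional[str] = None       # cidr, or None for any
    destination: Optional[str] = None
    dport: Optional[int] = None
    enabled: bool = True


@dataclass(frozen=True)
class Pkt:
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


# Constructed policy for the three tiers: Internet -> web:80, web -> app:8080, app -> db:3306.
POLICY = [
    FwRule("web-in", "allow", "tcp", destination="192.168.1.0/24", dport=80),
    FwRule("web-to-app", "allow", "tcp", source="192.168.1.0/24",
           destination="192.168.2.0/24", dport=8080),
    FwRule("app-to-db", "allow", "tcp", source="192.168.2.0/24",
           destination="192.168.3.0/24", dport=3306),
    FwRule("debug-ssh", "allow", "tcp", dport=22, enabled=False),   # disabled: never rendered
]


def to_iptables(policy):
    """Render the enabled rules in policy order, then the terminal REJECT. Order matters:
    iptables takes the first match, exactly as verdict() below does."""
    lines = []
    for r in policy:
        if not r.enabled:
            continue
        if r.dport is not None and r.protocol not in ("tcp", "udp"):
            raise ValueError(f"{r.name}: a destination port needs protocol tcp or udp")
        parts = [f"-A {CHAIN}"]
        if r.protocol:
            parts.append(f"-p {r.protocol}")
        if r.source:
            parts.append(f"-s {r.source}")
        if r.destination:
            parts.append(f"-d {r.destination}")
        if r.dport is not None:
            parts.append(f"--dport {r.dport}")
        parts.append("-j ACCEPT" if r.action == "allow" else "-j DROP")
        lines.append(" ".join(parts))
    lines.append(f"-A {CHAIN} -j REJECT --reject-with icmp-port-unreachable")
    return lines


def matches(r, p):
    """Does packet p satisfy every field the rule constrains?"""
    if r.protocol and r.protocol != p.protocol:
        return False
    if r.source and ip_address(p.src) not in ip_network(r.source):
        return False
    if r.destination and ip_address(p.dst) not in ip_network(r.destination):
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    return True


def verdict(policy, p):
    """The first enabled matching rule decides; anything else hits the REJECT at the end."""
    for r in policy:
        if r.enabled and matches(r, p):
            return "ACCEPT" if r.action == "allow" else "DROP"
    return "REJECT"


if __name__ == "__main__":
    print("\n".join(to_iptables(POLICY)))
    # a web instance talking straight to the database tier falls through to REJECT
    print(verdict(POLICY, Pkt("tcp", "192.168.1.10", "192.168.3.10", 3306)))
```

Because the router namespace forwards between every subnet attached to it, the REJECT at the end is what actually enforces "a firewall between each network" on the earlier slide: anything not listed, including a web instance reaching for the database port, is refused even though the route exists.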

Page 26

Create VPN and Connect remote network

❖ Create VPN.
➢ Create IKE policy, IPsec Policy and VPN Service.
➢ Create a Site-to-Site connection using the above details, the peer router ip and the remote private network.

[Figure: screenshots numbered 1 to 4 of the VPN creation steps.]

Page 27

Create VPN and connect remote network

❖ Floating ips and routing to external network.
➢ vpn_agent, when a site-to-site connection is created:
■ Spawns a libreswan/openvpn process in the qrouter-xxx namespace using a configuration file generated with the details of the tunnel to be created between the web server private network and the remote private network.
■ This process on the source qrouter-xx gateway captures packets to the remote private network, encapsulates them and sends them over the internet to the gateway on the remote site via a tunnel.
■ On the remote end, a similar process decapsulates them and routes them to the destination private network.

[Figure: two network nodes with br-int, br-tun and br-ex connected to the Internet; copies of the qrouter-web namespace with keepalived, a libreswan/vpn process, qr-xx, qg-xx and tapx ports and the external vpn gateway ip; Web server, Application server and Database networks, Load Balancer, Internet and Remote Network with instances; ports labelled 5, 6 and 8.]

Page 28

Why This Talk?

Page 29

Application topology - Simple to create.

[Figure: the Tenant X topology from page 10 again: Openstack Site A with Internet, Floating IP, Load Balancer and the Web server, Application Server and Database networks with instances; Openstack Site B with the Remote Network and its instances.]

Page 30

Corresponding Neutron topology - Simple to create?

[Figure: network nodes 1 and 2 at Site A and at Site B. Every node has br-int, br-tun and br-ex joined by patch peers, with br-ex reaching the Internet. The Site A nodes hold the qrouter-web, qrouter-app, qrouter-db, qdhcp-web, qdhcp-app, qdhcp-db and qlbaas-web namespaces with dnsmasq, haproxy, keepalived/VRRP and libreswan/vpn processes and qr-xx, qg-xx and tapx ports. The Site B nodes hold the qrouter-remote and qdhcp-remote namespaces with dnsmasq and libreswan/vpn. Ports are labelled 1 to 8.]

Page 31

Thank You. Questions?

[email protected] : @sadiquepp