Networking Basics

This tutorial describes basic networking concepts for PMO Neutron component. Please refer to Configuring Neutron for Neutron setup details in PMO.

Neutron is the key networking component of OpenStack. It is provided as a standalone OpenStack service, along with other core OpenStack services such as Nova, Glance, Keystone, Cinder etc. Neutron is designed with a pluggable architecture, allowing for easy integration with third-party networking solutions via plugins.

Network Types

Neutron networks in OpenStack roughly fall into three distinct categories:

  • Provider networks
  • Tenant networks
  • External networks

Please refer to Configuring Neutron for making Neutron aware of your data center’s physical network topology, as part of your Neutron setup process.

Provider Networks

Provider networks are designed to map directly to existing networks in your data center. A good example of a provider network is an existing VLAN-based or physical (flat) network within your data center that you would like to incorporate into your OpenStack environment. For example, you may have designated VLAN 20 on a specific subnet for all database traffic, and you might want to deploy database servers in your OpenStack deployment that will explicitly connect to this network.

A provider network in Neutron can be either flat, VLAN-based, GRE-based, or VXLAN-based. Here, we will focus primarily on flat and VLAN-based provider networks. To create a provider network in Platform9, browse to the ‘Network’ menu, then select ‘Create New Network’ and then select ‘Provider Network’ from the network type drop-down menu. As part of creation of a provider network, you need to explicitly specify what ‘physical network config’ this provider network should utilize.

This configuration is defined as part of the How to Configure OpenStack Neutron in Platform9 Managed OpenStack. The physical network refers to the unique label associated with the provider network config, and the ‘segmentation ID’ refers to the VLAN ID corresponding to this physical network that you’d like to utilize for this provider network. This VLAN ID must fall in the range of VLAN IDs that you supplied as part of the physical network config.

New Neutron Network

Tenant Networks

Neutron tenant networks are meant to be private to a given tenant, and are generally created by a user or a group of users within a tenant. Without a Neutron router, these networks are isolated from one another, so that the virtual machines created within these networks can not route traffic outside of the network.

To create a tenant network in Platform9, browse to the ‘Network’ menu, then select ‘Create New Network’ and then select ‘Tenant Network’ from the network type drop-down menu.

New Neutron Network

Network Interfaces and Ports

Each Neutron network will typically have one or more {Network Interface, Port} Tuples associated with it. An interface and a port on a network uniquely maps it to a device in the OpenStack environment. The device can be one of the following:

  • A virtual machine instance
  • A router
  • A DHCP server

External Networks

External networks generally correspond to the physical networks in your data center that are publicly routable/enabled with access to Internet. As an administrator, you would want to supply one or more external networks to Neutron so that:

  • Your virtual machines can route packets from the internal network to the Internet
  • You can assign floating IPs to your virtual machine and have them publicly addressable from the Internet

To configure an external network in Platform9 Managed OpenStack, you follow a process similar to creation of a provider network or a tenant network. Just browse to ‘Network’ menu in Platform9, then select ‘Create New Network’ and then select ‘External Network’ from the network type dropdown menu.

New Network step 1

Neutron Router/Gateway

Neutron routers enable routing of traffic between two or more Neutron networks. A router is capable of routing traffic between Neutron networks of any type - external, provider and tenant. When a router maps an internal network to an external network, it is sometimes referred to as a gateway.

Private/Shared Networks and Multi-Tenancy

You might have noticed that each network in Neutron is created in the context of some tenant who will be the default owner of that network. A network can be explicitly marked as ‘shared’, which will make it accessible to all tenants in OpenStack.

VLAN

VLAN stands for Virtual Local Area Network.

VLANs are logical networks that may operate a single physical network.

A VLAN is a means to logically divide a physical network such that the network traffic on each VLAN is independent of and invisible to the network traffic on another VLAN on the same physical network.

VXLAN

VXLAN stands for Virtual Extensible Local Area Network.

VXLAN is a virtual overlay network that is built on top of Open Systems Interconnection Model (OSI) Layer 2 and Layer 3 technology. VXLAN extends the virtual LAN (VLAN) address space.

VLAN supports the assignment of up to 4096 VLAN IDs at a time, which may be insufficient for big-scale cloud computing. VXLAN adds a 24-bit segment ID, and hence, increases the number of available VLAN IDs to 16 million.

GRE

GRE stands for Generic Routing Encapsulation.

GRE is a protocol that facilitates the delivery of a message payload from one endpoint to another endpoint through a point-to-point virtual tunnel over IP networks.

GRE is generally used to encrypt multicast traffic.

Subnet

A subnet or subnetwork provides a usable IP addressing range within a layer 2 broadcast domain.

The computers belonging to the same subnet can communicate with one another directly without the need for a router, as they are part of the same subnet.

Ports

Ports are the virtual communication endpoints which attach devices such as routers or virtual machines, and enable communication across the network.

A port can be associated with a router, a network, a virtual machine, or a DHCP server.

OpenStack automatically creates ports when instances are created. It is also possible to create ports manually.

Routers

Neutron routers enable routing of traffic between two or more Neutron networks. A router is capable of routing traffic between external, provider or tenant Neutron networks. A router which serves to connect one or more distinct networks is sometimes referred to as a gateway.

Floating IP Address

An instance in PMO is created by default with a fixed IP address.

An instance can be assigned a floating IP address that can be used to access it over a public network.

An instance is identifiable over a public network with the floating IP address.

A pool of floating IP addresses can be created and one floating IP from the pool can be assigned to an instance at a given time.

Security Group

A security group is a group of rules that apply to inbound and outbound network traffic for an instance. A security group acts as a virtual firewall that controls the inbound and outbound network traffic for the instances to which the group has been assigned.

Rules are defined based on what type of network traffic should be allowed to the instance to which the security group is assigned. Traffic that does not match any of the rules assigned to an instance, is denied access, by default.

A default rule is predefined in Clarity that allows all outbound traffic from the instance to which the security group has been assigned.

Network Traffic Types

East-west traffic and north-south traffic are terms commonly used in networking.

East-West Traffic

East-west traffic is the traffic between different virtual machines on the same network.

North-South Traffic

North-south traffic is the traffic between an external network and a virtual machine.