FloatingIP Enahncement For Plublic Cloud Infrastructure · 2017-08-13 · Network Node Compute...

Copyright 2015 FUJITSU LIMITED

FloatingIP Enhancement For

Public Cloud Infrastructure

June 4, 2015

Yushiro Furukawa

Fujitsu Limited

0

Who am I ?

Yushiro Furukawa (Speaker)

Software Engineer of Fujitsu from 2011

•Developer of OpenStack Neutron

Characteristics

•Red glasses frame

Copyright 2015 FUJITSU LIMITED 1

Agenda

1. OpenStack Neutron Overview

2. FloatingIP allocation with public cloud infrastructure

3. Legacy Router and DVR

Copyright 2015 FUJITSU LIMITED 2

OpenStack Neutron Overview

Copyright 2015 FUJITSU LIMITED 3

OpenStack Neutron

Copyright 2015 FUJITSU LIMITED 4

OpenStack Neutron

• Provide L2 / L3 networking

• Network isolation between tenants

• vRouter, NAT

• DHCP server

• Firewall

• FloatingIP

Etc…

• Connectable for VM Instances

created by Nova.

Copyright 2015 FUJITSU LIMITED 5

Neutron Components (Legacy Router)

Copyright 2015 FUJITSU LIMITED

Controller Node

Compute Node

Network Node

eth0

eth1 eth2 eth1 eth2 eth1

eth0

Data network Management network

External network

Neutron Server

ML2 plugin

ML2 plugin

OVS-agent

ML2 plugin

OVS-agent

L3-agent

DHCP-agent

Metadata-agent

API network

6

Neutron services

Copyright 2015 FUJITSU LIMITED

VM

Instance

vRouter

Internet

Subnet

VM

Instance

Firewall

External Network

Network

Security-group Security-group

Tenant

Port Port

7

Security-group Security-group

Neutron virtual networking services

Copyright 2015 FUJITSU LIMITED

VM

Instance

Port

vRouter

Internet

Subnet

VM

Instance

Port

Firewall

External Network

Network

Virtual L2 network

Connects a VM instance and Network

Able to attach Security-Group

IP address pool

Provides an IP address for Port

Network

Port

Subnet

Tenant

8

Neutron extension services

Copyright 2015 FUJITSU LIMITED

VM

Instance

Port

vRouter

Internet

Subnet

VM

Instance

Port

Firewall

External Network

Network

Security-group Security-group

Security-group

Firewall

FloatingIP

External Network

Connects Networks, also Network and External network.

Virtual L2 network between the Internet and tenants

Will be explained later

Works on Port

Filters ingress/egress packets

Uses a White-list for filtering

Works on vRouter

Filters packets

vRouter

Tenant

9

FloatingIP Allocation For

Public Cloud Infrastructure

Copyright 2015 FUJITSU LIMITED 10

Tenant:A Tenant:B

What is FloatingIP?

In public cloud, GlobalIP is usually used as FloatingIP.

We can associate a FloatingIP with a specific Port.

Copyright 2015 FUJITSU LIMITED

VM1 VM2 VM3 VM1 VM2 VM3

External Network

172.10.1.0/24

Network

vRouter

FloatingIP

Internet

localIP:192.168.1.100 localIP:192.168.2.100

Port Port Port Port Port Port

11

Tenant:A Tenant:B

Setup steps

1. Create a FloatingIP

$ neutron floatingip-create FLOATING_NETWORK

2. Associate the FloatingIP with a Port of a VM instance.

$ neutron floatingip-associate FLOATINGIP_ID PORT

Copyright 2015 FUJITSU LIMITED

VM1 VM2 VM3 VM1 VM2 VM3

External Network

172.10.1.0/24

172.16.1.3

1

2

Internet

Network

vRouter

localIP:192.168.1.100 localIP:192.168.2.100

Port Port Port Port Port Port

12

Tenant:A Tenant:B

How FloatingIP works?

SNAT and DNAT rule are added into vRouters.

Copyright 2015 FUJITSU LIMITED

VM1 VM2 VM3 VM1 VM2 VM3

172.16.1.2 172.10.1.3

Internet SNAT and DNAT

localIP FloatingIP

Port Port Port Port Port Port

localIP:192.168.1.100 localIP:192.168.2.100

Network

vRouter

13

Case-1: Single External Network

GlobalIP is used as FloatingIP.

FloatingIP address is allocated from the Subnet.

IP address for physical network devices is manually picked up from the IP addresses in the Subnet.

Meaning the cloud provider has to make sure to avoid overlapping

Copyright 2015 FUJITSU LIMITED

Physical

Network Devices Physical

Network Devices

Subnet

133.10.1.0/24

External Network

Internet

VM1

Port

VM2

Port

VM3

Port

vRouter

Network

14

Case-1: Single External Network

Copyright 2015 FUJITSU LIMITED

Physical

Network Devices Physical

Network Devices

vRouter

External Network

Internet

This increases complexity of address allocation algorithm

VM1

Port

VM2

Port

VM3

Port

Subnet

133.10.1.0/24

GlobalIP is used as FloatingIP.

FloatingIP address is allocated from the Subnet.

IP address for physical network devices is manually picked up from the IP addresses in the Subnet.

Network

15

FloatingIP pool

133.10.1.0/24

Proposal of Case-1

GlobalIP is used as FloatingIP.

Use PrivateIP for vRouters and physical routers.

Create “FloatingIP Pool” for FloatingIP allocation.

The cloud provider no longer has to be worried about overlapping

Copyright 2015 FUJITSU LIMITED

Physical

Network Devices Physical

Network Devices

subnet

100.64.0.0/24 External Network

Internet

VM1 VM2 VM3

vNIC Port Port Port

vRouter

Network

16

Case-2: Multiple External Networks

Copyright 2015 FUJITSU LIMITED

Physical

Network Devices Physical

Network Devices

External Network

Internet

Physical

Network Devices Physical

Network Devices

External Network

GlobalIP is used as FloatingIP.

There can be a case where several external networks exist in the infrastructure for some reasons

…

VM1 VM2 VM3

vNIC Port Port Port

subnet

100.64.0.0/24 subnet

100.65.0.0/24

vRouter

Network

17

Case-2: Multiple External Networks

Copyright 2015 FUJITSU LIMITED

Physical

Network Devices Physical

Network Devices

External Network

Internet

Physical

Network Devices Physical

Network Devices

External Network

GlobalIP is used as FloatingIP.

There can be a case where several external networks exist in the infrastructure for some reasons

…

Tenant-user have to select which external network to connect to,

but it’s just a burden tenant users shouldn’t be take

VM1 VM2 VM3

vNIC

subnet

100.64.0.0/24 subnet

100.65.0.0/24

Port

vRouter

Network

Port Port

18

subnet

100.64.0.0/24 subnet

100.65.0.0/24

Proposal of Case-2

Abstract the External Network

Tenant-users can see only one abstracted external network

FloatingIP pool simplifies the mechanism of the Abstracted External Network.

Without FloatingIP pool, each External network has a Subnet, and the Abstracted External Network needs to select which Subnet to use...

Copyright 2015 FUJITSU LIMITED

Physical

Network Devices Physical

Network Devices Internet

Physical

Network Devices Physical

Network Devices

External Network

External Network Abstracted External Network

…

FloatingIP pool

133.10.1.0/24

VM1

vNIC

VM2

vNIC

VM3

vNIC Port Port Port

vRouter

Network

19

However….

I have been thinking about FloatingIP enhancement for legacy router configuration.

DVR is becoming the de facto standard configuration, and now I also should consider to develop the enhancement on DVR.

Copyright 2015 FUJITSU LIMITED

DVR?

20

DVR (Distributed Virtual Router)

Enhancement

Copyright 2015 FUJITSU LIMITED 21

Neutron Components (Legacy-Router)

Copyright 2015 FUJITSU LIMITED

Controller Node

Compute Node

Network Node

eth1 eth2 eth1 eth2 eth1

eth0

Data network Management network

External network

Neutron Server

ML2 plugin

ML2 plugin

OVS-agent

ML2 plugin

OVS-agent

L3-agent

DHCP-agent

Metadata-agent

API network

eth0

22

Neutron Components (DVR)

Copyright 2015 FUJITSU LIMITED

Controller Node

Compute Node

Network Node

eth0

eth1 eth2 eth1 eth2 eth1

eth0

Data network Management network

External network

Neutron Server

ML2 plugin

ML2 plugin

OVS-agent

ML2 plugin

OVS-agent

L3-agent (SNAT)

DHCP-agent

L3-agent

Metadata-agent

API network

eth0

23

Network Traffic on Legacy Router

Copyright 2015 FUJITSU LIMITED

VM1 VM2

Network Node

Compute Node#2

Compute Node#1

VM1 VM3 VM2

br-int br-int br-ex br-int

Main characteristic:

vRouter only exists on Network Node.

All network traffic must go through Network Node.

• East-West (between different Subnets)

• North-South (between the Internet and tenants using FloatingIP or SNAT)

=> Can be a performance bottle neck.

Network Node is also Single-Point-of-Failure. 24

Network Traffic on DVR

Copyright 2015 FUJITSU LIMITED

Main characteristic:

vRouter exists on all Compute Nodes.

Basically, Network traffic only has to go through Network Node when the traffic goes to the Internet using SNAT

=> Performance can scale more.

VM1 VM2

Network Node

Compute Node#2

Compute Node#1

VM1 VM3 VM2

br-int br-ex br-ex br-ex

SNAT

br-int br-int

25

Network Traffic Case#1

Copyright 2015 FUJITSU LIMITED

Legacy Router: to

DVR: to

VM1 VM2

VM1 VM2

Network Node

Compute Node#2

Compute Node#1

VM1 VM3 VM2

br-int br-int br-ex

Network Node

Compute Node#2

Compute Node#1

VM1 VM3 VM2

br-int br-int br-ex br-ex br-ex

fIP SNAT

br-int

br-int

Between VMs in the same Subnet and host

26

Network Traffic Case#2

Copyright 2015 FUJITSU LIMITED

Legacy Router: to

DVR: to

VM1 VM3

VM1 VM3

Network Node

Compute Node#2

Compute Node#1

VM1 VM3 VM2

br-ex

Network Node

Compute Node#2

Compute Node#1

VM1 VM3 VM2

br-int br-ex br-ex br-ex

fIP SNAT

br-int

br-int br-int

br-int

br-int

Between VMs in the same Subnet, but in Different hosts

27

Network Traffic Case#3

Copyright 2015 FUJITSU LIMITED

Legacy Router: to

DVR: to

VM1 VM2

VM1 VM2

Network Node

Compute Node#2

Compute Node#1

VM1 VM3 VM2

br-int br-ex

Network Node

Compute Node#2

Compute Node#1

VM1 VM3 VM2

br-int br-int br-ex br-ex br-ex

fIP SNAT

br-int

br-int

Between VMs in the same hosts, but in different Subnets

br-int

28

Network Traffic Case#4

Copyright 2015 FUJITSU LIMITED

Legacy Router: to

DVR: to

VM1 VM3

VM1 VM3

Network Node

Compute Node#2

Compute Node#1

VM1 VM3 VM2

br-int br-ex br-ex br-ex

fIP SNAT

br-int br-int

Between VMs in different Subnets and hosts

Network Node

Compute Node#2

Compute Node#1

VM1 VM3 VM2

br-int br-ex br-int br-int

29

Network Traffic Case#5

Copyright 2015 FUJITSU LIMITED

Legacy Router: to external

DVR: to external

VM3

VM3

Network Node

Compute Node#2

Compute Node#1

VM1 VM2

br-int br-ex

Network Node

Compute Node#2

Compute Node#1

VM1 VM3 VM2

br-int br-ex

fIP SNAT

br-int br-int br-ex br-ex

br-int br-int

Between the External Network and a VM using FloatingIP

VM3

30

Network Traffic Case#6

Copyright 2015 FUJITSU LIMITED

Legacy Router: is booted from Nova VM3

VM3

Network Node

Compute Node#2

Compute Node#1

VM1 VM2

br-int br-ex

Network Node

Compute Node#2

Compute Node#1

VM1 VM2

br-int br-ex

fIP DHCP

br-int br-ex br-ex

br-int br-int

DVR: is booted from Nova

DHCP VM3

VM3

br-int

VM booting: a VM accesses to DHCP server

31

Network Traffic Case#7

Copyright 2015 FUJITSU LIMITED

Legacy Router

Network Node

Compute Node#2

Compute Node#1

VM1 VM2

br-int br-ex

Network Node

Compute Node#2

Compute Node#1

VM1 VM2

br-int br-ex

fIP DHCP

br-int br-int br-ex br-ex

br-int br-int

DVR

DHCP VM3

VM3

VM booting: a VM gets metadata from the vRouter

32

Proposal: Distributed DHCP agent and L3-agent

Copyright 2015 FUJITSU LIMITED

Controller Node

Compute Node

Network Node

eth0

eth1 eth2 eth1 eth2 eth1

eth0

Data network Management network

External network

Neutron Server

ML2 plugin

ML2 plugin

OVS-agent

ML2 plugin

OVS-agent

DHCP-agent

L3-agent

Metadata-agent

API network

DHCP-agent

eth0

L3-agent (SNAT)

33

Elimination of Network Node

Distribute DHCP-agent to each Compute Node.

=> Reduce DHCP broadcast in Data Network

Move SNAT function to Compute Node.

=> Can eliminate Single-point-of-failure

Once completes this enhancement, I’ll work on FloatingIP enhancement for DVR

Copyright 2015 FUJITSU LIMITED

Compute Node#1

VM1 VM2

br-int

br-tun SNAT

fIP

DHCP

br-ex

Compute Node#2

VM3

br-int

br-tun SNAT

fIP

DHCP

br-ex

34

Copyright 2015 FUJITSU LIMITED