Metapod Neutron Networking Overview
Metapod networking allows you to create and manage network objects, such as networks, subnets, and ports, which other Metapod OpenStack services can use. The networking service, Neutron, provides an API and CLI that lets admin and users define network connectivity including L3 forwarding and NAT, and addressing in the cloud. Metapod's Neutron implementation supports two primary deployment methodologies that cover a number of use cases which will be covered in other support articles.
Neutron, the networking service, includes the following components:
The Metapod Neutron Networking API includes support for Layer 2 networking and IP address management (IPAM), as well as an extension for a Layer 3 router construct that enables routing between Layer 2 networks and gateways to external networks.
OpenStack Networking plug-in and agents
Metapod only supports the Cisco ML2 + Linux bridge agent and the Cisco ASR1k plug-in for Layer 3 networking services, if needed.
Neutron uses OpenStacks's messaging platform to accept and route RPC neutron networking requests between OpenStack services to complete API operations.
To configure network topologies, admins can create and configure networks and subnets and instruct other services, like Compute, to attach virtual devices to ports on these networks. Compute is a prominent consumer of networking to provide connectivity for its instances. In particular, networking supports each tenant having multiple private networks and enables tenants to choose their own IP addressing scheme, even if those IP addresses overlap with those that other tenants use. There are two types of network, tenant and provider networks. It is possible to share any of these types of networks among tenants as part of the network creation process.
A Tenant Network is the network that provides connectivity to a project. An Admin user can create, delete and modify tenant networks. Each tenant network is isolated from other tenant networks by a VLAN. Admins are allowed to create multiple provider or tenant networks using VLAN IDs (802.1Q tagged) that correspond to VLANs present in the physical network. This allows instances to communicate with each other across the environment. They can also communicate with dedicated servers, firewalls, load balancers, and other networking infrastructure on the same layer 2 VLAN.
Provider networks map to existing physical networks in the data center. To configure rich network topologies, admins can create and configure networks and subnets and other OpenStack services like Compute will request to be connected to these networks by requesting virtual ports. In particular, networking supports each tenant having multiple private networks and enables tenants to choose their own IP addressing scheme, even if those IP addresses overlap with those that other tenants use.
A block of IP addresses and associated configuration state. This is also known as the native IPAM (IP Address Management) provided by the networking service for both tenant and provider networks. Subnets are used to allocate IP addresses when new ports are created on a network.
A port is a connection point for attaching a single device, such as the NIC of a virtual server, to a virtual network. Also describes the associated network configuration, such as the MAC and IP addresses to be used on that port.
This is a logical component that forwards data packets between networks. It also provides L3 and NAT forwarding to provide external network access for VMs on tenant networks. Required by certain plug-ins only.
A security group acts as a virtual firewall for your compute instances to control inbound and outbound traffic. Security groups act at the port level, not the subnet level. Therefore, each port in a subnet could be assigned to a different set of security groups. If you don’t specify a particular group at launch time, the instance is automatically assigned to the default security group for that network.
Security groups and security group rules give administrators and tenants the ability to specify the type of traffic and direction (ingress/egress) that is allowed to pass through a port. A security group is a container for security group rules. When a port is created, it is associated with a security group. If a security group is not specified, the port is associated with a ‘default’ security group. By default, the default group allows all ingress traffic for all other instances in the same tenant that are assigned to the default group and allows all egress. Rules can be added to this group in order to change the behavior.