Applications and the network have become distributed. Applications are fragmented into micro-services, and the network is now composed of different clouds in different regions. With this, the need to control every aspect of the resources has grown because of increasing security concerns. SD-WAN is available for enterprises, but what if the data centers or endpoints are few and spread across multiple regions? This article focuses on the interconnection of OpenStack clouds using Neutron APIs.
The Neutron to Neutron Communication
There may be a situation where you need to interconnect two or more separate data centers or NFV PoPs powered by OpenStack, and those data centers may be located in different regions. Initially, these data centers want to establish an interconnection on demand. Further, the interconnection may require private addressing and isolation so that data can be shared end-to-end over a dedicated communication channel. A combination of on-demand setup with private addressing and isolation is possible with Neutron VPN as a Service (VPNaaS). Different VPN options are available once a suitable solution has been selected after VPN reviews. But this solution relies on IPsec, which carries a performance overhead. Additionally, for a proper interconnection, you want a solution that avoids the overhead of packet isolation.
One possible architecture for interconnecting OpenStack clouds is to add an orchestrator between the clouds, which then interconnects the resources in the participating clouds. But this has several demerits:
- The orchestrator may need admin rights to establish networking among the resources of the data centers, which is difficult when different organizations are involved.
- Adding an orchestrator exposes its APIs to different attacks, and because of this it is treated as a complex system.
The recommended option that remains is to extend the Neutron APIs to interconnect resources such as the virtual routers of OpenStack-powered data centers. It involves two facets: a user-facing API and a Neutron-to-Neutron API.
In the user-facing API, a symmetrical call is made by a centrally located admin to the Neutron modules in each data center. A link is established only with approval from both data centers.
In the Neutron-to-Neutron API, each Neutron component can check whether the symmetrical interconnection has been defined on the other side. In this way, Neutron components in different regions coordinate to set up these private, isolated interconnections without an orchestrator or any network device configuration.
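The symmetry check described above, as an added illustration that is not part of the article or of Neutron's real API: each region keeps the interconnections its own admin defined, and a link only becomes active when the peer region holds the mirror-image definition, so neither side can establish a link unilaterally. The record fields, state names and region objects are assumptions made for this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interconnection:
    """Hypothetical interconnection record defined by one region's admin."""
    local_region: str
    local_router: str
    remote_region: str
    remote_router: str


class NeutronRegion:
    """Model of one region's Neutron holding locally defined interconnections."""

    def __init__(self, name: str):
        self.name = name
        self.interconnections: list[Interconnection] = []

    def define(self, local_router: str, remote_region: str,
               remote_router: str) -> Interconnection:
        ic = Interconnection(self.name, local_router, remote_region, remote_router)
        self.interconnections.append(ic)
        return ic


def mirrors(local: Interconnection, peer: Interconnection) -> bool:
    """True when the peer's record is the exact mirror image of ours."""
    return (peer.local_region == local.remote_region
            and peer.local_router == local.remote_router
            and peer.remote_region == local.local_region
            and peer.remote_router == local.local_router)


def interconnection_state(local: Interconnection, remote: NeutronRegion) -> str:
    """Neutron-to-Neutron check: ACTIVE only if the other side defined the mirror.

    In the real design this lookup would be an authenticated API call to the
    remote Neutron; here the remote region is passed in directly.
    """
    if remote.name != local.remote_region:
        raise ValueError("asked the wrong region to confirm this interconnection")
    # Peer records that point back at our router (could be none or several).
    candidates = [r for r in remote.interconnections
                  if (r.remote_region, r.remote_router)
                  == (local.local_region, local.local_router)]
    if not candidates:
        return "WAITING_REMOTE"      # other admin has not approved yet
    if any(mirrors(local, r) for r in candidates):
        return "ACTIVE"              # both sides agree, link may be set up
    return "CONFLICT"                # other side names a different router
```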
The solution was discussed at the OpenStack Summit in Berlin back in 2018. It is applicable to use cases where:
- OpenStack is used in the data center
- Multiple regions are involved within one OpenStack cloud
- Multiple OpenStack clouds are involved whose trust entities are coordinated
- Different OpenStack cloud instances use different SDN solutions
You can download the presentation from here and watch a demo.