Neutron Network

Neutron Network

Neutron, an essential OpenStack cloud computing platform component, provides a flexible and scalable networking service. Designed to meet the needs of modern cloud environments, Neutron plays a crucial role in creating and managing virtual networks. In this blog post, we will explore the fundamentals of Neutron networks and their significance in cloud networking.

Neutron Network is an abstraction layer allowing tenants (users) to create and manage virtual networks, routers, subnets, and other network-related resources. Neutron enables users to define and control their network infrastructure programmatically by providing a set of APIs and plugins.

Table of Contents

Highlights: Neutron Network

Application Program Interface

Neutron’s pluggable application program interface ( API ) architecture enables the management of network services for container networking in public or private cloud environments. The API allows users to interact with neutron networking constructs, such as routers and switches, enabling instance reachability. The OpenStack Neutron and OpenStack network types were initially built into Nova but lacked flexibility for advanced designs. It was helpful for large Layer 2 networks, but most environments require better multi-tenancy with advanced load balancing and firewalling functionality.

Decoupled Layer 3 Approach

The limited networking functionality gave Neutron, which offers a decoupled Layer 3 approach. It operates an Agent-Database model where the API receives and sends calls to agents installed locally on the hosts. Without this efficiency, there won’t be any communication and connectivity between your host’s platforms, which can sometimes affect productivity.

For additional pre-information, you may find the following helpful:

  1. OpenStack Neutron Security Groups
  2. Kubernetes Network Namespace
  3. Service Chaining



OpenStack Network Types.

Key Neutron Network Discussion points:


  • Introduction to Neutron Networking.

  • Discussion on OpenStack Network Types.

  • Virtual switches, routing and advanced services with Neutron.

  • Neutron High Availability.

  • Discussion on traffic flow.

Back to Basics: Neutron Network

Key Features and Benefits:

1. Network Virtualization: Neutron Network leverages network virtualization technologies such as VLANs, VXLANs, and GRE tunnels to create isolated virtual networks. This allows tenants to have complete control over their network resources without interference from other tenants.

2. Scalability: Neutron’s distributed architecture can scale horizontally to accommodate many virtual networks and instances. This ensures that cloud environments can handle increased workloads without compromising performance.

3. Network Segmentation: Neutron Network supports network segmentation, allowing tenants to partition their virtual networks based on specific requirements. This enables better network isolation, security, and performance optimization.

4. Flexible Network Topologies: Neutron provides the flexibility to create a variety of network topologies, including flat networks, VLAN-based networks, and overlay networks. This adaptability empowers users to design their networks according to their unique needs.

5. Integration with Security Services: Neutron Network integrates seamlessly with OpenStack’s security services, such as Firewall-as-a-Service (FWaaS) and Virtual Private Network-as-a-Service (VPNaaS). This integration enhances network security by providing additional layers of protection.

6. Load Balancing and VPN Services: Neutron Network offers load balancing services, allowing users to distribute network traffic across multiple instances for improved performance and reliability. Additionally, it supports VPN services to establish secure connections between different networks or remote users.

Neutron Network Architecture:

Under the hood, Neutron Network consists of several components working together to provide a robust networking service. The main elements include:

– Neutron API: Provides a RESTful API for users to interact with Neutron Network and manage their network resources.

– Neutron Core Plugin: The central component responsible for handling network-related requests and managing network plugins.

– Neutron Agents: Various agents, such as the DHCP agent, L3 agent, and OVS agent, ensure the smooth operation of the Neutron Network by handling specific tasks like DHCP allocation, routing, and switching.

– Network Plugins: Neutron supports multiple plugins, such as the Open vSwitch (OVS) plugin and the Linux Bridge plugin, which provide different network virtualization capabilities and integrate with various networking technologies.

OpenStack Network Types

Logical network information is stored in the database. It’s the role of plugins and agents to extract the data and carry out the necessary low-level functions to pin the virtual network, enabling instance connectivity. For example, the Open vSwitch agent converts information in the Neutron database to Open vSwitch flow while maintaining the local flows to match the network design following topology changes. Agents and plugins build the network based on the logical data model. The screenshot below illustrates the agent-to-host installation.

openstack network types

OpenStack Network Types

  • Neutron Networking: Network, Subnets, and Ports

Neutron consists of 4 elements that form the foundation for OpenStack Network Types. The configuration consists of the following entities – Networks, Subnets, and Ports. A network is a standard Layer 2 broadcast domain in which subnets and ports are assigned. A subnet is an IPv4 or IPv6 address block ( IPAM – IP Address Management) posted to a network.

A port is a connection point with properties similar to a physical port, except that it is virtual. Ports have media access control addresses ( MAC ) and IP addresses. All port information is stored in the Neutron database used by plugins/agents to stitch and build the virtual infrastructure. 

 

OpenStack Network Types: Neutron networking features

Neutron networks enable core networking and the potential for a lot more once the appropriate extension and plugin are activated. Extensions enhance plugins to provide additional network functionality. Due to its pluggable architecture, Neutron can be extended with 3rd party open-source or proprietary products, for example, an SDN OpenDaylight controller for advanced centralized functionality. 

While Neutron does offer an API for network interaction, it does not provide an API to manage the network. Integrating an SDN controller with Neutron enables a centralized viewpoint and management entity for the entire network infrastructure, not just individual pieces.

Some vendor plugins complement Neutron, while others completely replace it. Advancements have been made to Neutron in an attempt to make it more “production-ready,” but some of these features are still at the experimental stage. There are bugs in all platforms, but generally, early-release features should be kept in nonproduction environments.

OpenStack Network Types: Virtual switches, routing, and advanced services

Virtual switches are software switches that connect VM instances at Layer 2. Any communication outside that boundary requires a Layer 3 router, either physical or virtual. Neutron has built-in support for Linux Bridges and Open vSwitch virtual switches. Overlay networking, the foundation for multi-tenancy for cloud computing, is supported in both. 

Layer 3 routing permits external connectivity and connectivity between VMs in different subnets. Routing is enabled through IP forwarding rules, IPtables, and network namespaces.

IPtables provide ingress/egress filtering throughout different parts within the network (for example, perimeter edge or local compute ), namespaces provide network stack isolation, and IP forwarding rules provide forwarding. Firewalling and security services are based on Security Groups or/FWaaS (FireWall-as-a-Service).

They can be used in conjunction with each other for better defense in depth. Both operate with IPtables but differ in network placement.

Security group IPtable rules are configured locally on ports corresponding to the compute node hosting the instance. Implementation is close to the actual workload, offering finer-grained filleting. Firewall IPtable rules are at the network’s edge on Neutron routers ( namespaces ), filtering perimeter traffic.

Load balancing enables requests to be distributed to multiple instances. Dispersing load to multiple hosts offers advantages similar to the traditional world. The plugin is based on open-source HAProxy. Finally, VPNs allow operators to extend the network securely with IPSec-based VPN tunnels. 

 

OpenStack Network Types: Virtual network preparation

The diagram below displays the initial configuration and physical interface assignments for a standard neutron deployment. The reference model consists of a controller, network, and compute nodes. The compute nodes are restricted to provide compute resources, while the controller/network node may be combined or separated for all other services.

Separating services on the compute nodes allows compute services to be scaled horizontally. It’s common to see the controller and networking node operating on a single host.

Service OpenStack

The number and type of interfaces depend on how good you feel about combining control and data traffic. Networking can function with just one interface, but splitting the different types of network traffic into several separate interfaces is good.

OpenStack Network Types uses four types of traffic – Management, API, External, and Guest. If you are going to separate anything, it’s recommended to physically separate management and API traffic from all other types of traffic. Separating the traffic to different interfaces splits the control from data traffic—a tick from the security auditors’ box.

Neutron Reference Design

In the preceding diagram, Eth0 is used for the management and API network, Eth1 for overlay traffic, and Eth2 for external and Tenant networks ( depending on the host ). The tenant networks ( Eth2 ) reside on the compute nodes, and the external network resides on the controller node ( Eth2 ).

The controller Eth2 interface uses Neutron routers for external network traffic to instances. In certain Neutron Distributed Virtual Routing ( DVR ) scenarios, the external networks are at the compute nodes.

 

Plugins and drivers

Neutron networking operates with the concept of plugins and drivers. Neutrons core plugin can be either ML2 or a vendor plugin. Before ML2, Neutron was limited to a single-core plugin at any given time. The ML2 plugin introduces the concept of type and mechanism drivers.

Type drivers represent type-specific network states and support local, flat, vlan, gre, and vxlan network types. Mechanism drivers take information from the type driver and ensure its implementation correctly.

There are agent-based, controller-based, and Top-of-Rack models of the mechanism driver. The L2 population, Open vSwitch, and Linux bridge are the most popular. In addition, the mechanism driver arena is a popular space for vendors’ products.

 

Linux Namespaces

The majority of environments out there require some multi-tenancy. Cloud environments would be straightforward if built for only one customer or department. In reality, this is never the case. Multi-tenancy within Neutron is based on Linux Namespaces. Namespace offers a completely isolated stack to do what you want. They enable a logical copy of the network stack supporting overlapping IP assignments.

A lot of Neutron networking is made possible with the use of namespaces and the ability to connect them.

We have a qdhcp namespace, qrouter namespace, qlbass namespace, and additional namespaces for DVR functionality. Namespaces are present on nodes running the respective agents. The following command displays different routing tables for NAMESPACE-A and the global namespace, illustrating the ability of network stack isolation.

Linux namespace

OpenStack Network Types: Virtual network infrastructure

Local, Flat, VLAN, VXLAN, and GRE networks

Neutron networking supports Local, Flat, VLAN, VXLAN, and GRE networks. Local networks are isolated networks. Flat networks do not incorporate any VLAN tagging. On the other hand, VLAN networks use the standard. Q tagging ( IEEE 802.1Q ) to segregate traffic. VXLAN networks encapsulate Layer 2 traffic over IP using VTEP and VXLAN network identifier ( VNI ).

GRE is another type of Layer 2 over Layer 3 overlay. GRE and VXLAN accomplish the same goal of emulation over pure IP but have different ways of doing so – VXLAN uses UDP, and GRE traffic uses IP protocol 47.

Layer 2 data is transported from an end host, encapsulated over IP to the egress switch that sends the data to the destination host. With an underlay and overlay approach, you have two layers to debug when something goes wrong.

openstack network types

OpenStack Network Types: Virtual Network Switches

The first step in building a virtual network is to make the virtual switching infrastructure. This acts as the base for any network design, whether virtual or physical. Virtual switching provides connectivity to and from the virtual instances, building the concrete for advanced networking services. The first piece of the puzzle is the virtual network switches.

Neutron networking includes built-in support for the Linux Bridge and Open vSwitch. Both are virtual switches but operate with some significant differences. The Linux bridge uses VLANs to tag traffic, while the Open vSwitch uses flow rules to manipulate traffic before forwarding.

Instead of mapping the local VLAN ID to a physical VLAN ID, the local ID is added or stripped from the Ethernet header by flow rules.

The “brctl show” command displays the Linux bridge. The bridge ID is automatically generated based on the NIC, and the bridge name is based on the UUID of the corresponding Neutron network. The “ovs-vsctl show” command displays the Open vSwtich. It has a slightly more complicated setup, with the br-int ( integration bridge ) acting as the main center point of connections.

openstack network types

Neutron uses the bridge, 802.1q, and vxlan kernel modules to connect instances with the Linux bridge. Bridge and Open vSwitch kernel modules are used for the Open vSwitch. The Open vSwitch uses some userspace utilities to manage the OVS database. Most networking elements are connected with virtual cables, known as veth cables. What goes in one end must come out; the other best describes a virtual cable.

Veths connect many elements, including namespace to the namespace, Open vSwitch to Linux bridge, and Linux bridge to Linux bridge, all combined with veth cables. The Open vSwitch uses additional particular patch ports to connect Open vSwitch bridges. The Linux bridge doesn’t use patch ports.

The Linux Bridge and Open vSwitch can be used to complement each other. For example, when Neutron Security Groups are enabled, instances connect to the Linux and Open vSwitch Integration bridges with a veth cable. The workaround is caused by the inability to place IPtable rules ( needed by security groups ) on tap interfaces connected to Open vSwitch bridge ports.

 

Neutron network and network address translation (NAT)

Neutron employs the concept of Network Address Translation (NAT) to predict inbound and outbound translations. The concept of NAT stays the same in the virtual world, either by modifying an IP packet’s source or destination address. Neutron employs two types of translations – one-to-one and one-to-many.

One-to-one translations utilize floating IP addresses, and many-to-one is a Port Address Translation ( PAT ) style design where floating IP is not used. F

Floating IP addresses are externally routed IP addresses that directly map instances and an external IP address. The term floating comes from the fact that they can be modified on-the-fly between instances. They are associated with a Neutron port logically mapped to an instance. Ports can have multiple IP addresses assigned.

    • SNAT refers to source NAT, which changes the source IP address to appear as the externally connected interface.
    • Floating IPs are called Destination NAT ( DNAT ), which change the source and destination IP address depending on traffic direction.

The external network connected to the virtual router is the network from which floating IPs are derived. The default behavior is to source NAT traffic from instances that lack floating IP. Instances that use source NAT can not accept traffic initiated externally. If you want traffic created externally to hit an instance, you must use a one-to-one mapping with a floating IP.

Neutron High Availability

Standalone router

The most accessible type of router to create in Neutron is a standalone router. As the name suggests, it lacks high availability. Routers created with Neutron exist on namespaces that reside on the nodes running the L3 agent. It is the role of the Layer 3 agent to create the network namespace representing the routing function.

A virtual router is essentially a network namespace called the qrouter namespace. The qrouter namespace uses routing tables to forward traffic and IPtable rules to dictate how traffic is translated.

neutron networking

A virtual router can connect to two different types of networks. Either a single external provider network or one or more tenant networks. The interface to an external provider bridge network is “qg” and to a tenant network bridge is a “qr” interface. The tenant network traffic is routed from the “qr” interface to the “qg” interface for onward external forwarding.

 

Virtual router redundancy protocol

VRRP is pretty simple and offers highly available and redundant default gateways or the next hop of a route. The namespaces ( routers ) are spread across multiple hosts running the Layer 3 agent. Multiple router namespaces are created and distributed among the Layer 3 agents. VRRP operates with a Linux keepalive instance. Each runs a “keepalive” service to detect the other’s availability.

The keepalive service is a Linux keepalive tool that uses VRRP internally. It is the role of the L3 agent to start the keepalive instance on every namespace. A dedicated HA network allows the routers to talk to each other. There are split-brain and MAC flapping issues; as far as I understand, it’s still an experimental feature.

 

Distributed virtual routing 

DVR eliminates the bottleneck caused by the Layer 3 agent and distributes most of the routing function across multiple compute nodes. This helps isolate failure domains and increases the high availability of the virtual network infrastructure. With DVR, the routing function is not centralized anymore but decentralized to the compute nodes. The compute nodes themselves become one big router.

DVR routers are spawned on the compute nodes, and all the routing gets done closer to the workload. Distributing routing to the compute nodes is much better than having a central element perform the routing function.

There are two types of modes: dvr and dvr_snat. Mode dvr_snat handles north-to-south SNAT traffic. Mode dvr handles North to south DNAT traffic ( floating IP) and all east-to-west traffic.

Key Points:

  • East-West traffic ( server to server ) previously went through the centralized network node. DVR pushes this down to the compute nodes hosting the VMs.
  • North-South traffic with floating IPs ( DNAT ) is routed directly by the compute nodes hosting the VMs.
  • North-South traffic without floating IP ( SNAT ) is routed through a central network node. Some complications exist in distributing the SNAT functions to the local compute nodes.
  • There is a requirement for DNAT that computes nodes using floating IPs that require direct external connectivity.

 

East-west traffic between instances

East-to-west traffic (traditional server-to-server) refers to local communication, such as traffic between a frontend and the backend application tier. DVR enables each compute node to host a copy of the same router. The router namespace created on each compute node has the same interface, MAC, and IP settings.

East West traffic

DVR East to WestNEWDVR East to West

The qr interfaces within the namespaces on each compute node share the same IP and MAC address. But how is this possible?? One can assume the distribution of ports would raise IP clashes and MAC flapping. Neutron cleverly uses routing tables and Open vSwitch flow rules to enable this type of forbidden sharing.

Neutron allocates a unique MAC address to each compute node. This MAC is used whenever traffic leaves the node.

Once traffic leaves the virtual router, Open vSwitch rules rewrite the source MAC address with the unique MAC address allocated to the source node. All the manipulation is done before and after traffic leaves or enters, so the VM is unaware of any rewriting and operates as usual.

 

Centralized SNAT 

Source SNAT is used when instances do not have a floating IP address. Neutron decided not to distribute SNAT to the compute nodes and keep it central similar to the legacy model. Why do they decide to do this when DVR distributes floating IP for north-south traffic?

Decentralizing SNAT would require an address from the external network on every node providing the SNAT service. This would consume a lot of addresses on your external network.

centralized SNAT

The Layer 3 agent configured as dvr_snat server is the centralized SNAT function. Two namespaces get created for the same router – a regular qrouter namespace and a SNAT namespace. The SNAT and qrouter namespace are created on the centralized nodes, either the controller or the network node.

The qrouter namespaces on the controller and compute nodes are identical. However, even though the router is attached to an external network, there are no qg interfaces. The qg interfaces are now inside the SNAT namespace. There is also now a new interface called the sg. This is used as an extra hop.

 

Packet Flow

  • A VM without a floating IP sends a packet to an external destination.
  • Traffic arrives at the regular qrouter namespace on the actual node and gets redirected to the SNAT namespace on the central node.
  • To redirect traffic from the qrouter namespace to the SNAT namespace is carried out by clever tricks with source routing and multiple routing tables.

 

North-to-south traffic with Neutron floating IP

In the legacy world, floating IPs are configured as /32 prefixes on the router’s external device. The one-to-one mapping between the VM IP address and the floating IP address is used so external devices can initiate traffic externally to the internal instance.

North-to-south traffic with floating IP is now handled with another namespace, called the fip namespace. The new fip namespace is created by the Layer 3 agent and represents the external network to which the fip belongs.

distributed virtual routing

Every router on the compute node is hooked into the new fip namespace with a veth pair. As already mentioned, veth pairs are commonly used to connect namespaces. One side of the other pair is in the router namespace (rfp). The other end belongs to the fip namespace (fpr).

Whenever a layer 3 agent creates a new floating IP, a new rule is specific to that IP. Neutron adds the fixed IP of the VM to the rules table with an additional new routing table.

 

Packet Flow

  • When a VM with a floating IP sends traffic to an external destination, it arrives at the qrouter namespace.
  • The IP rules are consulted, showing a default route for that source to the next hop. IPtables rules kick in, and the source IP is translated to the floating IP.
  • Traffic is forwarded out the rfp interface and arrives at the fpr interface at the fip namespace.
  • The fip namespace uses a default route to forward traffic out the ‘fg’ device to its external destination.

Traffic in the reverse direction requires Proxy ARP, so the fip namespace answers requests for the floating IP configured on the router’s router namespace ( not the fip namespace ). In addition, proxy ARP enables hosts ( fip namespace) to answer ARP requests intended for other hosts ( qrouter namespace ).

 

Summary: Neutron Network

Neutron Network, a fundamental component of OpenStack, is pivotal in connecting virtual machines and providing networking services within a cloud infrastructure. In this blog post, we delved into the intricacies of the Neutron Network and explored its key features and benefits.

Section 1: Understanding Neutron Network Architecture

Neutron Network operates with a modular architecture comprising various components such as agents, plugins, and drivers. These components work together to enable network virtualization, creating virtual networks, subnets, and routers. By understanding the architecture, users can leverage the full potential of the Neutron Network.

Section 2: Network Virtualization with Neutron

One of the standout features of Neutron Network is its ability to provide network virtualization. By abstracting the underlying physical network infrastructure, Neutron empowers users to create isolated virtual networks tailored to their specific requirements. This flexibility allows for enhanced security, scalability, and agility within cloud environments.

Section 3: Neutron Network Extensions

Neutron Network offers many extensions that cater to diverse networking needs. From load balancers and firewalls to virtual private networks (VPNs) and quality of service (QoS) policies, these extensions provide additional functionality and customization options. We explored some popular extensions and their use cases.

Section 4: Neutron Network in Action: Use Cases

To truly comprehend the value of Neutron Network, it’s essential to explore real-world use cases where its capabilities shine. This section delved into scenarios such as multi-tenant environments, hybrid cloud deployments, and network function virtualization (NFV). By examining these use cases, readers can envision the practical applications of the Neutron Network.

Conclusion:

Neutron Network is a vital networking component within OpenStack, enabling seamless connectivity and virtualization. With its modular architecture, extensive feature set, and wide range of use cases, Neutron Network empowers users to build robust and scalable cloud infrastructures. As cloud technologies evolve, Neutron Network ensures efficient and reliable networking within cloud environments.

Computer case

Openstack Neutron Security Groups

 

 

OpenStack Neutron Security Groups

OpenStack Neutron is a powerful networking service crucial in managing network connectivity for OpenStack-based cloud environments. OpenStack Neutron Security Groups stand out as a critical feature among its various components. In this blog post, we will delve into the significance of OpenStack Neutron Security Groups and understand how they contribute to enhancing the security of cloud deployments.

OpenStack Neutron Security Groups serve as virtual firewalls, controlling inbound and outbound traffic for instances within an OpenStack cloud. They are an essential aspect of network security, allowing administrators to define and enforce access rules for different types of network traffic.

 

Highlights: OpenStack Neutron Security Groups

  • Network-as-a-Service

The power of open-source cloud environments is driven by Liberty OpenStack and the Neutron networks forming network-as-a-service. OpenStack can now be used with many advanced technologies – Kubernetes network namespace, Clustering, and Docker Container Networking. By default, Neutron handles all the networking aspects for OpenStack cloud deployments and allows the creation of network objects such as routers, subnets, and ports.

For example, Neutron creates three subnets and defines the conditions for tier interaction with a standard multi-tier application with a front, middle, and backend tier. The filtering is done centrally or distributed with tenant-level firewall OpenStack security groups.

  • OpenStack is Modular

OpenStack is very modular, which allows it to be enhanced by commercial and open-source network technologies. The plugin architecture allows different vendors to enhance networking and security with advanced routers, switches, and SDN controllers. Every OpenStack component manages a resource made available and virtualized to the user as a consumable service, creating a network or permitting traffic with ingress/egress rule chains. Everything is done in software – a powerful abstraction for cloud environments.

 



Openstack Security Group.

Key OpenStack Neutron Security Groups Discussion points:


  • Introduction to OpenStack Neutron Security Groups.

  • Discussion on the control, network, and compute components.

  • Neutron components and connectivity.

  • Discssion on Linux and agents.

 

For pre-information, you may find the following helpful

  1. OpenStack Architecture
  2. Application Aware Networking

 

Back to Basics With OpenStack Neutron Security Groups

Security Groups

Security groups are essential for maintaining access to instances by permitting users to create inbound and outbound rules that restrict traffic to and from models based on specific addresses, ports, protocols, and even other security groups.

Neutron creates default security groups for every project, allowing all outbound communication and restricting inbound communication to instances in the same default security group. Following security groups are locked down even further, allowing only outbound communication and not allowing any inbound traffic at all unless modified by the user.

 

Benefits of OpenStack Neutron Security Groups:

1. Granular Control: With OpenStack Neutron Security Groups, administrators can define specific rules to control traffic flow at the instance level. This granular control enables the implementation of stricter security measures, ensuring that only authorized traffic is allowed.

2. Enhanced Security: By utilizing OpenStack Neutron Security Groups, organizations can strengthen the security posture of their cloud environments. Security Groups help mitigate risks by preventing unauthorized access, reducing the surface area for potential attacks, and minimizing the impact of security breaches.

3. Simplified Management: OpenStack Neutron Security Groups offer a centralized approach to managing network security. Administrators can define and manage security rules across multiple instances, making enforcing consistent security policies throughout the cloud infrastructure easier.

4. Dynamic Adaptability: OpenStack Neutron Security Groups allow dynamic adaptation to changing network requirements. As instances are created or terminated, security rules can be automatically applied or removed, ensuring that security policies remain up-to-date and aligned with the evolving infrastructure.

Implementation Example:

To illustrate the practical implementation of OpenStack Neutron Security Groups, let’s consider a scenario where an organization wants to deploy a multi-tier web application in its OpenStack cloud. They can create separate security groups for each tier, such as web servers, application servers, and database servers, with specific access rules for each group. This segregation ensures that traffic is restricted to only the necessary ports and protocols, reducing the attack surface and enhancing overall security.

 

OpenStack Neutron Security Groups: The Components

Control, Network, and Compute

The OpenStack architecture for network-as-a-service Neutron-based clouds divides into Control, Network, and Compute components. At a very high level, the control tier runs the Application Programming Interfaces (API), compute is the actual hypervisor with various agents, and the network component provides network service control.

All these components use a database and message bus. Examples of a database include MySQL, PostgreSQL, and MariaDB; for message bus, we have, for example, RabbitMQ and Qpid. The default plugins are Modular Layer 2 (ML2) and Open vSwitch. 

Openstack Neutron Security Groups

Ports, Networks, and Subnets

Neutrons’ network-as-a-service core and the base for the API are elementary. It consists of Ports, Networks, and Subnets. Ports hold the IP and MAC address and define how a VM connects to the network. They are an abstraction for VM connectivity.

A network is a Layer 2 broadcast domain, represented as an external network (reachable from the internet), provider network (mapped to an existing network), and tenant network, created by cloud users, isolated from other tenant networks. Layer 3 routers connect networks; subnets are the subnet spaces attached to networks.

 

OpenStack Neutron: Components

OpenStack networking with Neutron provides an API to create various network objects. This powerful abstraction allows the creation of networks in software and the ability to attach multiple subnets to a single network. The Neutron Network is isolated or connected with Layer 3 routers for inter-network connectivity.

Neutron employs the concepts of floating IP, best understood as a 1:1 NAT translation. The term “floating” comes from the fact that it can be modified on the fly between instances.

It may seem that floating IPs are assigned to instances but are assigned to ports. Everything gets assigned to ports – fixed IP, Security Groups, and MAC addresses. SNAT (source NAT) or DNAT (destination NAT) enables inbound and outbound to and from tenants. DNAT modifies the IP address of the destination in the IP packet header, and SNAT modifies the sender’s IP address in IP packets. 

 

Open vSwitch and the Linux bridge

Neutron can be integrated for switching functionality with Open vSwitch and Linux bridge. By default, it integrates with the ML2 plugin and Open vSwitch. Open vSwitch, and Linux bridges are virtual switches orchestrating the network infrastructure.

For enhanced networking, the virtual switch can be controlled outside Neutron by 3rd party network products and SDN controllers via plugins. The Open vSwitch may also be replaced or used in parallel. Recently, there have been many enhancements to the classic forwarding with Open vSwitch and Linux Bridge.

We now have numerous high availability options with L3 High Availability & VRRP and Distributed Virtual Routing (DVR) feature. DVR essentially moves to route from the Layer 3 agent to compute nodes. However, it only works with tunnels, and L2pop enabled, requiring the compute nodes to have external network connectivity.

For production environments, these HA features are a welcomed update. The following shows three bridges created in Open vSwitch – br-ex, br-ens3, and br-int. The br-int is the main integration bridge; all others connect via particular patch ports.

 

Openstack Neutron Security Groups

 

Network-as-a-service and agents

Neutron has several parts backed by a relationship database. The Neutron server is the API, and the RPC service talks to the agents (L2 agent, L3 agent, DHCP agent, etc.) via the message queue. The Layer 2 agent runs on the compute and communicates with the Neutron server with RPC. Some deployments don’t have an L2 agent, for example, if you are using an SDN controller.

Also, if deploying the Linux bridge instead of the Open vSwitch, you wouldn’t have the Open vSwitch agent; instead, use the standard Linux Bridge utilities. The Layer 3 agent runs on the Neutron network node and uses Linux namespaces to implement multiple copies of the IP stack. It also runs the metadata agent and supports static routing. 

 

Linux Namespaces

An integral part of Neutron networking is the Linux namespace for object isolation. Namespaces enable multi-tenancy and allow overlapping IP address assignment for tenants – an essential requirement for many cloud environments. Every network and network service a user creates is a namespace.

For example, the qdhcp namespace represents the DHCP services, qrouter namespace represents the router namespace and the qlbaas represents the load balance service based on HAProxy. The qrouter namespaces provide routing amongst networks – north-south and east-west traffic. It also performs SNAT and DNAT in classic non-DVR scenarios. For certain cases with DVR, the snat namespaces perform SNAT for north-south network traffic.

 

OpenStack Neutron Security Groups

OpenStack has the concept of OpenStack Neutron Security Groups. They are a tenant-level firewall enabling Neutron to provide distributed security filtering. Due to the limitations of Open vSwitch and iptables, the Linux bridge controls the security groups. Neutron security groups are not directly added to the Integration bridge. Instead, they are implemented on the Linux bridge that connects to the integrated bridge.

The reliance on the Linux bridge stems from Neutron’s inability to place iptable rules on tap interfaces connected to the Open vSwitch. Once a Security Group has been applied to the Neutron port, the rules are translated into iptable rules, which are then applied to the node hosting the respective instance.

Neutron also can protect instances with perimeter firewalls, known as Firewall-as-a-service.

Firewall rules implemented with perimeter firewalls utilizing iptables within a Neutron routers namespace instead of configuring on every compute host. The following diagram displays ingress and egress rules for the default security group. Tenants that don’t have a security group are placed in the default security group.

 

Openstack Neutron Security Groups

 

Conclusion:

OpenStack Neutron Security Groups offer a robust solution for managing network security in OpenStack-based cloud environments. By providing granular control, enhanced security, simplified management, and dynamic adaptability, they contribute significantly to safeguarding cloud deployments. As organizations continue to embrace the benefits of OpenStack, leveraging the power of Neutron Security Groups becomes paramount in building secure and resilient cloud infrastructures.

Kubernetes Network Namespace

Kubernetes Network Namespace

Kubernetes has emerged as the de facto standard for containerization and orchestration for managing containerized applications. Among its many features, Kubernetes offers network namespace functionality, which is critical in isolating and securing network resources within a cluster. This blog post will delve deeper into Kubernetes Network Namespace, exploring its purpose, benefits, and how it enhances its overall network management capabilities.

In simple terms, a network namespace is an isolated network stack that allows for the creation of separate network environments within a single Linux kernel. Kubernetes leverages network namespaces to provide logical network isolation between pods, ensuring each pod operates in its virtual network environment.

Table of Contents

Highlights: Kubernetes Network Namespace

The Role of Docker

In addition to my theoretical post on container networking – Docker & Kubernetes, the following hands-on series examines Linux Namespaces and Docker Networking. The advent of Docker makes it easy to isolate the Linux processes so they don’t interfere with one another. As a result, users can run various applications and dependencies on a single Linux machine, all sharing the same Linux kernel. This abstraction is made possible by using Linux Namespaces, which form the docker container security basis.

Before you proceed, you may find the following helpful post for pre-information.

  1. Neutron Network
  2. OpenStack neutron security groups
  3. Kubernetes Networking 101



Kubernetes Network Namespace.

Key Kubernetes Network Namespace  Discussion points:


  • Introduction to both Docker networking and Linux.

  • Discussion on the namespace and virtual interface types.

  • Kubernetes network namespace and docker networking.

  • Security options with Linux firewall and Netfilter.

Back to Basics: Kubernetes Networking

Kubernetes users generally do not create pods directly. Instead, users create a high-level workload, such as a deployment, which organizes pods according to some intended spec. In the case of deployment, users specify a template for pods, along with how many pods (often called replicas) they want to exist.

There are several additional ways to manage workloads, such as ReplicaSets and StatefulSets. Remember that Pods themselves are ephemeral, suggesting they are deleted and replaced with new versions of themselves.

Benefits of Kubernetes Network Namespace:

1. Enhanced Network Isolation: Kubernetes Network Namespace provides a robust framework for isolating network resources, ensuring that pods do not interfere with each other’s network traffic. This isolation helps prevent unauthorized access, reduces the attack surface, and enhances overall security within a Kubernetes cluster.

2. Efficient Resource Utilization: By utilizing network namespaces, Kubernetes optimizes the utilization of network resources. Pods within a namespace can share the same IP address range while maintaining complete isolation, resulting in more efficient use of IP addresses and reduced network overhead.

3. Simplified Networking Configuration: Kubernetes Network Namespace simplifies the configuration of network policies and routing rules. Administrators can define network policies at the namespace level, allowing for granular control over inbound and outbound traffic between pods and external resources.

4. Scalability and Flexibility: With Kubernetes Network Namespace, organizations can scale their applications without worrying about network conflicts. By encapsulating each pod within its network namespace, Kubernetes ensures that the network resources can scale seamlessly, enabling the deployment of complex microservices architectures.

How Kubernetes Network Namespace Works:

Kubernetes Network Namespace leverages the underlying Linux kernel’s network namespace feature to create separate network environments for each pod. When a pod is created, Kubernetes assigns a unique network namespace, isolating the pod’s network stack from other pods in the cluster.

Each pod has network interfaces, IP addresses, routing tables, and firewall rules within a network namespace. This isolation allows each pod to operate as if it were running on its virtual network, even though it shares the same underlying physical network infrastructure.

Administrators can define network policies at the namespace level, controlling traffic flow between pods within the same namespace and across different namespaces. These policies enable fine-grained control over network traffic, enhancing security and allowing for the implementation of complex networking scenarios.

Docker Default Networking 101 & Linux Namespaces

Six namespaces are implemented in the Linux kernel, enabling the core of container based virtualization. The following diagram displays per process isolation – IPC, MNT, NET, PID, USER, and UTS. The number on the right in the square brackets is each namespace’s unique proc inode number.

To implement namespaces in the Linux kernel, a structure called nsproxy was added. As the name suggests, it’s a namespace proxy. We have several userspace packages to support namespace – util-linux, iproute2, ethtool and wireless iw. In this hands-on series, we will focus on iproute2 userspace allowing management of the network namespace (NET) with the IP NETNS, and IP LINK commands.

Docker Networking

Docker networking, essentially a namespacing tool, can isolate processes into small containers. Containers differ from VMs that emulate a hardware layer on the operating system. Instead, they use operating system features like namespaces to provide similar isolation without emulating the hardware layer.

Each namespace has an individual and isolated view, allowing sharing the same host but with individual routing tables and interfaces.

Users may create namespaces, assign ports, and connect for external connectivity. A virtual interface type known as virtual Ethernet (veth) interface is set to namespaces. They act as pairs and have a similar analogy of an isolated tube – what comes in one end must go back out the other.

The pairing enables namespace connectivity. Users may also connect namespaces using Open vSwitch. The following screenshot displays the creation of a namespace called NAMESPACE, a veth pair, and adding a veth interface to the newly created namespace. As discussed, the IP NET and IP LINK commands enable interaction with the network namespace. 

Docker Networking

The following screenshot displays IP-specific parameters for the previously created namespace. The routing table will only show specific namespace parameters, not information from other namespaces. For example, the following ip route list command does not display the 192.168.1.1/24 interface assigned to the NAMESPACE-A.

This is because the ip route list command looks into the global namespace, not the routing table assigned to the new namespace. Instead, the command will show different route table entries, including different default gateways for each namespace. 

Netnamespace

Kubernetes Network Namespace & Docker Networking

Installing Docker creates three networks that can be viewed by issuing the docker network ls command: bridge, host, and null. Running containers with a specific –net flag highlights the network in which you want to run the container. The “none” flag puts the container in no network, so it’s completely isolated. The “host” flag puts the container in the host’s network.

Leaving the defaults places the container into the bridge default network. The default docker bridge is what you will probably use most of the time. Any containers connected to the default bridge, like a flat VLAN, can communicate freely. The following displays the networks created and any containers attached. Currently, no containers are attached.

docker network

The image below displays the initiation of the default Ubuntu image pulled from the Docker public registry. There are plenty of images up there that are free to pull down. As you can see, Docker automatically creates a subnet and a gateway. The docker run command starts the container in the default network.

With this setup, it will stop running if you don’t use crtl+p + ctrl +q to exit the container. Running containers are viewed with the docker ps command, and users can connect to a container with the Docker attach command. \

docker network

IPTables

Communication between containers can be restricted with IPTables. The Linux kernel uses different IPtables according to the protocol in use:

  •  IPtables for IPv4 – net/ipv4/netfliter/ip_tables.c
  •  IP6table for IPv6 -net/ipv6/netfliter/ip6_tables.c
  •  arptables for ARP -net/ipv4/netfliter/arp_tables.c
  •  ebtables for Ethernet – net/bridge/netfilter/ebtables.c

Docker Security Options

They are essentially a Linux firewall before the Netfilter, providing a management layer for adding and deleting Netfilter rules and displaying statistics. The Netfilter performs various operations on packets traversing the network stack. Check the FORWARD chain; it has a default policy of ACCEPT or DROP.

All packets reach this hook point after a lookup in the routing system. The following screenshot shows the permit for all sources of the container. If you want to narrow this down, restrict only source IP 8.8.8.8 access to the containers with the following command – iptables -I DOCKER -i ext_if! -s 8.8.8.8 -j DROP

IPTABLES

In addition to the default networks created during Docker installation, users may create user-defined networks. User-defined networks come in two forms – Bridge and Overlay networks. Bridge networks support single-host connectivity, and containers connected to an overlay network may reside on multiple hosts.

The user-defined bridge network is similar to the docker0 bridge. An overlay network allows containers to span multiple hosts, enabling a multi-host connectivity model. However, it has some prerequisites, such as a valid data store. 

 

Summary: Kubernetes Network Namespace

Kubernetes, the powerful container orchestration platform, offers various features to manage and isolate workloads effectively. One such feature is Kubernetes Network Namespace. In this blog post, we deeply understood what Kubernetes Network Namespace is, how it works, and its significance in managing network communications within a Kubernetes cluster.

Section 1: Understanding Network Namespace

Kubernetes Network Namespace is a virtualized network stack that isolates network resources within a cluster. It acts as a logical boundary, allowing different pods and services to have their own network configuration and routing tables. Using Network Namespace, Kubernetes ensures that each workload operates within its defined network environment, preventing interference and maintaining security.

Section 2: Benefits of Kubernetes Network Namespace

One of the significant advantages of Kubernetes Network Namespace is enhanced network segmentation. By segregating network resources, Kubernetes enables better isolation, reducing the risk of network conflicts and potential security breaches. Additionally, Network Namespace facilitates improved resource utilization by efficiently allocating IP addresses and network policies specific to each workload.

Section 3: Working with Kubernetes Network Namespace

Administrators and developers can leverage various Kubernetes objects and configurations to utilize Kubernetes Network Namespace effectively. This includes creating and managing namespaces, deploying pods and services within specific namespaces, and configuring network policies to control traffic between namespaces. Understanding and implementing these concepts ensures a robust and well-organized network infrastructure.

Section 4: Best Practices for Kubernetes Network Namespace

While working with Kubernetes Network Namespace, following best practices is crucial for maintaining a stable and secure environment. Some recommendations include properly labeling pods and services with namespaces, implementing network policies to control traffic flow, regularly monitoring network performance, and considering network plugin compatibility when using third-party solutions.

Conclusion:

Kubernetes Network Namespace is vital in managing network communications within a Kubernetes cluster. By providing isolation and segmentation, it enhances security and resource utilization. Understanding the concept of Network Namespace and following best practices ensures a well-structured and efficient network infrastructure for your Kubernetes deployments.