[Openstack-operators] VPNaaS and FWaaS

Joseph Bajin josephbajin at gmail.com
Fri May 20 01:52:59 UTC 2016


We have actually started to look at VPNaaS as a way to tie two different
regions' Tenant Networks together. This will hopefully allow us to not
have to look at users using too many Floating IPs to just support tools and
products that have issues with Floating IPs.

On Tue, May 10, 2016 at 4:18 AM, Matt Jarvis <matt.jarvis at datacentred.co.uk>
wrote:

> We see FWaaS generally being used by customers with larger deployments,
> where they want overall firewall rules at the boundary as well as security
> groups. Since my original post on this thread, I went to look at the
> numbers - it's actually being used more widely than I originally thought on
> our platform, including many of our largest customers.
>
> On 10 May 2016 at 09:03, Mariano Cunietti <mcunietti at enter.it> wrote:
>
>> Hi Kyle,
>>
>> > I know there are operators relying on these functions, particularly in the
>> > public cloud space in Europe, so this would impact those people. I also know
>> > this list doesn't necessarily reach all of them either, so I will try and
>> > reach out by other means as well, but it would be very useful to try and get
>> > a clearer picture of how many people are using VPNaaS and FWaaS. If you are,
>> > could you please respond to this thread?
>>
>>
>> We are using VPNaaS and FWaaS on entercloudsuite.com, on Juno.
>> With VPNaaS it basically works (or: works basically) but there are some
>> issues with the configuration of MTU and some other server side
>> configurations that drop some client connections. I can provide more
>> details if you want on a private thread.
>> With FWaaS we are providing it but we also deprecate it; moreover, it’s
>> generating a lot of confusion and overlap with Security Groups.
>>
>>
>> >
>> I'm actually really surprised that people are *using* FWaaS. It's been
>> marked experimental for over 3 years now, and it only recently in
>> Liberty received work which made it somewhat useful, which was the
>> ability to apply a firewall on a specific Neutron router rather than
>> all tenant routers. FWaaS in production sounds pretty risky to me, but
>> I suppose that's our fault for not being clear on its readiness.
>>
>>
>> Agree, but the words EXPERIMENTAL and NOT PRODUCTION READY are pretty
>> visible in the documentation.
>> So, not your fault at all
>>
>>
>> > If we have metrics that a constituent part of the user community need these
>> > functions, then we can try and find a way to help the Neutron team to cover
>> > the resourcing gaps.
>> >
>> If people are using these, IMHO that's another reason to keep them
>> around. I've already said that we have at least one large user of VPN,
>> so that project will continue to be worked on even if it's removed
>> from Neutron.
>>
>>
>> Here’s what WE’D LOVE to have:
>>
>>    - VPNaaS
>>    - IDS or some TAPaaS to redirect router traffic to a tenant’s
>>    instance (remember we all sell instances)
>>    - IPS, that is the ability not only to eavesdrop but also to drop
>>    traffic using Snort or better Suricata + ELK (
>>    https://github.com/StamusNetworks/SELKS/blob/master/README.rst)
>>    - FWaaS meant as multiple firewall “flavors”. Lots of customers ask
>>    for PFSense or their own Linux/FreeBSD solution
>>    - Network analytics in general (with InfluxDB or Monasca)
>>
>> Thanks
>>
>> Mariano
>>
>>
>>
>
> DataCentred Limited registered in England and Wales no. 05611763