We intend to slot it in to a location which uses VLANs heavily. In particular, our DMZ is on a VLAN, with the subnet's gateway at our firewall. We plan to use VxLANs within OpenStack.

Is it possible to make OpenStack aware of the DMZ VLAN, so that we can use it in projects? Is it possible to use the DMZ VLAN without routing through the OpenStack network node(s)?

Hi Dominic,

It is definitely possible. In OpenStack terms, you are looking for "Provider Networks", which can be used to bind a VLAN to OpenVSwitch directly on the respective compute node where a VM is running. Security groups can be used to provide port security at the VM's "ports" (vNICs).

"Tenant Networks", in your configuration, will use VXLANs, and are typically managed by Neutron's DVR (Distributed Virtual Routing) which manages the VXLAN configuration on OpenVSwitches on each compute node. SNAT will always use a network node since the NAT table has to be consistent and is not replicated (it is an iptables configuration on the network node in a specific Linux network namespace for the tenant network).

Floating IPs only work with networks marked as "external", which are provider networks that are VLAN-based. External networks are connected as the external gateway of an OpenStack router, where the router performs the 1:1 NAT function. Note that this does not work with IPv6, only IPv4, since IPv6 does not use NAT. The subnet assigned to the external network has a gateway property, which can be set to your firewall's gateway IP.

Note that you can have multiple provider networks and share these network(s) with specific projects to provide access to a specific VLAN. These would be marked as "internal" networks. This provides a great way to transition VMs from VLAN-based networks to VXLAN-based networks.

This has a good overview of the items I have discussed: https://superuser.openstack.org/articles/tenant-networks-vs-provider-networks-in-the-private-cloud-context/

Eric

Thank you,

Dominic L. Hilsbos, MBA
Director - Information Technology
Perform Air International Inc.
DHilsbos@PerformAir.com
www.PerformAir.com
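
Added example, not part of the thread: the provider-network setup described in the reply, written as `openstack` CLI calls that are printed by default and only executed with `APPLY=1`. The physical network label `physnet1`, VLAN ID 100, the 203.0.113.0/24 documentation range, the project name and the object names are all constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: a VLAN provider network for a DMZ, shared with one project.
# Every name, VLAN ID and address below is a constructed placeholder.
set -eu

PHYSNET=physnet1          # assumption: label mapped to the VLAN trunk in the ML2/OVS config
DMZ_VLAN=100              # assumption: VLAN ID of the DMZ
DMZ_CIDR=203.0.113.0/24   # documentation range (TEST-NET-3)
FW_GW=203.0.113.1         # the firewall's address on the DMZ subnet
PROJECT=dmz-project       # the only project allowed to attach ports

# Print each command unless APPLY=1, so the plan can be reviewed first.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

dmz_plan() {
  # Provider network bound to the DMZ VLAN. "Internal": VMs plug in directly,
  # no OpenStack router or floating-IP NAT in the path.
  run openstack network create --internal --provider-network-type vlan \
    --provider-physical-network "$PHYSNET" --provider-segment "$DMZ_VLAN" dmz-net

  # The subnet's gateway is the firewall, so the firewall stays the routing
  # and policy point. The allocation pool keeps Neutron away from addresses
  # already assigned by hand on the VLAN.
  run openstack subnet create --network dmz-net --subnet-range "$DMZ_CIDR" \
    --gateway "$FW_GW" --allocation-pool start=203.0.113.50,end=203.0.113.99 dmz-subnet

  # Share with one named project through RBAC rather than with every project.
  run openstack network rbac create --type network --action access_as_shared \
    --target-project "$PROJECT" dmz-net

  # Port-level filtering on the vNIC: a dedicated group that admits HTTPS only.
  run openstack security group create --project "$PROJECT" dmz-web
  run openstack security group rule create --ingress --protocol tcp \
    --dst-port 443 --remote-ip 0.0.0.0/0 dmz-web
}

dmz_plan
```

The network, RBAC and `--project` steps need admin credentials; project members can then create ports on `dmz-net` with the `dmz-web` group attached.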