East-West and the compute VM flows come to a centralized gateway for security audit
Hello Everyone,

Any advice about configuring OpenStack or OVN/OVS to implement a centralized gateway for all VM flows, for flow audit? Since the default mode for East-West flows is distributed, I want to know if we can change to a centralized one?

Thank you!
Best regards,
Andy Zhou
Hi,

On Tuesday, 30 September 2025 01:35:38 Central European Summer Time, Andy Zhou wrote:
Hello Everyone,
Any advice about configuring OpenStack or OVN/OVS to implement a centralized gateway for all VM flows, for flow audit? Since the default mode for East-West flows is distributed, I want to know if we can change to a centralized one?
Thank you!
Best regards,
Andy Zhou
In ML2/OVN east-west traffic is always distributed. In ML2/OVS you can use centralized routers so that all traffic going through the router will be centralized, but even then your traffic in the same L2 network, e.g. between VMs, will not go through that node but directly between compute nodes. Maybe Tap-as-a-service [1] is something you should look at.

[1] https://github.com/openstack/tap-as-a-service

--
Slawek Kaplonski
Principal Software Engineer
Red Hat
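An added example (not from the thread or from the TaaS project) of putting the Tap-as-a-service suggestion into practice: a POSIX sh helper that mirrors one VM port into an audit VM's port, which captures same-L2 east-west traffic that a centralized router would never see. The `openstack tap ...` commands and the neutron configuration prerequisites follow the TaaS project documentation as I recall it and are assumptions; the port IDs are placeholders.

```shell
#!/usr/bin/env sh
# Constructed example: mirror a tenant VM's Neutron port to an audit VM's port
# with Tap-as-a-service (TaaS). TaaS mirrors per port inside OVS on the compute
# node, so it does not depend on where the router lives.
#
# Assumed prerequisites (TaaS project docs, not the thread):
#   neutron.conf:           service_plugins = ...,taas
#   openvswitch_agent.ini:  [agent] extensions = taas
#   plus the "openstack tap ..." OSC plugin shipped with the project.

# taas_mirror_port AUDIT_PORT_ID VM_PORT_ID DIRECTION
#   Creates a tap service on the audit VM's port once, then a tap flow that
#   mirrors the monitored VM port into it. DIRECTION is IN, OUT or BOTH.
#   Returns 2 on bad arguments before touching the Neutron API.
taas_mirror_port() {
    audit_port="$1"; vm_port="$2"; direction="$3"
    if [ -z "$audit_port" ] || [ -z "$vm_port" ]; then
        echo "usage: taas_mirror_port AUDIT_PORT VM_PORT {IN|OUT|BOTH}" >&2
        return 2
    fi
    case "$direction" in
        IN|OUT|BOTH) ;;
        *) echo "invalid direction: $direction (use IN, OUT or BOTH)" >&2
           return 2 ;;
    esac
    svc="audit-${audit_port}"
    # One tap service per audit port; reuse it if it already exists.
    if ! openstack tap service show "$svc" >/dev/null 2>&1; then
        openstack tap service create --name "$svc" --port "$audit_port" || return 1
    fi
    # One tap flow per monitored VM port; both directions for a full audit trail.
    openstack tap flow create --name "flow-${vm_port}" \
        --port "$vm_port" --tap-service "$svc" --direction "$direction"
}

# Placeholder IDs: replace with the real Neutron port UUIDs.
# taas_mirror_port AUDIT_VM_PORT_ID TENANT_VM_PORT_ID BOTH
```

Run the function once per VM port you want audited; every flow feeds the same tap service, so the audit VM sees all mirrored traffic on a single interface.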
Thank you so much for your helpful answer, Slawek.

Could we modify the rules, or even a small amount of code, to redirect the traffic of the same L2 network to a centralized node?

Best regards,
Andy Zhou

On Wed, Oct 1, 2025 at 12:08 AM Sławek Kapłoński <skaplons@redhat.com> wrote:
Hi,
On Tuesday, 30 September 2025 01:35:38 Central European Summer Time, Andy Zhou wrote:
Hello Everyone,
Any advice about configuring OpenStack or OVN/OVS to implement a centralized gateway for all VM flows, for flow audit? Since the default mode for East-West flows is distributed, I want to know if we can change to a centralized one?
Thank you!
Best regards,
Andy Zhou
In ML2/OVN east-west traffic is always distributed. In ML2/OVS you can use centralized routers so that all traffic going through the router will be centralized, but even then your traffic in the same L2 network, e.g. between VMs, will not go through that node but directly between compute nodes. Maybe Tap-as-a-service [1] is something you should look at.
[1] https://github.com/openstack/tap-as-a-service
--
Slawek Kaplonski
Principal Software Engineer
Red Hat