[Openstack-operators] VPNaaS and FWaaS

Adam Lawson alawson at aqorn.com
Fri May 20 05:21:37 UTC 2016

We don't use FWaaS but we certainly are interested in LBaaS and VPNaaS.
Chalk us up to a vendor trying to implement these. VPNaaS is huge as it
allows customers to non-disruptively attach their organizations to a public
cloud with the same IP space as is the case with AWS. I'd be open to
letting this go IF it is being addressed elsewhere in some other manner.


*Adam Lawson*

427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (844) 4-AQORN-NOW ext. 101
International: +1 302-387-4660
Direct: +1 916-246-2072

On Thu, May 19, 2016 at 6:52 PM, Joseph Bajin <josephbajin at gmail.com> wrote:

> We have actually started to look at VPNaaS as a way to tie two different
> regions' Tenant Networks together. This will hopefully allow us to not
> have to look at users using too many Floating IPs to just support tools and
> products that have issues with Floating IPs.
> On Tue, May 10, 2016 at 4:18 AM, Matt Jarvis <
> matt.jarvis at datacentred.co.uk> wrote:
>> We see FWaaS generally being used by customers with larger deployments,
>> where they want overall firewall rules at the boundary as well as security
>> groups. Since my original post on this thread, I went to look at the
>> numbers - it's actually being used more widely than I originally thought on
>> our platform, including many of our largest customers.
>> On 10 May 2016 at 09:03, Mariano Cunietti <mcunietti at enter.it> wrote:
>>> Hi Kyle,
>>> > I know there are operators relying on these functions, particularly in the
>>> > public cloud space in Europe, so this would impact those people. I also know
>>> > this list doesn't necessarily reach all of them either, so I will try and
>>> > reach out by other means as well, but it would be very useful to try and get
>>> > a clearer picture of how many people are using VPNaaS and FWaaS. If you are,
>>> > could you please respond to this thread?
>>> We are using VPNaaS and FWaaS on entercloudsuite.com, on Juno.
>>> With VPNaaS it basically works (or: works basically) but there are some
>>> issues with the configuration of MTU and some other server side
>>> configurations that drop some client connections. I can provide more
>>> details if you want on a private thread.
>>> With FWaaS we are providing it but we also deprecate it; moreover, it’s
>>> generating a lot of confusion and overlap with Security Groups.
>>> >
>>> I'm actually really surprised that people are *using* FWaaS. It's been
>>> marked experimental for over 3 years now, and it only recently in
>>> Liberty received work which made it somewhat useful, which was the
>>> ability to apply a firewall on a specific Neutron router rather than
>>> all tenant routers. FWaaS in production sounds pretty risky to me, but
>>> I suppose that's our fault for not being clear on its readiness.
>>> Agree, but the words EXPERIMENTAL and NOT PRODUCTION READY are pretty
>>> visible in the documentation.
>>> So, not your fault at all
>>> > If we have metrics that a constituent part of the user community need these
>>> > functions, then we can try and find a way to help the Neutron team to cover
>>> > the resourcing gaps.
>>> >
>>> If people are using these, IMHO that's another reason to keep them
>>> around. I've already said that we have at least one large user of VPN,
>>> so that project will continue to be worked on even if it's removed
>>> from Neutron.
>>> Here’s what WE’D LOVE to have:
>>>    - VPNaaS
>>>    - IDS or some TAPaaS to redirect router traffic to a tenant’s
>>>    instance (remember we all sell instances)
>>>    - IPS, that is the ability not only to eavesdrop but also to drop
>>>    traffic using Snort or better Suricata + ELK (
>>>    https://github.com/StamusNetworks/SELKS/blob/master/README.rst)
>>>    - FWaaS meant as multiple firewall “flavors”. Lots of customers ask
>>>    for PFSense or their own Linux/FreeBSD solution
>>>    - Network analytics in general (with InfluxDB or Monasca)
>>> Thanks
>>> Mariano
>> DataCentred Limited registered in England and Wales no. 05611763
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators