[Openstack] [neutron] how to use multiple external networks?

Scott Lowe scott.lowe at scottlowe.org
Thu Apr 9 03:05:28 UTC 2015


Please see my response below.

Mike Spreitzer <mspreitz at us.ibm.com> wrote:

> Scott Lowe <scott.lowe at scottlowe.org> wrote on 04/08/2015 09:56:40 PM:
> 
> > Please see my responses inline, prefixed by [SL].
> > 
> > Mike Spreitzer <mspreitz at us.ibm.com> wrote:
> > 
> > > Oops, my original email did not contain all of the constraints. Each
> > > compute instance gets only one network interface, only one IP address.
> > > Does Juno Neutron have a way to solve this problem?
> > 
> > 
> > [SL] Use James' approach as described below, except with a single network
> > interface on each instance. The OS inside the instance will see a single IP
> > address (a private address from the tenant network), but a floating IP
> > address can be associated with the instance. You'll probably need to
> > implement split DNS (so that instances on the tenant network will resolve
> > the address from the tenant network's subnet while external systems will
> > resolve the floating IP address).
> > 
> > Even so, you could run into problems if the application running on those
> > instances needs to report an IP address to other systems; it will report the
> > private address, which may not be accessible by the other system.
> > 
> > 
> > > Thanks,
> > > Mike 
> > > 
> > > 
> > > 
> > >> From: James Denton <james.denton at rackspace.com> 
> > >> To: Mike Spreitzer/Watson/IBM at IBMUS, openstack 
> > <openstack at lists.openstack.org> 
> > >> Date: 04/08/2015 07:04 PM 
> > >> Subject: Re: [Openstack] [neutron] how to use multiple external networks? 
> > >> 
> > >> 
> > >> 
> > >> Hi Mike, 
> > >> 
> > >> With those requirements, I think dual-homing the instances may be the
> > >> best approach.
> > >> 
> > >> In my mind, you would have 5 networks: 
> > >> 
> > >> A - External Network 1 
> > >> B - External Network 2 
> > >> C - Tenant Network 1 
> > >> D - Tenant Network 2 
> > >> E - Shared Tenant Network (No gateway) 
> > >> 
> > >> Because routers can only connect to one external network at a time, and a
> > >> tenant network can only be connected to one router at a time, you would
> > >> need two routers:
> > >> 
> > >> Router 1 
> > >> Router 2 
> > >> 
> > >> You would connect them as follows: 
> > >> 
> > >> External Network 1 <-> Router 1 <-> Tenant Network 1 
> > >> External Network 2 <-> Router 2 <-> Tenant Network 2 
> > >> 
> > >> The VMs would then connect as follows: 
> > >> 
> > >> Tenant Network 1 <-> VM1 <-> Shared Network 
> > >> Tenant Network 2 <-> VM2 <-> Shared Network 
> > >> 
> > >> With no gateway set on the shared network, you won't have to worry about
> > >> multiple default routes, nor do you need to worry about terminating that
> > >> network off a router. It's simply isolated.
> > >> 
> > >> Hope that helps, 
> > >> James
> > >> 
> > >> 
> > >>> From: Mike Spreitzer <mspreitz at us.ibm.com>
> > >>> Sent: Wednesday, April 8, 2015 12:28 PM
> > >>> To: openstack
> > >>> Subject: [Openstack] [neutron] how to use multiple external networks? 
> > >>>   
> > >>> Supposing there are two external provider networks, and a tenant wants
> > >>> (a) some of his Compute Instances to have floating IP addresses on one
> > >>> of those external networks, (b) some other of his Compute Instances to
> > >>> have floating IP addresses on the other external network, and (c) all of
> > >>> his Compute Instances to be able to talk to each other using only tenant
> > >>> private networking, what arrangement of tenant networks and routers
> > >>> would accomplish this? In Juno, if it matters.
> > >>> 
> > >>> Thanks,
> > >>> Mike 
> > 
> > 
> 
> (sorry for top-posting the first time, I am switching to the usual
> convention now.)
> 
> Thanks Scott and James. What I was trying to say about all the tenant's
> Compute Instances communicating with only tenant private networking is
> that the tenant does not want to have to use floating IP addresses for
> that intra-tenant communication. After all, public IPv4 addresses are
> scarce; as an operator I am looking for a way that a tenant of mine can
> wire up all his compute instances without using external addresses for
> internal communication. I guess I should have explicitly added to my
> original (a) and (b) a third category: some of the tenant's Compute
> Instances do not need to accept any inbound connections from outside the
> tenant's network (and thus do not really need a floating IP address). As
> an operator, I am looking at the general case for how my tenants (which
> happen to be constrained in the one way I mentioned) can efficiently work
> in an environment with two external networks.
> 
> I was wondering if the following variant on James' topology would work:
> put the Shared Network between Router 1 and Router 2. Is there a way to do
> that without even attempting to make Router 1 and Router 2 be gateways for
> the Shared Network? After all, the Shared Network only needs to pass
> traffic between Tenant Network 1 and Tenant Network 2, it does not need to
> handle any other traffic.



All of James' assertions are ABSOLUTELY accurate---each router can connect
to only a single external network at a time, and a tenant network can only
connect to a single router at a time. Hence James' recommendation to use two
routers (each connected to an external network) and two tenant networks
(each connected to a router). Thus, you can't use a logical network as a
shared network because it would have to be connected to 2 routers
simultaneously.

With James' proposed topology:

- Instance on Tenant Network 1 or 2 communicating with another instance on
the same tenant network (regardless of the presence of floating IP address)
will communicate using private IP addresses (pulled from the subnet
associated with the tenant network)

- Instance on Tenant Network 1 or 2 communicating with an external instance
will NAT to the respective router's uplink (without a floating IP
associated) or will NAT to the floating IP (if associated)

- Instance on Tenant Network 1 can only communicate with instance on Tenant
Network 2 by traversing the appropriate external network(s). A floating IP
address *WOULD* be needed to receive inbound connections. A floating IP
address *WOULD NOT* be needed to initiate outbound connections.

If you give up the need for multiple external networks, then you could use a
single logical router connected to one external network and multiple tenant
networks, and then the instances could communicate freely across tenant
networks without NAT/floating IPs (which would only be necessary to support
inbound connections from external systems).

Does that help at all?

-- 
Scott
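
The following is an added example and not code from anyone in this thread or from Neutron itself. It encodes the two rules Scott and James state (one external gateway per router, one router per tenant network) in a small Python model and then computes, for James' five-network topology, which instance pairs talk over private addresses, which need a floating IP, and which have no path at all; it also shows Mike's variant (the shared network between both routers) being rejected, and Scott's single-external-network alternative. All names (ExtNet1, Tenant1, VM1, Router1 and so on) are made up for the example, and the model assumes the two external networks are routable to each other outside the cloud; it does not model the "no gateway on the shared network" detail, which only matters for the default route inside the instance.

```python
"""Model of the Juno-era Neutron rules discussed in the thread (example code,
not Neutron). Rules: a router has at most one external gateway; a tenant
network attaches to at most one router. Assumption: external networks are
mutually routable, so any router uplink can reach any floating IP."""


class TopologyError(ValueError):
    """Raised when a requested connection violates a Neutron constraint."""


class Topology:
    def __init__(self):
        self.networks = {}   # name -> True if external, False if tenant
        self.routers = {}    # name -> {"gateway": ext net or None, "ifaces": set()}
        self.instances = {}  # name -> set of tenant networks it has a port on
        self.floating = {}   # instance -> external network of its floating IP

    def add_network(self, name, external=False):
        self.networks[name] = external

    def add_router(self, name):
        self.routers[name] = {"gateway": None, "ifaces": set()}

    def set_gateway(self, router, net):
        """router-gateway-set: exactly one external network per router."""
        if not self.networks[net]:
            raise TopologyError(f"{net} is not an external network")
        if self.routers[router]["gateway"] is not None:
            raise TopologyError(f"{router} already has an external gateway")
        self.routers[router]["gateway"] = net

    def add_interface(self, router, net):
        """router-interface-add: a tenant network attaches to one router only."""
        if self.networks[net]:
            raise TopologyError(f"{net} is external; use set_gateway")
        for other, r in self.routers.items():
            if net in r["ifaces"] and other != router:
                raise TopologyError(f"{net} is already attached to {other}")
        self.routers[router]["ifaces"].add(net)

    def add_instance(self, name, *nets):
        if any(self.networks[n] for n in nets):
            raise TopologyError(f"{name}: instance ports go on tenant networks")
        self.instances[name] = set(nets)

    def router_for(self, net):
        """The single router a tenant network is attached to, or None."""
        return next((n for n, r in self.routers.items() if net in r["ifaces"]), None)

    def associate_floating_ip(self, instance, ext_net):
        """Needs a router whose gateway is ext_net with a port on one of
        the instance's networks."""
        for net in self.instances[instance]:
            r = self.router_for(net)
            if r and self.routers[r]["gateway"] == ext_net:
                self.floating[instance] = ext_net
                return
        raise TopologyError(f"no router joins {instance} to {ext_net}")

    def reach(self, src, dst):
        """'private': shared segment or both networks on one router;
        'floating': out via SNAT to dst's floating IP; 'none': no path."""
        snets, dnets = self.instances[src], self.instances[dst]
        if snets & dnets:
            return "private"
        srouters = {self.router_for(n) for n in snets} - {None}
        drouters = {self.router_for(n) for n in dnets} - {None}
        if srouters & drouters:
            return "private"
        has_uplink = any(self.routers[r]["gateway"] for r in srouters)
        return "floating" if has_uplink and dst in self.floating else "none"


def james_topology():
    """James' layout: 2 external, 2 tenant, 1 shared network, 2 routers."""
    t = Topology()
    for n in ("ExtNet1", "ExtNet2"):
        t.add_network(n, external=True)
    for n in ("Tenant1", "Tenant2", "Shared"):
        t.add_network(n)
    for r, ext, ten in (("Router1", "ExtNet1", "Tenant1"),
                        ("Router2", "ExtNet2", "Tenant2")):
        t.add_router(r)
        t.set_gateway(r, ext)
        t.add_interface(r, ten)
    t.add_instance("VM1", "Tenant1", "Shared")   # dual-homed
    t.add_instance("VM2", "Tenant2", "Shared")   # dual-homed
    t.add_instance("VM3", "Tenant1")             # single NIC, no floating IP
    t.add_instance("VM4", "Tenant2")             # single NIC, floating IP
    t.associate_floating_ip("VM4", "ExtNet2")
    return t


def mike_variant_fails():
    """Mike's variant: Shared between both routers; the second attach fails."""
    t = james_topology()
    t.add_interface("Router1", "Shared")
    try:
        t.add_interface("Router2", "Shared")
    except TopologyError as e:
        return str(e)
    return None


def single_external_topology():
    """Scott's alternative: one external network, one router, both tenant
    networks on it, so cross-network traffic never leaves the router."""
    t = Topology()
    t.add_network("ExtNet1", external=True)
    t.add_network("Tenant1")
    t.add_network("Tenant2")
    t.add_router("Router1")
    t.set_gateway("Router1", "ExtNet1")
    t.add_interface("Router1", "Tenant1")
    t.add_interface("Router1", "Tenant2")
    t.add_instance("VM3", "Tenant1")
    t.add_instance("VM4", "Tenant2")
    return t


if __name__ == "__main__":
    t = james_topology()
    for s, d in (("VM1", "VM2"), ("VM3", "VM1"), ("VM3", "VM4"),
                 ("VM3", "VM2"), ("VM4", "VM3")):
        print(f"{s} -> {d}: {t.reach(s, d)}")
    print("Mike's variant:", mike_variant_fails())
    print("single router VM3 -> VM4:", single_external_topology().reach("VM3", "VM4"))
```

Running it prints the table Scott describes: the dual-homed VM1 and VM2 reach each other privately over Shared; VM3 reaches VM4 only by SNAT to VM4's floating IP; VM3 and VM2, or VM4 and VM3, have no path because the target has no floating IP; attaching Shared to Router2 after Router1 raises the "already attached" error; and with a single router both tenant networks are routed privately.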