Book Image

Learning OpenStack Networking (Neutron)

By : James Denton
Book Image

Learning OpenStack Networking (Neutron)

By: James Denton

Overview of this book

OpenStack Neutron is an OpenStack component that provides networking as a service for other OpenStack services to architect networks and create virtual machines through its API. This API lets you define network connectivity in order to leverage network capabilities to cloud deployments. Through this practical book, you will build a strong foundational knowledge of Neutron, and will architect and build an OpenStack cloud using advanced networking features. We start with an introduction to OpenStack Neutron and its various components, including virtual switching, routing, FWaaS, VPNaaS, and LBaaS. You’ll also get hands-on by installing OpenStack and Neutron and its components, and use agents and plugins to orchestrate network connectivity and build a virtual switching infrastructure. Moving on, you’ll get to grips with the HA routing capabilities utilizing VRRP and distributed virtual routers in Neutron. You’ll also discover load balancing fundamentals, including the difference between nodes, pools, pool members, and virtual IPs. You’ll discover the purpose of security groups and learn how to apply the security concept to your cloud/tenant/instance. Finally, you' ll configure virtual private networks that will allow you to avoid the use of SNAT and floating IPs when connecting to remote networks.
Table of Contents (21 chapters)
Learning OpenStack Networking (Neutron) Second Edition
Credits
About the Author
About the Reviewers
www.PacktPub.com
Preface
Index

Implementing security group rules


In the following example, an instance named WEB1 will be created that acts as a web server running Apache on ports 80 and 443. To demonstrate how security group rules are implemented on a compute node, take note of the following WEB_SERVERS security group created with the Neutron security-group-create command:

Figure 6.3

The following screenshot shows two security group rules being added to the WEB_SERVERS security group using the security-group-rule-create command. The rules allow inbound connections on ports 80 and 443 from any remote host:

Figure 6.4

Using the Neutron port-update command, the WEB_SERVERS security group can be applied to the Neutron port of the WEB1 instance, as shown in the following screenshot:

Figure 6.5

Once a security group is applied to the corresponding Neutron port of an instance, a series of iptables rules and chains are implemented on the compute node hosting the instance.

Stepping through the chains

The implementation of security group...