In my previous post “THERE’S REAL MAGIC BEHIND OPENSTACK NEUTRON” I’ve talked how OpenStack Neutron and OpenVSwitch work together to provide basic network virtual elements to your project. You can create virtual routers, get network services like DHCP and DNS to your assets, Floating IP addresses and private subnets. Besides all this important stuff – basically you cannot be efficient enough to build your web apps into any tenant – you need security components to control the access to your application resources.
OpenStack brings components like security groups that protect every instance in the tenant. These sec-groups are based on iptables and you can control de access to the protected instance’s ports from other instances, tenants or/and outside systems. However, OpenStack Neutron can bring a Firewall at the edge to protect the tenant and its instances from any outside attack. Actually, this last system uses iptables and brings an additional protection allowing you to define des-militarized zones into the tenant to implement a more secured topology for your project’s applications.
This firewall solution support the definition of MAC/CIDR pairs – MAC address and its IP addresses defined through its corresponding Classless Inter-Domain Routing block- This feature helps you to float an “IP address between two instances to enable fast data plane failover” and enable “the use of protocols such as VRRP” – I’ve got these quotes from the OpenStack Neutron documentation that explains better this cool feature than the way I could figure it out.
Additionally, there are virtual load balancers that can be created to monitor and spread user’s sessions among different web server instances. These load balancers work among different methods: round-robin (taking each come-in session to the next server in the pool no matters how this server is performing), source-IP (taking sessions from the same source IP to the same web server) and least connections (taking the next session to the server with the least connections). Sessions are persistent between users and servers through this LBs. LBs use different ways to monitor the status of the server through protocols as ping, TCP, HTTP GET and HTTPS GET -some of you could find limited the amount of available protocols to monitor, they are the most used anyway-
Firewalls and Load Balancers are located in the Neutron Network Nodes. They are directly connected to the Integration Bridge – Again, check my note about these switches at “THERE’S REAL MAGIC BEHIND OPENSTACK NEUTRON” – They are supported by independent Linux Network Stacks and works in a independent Linux IP namespace. The integration bridge interconnect these components with routers and network services through a VLAN tagging process.
This components could be provisioned through the OpenStack DashBoard – yes, Horizon – as easy as you cannot imagine how all the components are acting behind. Well, this is the beauty of Openstack anyway.
See you next!