OpenStack networking summary: basic network concepts in OpenStack
Openstack-install-guide-yum-icehouse.pdf/7. Add a networking service/Networking concepts
OpenStack Networking (Neutron) manages the Virtual Network Infrastructure (VNI) and the access layer of the Physical Network Infrastructure (PNI) in an OpenStack environment. Neutron lets tenants build virtual network topologies that include services such as firewalls, load balancers, and virtual private networks (VPNs).
Neutron provides an abstraction of the following objects: Network, subnet, and router.
Each of these mimics a piece of physical hardware: a network contains subnets, and traffic between different subnets and networks is forwarded by routers.
A simple network topology is shown below.
Any Networking setup must contain at least one "external network" (ext-net in the figure). Unlike the other networks, the external network is not merely a virtually defined network: it represents a slice of a real external network segment that is reachable from outside the OpenStack environment. Devices outside OpenStack can reach IP addresses on the external network. Because this network only represents a slice of an outside network, DHCP is disabled on it.
In addition to the external network, any Networking setup has one or more "internal networks" (icenet and icenet2 in the figure). These software-defined networks connect directly to virtual machines. Only virtual machines on the same internal network, or on a subnet attached through an interface to the same router, can reach the virtual machines connected to that network directly.
To reach a virtual machine from a network outside the OpenStack environment, you create a "router" between the networks (ice_route in the figure). Each router has one gateway connected to the external network and interfaces connected to one or more internal subnets. Like a physical router, it lets a virtual machine on one subnet reach a virtual machine on another subnet attached to the same router (a VM on icenet2 can reach a VM on icenet), and lets those machines reach the external network through the router's gateway.
You can also allocate an IP address from the "external network" to a port on an internal network. Whenever a VM instance is connected to a subnet, that connection is called a port, and an external network IP address can be associated with a virtual machine's port. In this way, hosts on the external network can reach virtual machines inside the OpenStack environment. For example, if the virtual machine on icenet is assigned the external IP address 192.168.40.202, it can be reached from outside through that address.
Networking also supports security groups. A security group lets administrators define firewall rules as a group, and a virtual machine can belong to one or more security groups. Neutron applies the rules in those groups to the virtual machine's ports to block or allow traffic by port, port range, or traffic type.
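The topology described above (ext-net with DHCP disabled, icenet and icenet2 behind ice_route, a floating IP, and a restrictive security group), as an added example built with the Icehouse-era neutron CLI; this is not code from the install guide. All addresses except the floating IP 192.168.40.202 are constructed, and the security group name ice-admin and the PORT_ID argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): builds ext-net, icenet, icenet2,
# ice_route, a floating IP, and a restrictive security group with the
# Icehouse-era neutron CLI. Addresses are constructed except 192.168.40.202.
set -eu
NEUTRON="${NEUTRON:-neutron}"   # set NEUTRON=echo for a dry run

build_topology() {
    # External network: a slice of the physical segment, so DHCP is disabled
    # and the allocation pool is limited to addresses reserved for floating IPs.
    $NEUTRON net-create ext-net --shared --router:external=True
    $NEUTRON subnet-create ext-net --name ext-subnet --disable-dhcp \
        --allocation-pool start=192.168.40.200,end=192.168.40.220 \
        --gateway 192.168.40.1 192.168.40.0/24

    # Two internal (tenant) networks with one subnet each (CIDRs constructed).
    $NEUTRON net-create icenet
    $NEUTRON subnet-create icenet --name icenet-subnet --gateway 10.0.1.1 10.0.1.0/24
    $NEUTRON net-create icenet2
    $NEUTRON subnet-create icenet2 --name icenet2-subnet --gateway 10.0.2.1 10.0.2.0/24

    # Router: one interface per internal subnet plus a gateway on ext-net.
    # This is what lets icenet2 reach icenet and both reach the outside.
    $NEUTRON router-create ice_route
    $NEUTRON router-interface-add ice_route icenet-subnet
    $NEUTRON router-interface-add ice_route icenet2-subnet
    $NEUTRON router-gateway-set ice_route ext-net

    # Security group (name assumed): ingress is denied unless a rule allows it,
    # so open only ICMP and SSH, and only from the external segment, not 0.0.0.0/0.
    $NEUTRON security-group-create ice-admin --description "icmp/ssh from ext segment"
    $NEUTRON security-group-rule-create --direction ingress --protocol icmp \
        --remote-ip-prefix 192.168.40.0/24 ice-admin
    $NEUTRON security-group-rule-create --direction ingress --protocol tcp \
        --port-range-min 22 --port-range-max 22 \
        --remote-ip-prefix 192.168.40.0/24 ice-admin
}

# Give an instance port on icenet an address from ext-net (a floating IP).
# The argument is the instance's Neutron port ID, as listed by `neutron port-list`.
attach_floating_ip() {
    port_id="$1"
    $NEUTRON floatingip-create --port-id "$port_id" ext-net
}
```

Run with `NEUTRON=echo` first to review the exact command sequence before it touches a live deployment.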
Neutron's functionality is extended through plug-ins, and each plug-in has its own concepts. The core plug-in and the security group plug-in are relatively basic; the Firewall-as-a-Service (FWaaS) and Load-Balancer-as-a-Service (LBaaS) plug-ins are optional.