JavaScript isn't enabled in your browser, so this file can't be opened. Enable and reload.

1 of 30

Developing, Deploying, and Consuming L4-7 Network Services in an OpenStack Cloud

Hands-On Workshop, OpenStack Summit, Austin

https://wiki.openstack.org/wiki/GroupBasedPolicy/Austin

Sumit Naiksatam, Igor Duarte Cardoso, Hemanth Ravi, Ivar Lazzaro, Jason Plank, David Grizzanti

2 of 30

3 of 30

Agenda

1. Intro + Workshop logistics - Sumit, 5 mins

2. OpenStack *aaS services and SFC in Neutron and GBP - Igor, 10 mins

3. GBP Intro + Service Chain consumption workflow (tenant API) - Sumit, 20 mins

4. Service Chain deployment workflow (Operator API) - Ivar, 20 mins

5. BYOF - Service Developer workflow - Hemanth, 20 mins

6. HA for Services + Sungard Production setup tour - David, 10 mins

7. Q/A

4 of 30

Logistics

Workshop Resources:

https://wiki.openstack.org/wiki/GroupBasedPolicy/Austin

Workshop Guide:

https://goo.gl/EwAJeg

Contains lab access information

Also, GBP devstack available to practice after workshop

5 of 30

OpenStack *aaS services and SFC in Neutron and GBP

6 of 30

OpenStack *aaS services and SFC in Neutron and GBP

7 of 30

OpenStack *aaS services and SFC in Neutron and GBP

8 of 30

OpenStack *aaS services and SFC in Neutron and GBP

9 of 30

OpenStack *aaS services and SFC in Neutron and GBP

VPNaaS, FWaaS, LBaaS

GBP can easily instantiate them

GBP can also chain them

Instantiation/configuration and chaining/plumbing are not coupled

Other drivers or plumbers can easily be introduced

The Neutron's Advanced Services [LBaaS, FWaaS and VPNaaS] allow us to place and use load balancers, firewalls and virtual private networks.

The Group-Based Policy project is able to consume and reuse these services as is. They can be placed between groups of VMs, like different tiers of virtual servers, through policy and intent definitions that the tenant can specify, without the user having to be concerned about the internals or configuration of these services.

Furthermore, GBP also supports service chaining in the sense that it can chain traffic between multiple advanced services, through similar policy definitions that are applied between the groups of VMs. This requires no changes to Neutron or the advanced services, keeping all the necessary orchestration logic inside GBP.

The instantiation/configuration vs. chaining/plumbing of services in GBP are decoupled from each other.

A special driver, the node driver, takes care of configuring a specific service, and requesting specific networking resources. There is a driver for each of services in the chain.

Another, orthogonal entity, the plumber, essentially takes care of connecting all the networking resources advertised by the service drivers, so that traffic can flow through them.

This makes the underlying GBP architecture pluggable both in terms of the services it supports and the plumbing method that it supports. As an example, today, support for chaining between Neutron ports would be possible by simply introducing a plumbing driver that is able to talk to the networking-sfc project. Also, a special node driver for Service VMs already exists in GBP today, the Network Function Plugin is able to manage the full lifecycle of Service VMs.

In this workshop you will learn how to use Group-Based Policy, including how to to create Service Chains of different services.

neutron->services->orchestrate and configure->gbp->chain->configure and plumb->extensibility->adapt to networking-sfc->use nfp for all lifecycle->workshop gbp and sc

10 of 30

Policy Based Service Lifecycle Management

11 of 30

Group Based Policy Model

12 of 30

Resource Model

13 of 30

Resource Model

14 of 30

1-2-3 Easy!

Define service chains using simple commands/UI
Create Application Policy to redirect to service chain
Groups provide & consume Application Policy, done!

15 of 30

Consuming - Tenant Workflow

16 of 30

Workshop Goal

Web

FW

+ LB

HTTP

External-

World

App

LB

HTTP

DB

FW

(3306)

TCP

External Group

PRS

Service Chain

Internal Group

VM

17 of 30

Deploying - Operator Workflow

18 of 30

Separation of Concerns

Operators do this once:

So that Users only have to do this:

19 of 30

Operator Workflow

Provide basic infrastructure constructs your cloud’s Tenants, so that they don’t have to worry about them.

External Connectivity Policies

Service Chain Policies

Application Contracts

20 of 30

Operator Workflow

Provide basic infrastructure constructs your cloud’s Tenants, so that they don’t have to worry about them.

External Connectivity Policies

Service Chain Policies

Application Contracts

21 of 30

External Connectivity

Neutron External Network
Neutron Subnet
External Segment
Nat Pool

22 of 30

Service Chain

Network Service Policy
Service Profile
Service Chain Node
Service Chain Spec
Policy Action
Policy Rule

23 of 30

Developing - Service Developer Workflow

BYOF - Bring Your Own Function!

24 of 30

Develop Firewall Service on a VM

fw-

consumer

fw-

provider

FW

(allow icmp + ssh)

TCP

PRS

Service Chain

Internal Group

VM

25 of 30

Service Lifecycle Management Framework - NFP

Service VM

Service VM

Service VM

GBP

Service Chaining

Network Function Orchestrator

Tenant (Over-the-cloud)

RPC

Namespace

Proxy

Network Plugin Framework (NFP)

Infra (Under-the-Cloud)

RPC

REST

26 of 30

NFP Framework Features

Provides orchestration, configuration and visibility for Network Functions
Rendering of Service Chains via GBP NB APIs

NFP orchestrates Network Function Devices
NFP renders Network Functions

Network Function Management South Bound REST APIs

Service Insertion for configuring Interfaces & Routes
Service Configuration
Service Health Monitoring

Any L2, L3, L4-7 Network Function can be supported

BYOF! (“Bring your own Function”)

27 of 30

HA for Services

28 of 30

Sungard Availability Services

Target Market

80% mid-to-large enterprise customers

Typical Customer

Shrink wrapped applications
Looking for a mix of self-managed and Sungard AS managed offerings

Platform Expectations

Cloud Native & Traditional Networking models
Above the hypervisor services (per tenant FW, LB, VPN)
Service-chaining

29 of 30

Thank You

30 of 30

Legal Notices and Disclaimers by Intel Author - Igor Duarte Cardoso

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at intel.com, or from the OEM or retailer.
No computer system can be absolutely secure.
Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. For more complete information about performance and benchmark results, visit http://www.intel.com/performance.
Intel, the Intel logo and others are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others.
© 2016 Intel Corporation.