IBM T. J. Watson Research Center 
Neutron Networking: 
Service Groups, Policies and Chains 
OpenStack Meetup - IBM OpenStack Lightning Talks 
© 2014 IBM Corporation 
John M. Tracey for Mohammad Banikazemi 
October 7, 2014
© 2013 IBM Corporation 
Agenda 
§ Current Neutron application programming interface 
§ Example multi tier application with current API 
§ Application centric abstraction 
§ Group based policy constructs 
§ Example multi tier application with policy extension 
§ For more information 
Abstract 
§ Neutron is OpenStack's networking service. It defines an API, but allows different implementations to be plugged in. 
§ The current OpenStack Neutron API provides constructs that are closely tied to physical network entities. 
§ To better support application developers and allow better separation of application and infrastructure concerns, a Neutron blueprint is well underway that adds a set of higher-level abstractions to Neutron, known as group-based policy. 
Neutron application programming interface 
• Current Neutron API is somewhat low-level 
• Neutron constructs mirror physical devices 
• Network: layer-2 broadcast domain; private/shared 
• Port: virtual switch port on a network; has MAC and IP address properties 
• Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers 
• Router: provides IP routing among networks, supports source NAT 
Example multi tier application 
[Diagram: application tiers Web, Application and Database; External Network (Internet); Firewall; Load Balancer] 
Example multi tier application with current neutron CLI 
neutron net-create web_tier 
neutron subnet-create web_tier 10.0.0.0/24 
neutron router-create router1 
neutron router-interface-add router1 web_tier 
[Diagram: External Network attached to a Router; three Subnet/Network boxes; Port] 
Application centric abstraction 
• Need a more application centric set of abstractions as well 
• More easily understood/utilized by higher layers 
• Declarative model 
• Separation of concerns (application/infrastructure) 
• Provide policy-based connectivity between application tiers 
• Enable redirection to network services and service chains 
• Support dynamic application of policies 
Group based policy constructs 
• Endpoint (EP) 
• Lowest unit of abstraction to which policy is applied 
• Endpoint Group (EPG) 
• Logical grouping of endpoints 
• Policy Rule 
• Specifies allowed/disallowed network access to EPGs 
• Policy (a.k.a. contract) 
• Collection of policy rules 
Example multi tier application with GBP extension 
neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP --direction IN 
neutron policy-rule-create insecure-web --policy-classifier Insecure-Web-Access --actions ALLOW 
neutron contract-create Web-Server-Contract --policy-rule insecure-web 
[Diagram: EPGs Web, Application, Database and External Network (Internet); Firewall. Policies: Protocol TCP, Port 80, Action Redirect to FW_LB_CHAIN; Protocol TCP, Port 3306, Action ALLOW; Protocol TCP, Port 9080, Action ALLOW. EPG = Endpoint Group] 
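As an added illustration, not code from this deck or from Neutron, the following Python sketches the slide-8 constructs (endpoint, endpoint group, classifier plus action as a policy rule, contract as a list of rules) and evaluates the slide-9 policies between the tiers. The endpoint ids, the contract names App-Contract and Db-Contract, the provide/consume relationship between EPGs and the Redirect action on the Web rule (the diagram's action rather than the CLI's ALLOW) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
# Constructed model of the slide-8 GBP constructs (not Neutron's own code): classifier +
# action = policy rule, contract = list of rules, EPGs provide/consume contracts, rest denied.
@dataclass(frozen=True)
class Classifier:
    protocol: str    # e.g. "TCP"
    port: int
    direction: str   # "IN": traffic arriving at the EPG that provides the contract
@dataclass(frozen=True)
class PolicyRule:
    name: str
    classifier: Classifier
    action: str                  # "ALLOW" or "REDIRECT"
    chain: Optional[str] = None  # service chain applied when action is "REDIRECT"

@dataclass
class EndpointGroup:
    name: str
    endpoints: Set[str] = field(default_factory=set)   # endpoint (port) ids
    provides: Dict[str, List[PolicyRule]] = field(default_factory=dict)
    consumes: Set[str] = field(default_factory=set)    # contract names this EPG may use

def group_of(groups: List[EndpointGroup], ep: str) -> Optional[EndpointGroup]:
    return next((g for g in groups if ep in g.endpoints), None)

def evaluate(groups: List[EndpointGroup], src: str, dst: str,
             protocol: str, port: int) -> Tuple[str, Optional[str]]:
    """Return (action, chain) for a flow from endpoint src to endpoint dst."""
    src_group, dst_group = group_of(groups, src), group_of(groups, dst)
    if src_group is None or dst_group is None:
        return ("DENY", None)  # endpoint belongs to no EPG: no policy applies
    for name, rules in dst_group.provides.items():
        if name not in src_group.consumes:
            continue           # dst offers the contract but src is not a party to it
        for rule in rules:
            if rule.classifier == Classifier(protocol, port, "IN"):
                return (rule.action, rule.chain)
    return ("DENY", None)      # declarative model: unmatched traffic is denied

def build_example() -> List[EndpointGroup]:
    """Slide-9 topology; endpoint ids are constructed, Web uses the diagram's Redirect."""
    web = EndpointGroup("Web", {"web-1"}, {"Web-Server-Contract": [PolicyRule(
        "insecure-web", Classifier("TCP", 80, "IN"), "REDIRECT", "FW_LB_CHAIN")]},
        {"App-Contract"})
    app = EndpointGroup("Application", {"app-1"}, {"App-Contract": [PolicyRule(
        "app-access", Classifier("TCP", 9080, "IN"), "ALLOW")]}, {"Db-Contract"})
    db = EndpointGroup("Database", {"db-1"}, {"Db-Contract": [PolicyRule(
        "db-access", Classifier("TCP", 3306, "IN"), "ALLOW")]})
    ext = EndpointGroup("External", {"client-1"}, consumes={"Web-Server-Contract"})
    return [web, app, db, ext]
```

Because the External EPG consumes only Web-Server-Contract, a flow from it straight to the Database tier on 3306 is denied even though the Database EPG provides that port to the Application tier.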
For further information 
• Neutron wiki 
• https://wiki.openstack.org/wiki/Neutron 
• https://ibm.biz/BdFyZu 
• Blueprints for Neutron 
• https://blueprints.launchpad.net/neutron 
• https://ibm.biz/BdE4dC 
• Group-based policy abstractions for Neutron 
• https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction 
• https://ibm.biz/BdE4dQ 