Neutron Networking: Service Groups, Policies and Chains

2 likes1,622 views

This document discusses proposed extensions to the OpenStack Neutron networking service API to add higher-level abstractions for application developers. The current API focuses on physical network constructs like ports and subnets. The extensions define logical groupings of endpoints (EPGs) and policy rules specifying allowed network access between EPGs. This provides a more declarative and application-centric model, separating application and infrastructure concerns. An example shows how a multi-tier application could be defined using these new abstractions.

Technology

IBM T. J. Watson Research Center
Neutron Networking:
Service Groups, Policies and Chains
OpenStack Meetup - IBM OpenStack Lightning Talks
© 2014 IBM Corporation
John M. Tracey for Mohammad Banikazemi
October 7, 2014

© 2013 IBM Corporation
Agenda
§ Current Neutron application programming interface
§ Example multi tier application with current API
§ Application centric abstraction
§ Group based policy constructs
§ Example multi tier application with policy extension
§ For more information
2

© 2013 IBM Corporation
Abstract
§ Neutron is OpenStack’s networking service. It
defines an API, but allows different implementations
to be plugged in.
§ The current OpenStack Neutron API provides
constructs that are closely tied to physical network
entities.
§ To better support application developers and allow
better separation of application and infrastructure
concerns, a Neutron blueprint is well underway that
adds a set of higher-level abstractions to Neutron,
known as group-based policy.
3

Neutron application programming interface
• Current Neutron API is somewhat low-level
• Neutron constructs mirror physical devices
• Network: layer-2 broadcast domain; private/shared
• Port: virtual switch port on a network; has MAC and IP address properties
• Subnet: CIDR IP address block associated with a network; optionally
associated with gateway, DNS/DHCP servers
• Router: provides IP routing among networks, supports source NAT
4 © 2013 IBM Corporation

Example multi tier application
Web
Application
Database
External
Network
(Internet)
Firewall Load
Balancer
5 © 2013 IBM Corporation

Example multi tier application with current neutron CLI
neutron net-create web_tier
neutron subnet-create web_tier 10.0.0.0/24
neutron router-create router1
neutron router-interface-add router1 web_tier
External Network
Router
Q
sNuebtnweot rk/
sNuebtnweot rk/
sNuebtnweot rk/
Port
Q
6 © 2013 IBM Corporation

Application centric abstraction
• Need a more application centric set of abstractions as well
• More easily understood/utilized by higher layers
• Declarative model
• Separation of concerns (application/infrastructure)
• Provide policy-based connectivity between application tiers
• Enable redirection to network services and service chains
• Support dynamic application of policies
7 © 2013 IBM Corporation

Group based policy constructs
• Endpoint (EP)
• Lowest unit of abstraction to which policy is applied
• Endpoint Group (EPG)
• Logical grouping of endpoints
• Policy Rule
• Specifies allowed/disallowed network access to EPGs
• Policy (a.k.a. contract)
• Collection of policy rules
8 © 2013 IBM Corporation

Example multi tier application with GBP extension
neutron classifier-create Insecure-Web-Access --port 80
--protocol TCP --direction IN
neutron policy-rule-create insecure-web --policy-classifier
Insecure-Web-Access --actions ALLOW
neutron contract-create Web-Server-Contract --policy-rule
insecure-web
EPG
Web
EPG
Application
EPG
Database
Firewall
9 © 2013 IBM Corporation
EPG
External
Network
(Internet)
Policy
Protocol:TCP
Port:80
Action:Redirect
To FW_LB_CHAIN
Protocol:TCP
Port:3306
Action:ALLOW
Protocol:TCP
Port:9080
Action:ALLOW
EPG EPG (Endpoint Group)

For further information
• Neutron wiki
• https://wiki.openstack.org/wiki/Neutron
• https://ibm.biz/BdFyZu
• Blueprints for Neutron
• https://blueprints.launchpad.net/neutron
• https://ibm.biz/BdE4dC
• Group-based policy abstractions for Neutron
• https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
• https://ibm.biz/BdE4dQ
10 © 2013 IBM Corporation

More Related Content

What's hot (20)

PPTX

How Red Hat ran a global OpenVPN offer during the COVID-19 pandemic with 99% ...All Things Open

PDF

Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit kimw001

PPTX

Midokura Enterprise MidoNet Overview Midokura

PPT

CCNA Discovery 4 - Chapter 8Irsandi Hasan

PPTX

Docker meetup oct14Vipin Jain

PDF

IPv6 cross border communication challengesGovernments ENabled with IPv6

PPT

Chapter 6ali raza

PPTX

Design and Deploy Secure Clouds for Financial Services Use CasesPLUMgrid

PPT

CCNA Discovery 4 - Chapter 5Irsandi Hasan

PPTX

Monitoring Security Policies for Container and OpenStack CloudsPLUMgrid

PPT

Chapter 7 ali raza

PPT

Chapter 8 ali raza

PDF

F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summitkimw001

PDF

Intelligent IoT gateway on openwrtMateusz Babiarz

PDF

Model-driven Telemetry: The Foundation of Big Data AnalyticsCisco Canada

PPT

Chapter 1ali raza

PPT

CCNA Discovery 4 - Chapter 6Irsandi Hasan

PPTX

Supporting Virtualized Telco Applications with OpenStackBruce Davie

PDF

OpenStackDay - XIFI FederationAlessandro Martellone

PPT

CCNA Discovery 4 - Chapter 9Irsandi Hasan

How Red Hat ran a global OpenVPN offer during the COVID-19 pandemic with 99% ...All Things Open

Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit kimw001

Midokura Enterprise MidoNet Overview Midokura

CCNA Discovery 4 - Chapter 8Irsandi Hasan

Docker meetup oct14Vipin Jain

IPv6 cross border communication challengesGovernments ENabled with IPv6

Chapter 6ali raza

Design and Deploy Secure Clouds for Financial Services Use CasesPLUMgrid

CCNA Discovery 4 - Chapter 5Irsandi Hasan

Monitoring Security Policies for Container and OpenStack CloudsPLUMgrid

Chapter 7 ali raza

Chapter 8 ali raza

F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summitkimw001

Intelligent IoT gateway on openwrtMateusz Babiarz

Model-driven Telemetry: The Foundation of Big Data AnalyticsCisco Canada

Chapter 1ali raza

CCNA Discovery 4 - Chapter 6Irsandi Hasan

Supporting Virtualized Telco Applications with OpenStackBruce Davie

OpenStackDay - XIFI FederationAlessandro Martellone

CCNA Discovery 4 - Chapter 9Irsandi Hasan

Similar to Neutron Networking: Service Groups, Policies and Chains (20)

PPTX

Mb openstack-nov2013v7Mohammad Banikazemi

PPTX

TFI2014 Session I - State of SDN - Scott SneddonColorado Internet Society (CO ISOC)

PPTX

Open stackatlantagrouppolicyMohammad Banikazemi

PPTX

Network Policy Abstractions in OpenStack NeutronSumit Naiksatam

PDF

Nuage Networks, A Policy Driven Approach to SDN - Interop Tokyo 2014Scott Sneddon

PPTX

Multi tier-app-network-topology-neutron-finalSadique Puthen

PDF

Group Based Policy: Open Source Policy in OpenDaylight and OpenStack Neutronmestery

PDF

OpenStack networking (Neutron) CREATE-NET

PDF

neutron_icehouse_updateAkihiro Motoki

PDF

OpenStack Neutron 201 1hr David Lenwell

PDF

Openstack Neutron and SDNinakipascual

PDF

BGP Dynamic Routing and Neutronrktidwell

PDF

OpenStack Neutron: What's New In Kilo and a Look Toward Libertymestery

PPTX

Networking in Openstack - Neutron 101Mochamad Taufik Romdony

PDF

Inside neutron 2Robin Gong

PDF

Neutron-to-Neutron: interconnecting multiple OpenStack deploymentsThomas Morin

PPTX

Developing, Deploying, and Consuming L4-7 Network Services in an OpenStack CloudIgor D.C.

PPTX

OpenStack Neutron behind the ScenesAnil Bidari ( CEO , Cloud Enabled)

PPTX

OpenStack Neutron Behind The Senesopenstackindia

PDF

Openstack Workshop (Networking/Storage)Affan Syed

Mb openstack-nov2013v7Mohammad Banikazemi

TFI2014 Session I - State of SDN - Scott SneddonColorado Internet Society (CO ISOC)

Open stackatlantagrouppolicyMohammad Banikazemi

Network Policy Abstractions in OpenStack NeutronSumit Naiksatam

Nuage Networks, A Policy Driven Approach to SDN - Interop Tokyo 2014Scott Sneddon

Multi tier-app-network-topology-neutron-finalSadique Puthen

Group Based Policy: Open Source Policy in OpenDaylight and OpenStack Neutronmestery

OpenStack networking (Neutron) CREATE-NET

neutron_icehouse_updateAkihiro Motoki

OpenStack Neutron 201 1hr David Lenwell

Openstack Neutron and SDNinakipascual

BGP Dynamic Routing and Neutronrktidwell

OpenStack Neutron: What's New In Kilo and a Look Toward Libertymestery

Networking in Openstack - Neutron 101Mochamad Taufik Romdony

Inside neutron 2Robin Gong

Neutron-to-Neutron: interconnecting multiple OpenStack deploymentsThomas Morin

Developing, Deploying, and Consuming L4-7 Network Services in an OpenStack CloudIgor D.C.

OpenStack Neutron behind the ScenesAnil Bidari ( CEO , Cloud Enabled)

OpenStack Neutron Behind The Senesopenstackindia

Openstack Workshop (Networking/Storage)Affan Syed

More from Daniel Krook (20)

PDF

Commit to the Cause, Push for Change: Contributing to Call for Code Open Sour...Daniel Krook

PDF

Engaging Open Source Developers to Develop Tech for Good through Code and Res...Daniel Krook

PDF

COVID-19 and Climate Change Action Through Open Source TechnologyDaniel Krook

PDF

Serverless APIs with Apache OpenWhiskDaniel Krook

PDF

Workshop: Develop Serverless Applications with IBM Cloud FunctionsDaniel Krook

PDF

Event specifications, state of the serverless landscape, and other news from ...Daniel Krook

PDF

Serverless Architectures in Banking: OpenWhisk on IBM Bluemix at SantanderDaniel Krook

PDF

The CNCF on ServerlessDaniel Krook

PDF

Building serverless applications with Apache OpenWhisk and IBM Cloud FunctionsDaniel Krook

PDF

Building serverless applications with Apache OpenWhiskDaniel Krook

PDF

Containers vs serverless - Navigating application deployment optionsDaniel Krook

PDF

Serverless architectures built on an open source platformDaniel Krook

PDF

Build a cloud native app with OpenWhiskDaniel Krook

PPTX

Cloud Native Architectures with an Open Source, Event Driven, Serverless Plat...Daniel Krook

PDF

Open Container Technologies and OpenStack - Sorting Through Kubernetes, the O...Daniel Krook

PDF

Serverless apps with OpenWhiskDaniel Krook

PDF

OpenWhisk - A platform for cloud native, serverless, event driven appsDaniel Krook

PDF

Containers, OCI, CNCF, Magnum, Kuryr, and You!Daniel Krook

PDF

Taking the Next Hot Mobile Game Live with Docker and IBM SoftLayerDaniel Krook

PDF

CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...Daniel Krook

Commit to the Cause, Push for Change: Contributing to Call for Code Open Sour...Daniel Krook

Engaging Open Source Developers to Develop Tech for Good through Code and Res...Daniel Krook

COVID-19 and Climate Change Action Through Open Source TechnologyDaniel Krook

Serverless APIs with Apache OpenWhiskDaniel Krook

Workshop: Develop Serverless Applications with IBM Cloud FunctionsDaniel Krook

Event specifications, state of the serverless landscape, and other news from ...Daniel Krook

Serverless Architectures in Banking: OpenWhisk on IBM Bluemix at SantanderDaniel Krook

The CNCF on ServerlessDaniel Krook

Building serverless applications with Apache OpenWhisk and IBM Cloud FunctionsDaniel Krook

Building serverless applications with Apache OpenWhiskDaniel Krook

Containers vs serverless - Navigating application deployment optionsDaniel Krook

Serverless architectures built on an open source platformDaniel Krook

Build a cloud native app with OpenWhiskDaniel Krook

Cloud Native Architectures with an Open Source, Event Driven, Serverless Plat...Daniel Krook

Open Container Technologies and OpenStack - Sorting Through Kubernetes, the O...Daniel Krook

Serverless apps with OpenWhiskDaniel Krook

OpenWhisk - A platform for cloud native, serverless, event driven appsDaniel Krook

Containers, OCI, CNCF, Magnum, Kuryr, and You!Daniel Krook

Taking the Next Hot Mobile Game Live with Docker and IBM SoftLayerDaniel Krook

CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...Daniel Krook

Recently uploaded (20)

PDF

Achieving Consistent and Reliable AI Code Generation - Medusa AImedusaaico

PDF

What Makes Contify’s News API Stand Out: Key Features at a GlanceContify

PDF

Presentation - Vibe Coding The Future of Techyanuarsinggih1

PDF

Smart Trailers 2025 Update with History and OverviewPaul Menig

PDF

"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...Fwdays

PDF

Chris Elwell Woburn, MA - Passionate About IT InnovationChris Elwell Woburn, MA

PDF

Bitcoin for Millennials podcast with Bram, Power Laws of BitcoinStephen Perrenod

PDF

Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...darshakparmar

PDF

Exolore The Essential AI Tools in 2025.pdfSrinivasan M

PPTX

Q2 FY26 Tableau User Group Leader Quarterly Calllward7

PDF

CIFDAQ Weekly Market Wrap for 11th July 2025CIFDAQ

PDF

Biography of Daniel Podor.pdfDaniel Podor

PDF

July Patch TuesdayIvanti

PDF

IoT-Powered Industrial Transformation – Smart Manufacturing to Connected Heal...Rejig Digital

PDF

Transcript: New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025BookNet Canada

PDF

Mastering Financial Management in Direct SellingEpixel MLM Software

PPTX

AUTOMATION AND ROBOTICS IN PHARMA INDUSTRY.pptxsameeraaabegumm

PDF

How Startups Are Growing Faster with App Developers in Australia.pdfIndia App Developer

PDF

From Code to Challenge: Crafting Skill-Based Games That Engage and Rewardaiyshauae

PDF

"AI Transformation: Directions and Challenges", Pavlo ShaternikFwdays

Achieving Consistent and Reliable AI Code Generation - Medusa AImedusaaico

What Makes Contify’s News API Stand Out: Key Features at a GlanceContify

Presentation - Vibe Coding The Future of Techyanuarsinggih1

Smart Trailers 2025 Update with History and OverviewPaul Menig

"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...Fwdays

Chris Elwell Woburn, MA - Passionate About IT InnovationChris Elwell Woburn, MA

Bitcoin for Millennials podcast with Bram, Power Laws of BitcoinStephen Perrenod

Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...darshakparmar

Exolore The Essential AI Tools in 2025.pdfSrinivasan M

Q2 FY26 Tableau User Group Leader Quarterly Calllward7

CIFDAQ Weekly Market Wrap for 11th July 2025CIFDAQ

Biography of Daniel Podor.pdfDaniel Podor

July Patch TuesdayIvanti

IoT-Powered Industrial Transformation – Smart Manufacturing to Connected Heal...Rejig Digital

Transcript: New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025BookNet Canada

Mastering Financial Management in Direct SellingEpixel MLM Software

AUTOMATION AND ROBOTICS IN PHARMA INDUSTRY.pptxsameeraaabegumm

How Startups Are Growing Faster with App Developers in Australia.pdfIndia App Developer

From Code to Challenge: Crafting Skill-Based Games That Engage and Rewardaiyshauae

"AI Transformation: Directions and Challenges", Pavlo ShaternikFwdays

Neutron Networking: Service Groups, Policies and Chains

1. IBM T. J. Watson Research Center Neutron Networking: Service Groups, Policies and Chains OpenStack Meetup - IBM OpenStack Lightning Talks © 2014 IBM Corporation John M. Tracey for Mohammad Banikazemi October 7, 2014

2. © 2013 IBM Corporation Agenda § Current Neutron application programming interface § Example multi tier application with current API § Application centric abstraction § Group based policy constructs § Example multi tier application with policy extension § For more information 2

3. © 2013 IBM Corporation Abstract § Neutron is OpenStack’s networking service. It defines an API, but allows different implementations to be plugged in. § The current OpenStack Neutron API provides constructs that are closely tied to physical network entities. § To better support application developers and allow better separation of application and infrastructure concerns, a Neutron blueprint is well underway that adds a set of higher-level abstractions to Neutron, known as group-based policy. 3

4. Neutron application programming interface • Current Neutron API is somewhat low-level • Neutron constructs mirror physical devices • Network: layer-2 broadcast domain; private/shared • Port: virtual switch port on a network; has MAC and IP address properties • Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers • Router: provides IP routing among networks, supports source NAT 4 © 2013 IBM Corporation

6. Example multi tier application with current neutron CLI neutron net-create web_tier neutron subnet-create web_tier 10.0.0.0/24 neutron router-create router1 neutron router-interface-add router1 web_tier External Network Router Q sNuebtnweot rk/ sNuebtnweot rk/ sNuebtnweot rk/ Port Q 6 © 2013 IBM Corporation

7. Application centric abstraction • Need a more application centric set of abstractions as well • More easily understood/utilized by higher layers • Declarative model • Separation of concerns (application/infrastructure) • Provide policy-based connectivity between application tiers • Enable redirection to network services and service chains • Support dynamic application of policies 7 © 2013 IBM Corporation

8. Group based policy constructs • Endpoint (EP) • Lowest unit of abstraction to which policy is applied • Endpoint Group (EPG) • Logical grouping of endpoints • Policy Rule • Specifies allowed/disallowed network access to EPGs • Policy (a.k.a. contract) • Collection of policy rules 8 © 2013 IBM Corporation

9. Example multi tier application with GBP extension neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP --direction IN neutron policy-rule-create insecure-web --policy-classifier Insecure-Web-Access --actions ALLOW neutron contract-create Web-Server-Contract --policy-rule insecure-web EPG Web EPG Application EPG Database Firewall 9 © 2013 IBM Corporation EPG External Network (Internet) Policy Protocol:TCP Port:80 Action:Redirect To FW_LB_CHAIN Protocol:TCP Port:3306 Action:ALLOW Protocol:TCP Port:9080 Action:ALLOW EPG EPG (Endpoint Group)

10. For further information • Neutron wiki • https://wiki.openstack.org/wiki/Neutron • https://ibm.biz/BdFyZu • Blueprints for Neutron • https://blueprints.launchpad.net/neutron • https://ibm.biz/BdE4dC • Group-based policy abstractions for Neutron • https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction • https://ibm.biz/BdE4dQ 10 © 2013 IBM Corporation