Nuwan Goonasekera edited this page Aug 29, 2017 · 11 revisions

All cloudbridge-deployed VMs must be deployed into a particular subnet. Once a VM is deployed, cloudbridge's networking capabilities must address several common scenarios.

  1. Allowing internet access from a launched VM

    In the simplest scenario, a user may simply want to launch an instance and allow the instance to access the internet.

  2. Allowing internet access to a launched VM

    Alternatively, the user may want the instance to be contactable from the internet. In a more complex scenario, a user may deploy VMs into several subnets and deploy a gateway, jump host or bastion host to reach the other VMs, which are not directly connected to the internet. In that case the gateway/jump host/bastion host is the only VM that needs to be contactable over the internet.

  3. Secure access between subnets for n-tier applications

    In this third scenario, a multi-tier app is deployed into several subnets, one per tier. It combines the capabilities of scenarios 1 and 2. For example, consider the following layout:

    • Tier 1/Subnet 1 - Web Server: needs to be externally accessible over the internet. However, in this particular scenario, the web server itself does not need access to the internet.
    • Tier 2/Subnet 2 - Application Server: must only be able to communicate with the database server in Subnet 3 and receive traffic from the web server in Subnet 1. However, we assume a special case here where the application server also needs access to the internet.
    • Tier 3/Subnet 3 - Database Server: must only be able to receive incoming traffic from Tier 2, and must not be able to send traffic outside its own subnet.

1. Allowing internet access from a launched VM

```python
net = provider.networking.networks.create('cloudbridge-net', '10.0.0.0/16')
sn = net.create_subnet('cloudbridge-subnet', '10.0.0.0/28')
vm1 = provider.compute.instances.create('my-inst', subnet=sn, ...)

router = provider.networking.routers.create('cloudbridge-intro')
router.attach_network(sn)
gateway = provider.networking.gateways.get_or_create_internet_gateway()
router.attach_gateway(gateway) # is this for ingress or egress?

# later, once internet access is no longer needed
gateway.delete()
```

2. Allowing internet access to a launched VM

```python
net = provider.networking.networks.create('cloudbridge-net', '10.0.0.0/16')
sn = net.create_subnet('cloudbridge-subnet', '10.0.0.0/28')
vm1 = provider.compute.instances.create('my-inst', subnet=sn, ...)

# Something is missing here. We don't allow ingress traffic to the subnet,
# yet add_floating_ip works.
router = provider.networking.routers.create('cloudbridge-intro')
router.attach_network(sn)
gateway = provider.networking.gateways.get_or_create_internet_gateway()
router.attach_gateway(gateway) # is this for ingress or egress?

vm1.add_floating_ip('149.165.168.143')
```

3. Secure access between subnets for n-tier applications

```python
net = provider.networking.networks.create('cloudbridge-net', '10.0.0.0/16')
sn_db = net.create_subnet('cb-subnet-db', '10.0.0.0/24')
sn_app = net.create_subnet('cb-subnet-app', '10.0.1.0/24')
sn_web = net.create_subnet('cb-subnet-web', '10.0.2.0/24')

vm_db = provider.compute.instances.create('my-db', subnet=sn_db, ...)
vm_app = provider.compute.instances.create('my-app', subnet=sn_app, ...)
vm_web = provider.compute.instances.create('my-web', subnet=sn_web, ...)

# Configure web tier routing. Only the web subnet gets a gateway here; the
# app tier's special-case internet access would need its own router/gateway.
router = provider.networking.routers.create('cb-router-web')
router.attach_network(sn_web)
gateway = provider.networking.gateways.get_or_create_internet_gateway()
router.attach_gateway(gateway) # is this for ingress or egress?

# Configure firewalls (will not be implemented till firewall support becomes widespread in OpenStack)
firewall_db = provider.networking.firewalls.create('firewall_sn_db')
firewall_db.attach_network(sn_db)

firewall_app = provider.networking.firewalls.create('firewall_sn_app')
firewall_app.attach_network(sn_app)

firewall_web = provider.networking.firewalls.create('firewall_sn_web')
firewall_web.attach_network(sn_web)

# deny all traffic initially; the explicit allows below must take precedence
for firewall in [firewall_db, firewall_app, firewall_web]:
    firewall.add_rule(type=INGRESS_AND_EGRESS, priority=..., protocol=..., port_range=..., source=..., action=DENY)

# explicitly allow subnet to subnet comms: db accepts from app, app accepts from web.
# With the deny-all in place, matching egress rules (app -> db, and app -> internet
# for the special case) are needed as well.
firewall_db.add_rule(type=INGRESS, priority=..., protocol=..., port_range=..., source=sn_app.CIDR_RANGE, action=ALLOW)
firewall_app.add_rule(type=INGRESS, priority=..., protocol=..., port_range=..., source=sn_web.CIDR_RANGE, action=ALLOW)
```

Terminology map

| cloudbridge | AWS | OpenStack | GCE |
|---|---|---|---|
| Network | VPC | Network | VPC |
| Subnet | Subnet | Subnet | Subnet |
| NIC | ENI | Port | Network Interface |
| Router | Route Table | Router | Route Table |
| Firewall | Network ACL | FwaaS | Firewall rules |
| External Internet | Internet Gateway | Network marked external | Global internet gateway |

Notes

  • Routers can allow for traffic from subnet1 to go to subnet2. However, firewall rules may restrict whether subnet2 can receive traffic from subnet1.
  • We also have security groups, which add a layer of defence in depth. Security groups can restrict ingress/egress traffic both on CIDR and port at an individual VM level.
  • OpenStack Neutron firewalls are not available on NeCTAR and JetStream at present.
  • NIC is assigned a floating IP and connects to a particular subnet. We don't model this or the multiple NICS connected to different subnets case at the moment.
  • Subnets within a network have automatic routing between each other by default in above clouds.
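The three-tier policy from scenario 3, together with the layering described in the Notes (a router makes a path possible, the firewall decides whether it is allowed, and an explicit deny-all rule sits below the allows), as an added offline model. This is illustration code written for this page, not cloudbridge's API: the `Rule`, `Firewall`, `Subnet` and `is_permitted` names, the priority semantics (lower number first, DENY wins a tie), the ports 443/8080/5432, the `internet_route` flag standing in for an attached router and gateway, and the external address 203.0.113.10 are all assumptions constructed for the example. It evaluates connection initiation only; return traffic is assumed to be handled statefully.

```python
"""Offline model of the three-tier policy above (added illustration, not
cloudbridge code).  A flow is permitted only if a route exists, the source
subnet's firewall allows the egress and the destination subnet's firewall
allows the ingress.  Only connection initiation is modelled."""
import ipaddress
from dataclasses import dataclass, field

INGRESS, EGRESS, BOTH = "ingress", "egress", "ingress_and_egress"
ALLOW, DENY = "allow", "deny"
ANYWHERE, ANY_PORT = "0.0.0.0/0", (0, 65535)


@dataclass
class Rule:
    priority: int                # lower number is evaluated first (assumed semantics)
    direction: str               # INGRESS, EGRESS or BOTH
    protocol: str                # "tcp", "udp" or "any"
    port_range: tuple            # inclusive (low, high)
    peer: ipaddress.IPv4Network  # source for ingress, destination for egress
    action: str                  # ALLOW or DENY

    def matches(self, direction, protocol, port, peer_ip):
        return (self.direction in (direction, BOTH) and self.protocol in (protocol, "any")
                and self.port_range[0] <= port <= self.port_range[1] and peer_ip in self.peer)


@dataclass
class Firewall:
    name: str
    rules: list = field(default_factory=list)

    def add_rule(self, priority, direction, protocol, port_range, peer, action):
        self.rules.append(Rule(priority, direction, protocol, port_range,
                               ipaddress.ip_network(peer), action))

    def decide(self, direction, protocol, port, peer_ip):
        # First match wins.  On equal priority DENY sorts before ALLOW, so a
        # conflicting pair can never open a hole by accident.
        peer_ip = ipaddress.ip_address(peer_ip)
        for rule in sorted(self.rules, key=lambda r: (r.priority, r.action != DENY)):
            if rule.matches(direction, protocol, port, peer_ip):
                return rule.action
        return DENY              # nothing matched: implicit default deny


@dataclass
class Subnet:
    name: str
    cidr: ipaddress.IPv4Network
    firewall: Firewall
    internet_route: bool = False  # True once a router with a gateway is attached


def find_subnet(ip, subnets):
    """The subnet containing ip, or None if ip is outside the network (internet)."""
    return next((s for s in subnets if ip in s.cidr), None)


def is_permitted(src_ip, dst_ip, protocol, port, subnets):
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src, dst = find_subnet(src_ip, subnets), find_subnet(dst_ip, subnets)
    if src is None and dst is None:
        return False             # neither end is ours
    # 1. Routing: subnets of one network reach each other by default; the
    #    internet is reachable only through an attached gateway.
    if (src is None and not dst.internet_route) or (dst is None and not src.internet_route):
        return False
    # 2. Egress rules of the source subnet, then 3. ingress rules of the destination.
    if src is not None and src.firewall.decide(EGRESS, protocol, port, dst_ip) != ALLOW:
        return False
    if dst is not None and dst.firewall.decide(INGRESS, protocol, port, src_ip) != ALLOW:
        return False
    return True


def build_three_tier():
    """Constructed subnets and firewalls for the web / app / db layout above."""
    db, app, web = "10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"
    fw_db, fw_app, fw_web = Firewall("fw_db"), Firewall("fw_app"), Firewall("fw_web")
    for fw in (fw_db, fw_app, fw_web):            # deny all traffic initially
        fw.add_rule(1000, BOTH, "any", ANY_PORT, ANYWHERE, DENY)
    fw_web.add_rule(10, INGRESS, "tcp", (443, 443), ANYWHERE, ALLOW)   # internet -> web
    fw_web.add_rule(10, EGRESS, "tcp", (8080, 8080), app, ALLOW)       # web -> app only
    fw_app.add_rule(10, INGRESS, "tcp", (8080, 8080), web, ALLOW)
    fw_app.add_rule(10, EGRESS, "tcp", (5432, 5432), db, ALLOW)        # app -> db
    fw_app.add_rule(20, EGRESS, "tcp", (443, 443), ANYWHERE, ALLOW)    # app's special case
    fw_db.add_rule(10, INGRESS, "tcp", (5432, 5432), app, ALLOW)       # db: no egress rule at all
    return [Subnet("cb-subnet-db", ipaddress.ip_network(db), fw_db),
            Subnet("cb-subnet-app", ipaddress.ip_network(app), fw_app, internet_route=True),
            Subnet("cb-subnet-web", ipaddress.ip_network(web), fw_web, internet_route=True)]


SUBNETS = build_three_tier()
INTERNET_HOST = "203.0.113.10"   # constructed external address (TEST-NET-3)
EXPECTED = {                     # (src, dst, protocol, port) -> what the policy requires
    (INTERNET_HOST, "10.0.2.5", "tcp", 443): True,    # web is reachable from the internet
    ("10.0.2.5", INTERNET_HOST, "tcp", 443): False,   # web has a route out but no egress rule
    ("10.0.2.5", "10.0.1.5", "tcp", 8080): True,
    ("10.0.2.5", "10.0.0.5", "tcp", 5432): False,     # web may not bypass the app tier
    ("10.0.1.5", "10.0.0.5", "tcp", 5432): True,
    ("10.0.1.5", INTERNET_HOST, "tcp", 443): True,    # the app tier's special case
    (INTERNET_HOST, "10.0.0.5", "tcp", 5432): False,  # no route from the internet to db
    ("10.0.0.5", "10.0.1.5", "tcp", 8080): False,     # db never initiates outbound
}


def violations(subnets=SUBNETS, expected=EXPECTED):
    """Flows whose decision differs from the policy; an empty list means the rules match it."""
    return [flow for flow, want in expected.items() if is_permitted(*flow, subnets) != want]
```

The web-to-internet case is the one to watch: the web subnet has a gateway attached (it must, to be reachable from outside), so a route out exists, and only the firewall's deny-all stops the web server from initiating outbound connections. Sorting DENY ahead of ALLOW on equal priority is a deliberate choice for the model; check what the real provider does with ties before relying on it.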