Message #76267
[Bug 1808062] [NEW] [RFE] Limit VXLAN to within Neutron availability zones
Public bug reported:
Creating multiple Neutron availability zones allows the operator to
schedule DHCP and L3 agents within a single AZ. Neutron will still try
to form a VXLAN mesh between all nodes in all availability zones, which
creates inter-AZ dependencies and may not work when strict firewalls are
placed between AZs.
This behavior should be configurable, so that L2 may be limited to a
particular AZ, and no tunnels are formed between different AZs. This
will prevent Neutron from trying to form tunnels when the tunnel cannot
function, and may enhance security when AZs are in different security
zones.
The desired end-state configuration would have separate DHCP and L3
agents hosted in each AZ, along with tunnels formed only inside the AZ.
This would allow, for instance, multiple edge sites within a single
deployment that each performed local networking only. Any particular
Neutron network would be limited to one AZ. A new flag would allow AZs
to be truly autonomous and remove cross-AZ dependencies.
Example: Suppose two AZs, AZ1 (control plane 10.1.1.0/24) and AZ2
(control plane 172.16.2.0/24).
Here is example output from a node in AZ1. It is forming tunnels between
members of both AZs. The desired configuration would have VXLAN tunnels
only formed between endpoints in the same AZ.
    Bridge br-tun
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "vxlan-1e0094c8"
            Interface "vxlan-1e0094c8"
                type: vxlan
                options: {df_default="true", in_key=flow,
                    local_ip="10.1.1.20", out_key=flow, remote_ip="10.1.1.200"}
        Port br-tun
            Interface br-tun
                type: internal
        Port "vxlan-1e0094d6"
            Interface "vxlan-1e0094d6"
                type: vxlan
                options: {df_default="true", in_key=flow,
                    local_ip="10.1.1.20", out_key=flow, remote_ip="172.16.2.214"}
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1808062
Title:
[RFE] Limit VXLAN to within Neutron availability zones
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1808062/+subscriptions
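Until such a flag exists, an operator can at least detect the cross-AZ tunnels the report describes. The following audit script is an added example, not code from the bug report or from Neutron: it parses `ovs-vsctl show` style output for the br-tun bridge and flags every VXLAN endpoint whose remote_ip falls outside the local node's AZ control-plane subnet. The AZ-to-subnet map and the sample listing are assumptions constructed from the report's example.

```python
"""Flag br-tun VXLAN tunnels that leave the local availability zone."""
import ipaddress
import re

# Assumed AZ layout, taken from the report's example; a real audit would
# load this from the operator's inventory.
AZ_SUBNETS = {
    "AZ1": ipaddress.ip_network("10.1.1.0/24"),
    "AZ2": ipaddress.ip_network("172.16.2.0/24"),
}

# Constructed sample mirroring the report's listing, including the
# wrapped "options:" lines that ovs-vsctl prints for long option sets.
SAMPLE_OVS_SHOW = """\
    Bridge br-tun
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "vxlan-1e0094c8"
            Interface "vxlan-1e0094c8"
                type: vxlan
                options: {df_default="true", in_key=flow,
                    local_ip="10.1.1.20", out_key=flow, remote_ip="10.1.1.200"}
        Port "vxlan-1e0094d6"
            Interface "vxlan-1e0094d6"
                type: vxlan
                options: {df_default="true", in_key=flow,
                    local_ip="10.1.1.20", out_key=flow, remote_ip="172.16.2.214"}
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
"""

def az_of(ip):
    """Return the AZ whose control-plane subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((az for az, net in AZ_SUBNETS.items() if addr in net), None)

def parse_vxlan_tunnels(text):
    """Return [(interface, local_ip, remote_ip)] for each vxlan interface."""
    tunnels, iface, is_vxlan, opts = [], None, False, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r'Interface "?([^"\s]+)"?$', s)
        if m:                                   # new interface block
            iface, is_vxlan, opts = m.group(1), False, None
        elif s == "type: vxlan":
            is_vxlan = True
        elif s.startswith("options:") or opts is not None:
            opts = (opts or "") + " " + s       # join wrapped option lines
            if s.endswith("}"):
                if is_vxlan:
                    local = re.search(r'local_ip="?([\d.]+)', opts).group(1)
                    remote = re.search(r'remote_ip="?([\d.]+)', opts).group(1)
                    tunnels.append((iface, local, remote))
                opts = None
    return tunnels

def cross_az_tunnels(text):
    """Return [(interface, remote_ip, remote_az)] for tunnels leaving the local AZ.

    A remote_ip in no known AZ is reported with remote_az None."""
    return [(iface, remote, az_of(remote))
            for iface, local, remote in parse_vxlan_tunnels(text)
            if az_of(remote) != az_of(local)]

if __name__ == "__main__":
    for iface, remote, az in cross_az_tunnels(SAMPLE_OVS_SHOW):
        print(f"{iface}: remote {remote} is in {az or 'no known AZ'}, not the local AZ")
```

Run it against the real `ovs-vsctl show` output of each node; any line printed is a tunnel that a strict inter-AZ firewall would break.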