
yahoo-eng-team team mailing list archive

[Bug 1808594] [NEW] [RFE] Limit Geneve to within Neutron availability zones


Public bug reported:

Creating multiple Neutron availability zones allows the operator to
schedule DHCP and L3 agents within a single AZ. Neutron OVN will still
try to form a Geneve mesh between all nodes in all availability zones,
which creates inter-AZ dependencies and may not work when strict
firewalls are placed between AZs.

Note that this RFE is a clone of
https://bugs.launchpad.net/neutron/+bug/1808062 but applies to Neutron
OVN instead of ML2/OVS.

This behavior should be configurable, so that L2 may be limited to a
particular AZ, and no tunnels are formed between different AZs. This
will prevent Neutron from trying to form tunnels when the tunnel cannot
function, and may enhance security when AZs are in different security
zones.

The desired end-state configuration would have separate DHCP and L3
agents hosted in each AZ, along with tunnels formed only inside the AZ.
This would allow, for instance, multiple edge sites within a single
deployment that each performed local networking only. Any particular
Neutron network would be limited to one AZ. A new flag would allow AZs
to be truly autonomous and remove cross-AZ dependencies.

Note that it appears that NSX-T has a concept called "Transport Zones"
that enables the feature that is being requested here. Compute nodes
within a given transport zone will only be able to communicate with
compute nodes within that same transport zone. This prevents network
traffic from being sent between zones. More information here:

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.3/com.vmware.nsxt.install.doc/GUID-F47989B2-2B9D-4214-B3BA-5DDF66A1B0E6.html

NSX-T also supports Availability Zones, but it appears that those are
separate from the Transport Zone functionality:

https://docs.vmware.com/en/VMware-Integrated-OpenStack/5.0/com.vmware.openstack.admin.doc/GUID-37F0E9DE-BD19-4AB0-964C-D1D12B06345C.html

It's possible that limiting tunneling traffic to a particular AZ may be
outside the intended functions of Neutron AZs, but I think this is a
valid use case.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1808594

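As an added illustration (not part of the bug report and not Neutron or OVN code), the Python below models the two tunnel policies the RFE contrasts over a constructed chassis inventory: today's full Geneve mesh across all chassis versus tunnels scoped to a single AZ. It also derives the inter-AZ Geneve flows (UDP port 6081) that a firewall between AZs would have to permit under the full mesh, which is the dependency the reporter wants to remove.

```python
from itertools import combinations

# Constructed inventory: chassis hostname -> (availability zone, encap IP).
# Names, zones and addresses are invented for this example.
CHASSIS = {
    "compute-a1": ("az-a", "10.0.1.11"),
    "compute-a2": ("az-a", "10.0.1.12"),
    "compute-b1": ("az-b", "10.0.2.11"),
    "compute-b2": ("az-b", "10.0.2.12"),
    "edge-c1":    ("az-c", "10.0.3.11"),   # single-node edge site
}

GENEVE_UDP_PORT = 6081  # Geneve encapsulation port (RFC 8926)


def full_mesh_tunnels(chassis):
    """Current behaviour: every chassis tunnels to every other chassis."""
    return {frozenset(pair) for pair in combinations(sorted(chassis), 2)}


def az_scoped_tunnels(chassis):
    """Requested behaviour: tunnels only between chassis in the same AZ."""
    return {pair for pair in full_mesh_tunnels(chassis)
            if len({chassis[host][0] for host in pair}) == 1}


def cross_az_tunnels(chassis):
    """Tunnels the full mesh forms that the AZ-scoped policy would drop."""
    return full_mesh_tunnels(chassis) - az_scoped_tunnels(chassis)


def required_firewall_flows(chassis, tunnels):
    """Bidirectional UDP/6081 flows an inter-AZ firewall must permit."""
    flows = set()
    for pair in tunnels:
        a, b = sorted(pair)
        flows.add((chassis[a][1], chassis[b][1], GENEVE_UDP_PORT))
        flows.add((chassis[b][1], chassis[a][1], GENEVE_UDP_PORT))
    return flows


if __name__ == "__main__":
    cross = cross_az_tunnels(CHASSIS)
    print(f"full mesh: {len(full_mesh_tunnels(CHASSIS))} tunnels")
    print(f"AZ-scoped: {len(az_scoped_tunnels(CHASSIS))} tunnels")
    print(f"cross-AZ tunnels needing firewall openings: {len(cross)}")
    for src, dst, port in sorted(required_firewall_flows(CHASSIS, cross)):
        print(f"  allow udp {src} -> {dst}:{port}")
```

With this inventory the full mesh forms 10 tunnels, of which 8 cross an AZ boundary; the AZ-scoped policy keeps only the two intra-AZ pairs, and the single-chassis edge site needs no tunnels at all.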

