2. Agenda
Overview and use case of Network virtualization
Quantum Overview
Network Isolation at Layer 2 in Quantum
Quantum L3 isolation
Security groups
3. Overview and use case of Network virtualization
“network virtualization is the process of combining hardware and software network resources and network functionality into a single, software-based administrative entity, a virtual network. Network virtualization involves platform virtualization, often combined with resource virtualization.” -Wikipedia
4. Single tier deployment
All VMs connect to a Linux bridge, which is uplinked to the switch using a physical NIC on the server
[Diagram: physical server with a VM attached to a bridge, and the bridge attached to the NIC]
5. 2 tier deployment Use Case
We have a web server and a DB server and don’t want to provide direct access to the DB server
[Diagram: physical server with a Database VM and a WWW VM on separate bridges; only the second bridge is attached to the NIC]
6. VMs on multiple Physical servers
[Diagram: Database and WWW VMs on two physical servers, each server with a bridge and NIC on a private network and a bridge and NIC on a public network]
7. Multi Tenants VMs on multiple Physical servers
[Diagram: VMs of several tenants spread across two physical servers, each server with a NIC to a private-network switch]
8. Introduction to Quantum
Features:
Provides network as a service to connect the VMs in the cloud
Self-service API for virtual network creation
It provides features like L2 isolation, L3 isolation, Firewalls, Load Balancer etc.
Supports various networking modes
Implementation:
Exposes REST APIs
Provides a plug-in based architecture to support different vendor provided networking equipment
Extensions are supported to add functionality in addition to the core APIs
13. Quantum Core APIs
Network. An isolated virtual layer-2 domain. A network can also be a virtual, or logical, switch.
  Create network, Update network, Delete network, List network, Show network
Subnet. An IP version 4 or version 6 address block from which IP addresses that are assigned to VMs on a specified network are selected.
  Create Subnet, Update Subnet, Delete Subnet, List Subnet, Show Subnet
Port. A virtual, or logical, switch port on a specified network.
  Create Port, Update Port, Delete Port, List Port, Show Port
14. Network Isolation at Layer 2 in Quantum
Quantum creates an isolated L2 domain per virtual network
On the backend it uses a combination of the following to provide the isolated L2 domain:
VLANs
GRE tunnels
Linux Bridges
OVS
CLI
  quantum net-create net1
  quantum subnet-create net1 10.0.0.0/24
  quantum port-create --fixed-ip subnet_id=<subnet-id>,ip_address=192.168.57.101 <net-id>
15. Linux Bridge based virtual networks
A VLAN sub-interface is created per virtual network (each virtual network being represented by a VLAN)
A separate bridge is used to connect the VMs of each network to each other
[Diagram: two Nova Compute hosts, each with VLAN sub-interfaces vlan10, vlan20 and vlan30 on the NIC and one Linux Bridge per VLAN sub-interface]
16. OVS based virtual network
A VLAN is created in OVS per virtual network
[Diagram: two Nova Compute hosts, each running OVS with Vlan 10, Vlan 20 and Vlan 30 uplinked through the NIC]
17. Quantum Plug-in and Extensions
Plug-ins: Quantum plug-ins are used to configure vendor provided switches for virtual networking.
Extensions: Extensions provide a way to extend the APIs provided by Quantum, e.g. L3 functionality in Quantum is provided as an extension. Extensions are used to provide new/experimental functionality in Quantum.
19. Quantum L3 networking extension
The L3 extension allows the creation of routers to connect 2 or more networks
[Diagram: Router1 at layer 3 with a gateway to the NIC; Net1, Net2 and Net3 at layer 2, each with a VM]
20. Quantum L3 isolation
Layer 3 networking: Virtual Routers
The default implementation of the router is done using Linux network namespaces
A router can also be used to provide external connectivity and NAT functionality
[Diagram: physical server with a Database VM and a WWW VM on separate bridges, joined by a router that connects to the NIC]
22. Security group
Security groups and security group rules give administrators and tenants the ability to specify the type of traffic and direction (ingress/egress) that is allowed to pass through a port. A Security Group is a named set of rules that get applied to the incoming packets for the instances.
By default this group will drop all ingress traffic and allow all egress
[Diagram: physical server with a Database VM and a WWW VM on separate bridges, joined by a router that connects to the NIC]
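As an added illustration (not from the slides and not Quantum's own implementation, which enforces rules with host firewalling), a small Python model of the security-group semantics described above: the default group drops all ingress and allows all egress, and rules only ever permit. The group names, the packets and the choice of 10.0.0.0/24 as the web subnet are constructed to play out the two-tier use case from slide 5.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:                        # rules only ever permit traffic
    direction: str                 # "ingress" or "egress"
    protocol: Optional[str] = None # None matches any protocol
    port_min: Optional[int] = None # None matches any port
    port_max: Optional[int] = None # defaults to port_min
    remote_cidr: str = "0.0.0.0/0" # remote side of the flow

@dataclass
class SecurityGroup:               # a named set of rules applied to a port
    name: str
    rules: List[Rule] = field(default_factory=list)

@dataclass(frozen=True)
class Packet:                      # a flow as seen from the instance port
    direction: str
    protocol: str
    port: int                      # the port on the instance side
    remote_ip: str

def default_group() -> SecurityGroup:
    # Slide 22: the default group drops all ingress and allows all egress.
    return SecurityGroup("default", [Rule(direction="egress")])

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.port_min is not None:
        high = rule.port_max if rule.port_max is not None else rule.port_min
        if not rule.port_min <= pkt.port <= high:
            return False
    return ip_address(pkt.remote_ip) in ip_network(rule.remote_cidr)

def allowed(group: SecurityGroup, pkt: Packet) -> bool:
    # Anything no rule permits is dropped: a security group is default-deny.
    return any(rule_matches(r, pkt) for r in group.rules)

# Constructed groups for the two-tier use case (slide 5): the web tier takes
# HTTP from anywhere; the DB tier accepts MySQL only from the web subnet.
WEB_SG = SecurityGroup("web", default_group().rules + [
    Rule("ingress", "tcp", 80, 80, "0.0.0.0/0")])
DB_SG = SecurityGroup("db", default_group().rules + [
    Rule("ingress", "tcp", 3306, 3306, "10.0.0.0/24")])
```

A packet that no rule of the port's group matches is dropped, which is why the DB tier is unreachable from outside the web subnet even though no rule mentions the outside at all.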