SlideShare una empresa de Scribd logo

Open stackatlantagrouppolicy

Descargar como PPTX, PDF
Mohammad Banikazemi
Mohammad Banikazemi

This is the slides for the talk Network Policy Abstractions in Neutron given at OpenStack Summit, Atlanta, May 2014.

Tecnología
1 de 20
May 2014 Network Policy Abstractions in Neutron Mohammad Banikazemi Sumit Naiksatam Stephen Wong
Outline ❖ Introduction ❖ Neutron Abstractions ❖ Group Policy Extension ❖ PoC Implementation and Demo ❖ Future Directions ❖ Q&A
Networking in the Cloud ❖ Current API: network centric ❖ Need a more application centric set of abstractions as well ❖ More easily understood/utilized by higher layers ❖ Declarative model ❖ Separation of concerns
Desired Features ❖ Provide policy-based connectivity between application tiers ❖ Support dynamic application of policies ❖ Redirection to Network services and chains ❖ Policies defined by administrators and users
Current Neutron API ❖ Network centric, close to physical devices ❖ Network: isolated layer-2 broadcast domain; private/shared ❖ Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers ❖ Port: virtual switch port on a network; has MAC and IP address properties ❖ Router: connects networks, supports SNAT
Example: Multi Tier Apps Q Web Application DB Firewall Load Balancer QoS External Network (Internet)
Neutron Representation Q Network/ subnet Network/ subnet Network/ subnet Router External Network Port Q neutron net-create web_tier neutron subnet-create web_tier 10.0.0.0/24 neutron router-create router1 neutron router-add-interface router1 web_subnet . . .
Group Policy e x t e n s i o n
The Basic Idea ❖ Endpoint (EP): Lowest unit of abstraction where policy is applied ❖ Endpoint Group (EPG): Logical grouping of endpoints ❖ Policy Rule: Network policies to access EPGs ❖ Contract: Collection of policy rules
EPG-Contract Relationship ❖ An EPG may provide one or more contracts ❖ An EPG may consume one or more contracts Endpoint Group Contract ❖ Application deployer focused
Policy Rules ❖ Action is applied to traffic specified by Classifier Policy Rule Classifier Protocol Ports Direction Action Type Value Action Type Allow Redirect QoS Log Copy Mark Value None Service/Chain QoS args Log args Copy args Mark args
Group Policy - Workflow neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP --direction IN neutron policy-rule insecure-web --policy-classifier Insecure-Web-Access --actions ALLOW neutron contract-create Web-Server-Contract --policy-rule insecure-web ❖ Create contract ❖ Create EPGs and provide/consume contracts neutron epg-create Web-Server-EPG --provides-contract Web-Server-Contract neutron ep-create --endpoint-group Web-Server-EPG neutron epg-create Outside-EPG --consumes-contract Web-Server-Contract
Putting It All Together – 3 Tier App Web Application DB Firewall Load Balancer External Network (Internet)
Group Policy Realization EPG Web EPG Application EPG DB Firewall EPG External Network (Internet) Contract Protocol:TCP Port:80 Action:Redirect To FW_LB_CHAIN ProvidesConsumes Protocol:TCP Port:3306 Action:ALLOW Protocol:TCP Port:9080 Action:ALLOW EPG EPG
Optional Constructs in Model ❖ Scopes: put constraints around how provider and consumer EPGs are matched ❖ Policy Rule Filters: allow for tagging Policy Rules with Labels such that subsets can be created in a Contract ❖ Contract hierarchy: infra admin constraints can be achieved by Contract hierarchical composition ❖ Endpoint labels: policies get triggered automatically when labels are added or removed
Proof of Concept i m p l e m e n t a t i o n
PoC Implementation ❖ Team has worked on a PoC implementation ❖ Considering various model and implementation alternatives ❖ Using legacy driver ❖ CLI, Horizon, and Heat CLI Neutron Heat Horizon Policy Manager Legacy Policy Driver ODL Policy Driver others
The Group Policy PoC Team ❖ Sumit Naiksatam, Robert Kukura, Mandeep Dhami (Cisco) ❖ Mohammad Banikazemi (IBM) ❖ Stephen Wong (Midokura) ❖ Ronak Shah (Nuage Networks) ❖ Hemanth Ravi, Susaant Kondapaneni, Prasad Vellanki (One Convergence) ❖ Rudra Rugge (Juniper)
State of Implementation ❖ The blueprint for Group Policy has been reviewed/approved ❖ Working PoC available (install from: https://github.com/noironetworks/devstack/tree/group- policy-poc) ❖ Neutron reference implementation for Group Policy is in progress ❖ Complementary work on network services framework is in progress
More Information ❖ Neutron Group-based Policy design session May 16 • 10:50am - 11:30am • B304 ❖ Wiki page: https://wiki.openstack.org/wiki/Neutron/GroupPolicy ❖ Neutron Group Policy Sub-Team Meeting IRC weekly meetings: https://wiki.openstack.org/wiki/Meetings/Neutron_Group_Policy

Recomendados

Vivpn pp tfinal
Vivpn pp tfinalVivpn pp tfinal
Vivpn pp tfinal
sangusajjan
 
ElasticISP
ElasticISPElasticISP
ElasticISP
KHNOG
 
Vpn presentation
Vpn presentationVpn presentation
Vpn presentation
Ram Bharosh Raut
 
New features in PMTA 5.0
New features in PMTA 5.0New features in PMTA 5.0
New features in PMTA 5.0
SparkPost
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
Mohamed Shishtawy
 
Power Mta 4.0
Power Mta 4.0Power Mta 4.0
Power Mta 4.0
powerMta
 
12 Understanding V P Ns
12 Understanding V P Ns12 Understanding V P Ns
12 Understanding V P Ns
AamirAziz
 
Neutron Networking: Service Groups, Policies and Chains
Neutron Networking: Service Groups, Policies and ChainsNeutron Networking: Service Groups, Policies and Chains
Neutron Networking: Service Groups, Policies and Chains
Daniel Krook
 

Recomendados

Vivpn pp tfinal
Vivpn pp tfinalVivpn pp tfinal
Vivpn pp tfinal
sangusajjan
 
ElasticISP
ElasticISPElasticISP
ElasticISP
KHNOG
 
Vpn presentation
Vpn presentationVpn presentation
Vpn presentation
Ram Bharosh Raut
 
New features in PMTA 5.0
New features in PMTA 5.0New features in PMTA 5.0
New features in PMTA 5.0
SparkPost
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
Mohamed Shishtawy
 
Power Mta 4.0
Power Mta 4.0Power Mta 4.0
Power Mta 4.0
powerMta
 
12 Understanding V P Ns
12 Understanding V P Ns12 Understanding V P Ns
12 Understanding V P Ns
AamirAziz
 
Neutron Networking: Service Groups, Policies and Chains
Neutron Networking: Service Groups, Policies and ChainsNeutron Networking: Service Groups, Policies and Chains
Neutron Networking: Service Groups, Policies and Chains
Daniel Krook
 
Traffic Control as a Service
Traffic Control as a ServiceTraffic Control as a Service
Traffic Control as a Service
Ofer Ben Yaacov
 
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr WojciechowskiPLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PROIDEA
 
APNIC Updates
APNIC UpdatesAPNIC Updates
APNIC Updates
MyNOG
 
Rolling out Baya V3 with ConnectXF
Rolling out Baya V3 with ConnectXF Rolling out Baya V3 with ConnectXF
Rolling out Baya V3 with ConnectXF
Mithi SkyConnect
 
F5 Solutions for Service Providers
F5 Solutions for Service ProvidersF5 Solutions for Service Providers
F5 Solutions for Service Providers
BAKOTECH
 
The Stories of IXP Development and the Way Forward by Che-Hoo Cheng
The Stories of IXP Development and the Way Forward by Che-Hoo ChengThe Stories of IXP Development and the Way Forward by Che-Hoo Cheng
The Stories of IXP Development and the Way Forward by Che-Hoo Cheng
MyNOG
 
Group-based Policy for Networking
Group-based Policy for NetworkingGroup-based Policy for Networking
Group-based Policy for Networking
Sumit Naiksatam
 
V P N
V P NV P N
V P N
bhathiji
 
PMTA Success Story - J2 Martech
PMTA Success Story - J2 MartechPMTA Success Story - J2 Martech
PMTA Success Story - J2 Martech
SparkPost
 
VIRTUAL PRIVATE NETWORKS BY SAIKIRAN PANJALA
VIRTUAL PRIVATE NETWORKS BY SAIKIRAN PANJALAVIRTUAL PRIVATE NETWORKS BY SAIKIRAN PANJALA
VIRTUAL PRIVATE NETWORKS BY SAIKIRAN PANJALA
Saikiran Panjala
 
Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a Fox
C4Media
 
Virtual private network, vpn presentation
Virtual private network, vpn presentationVirtual private network, vpn presentation
Virtual private network, vpn presentation
Amjad Bhutto
 
Ir.34 v14.0
Ir.34 v14.0Ir.34 v14.0
Ir.34 v14.0
Pascalo
 
Big ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methodsBig ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methods
Utpal Sinha
 
Virtual private network 03
Virtual private network 03Virtual private network 03
Virtual private network 03
Noman khan
 
Vpn
VpnVpn
Vpn
Nure Alam
 
VPN as the Key for a Successful MSP Business
VPN as the Key for a Successful MSP BusinessVPN as the Key for a Successful MSP Business
VPN as the Key for a Successful MSP Business
Safar Safarov
 
Daily livestock report apr 15 2013
Daily livestock report apr 15 2013Daily livestock report apr 15 2013
Daily livestock report apr 15 2013
joseleorcasita
 
Rakesh_Gupta
Rakesh_GuptaRakesh_Gupta
Rakesh_Gupta
Rakesh Gupta
 
About meimmersion abw
About meimmersion abwAbout meimmersion abw
About meimmersion abw
labecvar
 
Fcv hum mach_belongie
Fcv hum mach_belongieFcv hum mach_belongie
Fcv hum mach_belongie
zukun
 
Reddottherapy
ReddottherapyReddottherapy
Reddottherapy
Robert Frampton
 

Más contenido relacionado

La actualidad más candente

Virtual private network 03
Virtual private network 03Virtual private network 03
Virtual private network 03
Noman khan
 

La actualidad más candente (17)

Traffic Control as a Service
Traffic Control as a ServiceTraffic Control as a Service
Traffic Control as a Service
 
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr WojciechowskiPLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
 
APNIC Updates
APNIC UpdatesAPNIC Updates
APNIC Updates
 
Rolling out Baya V3 with ConnectXF
Rolling out Baya V3 with ConnectXF Rolling out Baya V3 with ConnectXF
Rolling out Baya V3 with ConnectXF
 
F5 Solutions for Service Providers
F5 Solutions for Service ProvidersF5 Solutions for Service Providers
F5 Solutions for Service Providers
 
The Stories of IXP Development and the Way Forward by Che-Hoo Cheng
The Stories of IXP Development and the Way Forward by Che-Hoo ChengThe Stories of IXP Development and the Way Forward by Che-Hoo Cheng
The Stories of IXP Development and the Way Forward by Che-Hoo Cheng
 
Group-based Policy for Networking
Group-based Policy for NetworkingGroup-based Policy for Networking
Group-based Policy for Networking
 
V P N
V P NV P N
V P N
 
PMTA Success Story - J2 Martech
PMTA Success Story - J2 MartechPMTA Success Story - J2 Martech
PMTA Success Story - J2 Martech
 
VIRTUAL PRIVATE NETWORKS BY SAIKIRAN PANJALA
VIRTUAL PRIVATE NETWORKS BY SAIKIRAN PANJALAVIRTUAL PRIVATE NETWORKS BY SAIKIRAN PANJALA
VIRTUAL PRIVATE NETWORKS BY SAIKIRAN PANJALA
 
Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a Fox
 
Virtual private network, vpn presentation
Virtual private network, vpn presentationVirtual private network, vpn presentation
Virtual private network, vpn presentation
 
Ir.34 v14.0
Ir.34 v14.0Ir.34 v14.0
Ir.34 v14.0
 
Big ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methodsBig ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methods
 
Virtual private network 03
Virtual private network 03Virtual private network 03
Virtual private network 03
 
Vpn
VpnVpn
Vpn
 
VPN as the Key for a Successful MSP Business
VPN as the Key for a Successful MSP BusinessVPN as the Key for a Successful MSP Business
VPN as the Key for a Successful MSP Business
 

Destacado

Daily livestock report apr 15 2013
Daily livestock report apr 15 2013Daily livestock report apr 15 2013
Daily livestock report apr 15 2013
joseleorcasita
 
About meimmersion abw
About meimmersion abwAbout meimmersion abw
About meimmersion abw
labecvar
 
Fcv hum mach_belongie
Fcv hum mach_belongieFcv hum mach_belongie
Fcv hum mach_belongie
zukun
 
A Dualistic Sub-Image Histogram Equalization Based Enhancement and Segmentati...
A Dualistic Sub-Image Histogram Equalization Based Enhancement and Segmentati...A Dualistic Sub-Image Histogram Equalization Based Enhancement and Segmentati...
A Dualistic Sub-Image Histogram Equalization Based Enhancement and Segmentati...
inventy
 

Destacado (7)

Daily livestock report apr 15 2013
Daily livestock report apr 15 2013Daily livestock report apr 15 2013
Daily livestock report apr 15 2013
 
Rakesh_Gupta
Rakesh_GuptaRakesh_Gupta
Rakesh_Gupta
 
About meimmersion abw
About meimmersion abwAbout meimmersion abw
About meimmersion abw
 
Fcv hum mach_belongie
Fcv hum mach_belongieFcv hum mach_belongie
Fcv hum mach_belongie
 
Reddottherapy
ReddottherapyReddottherapy
Reddottherapy
 
A Dualistic Sub-Image Histogram Equalization Based Enhancement and Segmentati...
A Dualistic Sub-Image Histogram Equalization Based Enhancement and Segmentati...A Dualistic Sub-Image Histogram Equalization Based Enhancement and Segmentati...
A Dualistic Sub-Image Histogram Equalization Based Enhancement and Segmentati...
 
Git basics
Git basicsGit basics
Git basics
 

Similar a Open stackatlantagrouppolicy

Network Policy Abstractions in OpenStack Neutron
Network Policy Abstractions in OpenStack NeutronNetwork Policy Abstractions in OpenStack Neutron
Network Policy Abstractions in OpenStack Neutron
Sumit Naiksatam
 
Network Rightsizing Best Practices Guide
Network Rightsizing Best Practices GuideNetwork Rightsizing Best Practices Guide
Network Rightsizing Best Practices Guide
Aruba, a Hewlett Packard Enterprise company
 
Managing infrastructure with Application Policy by Mike Cohen
Managing infrastructure with Application Policy by Mike CohenManaging infrastructure with Application Policy by Mike Cohen
Managing infrastructure with Application Policy by Mike Cohen
buildacloud
 
csevpnppt-170905123948 (1).pdf
csevpnppt-170905123948 (1).pdfcsevpnppt-170905123948 (1).pdf
csevpnppt-170905123948 (1).pdf
HirazNor
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust Visibility
Raphaël PINSON
 

Similar a Open stackatlantagrouppolicy (20)

Network Policy Abstractions in OpenStack Neutron
Network Policy Abstractions in OpenStack NeutronNetwork Policy Abstractions in OpenStack Neutron
Network Policy Abstractions in OpenStack Neutron
 
Vp npresentation 2
Vp npresentation 2Vp npresentation 2
Vp npresentation 2
 
Vpn
VpnVpn
Vpn
 
TFI2014 Session I - State of SDN - Scott Sneddon
TFI2014 Session I - State of SDN - Scott SneddonTFI2014 Session I - State of SDN - Scott Sneddon
TFI2014 Session I - State of SDN - Scott Sneddon
 
Network Convergence of Mobile, Broadband and Wi-Fi
Network Convergence of Mobile, Broadband and Wi-FiNetwork Convergence of Mobile, Broadband and Wi-Fi
Network Convergence of Mobile, Broadband and Wi-Fi
 
Docker meetup oct14
Docker meetup oct14Docker meetup oct14
Docker meetup oct14
 
Network Rightsizing Best Practices Guide
Network Rightsizing Best Practices GuideNetwork Rightsizing Best Practices Guide
Network Rightsizing Best Practices Guide
 
Nuage Networks, A Policy Driven Approach to SDN - Interop Tokyo 2014
Nuage Networks, A Policy Driven Approach to SDN - Interop Tokyo 2014Nuage Networks, A Policy Driven Approach to SDN - Interop Tokyo 2014
Nuage Networks, A Policy Driven Approach to SDN - Interop Tokyo 2014
 
5 maximazing networkcapacity_v4-jorge_alvarado
5 maximazing networkcapacity_v4-jorge_alvarado5 maximazing networkcapacity_v4-jorge_alvarado
5 maximazing networkcapacity_v4-jorge_alvarado
 
PLNOG14: The benefits of "OPEN" in networking for operators - Joerg Ammon, Br...
PLNOG14: The benefits of "OPEN" in networking for operators - Joerg Ammon, Br...PLNOG14: The benefits of "OPEN" in networking for operators - Joerg Ammon, Br...
PLNOG14: The benefits of "OPEN" in networking for operators - Joerg Ammon, Br...
 
Security and Transport Performance in 5G
Security and Transport Performance in 5GSecurity and Transport Performance in 5G
Security and Transport Performance in 5G
 
Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101
 
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.xEMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
 
Group Based Policy: Open Source Policy in OpenDaylight and OpenStack Neutron
Group Based Policy: Open Source Policy in OpenDaylight and OpenStack NeutronGroup Based Policy: Open Source Policy in OpenDaylight and OpenStack Neutron
Group Based Policy: Open Source Policy in OpenDaylight and OpenStack Neutron
 
Managing infrastructure with Application Policy by Mike Cohen
Managing infrastructure with Application Policy by Mike CohenManaging infrastructure with Application Policy by Mike Cohen
Managing infrastructure with Application Policy by Mike Cohen
 
csevpnppt-170905123948 (1).pdf
csevpnppt-170905123948 (1).pdfcsevpnppt-170905123948 (1).pdf
csevpnppt-170905123948 (1).pdf
 
Virtual Private Networks (VPN) ppt
Virtual Private Networks (VPN) pptVirtual Private Networks (VPN) ppt
Virtual Private Networks (VPN) ppt
 
Group-based Policy For OpenStack Networking
Group-based Policy For OpenStack NetworkingGroup-based Policy For OpenStack Networking
Group-based Policy For OpenStack Networking
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust Visibility
 
QoS in IP Network.pptx
QoS in IP Network.pptxQoS in IP Network.pptx
QoS in IP Network.pptx
 

Último

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Último (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 

Open stackatlantagrouppolicy

  • 1. May 2014 Network Policy Abstractions in Neutron Mohammad Banikazemi Sumit Naiksatam Stephen Wong
  • 2. Outline ❖ Introduction ❖ Neutron Abstractions ❖ Group Policy Extension ❖ PoC Implementation and Demo ❖ Future Directions ❖ Q&A
  • 3. Networking in the Cloud ❖ Current API: network centric ❖ Need a more application centric set of abstractions as well ❖ More easily understood/utilized by higher layers ❖ Declarative model ❖ Separation of concerns
  • 4. Desired Features ❖ Provide policy-based connectivity between application tiers ❖ Support dynamic application of policies ❖ Redirection to Network services and chains ❖ Policies defined by administrators and users
  • 5. Current Neutron API ❖ Network centric, close to physical devices ❖ Network: isolated layer-2 broadcast domain; private/shared ❖ Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers ❖ Port: virtual switch port on a network; has MAC and IP address properties ❖ Router: connects networks, supports SNAT
  • 6. Example: Multi Tier Apps Q Web Application DB Firewall Load Balancer QoS External Network (Internet)
  • 7. Neutron Representation Q Network/ subnet Network/ subnet Network/ subnet Router External Network Port Q neutron net-create web_tier neutron subnet-create web_tier 10.0.0.0/24 neutron router-create router1 neutron router-add-interface router1 web_subnet . . .
  • 8. Group Policy e x t e n s i o n
  • 9. The Basic Idea ❖ Endpoint (EP): Lowest unit of abstraction where policy is applied ❖ Endpoint Group (EPG): Logical grouping of endpoints ❖ Policy Rule: Network policies to access EPGs ❖ Contract: Collection of policy rules
  • 10. EPG-Contract Relationship ❖ An EPG may provide one or more contracts ❖ An EPG may consume one or more contracts Endpoint Group Contract ❖ Application deployer focused
  • 11. Policy Rules ❖ Action is applied to traffic specified by Classifier Policy Rule Classifier Protocol Ports Direction Action Type Value Action Type Allow Redirect QoS Log Copy Mark Value None Service/Chain QoS args Log args Copy args Mark args
  • 12. Group Policy - Workflow neutron classifier-create Insecure-Web-Access --port 80 --protocol TCP --direction IN neutron policy-rule insecure-web --policy-classifier Insecure-Web-Access --actions ALLOW neutron contract-create Web-Server-Contract --policy-rule insecure-web ❖ Create contract ❖ Create EPGs and provide/consume contracts neutron epg-create Web-Server-EPG --provides-contract Web-Server-Contract neutron ep-create --endpoint-group Web-Server-EPG neutron epg-create Outside-EPG --consumes-contract Web-Server-Contract
  • 13. Putting It All Together – 3 Tier App Web Application DB Firewall Load Balancer External Network (Internet)
  • 14. Group Policy Realization EPG Web EPG Application EPG DB Firewall EPG External Network (Internet) Contract Protocol:TCP Port:80 Action:Redirect To FW_LB_CHAIN ProvidesConsumes Protocol:TCP Port:3306 Action:ALLOW Protocol:TCP Port:9080 Action:ALLOW EPG EPG
  • 15. Optional Constructs in Model ❖ Scopes: put constraints around how provider and consumer EPGs are matched ❖ Policy Rule Filters: allow for tagging Policy Rules with Labels such that subsets can be created in a Contract ❖ Contract hierarchy: infra admin constraints can be achieved by Contract hierarchical composition ❖ Endpoint labels: policies get triggered automatically when labels are added or removed
  • 16. Proof of Concept i m p l e m e n t a t i o n
  • 17. PoC Implementation ❖ Team has worked on a PoC implementation ❖ Considering various model and implementation alternatives ❖ Using legacy driver ❖ CLI, Horizon, and Heat CLI Neutron Heat Horizon Policy Manager Legacy Policy Driver ODL Policy Driver others
  • 18. The Group Policy PoC Team ❖ Sumit Naiksatam, Robert Kukura, Mandeep Dhami (Cisco) ❖ Mohammad Banikazemi (IBM) ❖ Stephen Wong (Midokura) ❖ Ronak Shah (Nuage Networks) ❖ Hemanth Ravi, Susaant Kondapaneni, Prasad Vellanki (One Convergence) ❖ Rudra Rugge (Juniper)
  • 19. State of Implementation ❖ The blueprint for Group Policy has been reviewed/approved ❖ Working PoC available (install from: https://github.com/noironetworks/devstack/tree/group- policy-poc) ❖ Neutron reference implementation for Group Policy is in progress ❖ Complementary work on network services framework is in progress
  • 20. More Information ❖ Neutron Group-based Policy design session May 16 • 10:50am - 11:30am • B304 ❖ Wiki page: https://wiki.openstack.org/wiki/Neutron/GroupPolicy ❖ Neutron Group Policy Sub-Team Meeting IRC weekly meetings: https://wiki.openstack.org/wiki/Meetings/Neutron_Group_Policy