On May 1, 2014, at 7:48 PM, Stephen Balukoff <[email protected]> wrote:
Hi Trevor,
I was the one who wrote that use case based on discussion that came out of the
question I wrote the list last week about SSL re-encryption: Someone had
stated that sometimes pool members are local, and sometimes they are hosts
across the internet, accessible either through the usual default route, or via
a VPN tunnel.
The point of this use case is to make the distinction that if we associate a
neutron_subnet with the pool (rather than with the member), then some members
of the pool that don't exist in that neutron_subnet might not be accessible
from that neutron_subnet. However, if the behavior of the system is such that
attempting to reach a host through the subnet's "default route" still works
(whether that leads to communication over a VPN or the usual internet routes),
then this might not be a problem.
The other option is to associate the neutron_subnet with a pool member. But in
this case there might be problems too. Namely:
* The device or software that does the load balancing may need to have an
interface on each of the member subnets, and presumably an IP address from
which to originate requests.
* How does one resolve cases where subnets have overlapping IP ranges?
In the end, it may be simpler not to associate neutron_subnet with a pool at
all. Maybe it only makes sense to do this for a VIP, and then the assumption
would be that any member addresses one adds to pools must be accessible from
the VIP subnet. (Which is easy, if the VIP exists on the same neutron_subnet.
But this might require special routing within Neutron itself if it doesn't.)
This topology question (ie. what is feasible, what do people actually want to
do, and what is supported by the model) is one of the more difficult ones to
answer, especially given that users of OpenStack that I've come in contact with
barely understand the Neutron networking model, if at all.
I would think we'd want to use a single subnet with a pool, and if the user
specifies a pool member that's not routable there's not much we can do. Should
we introduce the concept of routers into the pool object to bridge the
subnets if need be? Or we leave it up to the user to add the appropriate
host_routes on their load balancer's subnet, and have an interface or
port_id (with an IP) specified on the pool object. I don't know if attaching a
neutron port to a pool and using host_routes makes the flow any easier. But
routing constructs in Neutron are available. I know networking but not a whole
lot of the neutron perspective on it. I've yet to look over how the VPN stuff
is handled. If the pools do happen to have IP collisions then the first match
in the LoadBalancer's subnet host_routes wins.
subnet.host_route = [{'destination': <CIDR>, "nexthop": <valid IP
address>}...], according to
https://wiki.openstack.org/wiki/Neutron/APIv2-specification#High-level_flow
with the IP address being the pool neutron ports on your side of the
load balancer.
On Thu, May 1, 2014 at 1:52 PM, Trevor Vardeman <[email protected]> wrote:
Hello,
After going back through the use-cases to double check some of my
understanding, I realized I didn't quite understand the ones I had
already answered. I'll use a specific use-case as an example of my
misunderstanding here, and hopefully the clarification can be easily
adapted to the rest of the use-cases that are similar.
Use Case 13: A project-user has an HTTPS application in which some of
the back-end servers serving this application are in the same subnet,
and others are across the internet, accessible via VPN. He wants this
HTTPS application to be available to web clients via a single IP
address.
In this use-case, is the Load Balancer going to act as a node in the
VPN? What I mean here, is the Load Balancer supposed to establish a
connection to this VPN for the client, and simulate itself as a computer
on the VPN? If this is not the case, wouldn't the VPN have a subnet ID,
and simply be added to a pool during its creation? If the latter is
accurate, would this not just be a basic HTTPS Load Balancer creation?
After looking through the VPNaaS API, you would provide a subnet ID to
the create VPN service request, and it establishes a VPN on said subnet.
Couldn't this be provided to the Load Balancer pool as its subnet?
Forgive me for requiring so much distinction here, but what may be clear
to the creator of this use-case has left me confused. This same
type of clarity would be very helpful across many of the other
VPN-related use-cases. Thanks again!
-Trevor
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
--
Stephen Balukoff
Blue Box Group, LLC
(800)613-4305 x807
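The host_routes resolution sketched in the reply above (member on the load balancer's own subnet, otherwise first matching host_route wins, otherwise the default route), as an added example that is not part of the thread. The subnet, routes and member addresses are constructed sample values; the off-subnet nexthop check is a sanity check this example adds, not behaviour the thread attributes to Neutron.

```python
import ipaddress

# Constructed sample data (not from the thread): a load balancer's subnet and
# host_routes in the Neutron shape quoted in the reply, plus some pool members.
LB_SUBNET = "10.0.1.0/24"
HOST_ROUTES = [
    {"destination": "192.168.10.0/24", "nexthop": "10.0.1.254"},  # VPN-side members
    {"destination": "192.168.0.0/16", "nexthop": "10.0.1.253"},   # overlaps the route above
    {"destination": "172.16.5.0/24", "nexthop": "10.0.1.252"},
]
MEMBERS = ["10.0.1.20", "192.168.10.7", "172.16.5.9", "203.0.113.8"]


def resolve_member(lb_subnet, host_routes, member):
    """Return (path, nexthop) for one pool member.

    path is 'local' (member sits on the load balancer's own subnet),
    'host_route' (the first host_route whose destination contains the member
    wins, mirroring the first-match behaviour the reply describes), or
    'default' (nothing matched; traffic follows the subnet's default route).
    """
    subnet = ipaddress.ip_network(lb_subnet)
    addr = ipaddress.ip_address(member)
    if addr in subnet:
        return ("local", None)
    for route in host_routes:
        if addr in ipaddress.ip_network(route["destination"]):
            return ("host_route", route["nexthop"])
    return ("default", None)


def overlapping_routes(host_routes):
    """Index pairs whose destinations overlap: the 'IP collision' case in the
    reply, where which route applies depends purely on list order."""
    nets = [ipaddress.ip_network(r["destination"]) for r in host_routes]
    return [(i, j) for i in range(len(nets)) for j in range(i + 1, len(nets))
            if nets[i].overlaps(nets[j])]


def nexthops_off_subnet(lb_subnet, host_routes):
    """Nexthops that are not addresses on the load balancer's subnet. This is a
    sanity check the example adds, since the reply expects the nexthop to be a
    port on the load balancer's side."""
    subnet = ipaddress.ip_network(lb_subnet)
    return [r["nexthop"] for r in host_routes
            if ipaddress.ip_address(r["nexthop"]) not in subnet]
```

Calling `resolve_member(LB_SUBNET, HOST_ROUTES, m)` for each address in `MEMBERS` shows one local member, two reached via host_routes and one falling through to the default route, while `overlapping_routes(HOST_ROUTES)` flags the ordering-dependent pair.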