Public bug reported:

Creating multiple Neutron availability zones allows the operator to
schedule DHCP and L3 agents within a single AZ. Neutron will still try
to form a VXLAN mesh between all nodes in all availability zones, which
creates inter-AZ dependencies and may not work when strict firewalls are
placed between AZs.

This behavior should be configurable, so that L2 may be limited to a
particular AZ, and no tunnels are formed between different AZs. This
will prevent Neutron from trying to form tunnels when the tunnel cannot
function, and may enhance security when AZs are in different security
zones.

The desired end-state configuration would have separate DHCP and L3
agents hosted in each AZ, along with tunnels formed only inside the AZ.
This would allow, for instance, multiple edge sites within a single
deployment that each performed local networking only. Any particular
Neutron network would be limited to one AZ. A new flag would allow AZs
to be truly autonomous and remove cross-AZ dependencies.

Example: Suppose two AZs, AZ1 (control plane 10.1.1.0/24) and AZ2
(control plane 172.16.2.0/24).

Here is example output from a node in AZ1. It is forming tunnels between
members of both AZs. The desired configuration would have VXLAN tunnels
only formed between endpoints in the same AZ.

    Bridge br-tun
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "vxlan-1e0094c8"
            Interface "vxlan-1e0094c8"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.1.1.20", out_key=flow, remote_ip="10.1.1.200"}
        Port br-tun
            Interface br-tun
                type: internal
        Port "vxlan-1e0094d6"
            Interface "vxlan-1e0094d6"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.1.1.20", out_key=flow, remote_ip="172.16.2.214"}
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1808062

Title:
  [RFE] Limit VXLAN to within Neutron availability zones

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1808062/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
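A worked check to go with the report above, added here as an example; it is not part of the bug report and not Neutron's own code. It parses `ovs-vsctl show` output of the form quoted in the report and, given a map of AZ control-plane subnets, lists which br-tun tunnels stay inside the local AZ and which cross an AZ boundary, together with the UDP flows a strict inter-AZ firewall would have to pass for the cross-AZ tunnels to work. The AZ map and the embedded sample output are constructed from the report's example, the function names are the example's own, and UDP port 4789 is the IANA VXLAN default and therefore an assumption about the deployment.

```python
"""Audit br-tun tunnel endpoints against AZ control-plane subnets (added example,
not Neutron code): parse `ovs-vsctl show` text and flag VXLAN ports whose
remote endpoint sits in a different availability zone than the local node."""
import ipaddress
import re

# Assumed AZ map, taken from the report's example: control-plane subnet per AZ.
AZ_SUBNETS = {
    "AZ1": ipaddress.ip_network("10.1.1.0/24"),
    "AZ2": ipaddress.ip_network("172.16.2.0/24"),
}
# IANA VXLAN port; assumes the OVS agent's vxlan_udp_port was left at default.
VXLAN_UDP_PORT = 4789

# Constructed sample mirroring the AZ1 node's br-tun output in the report.
SAMPLE_OVS_SHOW = """\
    Bridge br-tun
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "vxlan-1e0094c8"
            Interface "vxlan-1e0094c8"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.1.1.20", out_key=flow, remote_ip="10.1.1.200"}
        Port br-tun
            Interface br-tun
                type: internal
        Port "vxlan-1e0094d6"
            Interface "vxlan-1e0094d6"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.1.1.20", out_key=flow, remote_ip="172.16.2.214"}
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
"""

_PORT_RE = re.compile(r'^\s*Port\s+"?([^"\s]+)"?\s*$')
_TYPE_RE = re.compile(r'^\s*type:\s*(\S+)\s*$')
_OPT_RE = re.compile(r'(\w+)=("?)([^,}"]*)\2')  # key=value or key="value"


def parse_tunnels(ovs_show):
    """Return {'port', 'type', 'local_ip', 'remote_ip'} for every vxlan port."""
    tunnels, current = [], None
    for line in ovs_show.splitlines():
        m = _PORT_RE.match(line)
        if m:                                   # a new "Port ..." stanza
            current = {"port": m.group(1), "type": None}
            continue
        if current is None:
            continue
        m = _TYPE_RE.match(line)
        if m:
            current["type"] = m.group(1)
            continue
        text = line.strip()
        if text.startswith("options:") and current["type"] == "vxlan":
            opts = {k: v for k, _q, v in _OPT_RE.findall(text)}
            current["local_ip"] = opts.get("local_ip")
            current["remote_ip"] = opts.get("remote_ip")
            tunnels.append(current)
            current = None                      # the options line ends the stanza
    return tunnels


def az_of(ip, az_subnets=AZ_SUBNETS):
    """Name of the AZ whose control-plane subnet contains ip, else 'unknown'."""
    if ip is None:
        return "unknown"
    addr = ipaddress.ip_address(ip)
    return next((az for az, net in az_subnets.items() if addr in net), "unknown")


def classify_tunnels(ovs_show, az_subnets=AZ_SUBNETS):
    """Return (intra_az, cross_az) lists of port names. A tunnel is cross-AZ when
    its endpoints resolve to different AZs or either endpoint is outside every
    known subnet: an unaccounted-for peer is reported, not silently accepted."""
    intra, cross = [], []
    for t in parse_tunnels(ovs_show):
        local_az = az_of(t["local_ip"], az_subnets)
        remote_az = az_of(t["remote_ip"], az_subnets)
        if local_az != "unknown" and local_az == remote_az:
            intra.append(t["port"])
        else:
            cross.append(t["port"])
    return intra, cross


def cross_az_flows(ovs_show, az_subnets=AZ_SUBNETS):
    """(src, dst, udp_port) triples a strict inter-AZ firewall would have to pass."""
    _, cross = classify_tunnels(ovs_show, az_subnets)
    return [(t["local_ip"], t["remote_ip"], VXLAN_UDP_PORT)
            for t in parse_tunnels(ovs_show) if t["port"] in cross]


if __name__ == "__main__":
    intra, cross = classify_tunnels(SAMPLE_OVS_SHOW)
    print("intra-AZ:", intra, "cross-AZ:", cross, "flows:", cross_az_flows(SAMPLE_OVS_SHOW))
```

On the report's sample this flags `vxlan-1e0094d6` (10.1.1.20 to 172.16.2.214) as the one cross-AZ tunnel and `vxlan-1e0094c8` as intra-AZ. Run against real nodes by feeding `ovs-vsctl show` to `classify_tunnels`; an empty cross-AZ list on every node is the end state the RFE asks for, and a non-empty one lists exactly the flows an inter-AZ firewall is currently breaking.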