Neutron Summary: Network Isolation in OpenStack (Reprint)

Foreword

Recently, a security discussion was triggered by an isolation problem in the user network of the xx public cloud, and suddenly everyone became interested in concepts such as "classic network" and "VPC". We don't know how AWS does it, but we can talk about OpenStack; after all, it has been imitating AWS.

What is "isolation"?

First of all, let's figure out what the so-called "isolation" is.

We know that computer networks are implemented in layers: different protocols work at different layers, and the design of these layers follows international standards. According to the OSI model there are seven layers in total. The isolation everyone is discussing usually refers to Layer 2, also known as the "data link layer".

A packet at the data link layer is called a "frame". The MAC address of a network card that we often talk about is the address used in a frame. MAC is actually the abbreviation of "media access control", which is a sublayer of the data link layer.

So why isolate at Layer 2?
Because some frames at Layer 2 carry broadcast addresses, and devices on the same Layer 2 segment can and must receive these frames. A switch generally works at Layer 2 and must forward these broadcast packets too, so a Layer 2 segment is often called a "broadcast domain": like a classroom, everyone in it can see everyone else unless they are separated into different classrooms.

How OpenStack works

OpenStack's Neutron is responsible for providing the network for virtual machines, and OpenStack assumes multi-tenancy, so of course it must support isolation between tenants. Let's take a look at how Neutron implements it.

Flat network

The networks created in Neutron have "types", and the most basic type is "flat": all machines are on the same Layer 2, in the same broadcast domain.

I found a schematic diagram on the Internet:
[Figure: schematic of a flat network]
This kind of "flat" large Layer 2 network is relatively simple to implement and manage, but it also has many problems: besides security, there are issues such as broadcast storms.

A single large Layer 2 network is like putting the whole school in one big auditorium: everyone can see everyone else, and if anyone catches an infectious disease, everyone gets infected. If you want isolation, you can spread people across classrooms.


VLAN isolation network

The "vlan" type of network created in Neutron is the main Layer 2 isolation solution. VLAN (Virtual Local Area Network) itself is a Layer 2 isolation technology widely used by switches.

The schematic diagram is roughly like this:
[Figure: schematic of VLAN-isolated tenant networks]
This is like dividing the whole school from one auditorium into different classrooms: people in the same classroom can see each other, but people in different classrooms cannot.

However, this solution also has limitations. First, management is relatively troublesome, since physical switches need to be configured. In addition, the number of available VLANs is limited: VLAN IDs only number a little more than 4,000. If each tenant is assigned one VLAN, that would support at most about 4,000 tenants.
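To make the "a little more than 4,000" concrete, here is an added example (not code from the original post or from Neutron) that builds and parses an IEEE 802.1Q-tagged frame and shows why the VLAN ID is limited: the VID field in the tag is 12 bits wide, and 0 and 4095 are reserved, leaving 4094 usable IDs. The `flood` function models the "classroom" analogy: a VLAN-unaware switch floods a broadcast frame to every port, a VLAN-aware switch only to ports in the same VLAN. The port names and MAC addresses are constructed sample data.

```python
"""Build/parse IEEE 802.1Q-tagged frames and show VLAN-scoped flooding.

Added example with constructed sample data; not code from the original post
or from Neutron. The port names and MAC addresses are made up.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
VID_MIN, VID_MAX = 1, 4094        # 12-bit VID field; 0 and 4095 are reserved
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(s: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in s.split(":"))


def vid_is_usable(vid: int) -> bool:
    return VID_MIN <= vid <= VID_MAX


def tag_frame(dst: str, src: str, vid: int, payload: bytes, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID 0x8100 + TCI) after the MAC addresses."""
    if not vid_is_usable(vid):
        raise ValueError(f"VLAN ID {vid} outside usable range {VID_MIN}-{VID_MAX}")
    tci = (pcp << 13) | vid           # PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    return mac(dst) + mac(src) + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Return addresses, VLAN ID (None if untagged), EtherType and payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return {"dst": dst, "src": src, "vid": None, "ethertype": ethertype, "payload": frame[14:]}
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "ethertype": inner_type, "payload": frame[18:]}


def flood(frame: bytes, ports: dict, vlan_aware: bool = True) -> list:
    """Ports a switch floods a broadcast frame to.

    ports maps port name -> VLAN ID of the VM behind it. A flat (VLAN-unaware)
    switch floods to every port, i.e. one broadcast domain; a VLAN-aware switch
    floods only to ports in the frame's VLAN, i.e. one broadcast domain per VLAN.
    """
    info = parse_frame(frame)
    if info["dst"] != mac(BROADCAST):
        raise ValueError("not a broadcast frame")
    if not vlan_aware:
        return sorted(ports)
    return sorted(name for name, vid in ports.items() if vid == info["vid"])


if __name__ == "__main__":
    arp_like = tag_frame(BROADCAST, "02:00:00:00:00:01", 100, b"who-has 10.0.0.6?")
    vm_ports = {"vm-a": 100, "vm-b": 100, "vm-c": 200}
    print("flat switch floods to:", flood(arp_like, vm_ports, vlan_aware=False))
    print("VLAN switch floods to:", flood(arp_like, vm_ports))
```

The usable range check is the whole point of the "4,000 tenants" limit: whatever Neutron does with the `vlan` type, it cannot hand out more distinct IDs than fit in those 12 bits.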

Overlay network

An overlay network, as the name says, generally means "laying one layer on top of another", or using one layer to carry another layer along. VXLAN is the most common overlay protocol: the virtual machine's Layer 2 frame is wrapped in UDP on the host, then in the host's IP, routed at Layer 3 to the destination host if necessary, and unpacked there, and the inner Layer 2 frame is delivered to the destination virtual machine.

A bit abstract? Let's first look at the VXLAN packet structure to see what "wrapping" means:
[Figure: VXLAN packet structure]
The "Inner Frame" is the wrapped Layer 2 frame of the virtual machine.

In the final encapsulated packet, the outer source and destination IP addresses belong to the hosts, so as long as the hosts can communicate with each other (Layer 3 reachable), the encapsulated inner frame can be transported:
[Figure: VXLAN-encapsulated packet travelling between two hosts]

So what are the advantages of this scheme?

Mainly:

  1. The VXLAN ID space is large enough, more than 16 million, so tenants can use them freely.
  2. Because it is completely isolated, tenants can define their own networks at will, even if they overlap with other tenants' IP segments; for example, tenant A's network and tenant B's network in the figure above.
  3. If Layer 3 routers are supported through certain techniques, tenants can organize their own network topology at will; for example, in the figure above, the two networks of tenant A are connected to a router (which can be virtual).
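The packet structure described above and the first two advantages (the 24-bit VNI, and tenants with overlapping IP segments that never see each other) can be shown in working code. The following is an added example, not code from the original post or from Neutron: it wraps a constructed tenant frame in VXLAN/UDP/IPv4, unwraps it on the receiving side, and then looks the inner frame up by (VNI, destination MAC), which is why two tenants may both use 10.0.0.0/24 and even identical VM MAC addresses. The host (VTEP) addresses, VNIs, MACs and IPs are all made up.

```python
"""VXLAN encapsulation/decapsulation of a tenant's Layer 2 frame.

Added example with constructed sample data; not code from the original post
or from Neutron. Host (VTEP) addresses, VNIs, tenant MACs and IPs are made up.
"""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned UDP port for VXLAN
VXLAN_FLAG_I = 0x08            # "I" flag: the VNI field is valid
VNI_BITS = 24
VNI_MAX = (1 << VNI_BITS) - 1  # 16,777,215: the "more than 16 million" in the text
IPPROTO_UDP = 17


def mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a correct header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (no options), DF set, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def tenant_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """The 'inner frame': Ethernet + IPv4 exactly as the VM puts it on the wire."""
    return (mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800)
            + ipv4_header(src_ip, dst_ip, 253, len(payload)) + payload)  # 253: experimental protocol number


def vni_is_usable(vni: int) -> bool:
    return 0 <= vni <= VNI_MAX


def vxlan_encap(inner: bytes, vni: int, src_host: str, dst_host: str, src_port: int = 49152) -> bytes:
    """Outer IPv4 + UDP + 8-byte VXLAN header around the tenant frame."""
    if not vni_is_usable(vni):
        raise ValueError(f"VNI {vni} does not fit in {VNI_BITS} bits")
    vxlan_hdr = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)   # flags|reserved, VNI|reserved
    udp_len = 8 + len(vxlan_hdr) + len(inner)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # zero UDP checksum is allowed over IPv4
    return ipv4_header(src_host, dst_host, IPPROTO_UDP, udp_len) + udp_hdr + vxlan_hdr + inner


def vxlan_decap(packet: bytes):
    """Return (src_host, dst_host, vni, inner_frame); reject anything that is not VXLAN."""
    if packet[0] >> 4 != 4 or packet[9] != IPPROTO_UDP:
        raise ValueError("not IPv4/UDP")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src_host = str(ipaddress.IPv4Address(packet[12:16]))
    dst_host = str(ipaddress.IPv4Address(packet[16:20]))
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN")
    flags_word, vni_word = struct.unpack("!II", packet[ihl + 8:ihl + 16])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return src_host, dst_host, vni_word >> 8, packet[ihl + 16:ihl + udp_len]


def vtep_deliver(packet: bytes, local_ports: dict):
    """Receiving host: look the inner frame up by (VNI, destination MAC).

    A port only matches its own tenant's VNI, so identical MACs or overlapping
    IP ranges in two tenants never collide. Returns None if nothing matches.
    """
    _, _, vni, inner = vxlan_decap(packet)
    return local_ports.get((vni, inner[:6]))


def demo():
    # Two tenants both using 10.0.0.0/24 and even the same VM MAC addresses (constructed)
    vm1, vm2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
    ports = {(5001, mac(vm2)): "tenant-a-vm2", (5002, mac(vm2)): "tenant-b-vm2"}
    inner = tenant_frame(vm2, vm1, "10.0.0.5", "10.0.0.6", b"hello")
    pkt_a = vxlan_encap(inner, 5001, "192.0.2.10", "192.0.2.20")
    pkt_b = vxlan_encap(inner, 5002, "192.0.2.10", "192.0.2.20")
    return vxlan_decap(pkt_a), vtep_deliver(pkt_a, ports), vtep_deliver(pkt_b, ports)


if __name__ == "__main__":
    print(demo())
```

The outer header only ever carries host addresses, which is what the figure above shows; the VNI is the only thing that tells the receiving host which tenant's "classroom" the inner frame belongs to, and that is what makes overlapping tenant IP ranges harmless.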

Regarding the third point, in Neutron it looks roughly like this:
[Figure: Neutron tenant networks connected through a virtual router]

VPC

Finally, what exactly is a VPC?
To put it plainly: the picture above is a VPC!
VPC (virtual private cloud) is not a technical term but a product-level term coined by Amazon AWS.
Tenant networks are completely isolated, IP segments can overlap, and routers and network topologies can be defined by the tenants themselves. Isn't this a "virtual private cloud"?

Original link: https://addops.cn/post/network-isolation-in-openstack.html
