Does Neutron provide an application layer firewall?

asked 2014-04-15 10:19:04 -0500 by ogzy

updated 2014-04-19 01:37:19 -0500 by darragh-oreilly

I am working on a service structure that I plan to run on OpenStack. It is designed as a prevention mechanism, so the traffic will flow through the servers that I installed. I want this service assignable per tenant. Documentation says that it is possible to define per-tenant routers. I wonder whether I can define a security router and deploy my service so that any defined tenant will use this router and the service automatically, and the web request, for example (it can be some other application layer protocol), will go through the defined servers to be analyzed before reaching the tenant's machine.

Any other solution is also welcome.


2 answers


answered 2014-04-19 01:30:43 -0500 by darragh-oreilly

updated 2014-04-22 07:10:27 -0500

For the per-tenant router use-case, Neutron provides an API that allows tenants to create and manage their own routers. It also provides an L3-agent that implements the API using the Linux network stack.

I believe you are looking to coerce all tenant traffic to flow through a service VM (Nova managed instance?) that runs some application layer security stuff and is possibly managed by the admin and transparent to the tenants? OpenStack and Neutron do not provide anything like this today, but there is this blueprint. Also there is a thread about "Service VMs" and Neutron here.



Hence we need to use SDN over Openstack.

SGPJ (2014-04-19 08:44:41 -0500)

I don't see a SDN connection here. Currently I'm not aware of an implementation for the question - SDN based or otherwise - in OpenStack today.

darragh-oreilly (2014-04-20 09:17:08 -0500)

I wonder whether there is a sample work that i can investigate.

ogzy (2014-04-21 01:00:40 -0500)

answered 2014-04-18 12:24:24 -0500 by SGPJ

updated 2014-04-18 12:26:14 -0500

Yes, it is possible with an advanced solution. You may need to use SDN (Software Defined Networking) to achieve this. You can program the SDN controller to direct traffic (flows) to the defined servers first (for analysis) and then re-route the same packets to the actual destination.

Also, there are many SDN solutions that can be integrated with OpenStack.


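The steering pattern both answers circle around (send a tenant's application traffic to an analysis server first, then deliver it to the real destination) is easiest to reason about as a priority-ordered flow table. The following Python model is an added example, not code from Ask OpenStack, Neutron or any SDN controller; the switch ports, tenant names and the `INSPECT_PORT` constant are constructed values. It shows the three cases a defender has to verify: a protected tenant's web traffic is inspected exactly once, unrelated ports and unprotected tenants are forwarded normally, and a controller that forgets the "already inspected" return rule sends the packet round in a loop.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Switch port that faces the admin-run inspection server (constructed value).
INSPECT_PORT = 99


@dataclass(frozen=True)
class Packet:
    """The few header fields the steering logic looks at (constructed model)."""
    tenant: str         # tenant network the packet belongs to
    in_port: int        # switch port the packet arrived on
    dst_port: int       # TCP destination port, e.g. 80 for web traffic
    dst_host_port: int  # switch port where the destination VM is attached


@dataclass
class FlowRule:
    priority: int
    match: Dict[str, object]  # field name -> required value; empty dict matches all
    action: str               # "inspect" (detour to analysis box) or "forward"

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, name) == value for name, value in self.match.items())


class SteeringController:
    """Toy controller: installs per-tenant rules that detour chosen
    application ports through the inspection server before delivery."""

    def __init__(self, install_return_rule: bool = True) -> None:
        self.rules: List[FlowRule] = []
        # Table-miss rule: tenants without a security policy are forwarded normally.
        self.rules.append(FlowRule(0, {}, "forward"))
        if install_return_rule:
            # Highest priority: traffic coming back from the inspection port has
            # already been analysed and must go straight to its destination.
            # Leaving this rule out is the misconfiguration that loops traffic.
            self.rules.append(FlowRule(300, {"in_port": INSPECT_PORT}, "forward"))

    def protect_tenant(self, tenant: str, app_ports: List[int]) -> None:
        """Send this tenant's traffic on the listed ports through inspection."""
        for port in app_ports:
            self.rules.append(FlowRule(200, {"tenant": tenant, "dst_port": port}, "inspect"))

    def lookup(self, pkt: Packet) -> Optional[FlowRule]:
        candidates = [r for r in self.rules if r.matches(pkt)]
        return max(candidates, key=lambda r: r.priority) if candidates else None

    def route(self, pkt: Packet, max_hops: int = 4) -> List[str]:
        """Return the sequence of steps the packet takes through the switch."""
        path: List[str] = []
        cur = pkt
        for _ in range(max_hops):
            rule = self.lookup(cur)
            if rule is None:
                path.append("drop")
                return path
            if rule.action == "inspect":
                path.append("inspect")
                # The analysis box hands the packet back on INSPECT_PORT.
                cur = replace(cur, in_port=INSPECT_PORT)
            else:
                path.append(f"deliver:{cur.dst_host_port}")
                return path
        path.append("loop")  # hop budget exhausted: the rule set is misconfigured
        return path


def run_demo() -> Dict[str, List[str]]:
    """Constructed packets exercising the protected, unprotected and broken cases."""
    good = SteeringController()
    good.protect_tenant("tenant-a", app_ports=[80, 443])
    broken = SteeringController(install_return_rule=False)
    broken.protect_tenant("tenant-a", app_ports=[80])

    web_a = Packet(tenant="tenant-a", in_port=1, dst_port=80, dst_host_port=7)
    ssh_a = Packet(tenant="tenant-a", in_port=1, dst_port=22, dst_host_port=7)
    web_b = Packet(tenant="tenant-b", in_port=2, dst_port=80, dst_host_port=8)
    return {
        "protected_web": good.route(web_a),
        "protected_other_port": good.route(ssh_a),
        "unprotected_tenant": good.route(web_b),
        "missing_return_rule": broken.route(web_a),
    }


if __name__ == "__main__":
    for name, path in run_demo().items():
        print(f"{name:22s} {' -> '.join(path)}")
```

The priority layout is the point: the "already inspected" rule must outrank the per-tenant detour rule, otherwise the packet re-enters the switch from the inspection port, matches the detour again and never reaches the tenant VM. A real controller would express the same ordering in its flow-table priorities and should be tested for the loop case before it is rolled out to tenants.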
