Ask Your Question
4

How to isolate tenant networks connected to a shared router?

asked 2015-02-12 06:27:07 -0500

Michael Steffens gravatar image

updated 2015-02-23 07:46:10 -0500

Is it possible to isolate tenant networks connected to a shared router? The idea is to minimize the number of routers and router IPs allocated in the external subnet, while still blocking any traffic between tenant networks.

I have tried a configuration as shown in the diagram below

Shared router wi

ext-net, ext-subnet, and the shared router are assigned to the admin or service tenant. The tenant networks and subnets belong to their respective tenants. I am aware that this configuration can't separate on a namespace level owned by the router, so tenant CIDR's must not overlap. This would be the price to pay for sharing a router and its external IP.

The setup works fine. Tenant instances can be attached to their respective network, can get floating IPs assigned, and can communicate both inbound and outbound. Unfortunately they can also talk to private IPs in the other tenant, just as if they were connected to a shared network. With the exception of broadcast probably not being propagated between them.

Is there a possibility to block traffic between tenant networks entirely? The solution should not depend on VLANs being configured on physical switches. It should also not depend on security groups applied to instance interfaces (which would be available as well in a shared network), to avoid tenant "cross-talk" caused by tenant internal misconfiguration.

Example: commands below create a configuration as described here, assuming

  • there is an external network named "ext-net" (created according to installation guide)
  • there are two tenants named "tenant-a" and "tenant-b"
  • Environment variables OS_USER_NAME and OS_TENANT_NAME are set to log into the admin tenant, where the user is configured to be admin (again, like described in the installation guide)

then run

neutron router-create shared-router
neutron router-gateway-set shared-router ext-net

tenant_a_id=$(keystone tenant-list|awk '/tenant-a/ {print $2}')
neutron net-create --tenant-id $tenant_a_id tenant-a-net
neutron subnet-create --tenant-id $tenant_a_id --name tenant-a-subnet tenant-a-net 192.168.1.0/24
neutron router-interface-add shared-router tenant-a-subnet

tenant_b_id=$(keystone tenant-list|awk '/tenant-b/ {print $2}')
neutron net-create --tenant-id $tenant_b_id tenant-b-net
neutron subnet-create --tenant-id $tenant_b_id --name tenant-b-subnet tenant-b-net 192.168.2.0/24
neutron router-interface-add shared-router tenant-b-subnet
edit retag flag offensive close merge delete

Comments

I tried to replicate this setup. But while loged in as tenant-a or tenant-b i cant asign floating ip's to any instance ports. Did you encounter the same problem? Is there a way to fix this?

mischa gravatar imagemischa ( 2015-06-18 11:10:32 -0500 )edit

maybe fwaas with provider rules that only allow north-south traffic. Or maybe the new address-scopes feature can be used.

darragh-oreilly gravatar imagedarragh-oreilly ( 2016-10-18 12:06:57 -0500 )edit

Did anyone come up with a solution to this. We want to avoid having to use up ips for a router for every project on our cloud. We are currently using shared router setup and would like to create isolation.

colby gravatar imagecolby ( 2017-03-06 16:01:26 -0500 )edit

1 answer

Sort by ยป oldest newest most voted
0

answered 2015-02-23 04:30:51 -0500

Vinoth gravatar image

updated 2015-02-23 04:32:17 -0500

I wonder, is it possible to share same router across two tenants ?

I have seen

1) one tenant, one router , two network configuration.

2) two tenant, two router , one network (shared) configuration.

But two tenant, one router, two network is ODD. I don't think we can share Router across the tenants!

Apologize, if I am wrong. Could you please share any link related to shared router configuration?

edit flag offensive delete link more

Comments

Quite straightforward to set up. The router was created in the admin tenant. Tenant (sub)nets were also created by a user logged into the admin tenant, but were placed in their respective tenants using the --tenant-id option for create commands. You can then add router interfaces to these subnets.

Michael Steffens gravatar imageMichael Steffens ( 2015-02-23 06:19:09 -0500 )edit

Thanks @michael

Vinoth gravatar imageVinoth ( 2015-02-23 06:56:54 -0500 )edit

I have appended example commands how to reproduce the odd configuration. I was kind of surprised that it works myself. If we could (re)establish isolation between tenant networks while sharing the router, this would be really great.

Michael Steffens gravatar imageMichael Steffens ( 2015-02-23 07:55:38 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2015-02-12 06:27:07 -0500

Seen: 4,197 times

Last updated: Feb 23 '15