
Creating a three tiered network with neutron

In summary: we are trying to build a classical 3-tiered network in Juno with Neutron using FWaaS and have stumbled upon two separate problems:

  1. If we use OpenStack routers (with only the top router setting a gateway on the external network) we find that the SNAT is only applied to the Tier-1 networks and therefore routing back to the inner tiers from outside of the network container is not possible without manually adding routes to upstream devices. We need to be able to construct a VPN connection between Tier3 and a remote site, so we do need to be able to route to and from the Tier3 router. We are using REST to create static routes to the inner tier routers and networks (and for the default routes on the inner routers).
  2. If we use an OpenStack router on the top tier and "service appliances", aka Linux routers, for the inner tiers we can route to the internet by setting SNAT for each tier for outbound traffic. Now we have a problem with port security: traffic that is routed between each tier is blocked because it does not originate on the service appliance.

It seems that we would be ok if we could selectively disable port security on the ports connected to the service appliances OR if we could have a masquerade on the router connected to the external network.

Is there anything that I have missed or that anyone could advise? Should I resign myself to a flattened logical architecture?

More details: I know that you can use a flat network and security groups to achieve a similar end. You can also create 3 adjacent router instances and use firewall rules and static routes to achieve a similar logical topology, but I am looking to have 3 separate namespaces and only one connection to the external network.

The steps I have used to create the 3-tiered network are:

  1. Create router for top tier and set GW on external network. Create first tier network and attach to router.
  2. Create 2nd tier router, create a port on the first tier network and assign a route to 0.0.0.0/0 with nexthop of the top tier router interface (you can't use "set gateway" for non-external networks).
  3. Create 2nd tier network, add a route on the top tier router to the 2nd tier network via the port assigned to the 2nd tier router in step 2.
  4. Create firewall rules as needed in FWaaS. These rules are applied to both namespaces.
  5. Repeat steps for 2nd tier to build a 3rd tier. Add routes to inner tier on both 1st and 2nd tier routers.

Traffic and routing within the 3-tiered environment behaves as expected. As I mentioned above, the top tier router creates an SNAT only for the top tier network. I thought of creating a Linux router to SNAT the traffic from the tier 2 network (we need to create a VPN connection from the tier 3 router to handle MySQL replication to a remote non-OpenStack site). Port security blocks traffic originating from the tier 2 network when it traverses the 2nd tier Linux router.

We also thought of making all of our networks external networks, but since you can't attach VMs directly to external networks we wouldn't be able to deploy the application VMs in each tier.

Any help appreciated.
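The five build steps above as a Juno-era `neutron` CLI script, added here as an illustration and not the question author's own tooling. The external network name `ext-net`, the router and network names, and the `10.N.0.0/24` addressing (tier router at `.1`, next tier's uplink port at `.2`) are assumed values; `DRY_RUN=1` prints every command instead of executing it so the plan can be reviewed first.

```shell
#!/bin/sh
# Constructed example for the five steps above, not the question author's script.
# Assumptions: external network "ext-net"; tier N uses 10.N.0.0/24 with the
# tier's Neutron router at .1 and the next tier's uplink port at .2.
# DRY_RUN=1 prints each neutron command instead of executing it (for review).
set -e
DRY_RUN="${DRY_RUN:-}"

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# tier_net N ROUTER: create tier N's network/subnet and attach it to ROUTER (.1)
tier_net() {
  run neutron net-create "tier$1"
  run neutron subnet-create --name "tier$1-sub" --gateway "10.$1.0.1" "tier$1" "10.$1.0.0/24"
  run neutron router-interface-add "$2" "tier$1-sub"
}

# inner_router N: router for tier N, uplinked via a port on tier N-1 (.2) with a
# default route toward the tier N-1 router (.1), since "set gateway" is external-only
inner_router() {
  p=$(($1 - 1))
  run neutron router-create "r-tier$1"
  run neutron port-create --name "r-tier$1-uplink" --fixed-ip "ip_address=10.$p.0.2" "tier$p"
  run neutron router-interface-add "r-tier$1" "port=r-tier$1-uplink"
  run neutron router-update "r-tier$1" --routes type=dict list=true "destination=0.0.0.0/0,nexthop=10.$p.0.1"
}

build_three_tiers() {
  # step 1: top router with its gateway on the external network, plus tier 1
  run neutron router-create r-top
  run neutron router-gateway-set r-top ext-net
  tier_net 1 r-top
  # steps 2-3: tier 2 router and network, reached from r-top via the uplink port
  inner_router 2
  tier_net 2 r-tier2
  # step 5: tier 3 built the same way
  inner_router 3
  tier_net 3 r-tier3
  # static routes downward. --routes REPLACES the router's whole list, so each
  # update must carry every route that router needs (default route included).
  run neutron router-update r-top --routes type=dict list=true \
    destination=10.2.0.0/24,nexthop=10.1.0.2 destination=10.3.0.0/24,nexthop=10.1.0.2
  run neutron router-update r-tier2 --routes type=dict list=true \
    destination=0.0.0.0/0,nexthop=10.1.0.1 destination=10.3.0.0/24,nexthop=10.2.0.2
}

# step 4 (FWaaS rules) is left to the operator: one policy applies to every
# router namespace, so the rules must be valid for all three tiers at once.
```

The inner-tier uplinks here are Neutron router ports, which is why forwarded traffic is not subject to the per-port filtering that blocks a VM-based Linux router in the second design.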