Group-based Policy for Networking
OpenStack Neutron Group-based Policy (GBP)
GBP Team, Sept 18th 2014
Agenda
o Introductions - GBP Team
o Motivation for GBP
o Solution, Demo
o Next Steps
Introductions
o Group-based Policy Neutron sub-team: 13 code contributors + review participants
o Work Started in Havana (Oct 2013)
o Weekly IRC meeting
o Wiki page:
https://wiki.openstack.org/wiki/Neutron/GroupPolicy
Motivation
o Simplification of workflow
o Capture user intent
o Separation of concerns
o Consistency of deployment
o Scalable deployment and operations
o Policy-driven automation
o Declarative abstractions
o Reusable constructs
Use case
a) Application-developer: My 2-tier PCI app (database tier and web tier) can be deployed either for production or for development. When deployed for production, it needs
● solid-state storage for the DB tier
● all ports but 80 closed on the web tier
● no network communication to DB tier except from the web tier
● no VM in the DB tier can be deployed on the same hypervisor as another VM in the DB tier; same for the web tier
b) Cloud operator
● Applications deployed for production must have access to the internet.
● Applications deployed for production must not be deployed in the DMZ cluster.
● Applications deployed for production should scale based on load.
● Applications deployed for development should have 1 VM instance per tier.
● Every application must use VM images signed by an administrator.
c) Compliance officer
● No VM from a PCI app may be located on the same hypervisor as a VM from a non-PCI app.
Use case (connectivity constraints)
a) Application-developer: My 2-tier PCI app (database tier and web tier) can be deployed either for production or for development.
● all ports but 80 closed on the web tier
● no network communication to DB tier except from the web tier
b) Cloud operator
● Applications deployed for production must have access to the internet.
Use case (connectivity constraints)
a) Application-developer: My 2-tier PCI app (database tier and web tier) can be deployed either for production or for development. When deployed for production, it needs
● all ports but 80 closed on the web tier
● no network communication to DB tier except from the web tier
[Diagram labels: Groups; Policy Rule, Policy Rule; Policy Rules Set]
Use case (connectivity constraints)
b) Cloud operator
● Applications deployed for production must have access to the internet.
● All traffic from internet must be inspected by IDS.
[Diagram labels: Policy Tags; Service Chain]
Group-based Policy
[Diagram labels: Groups; Policy Rules Set; Policy Rule; Policy Tags; Service Chain]
o Connectivity between Groups is defined by Policy Rules Set
o Introduce constraints with Policy Tags
o Policy Rules Set is a collection of Policy Rules
o Redirection
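The connectivity part of the use case from the preceding slides, carried through the constructs on this slide as an added example. This is not GBP code from the deck or the project; the class names, the `resolve_flow()` helper, the provided/consumed relationship between Groups and a Policy Rules Set, the database port 3306 and the service name "ids" are assumptions chosen to illustrate the model, and Policy Tags (placement constraints) are left out because they are not connectivity.

```python
"""Toy model of the Group-based Policy constructs on the slides: Groups,
Policy Rules (classifier + action), a Policy Rules Set that one Group provides
and another consumes, and a redirect action that steers traffic through a
Service Chain. Constructed illustration, not GBP's own code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Classifier:
    """Traffic classifier of a Policy Rule: protocol plus optional destination port."""
    protocol: str               # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None  # None matches any destination port

    def matches(self, protocol: str, port: Optional[int]) -> bool:
        if self.protocol not in ("any", protocol):
            return False
        return self.port is None or self.port == port


@dataclass(frozen=True)
class PolicyRule:
    """Classifier plus action. For "redirect" the flow is steered through the
    named service chain before it reaches the providing Group."""
    classifier: Classifier
    action: str                 # "allow" or "redirect"
    service_chain: tuple = ()   # ordered service names, used only by "redirect"


@dataclass
class PolicyRuleSet:
    """A Policy Rules Set is a collection of Policy Rules."""
    name: str
    rules: list


@dataclass
class Group:
    """A Group of endpoints. It offers rule sets to others (provided) and may
    use rule sets offered by others (consumed). Both names are assumptions."""
    name: str
    provided: dict = field(default_factory=dict)   # rule-set name -> PolicyRuleSet
    consumed: set = field(default_factory=set)     # names of rule sets it may use


def resolve_flow(src: Group, dst: Group, protocol: str, port: Optional[int] = None):
    """Decide what happens to a flow from src into dst.

    Connectivity is default-deny: a flow is permitted only when dst provides a
    rule set, src consumes that same rule set, and one of its rules classifies
    the flow. Returns (action, service_chain); the chain is empty unless the
    matching rule redirects.
    """
    for name, ruleset in dst.provided.items():
        if name not in src.consumed:
            continue                       # offered, but src is not a consumer of it
        for rule in ruleset.rules:
            if rule.classifier.matches(protocol, port):
                return rule.action, rule.service_chain
    return "deny", ()


def build_pci_app():
    """Production deployment of the 2-tier PCI app from the use-case slides.
    Port 3306 (MySQL) and the service name "ids" are assumptions."""
    # Web tier: only port 80 is open, and everything that arrives from the
    # internet is redirected through the IDS before it reaches the web VMs.
    web_ruleset = PolicyRuleSet("web-ruleset", [
        PolicyRule(Classifier("tcp", 80), "redirect", ("ids",)),
    ])
    # DB tier: reachable only on the database port, and only by consumers of
    # db-ruleset, which below is just the web tier.
    db_ruleset = PolicyRuleSet("db-ruleset", [
        PolicyRule(Classifier("tcp", 3306), "allow"),
    ])
    # Operator requirement: production apps must be able to reach the internet.
    egress_ruleset = PolicyRuleSet("internet-egress", [
        PolicyRule(Classifier("any"), "allow"),
    ])

    internet = Group("internet", provided={"internet-egress": egress_ruleset},
                     consumed={"web-ruleset"})
    web = Group("web", provided={"web-ruleset": web_ruleset},
                consumed={"db-ruleset", "internet-egress"})
    db = Group("db", provided={"db-ruleset": db_ruleset})   # consumes nothing
    return internet, web, db


if __name__ == "__main__":
    internet, web, db = build_pci_app()
    flows = [
        (internet, web, "tcp", 80),    # redirected through the IDS
        (internet, web, "tcp", 22),    # port 22 is closed on the web tier
        (web, db, "tcp", 3306),        # allowed: web consumes db-ruleset
        (internet, db, "tcp", 3306),   # denied: internet does not consume db-ruleset
        (db, web, "tcp", 80),          # denied: db does not consume web-ruleset
        (web, internet, "tcp", 443),   # allowed: production needs internet access
    ]
    for src, dst, proto, port in flows:
        action, chain = resolve_flow(src, dst, proto, port)
        print(f"{src.name:>8} -> {dst.name:<8} {proto}/{port}: {action} {list(chain)}")
```

The point the model makes is that a Policy Rules Set is a contract between two Groups, not a firewall rule on one of them: the DB tier stays unreachable from the internet without any deny rule because the internet Group never consumes `db-ruleset`, and the IDS redirection applies to whoever consumes `web-ruleset`, which in this deployment is only the internet Group. Anything a rule does not classify, such as port 22 on the web tier, falls through to deny.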
Demo
Policy framework
[Diagram: Business / Governance Policy layered over Infrastructure Policy, over Compute, Network and Storage]
Next steps
o GBP with Juno
o Get community feedback
o Identify synergies with other teams/components
Thank You!
Backup
Mapping to Neutron
[Diagram: GBP constructs mapped to Neutron existing non-policy constructs; legend: * → [0..n]]