
Managing Routers and Floating IPs

Objectives

After completing this section, you should be able to describe the use cases and configuration choices when selecting a router configuration and floating IPs for tenant network instances.

Hosting Public Instances on Tenant Networks

To make an instance on a tenant network publicly available, several requirements for routers and floating IP addresses must be satisfied:

  • The tenant network must be connected to a router.

  • The router must have an external network configured using the --external-gateway option.

  • The external network must have an IP address allocation pool to create floating IP addresses from.

  • A floating IP address must be added to the instance.

Introduction to Routers

As the domain operator, you will advise cloud users about routers as a resource for specific application use cases. For example, a web server exposes a presentation layer, or an API is exposed for consumption by services outside of OpenStack.

Routers are logical OpenStack components that forward packets between different networks. They also provide NAT forwarding to give external network access. Routers are necessary when there is a need to communicate with other networks, whether external or not. An external network must have an allocation pool that provides the floating IP addresses used as the public access path for tenant networks connected through routers.

For the instances to communicate with any external subnet, a router must be deployed. Red Hat OpenStack Platform (RHOSP) provides such routing capabilities using Software-defined Networking (SDN). SDN-based virtual routers are similar to physical routers, and they require one interface for each subnet. The traffic received by the router uses the router's default gateway as the next hop, which is one portion of the path between the source and the destination. In OpenStack, routers have as many interfaces as the subnets for which they route traffic.

Open Virtual Network (OVN) offers layer 3 (L3) routing that is distributed by default and replaces the Neutron L3 agent from earlier versions of OpenStack.

Managing Routers in OpenStack

RHOSP allows cloud users to create and use routers to grant communication with other subnets. Use the openstack router create command to create routers.

[root@demo ~(admin)]# openstack router create demo-router
+-------------------------+------------------------------------------------------+
| Field                   | Value                                                |
+-------------------------+------------------------------------------------------+
| admin_state_up          | UP                                                   |
| availability_zone_hints | None                                                 |
| availability_zones      | None                                                 |
| created_at              | 2020-07-06T20:54:22Z                                 |
| description             |                                                      |
| external_gateway_info   | null                                                 |
| flavor_id               | None                                                 |
| id                      | 9b8832f6-4e2c-4547-a051-a3ed0d9a442c                 |
| location                | cloud='', project.domain_id=,                        |
|                         | project.domain_name='Example',                       |
|                         | project.id='3fe4ec06f5654a4d906a640d7f1a0457',       |
|                         | project.name='demo', region_name='regionOne',        |
|                         | zone=                                                |
| name                    | demo-router                                          |
| project_id              | 3fe4ec06f5654a4d906a640d7f1a0457                     |
| revision_number         | 0                                                    |
| routes                  |                                                      |
| status                  | ACTIVE                                               |
| tags                    |                                                      |
| updated_at              | 2020-07-06T20:54:22Z                                 |
+-------------------------+------------------------------------------------------+

To provide external access, a gateway must be configured in the router. Use the openstack router set command with --external-gateway to configure the gateway. This step, referred to as set gateway, connects a router interface to the external network and takes an IP address from the allocation pool.

[root@demo ~(admin)]# openstack router set \
> --external-gateway provider-datacentre demo-router

Run the openstack router add subnet command to connect the router to a private network. This step connects a router interface to the private internal network, and uses the gateway IP address that was reserved during the creation of the subnet.

[root@demo ~(admin)]# openstack router add subnet demo-router demo-subnet

Run the openstack router list command to list the routers.

[root@demo ~(admin)]# openstack router list
+------------------------+-------------+--------+-------+------------------------+
| ID                     | Name        | Status | State | Project                |
+------------------------+-------------+--------+-------+------------------------+
| 9b8832f6-4e2c-4547-a05 | demo-router | ACTIVE | UP    | 3fe4ec06f5654a4d906a64 |
| 1-a3ed0d9a442c         |             |        |       | 0d7f1a0457             |
+------------------------+-------------+--------+-------+------------------------+

To view the router's details, use the openstack router show command.

[root@demo ~(admin)]# openstack router show demo-router
+-------------------------+------------------------------------------------------+
| Field                   | Value                                                |
+-------------------------+------------------------------------------------------+
...output omitted...
| external_gateway_info   | {"network_id":                                       |
|                         | "ef95203b-7c9f-46c0-b328-e51aa7729798",              |
|                         | "external_fixed_ips": [{"subnet_id":                 |
|                         | "655df137-b2e3-4e3d-9b52-98221b7abf24",              |
|                         | "ip_address": "172.25.250.141"}], "enable_snat":     |
|                         | true}                                                |
| flavor_id               | None                                                 |
| id                      | 9b8832f6-4e2c-4547-a051-a3ed0d9a442c                 |
| interfaces_info         | [{"port_id": "aa212dc0-a9ff-46d7-b4fa-30fd4d050e54", |
|                         | "ip_address": "182.168.0.1", "subnet_id":            |
|                         | "a3b87f53-366f-4dc4-bd41-7fc0bfeda1c5"}]             |
...output omitted...
| name                    | demo-router                                          |
...output omitted...

Introduction to Floating IP Addresses

In OpenStack terminology, a floating IP address is an IP address allocated from a pool for a network marked as external. The floating IP address allocation pool is created at the same time as the external network. A floating IP address is a routable IP address that is publicly reachable. Floating IP addresses enable communication from the external network to the instance. Cloud users can associate a floating IP address with an instance after it is launched. After a floating IP address is associated with an instance, cloud users can manage it on the fly. They can, for example, disassociate the floating IP address and associate a new one. The OpenStack Networking service automatically updates the related entries, such as the routing rules, the ports, and the Netfilter rules.

When a floating IP address is disassociated, it becomes available in the pool of floating IP addresses allocated with the external network, and can be attached to another instance.

Note

In order to deallocate a floating IP address from a project, the IP address must be disassociated from an instance and released from the pool. When a floating IP is released, there is no guarantee that the same IP address will be allocated to the project again.

Floating IP addresses provide the following benefits:

  • Exposing a service running inside an instance, such as for a web server.

  • Managing security groups to create advanced network access management. Cloud users can allocate floating IP addresses to a pool of database servers and create rules to restrict access to the replication network.

  • Floating IP addresses can be dynamically associated and disassociated with instances, so cloud users can both provide and remove access to a public service in seconds.

  • A high-availability solution by programmatically interacting with the OpenStack networking service API to associate and disassociate floating IP addresses.

Managing Floating IP Addresses in OpenStack

In OpenStack, domain operators can allocate a specific floating IP, whereas cloud users can only create floating IP addresses that are randomly assigned. OpenStack reads the allocation pool specified during the creation of the subnet to determine the floating IP address to allocate. If a domain operator requests an explicit floating IP address that is already allocated or outside the allocation pool, OpenStack networking triggers an error. The OpenStack Networking service uses an internal database to maintain the state of the available and allocated floating IP addresses.

Red Hat OpenStack Platform allows cloud users to create a floating IP address that is selected randomly from the allocation pool of the external network. This floating IP address can then be associated with an instance. Use the openstack floating ip create command to create a floating IP address. Domain operators can use the --floating-ip-address option to create a specific floating IP address from an external network.

[root@demo ~(admin)]# openstack floating ip create provider-datacentre
+---------------------+----------------------------------------------------------+
| Field               | Value                                                    |
+---------------------+----------------------------------------------------------+
| created_at          | 2020-07-08T15:48:13Z                                     |
| description         |                                                          |
| dns_domain          |                                                          |
| dns_name            |                                                          |
| fixed_ip_address    | None                                                     |
| floating_ip_address | 172.25.250.118                                           |
| floating_network_id | ef95203b-7c9f-46c0-b328-e51aa7729798                     |
| id                  | e11c2ca1-4e94-4d74-8302-33442eed8e63                     |
| location            | Munch({'cloud': '', 'region_name': 'regionOne', 'zone':  |
|                     | None, 'project': Munch({'id':                            |
|                     | '3fe4ec06f5654a4d906a640d7f1a0457', 'name': 'finance',   |
|                     | 'domain_id': None, 'domain_name': 'Example'})})          |
| name                | 172.25.250.118                                           |
| port_details        | None                                                     |
| port_id             | None                                                     |
| project_id          | 3fe4ec06f5654a4d906a640d7f1a0457                         |
| qos_policy_id       | None                                                     |
| revision_number     | 0                                                        |
| router_id           | None                                                     |
| status              | DOWN                                                     |
| subnet_id           | None                                                     |
| tags                | []                                                       |
| updated_at          | 2020-07-08T15:48:13Z                                     |
+---------------------+----------------------------------------------------------+

To associate a floating IP address with an instance, run the openstack server add floating ip command.

[root@demo ~(admin)]# openstack server add floating ip \
> demo-instance 172.25.250.118

To list the floating IP addresses, use the openstack floating ip list command.

[root@demo ~(admin)]# openstack floating ip list -f json
[
  {
    "ID": "e11c2ca1-4e94-4d74-8302-33442eed8e63",
    "Floating IP Address": "172.25.250.118",
    "Fixed IP Address": "182.168.0.57",
    "Port": "24814a2e-0af7-45a1-9422-ebdf7a8a8724",
    "Floating Network": "ef95203b-7c9f-46c0-b328-e51aa7729798",
    "Project": "3fe4ec06f5654a4d906a640d7f1a0457"
  }
]

Another way to verify the floating IP address association is to use the openstack server list command to list the servers.

[root@demo ~(admin)]# openstack server list -f json
[
  {
    "ID": "ba8195e7-b64e-425a-b87e-058337ae0931",
    "Name": "demo-instance",
    "Status": "ACTIVE",
    "Networks": "demo-network=182.168.0.57, 172.25.250.118",
    "Image": "rhel8",
    "Flavor": "default"
  }
]
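
The following is an added example, not part of the original course material. It cross-references the two JSON listings above to inventory which instances are publicly reachable through a floating IP, which floating IPs are allocated but unassociated, and which are bound to a port that is not a listed server. It assumes the Networks field is the string form shown above; the function names and the extra sample records are constructed for illustration.

```python
import json

# Constructed sample input in the shape of the two listings above. The first
# record in each list is the one shown on this page; the rest are made up.
FLOATING_IPS = json.loads("""[
 {"ID": "e11c2ca1-4e94-4d74-8302-33442eed8e63",
  "Floating IP Address": "172.25.250.118", "Fixed IP Address": "182.168.0.57",
  "Port": "24814a2e-0af7-45a1-9422-ebdf7a8a8724"},
 {"ID": "constructed-1", "Floating IP Address": "172.25.250.130",
  "Fixed IP Address": null, "Port": null},
 {"ID": "constructed-2", "Floating IP Address": "172.25.250.131",
  "Fixed IP Address": "182.168.0.99", "Port": "constructed-port"}
]""")
SERVERS = json.loads("""[
 {"Name": "demo-instance", "Status": "ACTIVE",
  "Networks": "demo-network=182.168.0.57, 172.25.250.118"},
 {"Name": "internal-db", "Status": "ACTIVE",
  "Networks": "demo-network=182.168.0.62"}
]""")

def parse_networks(field):
    """Split 'net=ip, ip; net2=ip' (the Networks string) into a set of IPs."""
    addrs = set()
    for part in field.split(";"):
        _, _, ips = part.partition("=")
        addrs.update(ip.strip() for ip in ips.split(",") if ip.strip())
    return addrs

def exposure_report(servers, floating_ips):
    """Return (exposed, unassociated, unmatched) from the two listings."""
    by_addr = {}
    for srv in servers:
        for ip in parse_networks(srv["Networks"]):
            by_addr.setdefault(ip, []).append(srv["Name"])
    exposed, unassociated, unmatched = [], [], []
    for fip in floating_ips:
        public, fixed = fip["Floating IP Address"], fip["Fixed IP Address"]
        if fixed is None:
            unassociated.append(public)   # allocated to the project, attached to nothing
        elif public in by_addr:
            exposed.extend((name, public, fixed) for name in by_addr[public])
        else:
            unmatched.append(public)      # associated with a port no listed server owns
    return sorted(exposed), sorted(unassociated), sorted(unmatched)

if __name__ == "__main__":
    exposed, unassociated, unmatched = exposure_report(SERVERS, FLOATING_IPS)
    for name, public, fixed in exposed:
        print(f"PUBLIC   {name}: {public} -> {fixed}")
    for ip in unassociated:
        print(f"IDLE     {ip} (allocated, not associated)")
    for ip in unmatched:
        print(f"REVIEW   {ip} (associated, no matching server in listing)")
```

Against a live cloud, load the output of the two -f json commands shown above in place of the constants.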

Processing Network Packets

The layer 3 routing provides Network Address Translation (NAT) capabilities on the gateway to connect the router with the external network. The NAT router modifies the IP address of the sender in IP packets to enable hosts with private addresses to communicate with servers on the external network. The router supports floating IP addresses, which creates a static one-to-one mapping from a floating IP address on the external network to a private IP address on one of the other subnets attached to the router.

All distributed L3 routing traffic between compute nodes that traverses a virtual router goes directly to the compute nodes. It does not necessarily pass through the controller node over the ovn-tunnel.

A similar situation occurs when an instance with a floating IP address initiates traffic to the provider network and the packet reaches the router. The OpenFlow tables for the br-int bridge have flow rules that handle the source NAT for packet egress. The router applies the SNAT and uses the compute node's NIC through the specific provider network bridge. The OVN flow rules on br-int pass the packet across an L2 patch port to the provider network's interface on the compute host.

When an external client initiates a connection with a running instance with a floating IP, the packet reaches the Neutron system, which is the controller node in the diagram below. As you learned earlier, the OVN flow rules on br-int on every node will be updated to route the traffic correctly. In the diagram below, the external network is connected to eth2 on the compute node.

Figure 7.1: OVN logical flows

Managing Routers From the Dashboard

The following steps outline the process for managing routers in OpenStack using the Dashboard.

  • Log in to the Dashboard. On the Project tab, navigate to Network → Routers.

  • Click Create Router to create a new router. Give the router a name and click Create Router.

  • Click the name of the router to access its details. Click the Interfaces tab to manage the interfaces for the router.

  • Click Add Interface to add a new interface. Connect the router to a subnet by selecting it from the Subnet list, and then click Submit.

  • Click Delete Interface for each entry to disconnect the router from the subnet.

  • Click Set Gateway to define a gateway for the router. From the External Network list, select an external network and click Submit.

  • Click Clear Gateway on the Routers tab to remove the gateway. From the menu associated with the router, click Delete Router to delete the router.

Managing Floating IP Addresses Using the Dashboard

The following steps outline the process for managing floating IP addresses using the Dashboard.

  • Log in to the Dashboard and navigate to Network → Floating IPs. To create a new floating IP address, click Allocate IP To Project. The external network is automatically selected as the pool. Click Allocate IP to create the floating IP address.

  • To manage the association of a floating IP address to an instance, click Associate for the row of the floating IP address. When the Manage Floating IP Associations window opens, select the network port attached to the instance from the Port to be associated list. Click Associate.

  • To disassociate a floating IP address from an instance, navigate to Compute → Instances. Click the arrow next to the Create Snapshot button for the row of the instance and select Disassociate Floating IP. When the Confirm Disassociate Floating IP window opens, click Disassociate Floating IP.

  • To release a floating IP address from a project, click the Floating IPs tab in the Network menu. Click the arrow next to the Associate button for the row of the floating IP address and select Release Floating IP to return the floating IP address to the pool. When the Confirm Release Floating IP window opens, click Release Floating IP.

The Dashboard is a graphical way to see and create instances, networks, and routers. In the Dashboard, navigate to Project → Network → Network Topology.

Figure 7.2: Displaying the network topology

 

References

Additional information is available in the Networking Guide for Red Hat OpenStack Platform, at https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.0/html-single/networking_guide/

Revision: cl110-16.1-4c76154