Network Abstractions at Different Layers of the Stack

Mohammad Banikazemi
November 2013
IBM Research

Outline

• Network Abstractions at Different Layers
• Neutron: The OpenStack Networking
• Application-centric Abstractions for Neutron: Policy Extension Framework
• Application-centric Network Policies
• Conclusion

Different Layers

• Neutron is the OpenStack networking
• Higher layers consume networking resources through the Neutron API
• Lower layers realize these networking resources through a pluggable architecture

[Diagram labels: App (x4), Cloud Orchestrator, Heat, Nova, Neutron, Network Controller]

Abstractions at Higher Layers

• Simple and application centric
• Non-network centric: interested in the needed network functions and not how they are realized

[Diagram labels: Tier 1, Tier 2, Tier 3, External Network, Internet, Firewall, Load Balancer, QoS]

Abstractions in Lower Layers

• Network centric
• Device oriented (switches/routers)
• Topology aware
• Packet forwarding/routing, path computation
• No standard northbound API

* M. Banikazemi, D. Olshefski, A. Shaikh, J. Tracey, and G. Wang, Meridian: An SDN Platform for Cloud Network Services, IEEE Communications Magazine, Feb

Neutron: A Quantum Approach

• Defines a minimal set of interfaces required for setting up networks for users
  • network: isolated layer-2 broadcast domain; private/shared
  • subnet: CIDR IP address block associated with a network; optionally associated gateway, DNS/DHCP servers
  • port: virtual switch port on a network; has MAC and IP address properties
• Extendable

[Diagram labels: Network, Subnet, Port]

Neutron Expansion through Extensions

• Physical networks
• Layer 3 networking
• Layers 4-7 services

[Diagram labels: Router; NAT, Floating IP; Network; Provider Network; Multi-Provider Network; Subnet; Port Binding; LBaaS, FWaaS, VPNaaS; Port; Security Group]

Neutron: The 3-tier App Example

• One possible implementation using a single router

[Diagram labels: External Network, Router, Network/subnet (x3), Port]

Realizing the Application

Consider part of the 3-tier app:
[Diagram labels: GROUP:Inet, FW, LB, GROUP:WEB]

(Not including calls for creation of Security Groups, FW and LB)

# External network and its subnet
neutron net-create inet --router:external=True
neutron subnet-create inet 172.16.1.0/24 --disable-dhcp --name inet
# Web tier network and its subnet
neutron net-create web
neutron subnet-create web 10.0.0.0/24 --name web
# Router joining the web subnet to the external network
neutron router-create router1
neutron router-interface-add router1 web
neutron router-gateway-set router1 inet

The Problem

• Neutron abstractions are closer to physical devices
• Not easily understood and consumed by higher layers and users
• The Policy Extension Framework adds application-centric abstractions to Neutron

Neutron: Policy Extension Framework

• Basic abstractions we need:
  • Connectivity Groups: grouping of endpoints
  • Policy: specifying the network functions governing connectivity of these groups
• Extending the current Neutron object model
  • Using the existing Neutron resources

* Icehouse Design Summit Session (IBM and Cisco joint proposal): "Group-based Policy Abstractions" aka "Connectivity Group Extension API" or "Policy Extension Framework"

Policy Extension Framework

• Simple, application-oriented network model

group: logical grouping of VMs
  • traditional: MAC, IP, port
  • abstract/cloud: virtual network, application group

policy:
  • between pairs of groups
  • establish communication
  • attach properties to the communication
  • e.g., ACLs, middleboxes, QoS, reliability, etc.

Policy Rules and Policy Sets

• Policy: made of Policy Rules
• Policy Rule: applies actions to selected network traffic
• Policy Set: an aggregation of policies; can represent an application pattern

Policyrule
  Traffic: Http
  Action: Allow

Policyset
  Policies: [policy_web, policy_db]

Policy: The Hierarchy

[Diagram labels: Policy Set, Policy, Connectivity Groups (Source & Destination), Policy Rules, Policy Rule, Traffic Classifier, Action]

Policy Rule: Action Types

• Basic connectivity
• ACL
• Service chaining (Middleboxes)
  • List of services
  • Neutron services (*aaS) and/or other services
  • Service configuration
• QoS and Monitoring
• Logical middleboxes

Proposed Neutron CLI

[Diagram labels: GROUP:Inet, GROUP:WEB, Policy:Web, FW1, LB1]

neutron connectivitygroup-create inet --external
neutron connectivitygroup-create web
neutron policy-rule-create policyrule-web --protocol http,https --action fw1,lb1
neutron policy-create policy-web-ingress --policy-endpoints inet,web --policyrule policyrule-web

The 3-tier App Example: Revisited

[Diagram labels: GROUP:Inet, GROUP:Web, GROUP:LOGIC, GROUP:DB, Policy:Web, Policy:DB]

Heat Template Sketch for 3-tier App

cg_inet:
  Type: OS::Neutron::connectivity_group
  Properties:
    endpoints: {"inet"}
    configuration: "external"

cg_web:
  Type: OS::Neutron::connectivity_group
  Properties:
    endpoints: {"webserver1", "webserver2", "webserver3"}

Policy_web_ingress:
  Type: OS::Neutron::policy
  Properties:
    connectivity_groups: {"cg_inet", "cg_web"}
    Policy_rules: ["policy_rule_web"]

Policy_rule_web:
  Type: OS::Neutron::policy_rule
  Properties:
    traffic_spec:
      ports: 80,443
      protocol: "tcp"
    action_type:
      service_chain: {FW1, LB1}
      service_conf: {}

• Endpoints:
  • Current Neutron resources
  • Neutron resource creation can be explicit or implicit; can be automated at higher layers
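
The group, policy rule and policy objects in the sketch above can be modelled as a small flow evaluator; this is an added example, not part of the slides and not Neutron or Heat code. The class and function names are hypothetical, and two behaviours are assumptions the slides do not state: a flow that matches no policy rule is denied, and a policy applies only in the source-to-destination direction.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    """Traffic classifier plus action (here: an ordered service chain)."""
    name: str
    protocol: str
    ports: frozenset
    service_chain: tuple

    def matches(self, protocol, port):
        return protocol == self.protocol and port in self.ports


@dataclass(frozen=True)
class Policy:
    """Policy between a pair of connectivity groups, referenced by name."""
    name: str
    src_group: str
    dst_group: str
    rules: tuple


def group_of(endpoint, groups):
    """Return the name of the group holding `endpoint`, or None."""
    owners = [name for name, members in groups.items() if endpoint in members]
    if len(owners) > 1:
        # Ambiguous membership would make the applicable policy undefined.
        raise ValueError(f"{endpoint!r} belongs to several groups: {owners}")
    return owners[0] if owners else None


def evaluate(policies, groups, src_ep, dst_ep, protocol, port):
    """Return the service chain a flow must traverse, or None if denied.

    Assumption: default deny. Endpoints outside every group, group pairs
    without a policy, and unmatched traffic all yield None.
    """
    src, dst = group_of(src_ep, groups), group_of(dst_ep, groups)
    if src is None or dst is None:
        return None
    for policy in policies:
        # Assumption: policies are directional (source -> destination).
        if (policy.src_group, policy.dst_group) != (src, dst):
            continue
        for rule in policy.rules:
            if rule.matches(protocol, port):
                return list(rule.service_chain)
    return None


# Constructed sample data mirroring the Heat template sketch.
GROUPS = {
    "cg_inet": {"inet"},
    "cg_web": {"webserver1", "webserver2", "webserver3"},
}
POLICY_RULE_WEB = PolicyRule(
    "policy_rule_web", "tcp", frozenset({80, 443}), ("FW1", "LB1")
)
POLICY_SET = [
    Policy("policy_web_ingress", "cg_inet", "cg_web", (POLICY_RULE_WEB,))
]


def demo():
    """Evaluate a few constructed flows, then grow the web group."""
    results = {
        "https_in": evaluate(POLICY_SET, GROUPS, "inet", "webserver1", "tcp", 443),
        "ssh_in": evaluate(POLICY_SET, GROUPS, "inet", "webserver1", "tcp", 22),
        "reverse": evaluate(POLICY_SET, GROUPS, "webserver1", "inet", "tcp", 443),
        "unknown": evaluate(POLICY_SET, GROUPS, "inet", "webserver4", "tcp", 80),
    }
    # Adding an endpoint to the group changes the outcome while the
    # policy itself stays untouched.
    groups = {name: set(members) for name, members in GROUPS.items()}
    groups["cg_web"].add("webserver4")
    results["after_update"] = evaluate(
        POLICY_SET, groups, "inet", "webserver4", "tcp", 80
    )
    return results


if __name__ == "__main__":
    for flow, chain in demo().items():
        print(f"{flow}: {chain}")
```
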

Extending Heat

• Expanding the role of Heat
• Open Specifications: TOSCA

[Diagram labels: Software Orchestration, Infrastructure Orchestration, Heat, Nova, Cinder, Neutron]

Application-centric Network Services

• With the basic abstractions in place, we can build on how networking resources are used
• Provide interesting application-centric functionalities
• Let us look at a few example use cases

Dynamic Updates

• Updating the Connectivity Group will also notify components of the associated policy

Logical Middlebox: Monitoring

• Monitoring defined as policy
• Collecting network specific statistics for applications
• Aggregate based on flows, endpoint, groups of endpoints, applications
• Feeds to the comprehensive closed-loop processing

Closed-loop Processing

• Standard MAPE (Monitor, Analyze, Plan, Execute) model with application-centric network monitoring
  • Application specifies the service level required
  • Application publishes the service level it is experiencing
  • If service level is not met, application level monitoring data is analyzed
  • If the problem is deemed to be network related, actions are taken by modifying the network policies
    • Rerouting paths
    • Bandwidth reservation and throttling

Topology Based Policies

• Network controllers provide a wide selection of topology related information and features
• Make those available at higher layers through policies
  • Colocation/Anti-colocation for network routes
  • Non-overlapping routes
  • Asymmetric routes
  • Separate routes on each direction
  • Network hop-count limit

Beyond Single Tenant Policies

• The policy extension is defined for a given tenant
• Can be extended such that network functions can be provided by a tenant to one or more tenants and/or external users
• Requires setting up the networks across tenants
• Admin based vs. tenant centric

Conclusion

• Different abstractions are useful at different layers
• OpenStack Networking needs to be able to support and use these
• The framework for new application-centric network abstractions being proposed
• Let us discuss the details at the design session "Connectivity Group Extension" ("Group-based Policy Abstractions for Neutron") on Friday Nov. 8th @ 3:10pm

Acknowledgement

• Anees Shaikh
• David Olshefski and John Tracey
• Marcio Silva

Thank You

* Photo credit: wikiHow

Mais conteúdo relacionado

Mais procurados

Enabling active flow manipulation in silicon-based network forwarding engines
Enabling active flow manipulation in silicon-based network forwarding enginesEnabling active flow manipulation in silicon-based network forwarding engines
Enabling active flow manipulation in silicon-based network forwarding enginesTal Lavian Ph.D.
 
2014 IEEE DOTNET DATA MINING PROJECT Converged architecture for broadcast and...
2014 IEEE DOTNET DATA MINING PROJECT Converged architecture for broadcast and...2014 IEEE DOTNET DATA MINING PROJECT Converged architecture for broadcast and...
2014 IEEE DOTNET DATA MINING PROJECT Converged architecture for broadcast and...IEEEMEMTECHSTUDENTSPROJECTS
 
E-MICE: Energy-Efficient Concurrent Exploitation of Multiple Wi-Fi Radios
E-MICE: Energy-Efficient Concurrent Exploitation of Multiple Wi-Fi RadiosE-MICE: Energy-Efficient Concurrent Exploitation of Multiple Wi-Fi Radios
E-MICE: Energy-Efficient Concurrent Exploitation of Multiple Wi-Fi RadiosUniversitasGadjahMada
 
Performance evaluation of qos in
Performance evaluation of qos inPerformance evaluation of qos in
Performance evaluation of qos incaijjournal
 
NEW TECHNOLOGY FOR MACHINE TO MACHINE COMMUNICATION IN SOFTNET TOWARDS 5G
NEW TECHNOLOGY FOR MACHINE TO MACHINE COMMUNICATION IN SOFTNET TOWARDS 5GNEW TECHNOLOGY FOR MACHINE TO MACHINE COMMUNICATION IN SOFTNET TOWARDS 5G
NEW TECHNOLOGY FOR MACHINE TO MACHINE COMMUNICATION IN SOFTNET TOWARDS 5Gijwmn
 
Efficient P2P data dissemination in integrated optical and wireless networks ...
Efficient P2P data dissemination in integrated optical and wireless networks ...Efficient P2P data dissemination in integrated optical and wireless networks ...
Efficient P2P data dissemination in integrated optical and wireless networks ...TELKOMNIKA JOURNAL
 
method for enhancement of coexistence between e gsm and cdma systems in borde...
method for enhancement of coexistence between e gsm and cdma systems in borde...method for enhancement of coexistence between e gsm and cdma systems in borde...
method for enhancement of coexistence between e gsm and cdma systems in borde...INFOGAIN PUBLICATION
 
ViPMesh
ViPMeshViPMesh
ViPMeshNimi T
 
Ijartes v1-i3-001
Ijartes v1-i3-001Ijartes v1-i3-001
Ijartes v1-i3-001IJARTES
 
International Journal on AdHoc Networking Systems (IJANS)
International Journal on AdHoc Networking Systems (IJANS)International Journal on AdHoc Networking Systems (IJANS)
International Journal on AdHoc Networking Systems (IJANS)pijans
 
Load balancing in_5_g_networks
Load balancing in_5_g_networksLoad balancing in_5_g_networks
Load balancing in_5_g_networksCatherineProtas
 
Group 7.3 - Infrastructure Design
Group 7.3 - Infrastructure DesignGroup 7.3 - Infrastructure Design
Group 7.3 - Infrastructure DesignKweku Ocran
 
Experimental assessment of abno driven multicast connectivity in flexgrid net...
Experimental assessment of abno driven multicast connectivity in flexgrid net...Experimental assessment of abno driven multicast connectivity in flexgrid net...
Experimental assessment of abno driven multicast connectivity in flexgrid net...ieeepondy
 
BACnet Networking Guide
BACnet Networking GuideBACnet Networking Guide
BACnet Networking GuideRich Johnson
 
Network Topologies
Network Topologies Network Topologies
Network Topologies Ali Haider
 

Mais procurados (18)

Enabling active flow manipulation in silicon-based network forwarding engines
Enabling active flow manipulation in silicon-based network forwarding enginesEnabling active flow manipulation in silicon-based network forwarding engines
Enabling active flow manipulation in silicon-based network forwarding engines
 
2014 IEEE DOTNET DATA MINING PROJECT Converged architecture for broadcast and...
2014 IEEE DOTNET DATA MINING PROJECT Converged architecture for broadcast and...2014 IEEE DOTNET DATA MINING PROJECT Converged architecture for broadcast and...
2014 IEEE DOTNET DATA MINING PROJECT Converged architecture for broadcast and...
 
Self Organizing Network
Self Organizing NetworkSelf Organizing Network
Self Organizing Network
 
A dhoc networks
A dhoc networksA dhoc networks
A dhoc networks
 
E-MICE: Energy-Efficient Concurrent Exploitation of Multiple Wi-Fi Radios
E-MICE: Energy-Efficient Concurrent Exploitation of Multiple Wi-Fi RadiosE-MICE: Energy-Efficient Concurrent Exploitation of Multiple Wi-Fi Radios
E-MICE: Energy-Efficient Concurrent Exploitation of Multiple Wi-Fi Radios
 
Performance evaluation of qos in
Performance evaluation of qos inPerformance evaluation of qos in
Performance evaluation of qos in
 
NEW TECHNOLOGY FOR MACHINE TO MACHINE COMMUNICATION IN SOFTNET TOWARDS 5G
NEW TECHNOLOGY FOR MACHINE TO MACHINE COMMUNICATION IN SOFTNET TOWARDS 5GNEW TECHNOLOGY FOR MACHINE TO MACHINE COMMUNICATION IN SOFTNET TOWARDS 5G
NEW TECHNOLOGY FOR MACHINE TO MACHINE COMMUNICATION IN SOFTNET TOWARDS 5G
 
Heterogeneous Network Project Topics
Heterogeneous Network Project TopicsHeterogeneous Network Project Topics
Heterogeneous Network Project Topics
 
Efficient P2P data dissemination in integrated optical and wireless networks ...
Efficient P2P data dissemination in integrated optical and wireless networks ...Efficient P2P data dissemination in integrated optical and wireless networks ...
Efficient P2P data dissemination in integrated optical and wireless networks ...
 
method for enhancement of coexistence between e gsm and cdma systems in borde...
method for enhancement of coexistence between e gsm and cdma systems in borde...method for enhancement of coexistence between e gsm and cdma systems in borde...
method for enhancement of coexistence between e gsm and cdma systems in borde...
 
ViPMesh
ViPMeshViPMesh
ViPMesh
 
Ijartes v1-i3-001
Ijartes v1-i3-001Ijartes v1-i3-001
Ijartes v1-i3-001
 
International Journal on AdHoc Networking Systems (IJANS)
International Journal on AdHoc Networking Systems (IJANS)International Journal on AdHoc Networking Systems (IJANS)
International Journal on AdHoc Networking Systems (IJANS)
 
Load balancing in_5_g_networks
Load balancing in_5_g_networksLoad balancing in_5_g_networks
Load balancing in_5_g_networks
 
Group 7.3 - Infrastructure Design
Group 7.3 - Infrastructure DesignGroup 7.3 - Infrastructure Design
Group 7.3 - Infrastructure Design
 
Experimental assessment of abno driven multicast connectivity in flexgrid net...
Experimental assessment of abno driven multicast connectivity in flexgrid net...Experimental assessment of abno driven multicast connectivity in flexgrid net...
Experimental assessment of abno driven multicast connectivity in flexgrid net...
 
BACnet Networking Guide
BACnet Networking GuideBACnet Networking Guide
BACnet Networking Guide
 
Network Topologies
Network Topologies Network Topologies
Network Topologies
 

Semelhante a Mb openstack-nov2013v7

Neutron Networking: Service Groups, Policies and Chains
Neutron Networking: Service Groups, Policies and ChainsNeutron Networking: Service Groups, Policies and Chains
Neutron Networking: Service Groups, Policies and ChainsDaniel Krook
 
Docker meetup oct14
Docker meetup   oct14Docker meetup   oct14
Docker meetup oct14Vipin Jain
 
Configurable Monitoring For Multi-Domain Networks
Configurable Monitoring For Multi-Domain NetworksConfigurable Monitoring For Multi-Domain Networks
Configurable Monitoring For Multi-Domain NetworksIJMER
 
Systems and network architectures
Systems and network architecturesSystems and network architectures
Systems and network architecturescsk selva
 
Towards a Framework for Monitoring and Analyzing QoS Metrics of Grid Services
Towards a Framework for Monitoring and Analyzing QoS Metrics of Grid ServicesTowards a Framework for Monitoring and Analyzing QoS Metrics of Grid Services
Towards a Framework for Monitoring and Analyzing QoS Metrics of Grid ServicesHong-Linh Truong
 
Internet ttraffic monitering anomalous behiviour detection
Internet ttraffic monitering anomalous behiviour detectionInternet ttraffic monitering anomalous behiviour detection
Internet ttraffic monitering anomalous behiviour detectionGyan Prakash
 
ESTABLISHMENT OF VIRTUAL POLICY BASED NETWORK MANAGEMENT SCHEME BY LOAD EXPER...
ESTABLISHMENT OF VIRTUAL POLICY BASED NETWORK MANAGEMENT SCHEME BY LOAD EXPER...ESTABLISHMENT OF VIRTUAL POLICY BASED NETWORK MANAGEMENT SCHEME BY LOAD EXPER...
ESTABLISHMENT OF VIRTUAL POLICY BASED NETWORK MANAGEMENT SCHEME BY LOAD EXPER...IJCNCJournal
 
IRJET- Comparative Study on Embedded Feature Selection Techniques for Interne...
IRJET- Comparative Study on Embedded Feature Selection Techniques for Interne...IRJET- Comparative Study on Embedded Feature Selection Techniques for Interne...
IRJET- Comparative Study on Embedded Feature Selection Techniques for Interne...IRJET Journal
 
Final PhD Defense Presentation
Final PhD Defense PresentationFinal PhD Defense Presentation
Final PhD Defense PresentationDr Piyush Charan
 
Current issues - International Journal of Network Security & Its Applications...
Current issues - International Journal of Network Security & Its Applications...Current issues - International Journal of Network Security & Its Applications...
Current issues - International Journal of Network Security & Its Applications...IJNSA Journal
 
Research Challenges and Opportunities in the Era of the Internet of Everythin...
Research Challenges and Opportunities in the Era of the Internet of Everythin...Research Challenges and Opportunities in the Era of the Internet of Everythin...
Research Challenges and Opportunities in the Era of the Internet of Everythin...Stenio Fernandes
 
Efficiency Management in P2P Systems - 2007
Efficiency Management in P2P Systems - 2007Efficiency Management in P2P Systems - 2007
Efficiency Management in P2P Systems - 2007Kalman Graffi
 
SELF-ORGANIZATION AND AUTONOMOUS NETWORK SURVEY
SELF-ORGANIZATION AND AUTONOMOUS NETWORK SURVEYSELF-ORGANIZATION AND AUTONOMOUS NETWORK SURVEY
SELF-ORGANIZATION AND AUTONOMOUS NETWORK SURVEYIJNSA Journal
 
Network Simulators Comparison Research Help
Network Simulators Comparison Research HelpNetwork Simulators Comparison Research Help
Network Simulators Comparison Research HelpMatlab Simulation
 

Semelhante a Mb openstack-nov2013v7 (20)

Neutron Networking: Service Groups, Policies and Chains
Neutron Networking: Service Groups, Policies and ChainsNeutron Networking: Service Groups, Policies and Chains
Neutron Networking: Service Groups, Policies and Chains
 
Docker meetup oct14
Docker meetup   oct14Docker meetup   oct14
Docker meetup oct14
 
Netkit
NetkitNetkit
Netkit
 
Configurable Monitoring For Multi-Domain Networks
Configurable Monitoring For Multi-Domain NetworksConfigurable Monitoring For Multi-Domain Networks
Configurable Monitoring For Multi-Domain Networks
 
TFI2014 Session I - State of SDN - Scott Sneddon
TFI2014 Session I - State of SDN - Scott SneddonTFI2014 Session I - State of SDN - Scott Sneddon
TFI2014 Session I - State of SDN - Scott Sneddon
 
Middleware para IoT basado en analítica de datos
Middleware para IoT basado en analítica de datosMiddleware para IoT basado en analítica de datos
Middleware para IoT basado en analítica de datos
 
Systems and network architectures
Systems and network architecturesSystems and network architectures
Systems and network architectures
 
Towards a Framework for Monitoring and Analyzing QoS Metrics of Grid Services
Towards a Framework for Monitoring and Analyzing QoS Metrics of Grid ServicesTowards a Framework for Monitoring and Analyzing QoS Metrics of Grid Services
Towards a Framework for Monitoring and Analyzing QoS Metrics of Grid Services
 
Internet ttraffic monitering anomalous behiviour detection
Internet ttraffic monitering anomalous behiviour detectionInternet ttraffic monitering anomalous behiviour detection
Internet ttraffic monitering anomalous behiviour detection
 
ESTABLISHMENT OF VIRTUAL POLICY BASED NETWORK MANAGEMENT SCHEME BY LOAD EXPER...
ESTABLISHMENT OF VIRTUAL POLICY BASED NETWORK MANAGEMENT SCHEME BY LOAD EXPER...ESTABLISHMENT OF VIRTUAL POLICY BASED NETWORK MANAGEMENT SCHEME BY LOAD EXPER...
ESTABLISHMENT OF VIRTUAL POLICY BASED NETWORK MANAGEMENT SCHEME BY LOAD EXPER...
 
IRJET- Comparative Study on Embedded Feature Selection Techniques for Interne...
IRJET- Comparative Study on Embedded Feature Selection Techniques for Interne...IRJET- Comparative Study on Embedded Feature Selection Techniques for Interne...
IRJET- Comparative Study on Embedded Feature Selection Techniques for Interne...
 
Final PhD Defense Presentation
Final PhD Defense PresentationFinal PhD Defense Presentation
Final PhD Defense Presentation
 
Current issues - International Journal of Network Security & Its Applications...
Current issues - International Journal of Network Security & Its Applications...Current issues - International Journal of Network Security & Its Applications...
Current issues - International Journal of Network Security & Its Applications...
 
Unit 4 for PG PAWSN
Unit 4 for PG PAWSNUnit 4 for PG PAWSN
Unit 4 for PG PAWSN
 
Research Challenges and Opportunities in the Era of the Internet of Everythin...
Research Challenges and Opportunities in the Era of the Internet of Everythin...Research Challenges and Opportunities in the Era of the Internet of Everythin...
Research Challenges and Opportunities in the Era of the Internet of Everythin...
 
Camp finall
Camp finallCamp finall
Camp finall
 
Efficiency Management in P2P Systems - 2007
Efficiency Management in P2P Systems - 2007Efficiency Management in P2P Systems - 2007
Efficiency Management in P2P Systems - 2007
 
DNIS in SRC
DNIS in SRCDNIS in SRC
DNIS in SRC
 
SELF-ORGANIZATION AND AUTONOMOUS NETWORK SURVEY
SELF-ORGANIZATION AND AUTONOMOUS NETWORK SURVEYSELF-ORGANIZATION AND AUTONOMOUS NETWORK SURVEY
SELF-ORGANIZATION AND AUTONOMOUS NETWORK SURVEY
 
Network Simulators Comparison Research Help
Network Simulators Comparison Research HelpNetwork Simulators Comparison Research Help
Network Simulators Comparison Research Help
 

Último

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Último (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Mb openstack-nov2013v7

  • 1. Network Abstractions at Different Layers of the Stack Mohammad Banikazemi November 2013 IBM Research
  • 2. Outline. Network Abstractions at Different Layers; Neutron: The OpenStack Networking; Application-centric Abstractions for Neutron: Policy Extension Framework; Application-centric Network Policies; Conclusion
  • 3. Different Layers. Neutron is the OpenStack networking. Higher layers consume networking resources through the Neutron API. Lower layers realize these networking resources through a pluggable architecture. [Diagram: App, App, App, App; Cloud Orchestrator; Heat; Nova; Neutron; Network Controller]
  • 4. Abstractions at Higher Layers. Simple and application centric. Non-network centric: interested in the needed network functions and not how they are realized. [Diagram: Tier 1; Tier 2; Tier 3; External Network; Internet; Firewall; Load Balancer; QoS]
  • 5. Abstractions in Lower Layers. Network centric; device oriented (switches/routers); topology aware; packet forwarding/routing, path computation; no standard northbound API. * M. Banikazemi, D. Olshefski, A. Shaikh, J. Tracey, and G. Wang, Meridian: An SDN Platform for Cloud Network Services, IEEE Communications Magazine, Feb
  • 6. Neutron: A Quantum Approach. Defines a minimal set of interfaces required for setting up networks for users. Network: isolated layer-2 broadcast domain; private/shared. Subnet: CIDR IP address block associated with a network; optionally associated gateway, DNS/DHCP servers. Port: virtual switch port on a network; has MAC and IP address properties. Extendable.
  • 7. Neutron Expansion through Extensions. Physical networks; Layer 3 networking; Layers 4-7 services. [Diagram: Router; NAT, Floating IP; Network; Provider Network; Multi-Provider Network; Subnet; Port Binding; LBaaS, FWaaS, VPNaaS; Port; Security Group]
  • 8. Neutron: The 3-tier App Example. One possible implementation using a single router. [Diagram: External Network; Router; Network/subnet; Network/subnet; Network/subnet; Port]
  • 9. Realizing the Application. Consider part of the 3-tier app [Diagram: GROUP:WEB; GROUP:Inet; FW; LB] (not including calls for creation of Security Groups, FW and LB):
        # external network and its subnet
        neutron net-create inet --router:external=True
        neutron subnet-create inet 172.16.1.0/24 --disable-dhcp --name inet
        # web tier network and its subnet
        neutron net-create web
        neutron subnet-create web 10.0.0.0/24 --name web
        # router joining the web subnet to the external network
        neutron router-create router1
        neutron router-interface-add router1 web
        neutron router-gateway-set router1 inet
  • 10. The Problem. Neutron abstractions are closer to physical devices. Not easily understood and consumed by higher layers and users. The Policy Extension Framework adds application-centric abstractions to Neutron.
  • 11. Neutron: Policy Extension Framework. Basic abstractions we need: Connectivity Groups (grouping of endpoints); Policy (specifying the network functions governing connectivity of these groups). Extending the current Neutron object model. Using the existing Neutron resources. * Icehouse Design Summit Session (IBM and Cisco joint proposal): "Group-based Policy Abstractions" aka "Connectivity Group Extension API" or "Policy Extension Framework"
  • 12. Policy Extension Framework. Simple, application-oriented network model. Group: logical grouping of VMs (traditional: MAC, IP, port; abstract/cloud: virtual network, application group). Policy: between pairs of groups; establish communication; attach properties to the communication, e.g., ACLs, middleboxes, QoS, reliability, etc.
  • 13. Policy Rules and Policy Sets. Policy: made of Policy Rules. Policy Rule: applies actions to selected net traffic. Policy Set: an aggregation of policies; can represent an application pattern. [Diagram: Policy rule (Traffic: Http; Action: Allow); Policy set (Policies: [policy_web, policy_db])]
  • 14. Policy: The Hierarchy. [Diagram: Policy Set; Policy; Connectivity Groups (Source & Destination); Policy Rules; Policy Rule; Traffic Classifier; Action]
  • 15. Policy Rule: Action Types. Basic connectivity; ACL; service chaining (middleboxes): list of services, Neutron services (*aaS) and/or other services, service configuration; QoS and monitoring; logical middleboxes.
  • 16. Proposed Neutron CLI. [Diagram: GROUP:WEB; Policy:Web; GROUP:Inet; FW1; LB1]
        neutron connectivitygroup-create inet --external
        neutron connectivitygroup-create web
        neutron policy-rule-create policyrule-web --protocol http,https --action fw1,lb1
        neutron policy-create policy-web-ingress --policy-endpoints inet,web --policyrule policyrule-web
  • 17. The 3-tier App Example: Revisited. [Diagram: GROUP:LOGIC; GROUP:Web; Policy:Web; Policy:DB; GROUP:DB; GROUP:Inet]
  • 18. Heat Template Sketch for 3-tier App.
        Policy_web_ingress:
          Type: OS::Neutron::policy
          Properties:
            connectivity_groups: {"cg_inet", "cg_web"}
            Policy_rules: ["policy_rule_web"]
        Policy_rule_web:
          Type: OS::Neutron::policy_rule
          Properties:
            traffic_spec:
              ports: 80,443
              protocol: "tcp"
            action_type:
              service_chain: {FW1, LB1}
              service_conf: {}
        cg_inet:
          Type: OS::Neutron::connectivity_group
          Properties:
            endpoints: {"inet"}
            configuration: "external"
        cg_web:
          Type: OS::Neutron::connectivity_group
          Properties:
            endpoints: {"webserver1", "webserver2", "webserver3"}
      Endpoints: current Neutron resources. Neutron resource creation can be explicit or implicit; can be automated at higher layers.
  • 19. Extending Heat. Expanding the role of Heat. Open Specifications: TOSCA. [Diagram: Software Orchestration; Infrastructure Orchestration; Heat; Nova; Cinder; Neutron]
  • 20. Application-centric Network Services. With the basic abstractions in place, we can build on how networking resources are used. Provide interesting application-centric functionalities. Let us look at a few example use cases.
  • 21. Dynamic Updates. Updating the Connectivity Group will also notify components of the associated policy.
  • 22. Logical Middlebox: Monitoring. Monitoring defined as policy. Collecting network-specific statistics for applications. Aggregate based on flows, endpoint, groups of endpoints, applications. Feeds to the comprehensive closed-loop processing.
  • 23. Closed-loop Processing. Standard MAPE (Monitor, Analyze, Plan, Execute) model with application-centric network monitoring. Application specifies the service level required. Application publishes the service level it is experiencing. If service level is not met, application level monitoring data is analyzed. If the problem is deemed to be network related, actions are taken by modifying the network policies: rerouting paths; bandwidth reservation and throttling.
  • 24. Topology Based Policies. Network controllers provide a wide selection of topology related information and features. Make those available at higher layers through policies: colocation/anti-colocation for network routes; non-overlapping routes; asymmetric routes; separate routes on each direction; network routes hop-count limit.
  • 25. Beyond Single Tenant Policies. The policy extension is defined for a given tenant. Can be extended such that network functions can be provided by a tenant to one or more tenants and/or external users. Requires setting up the networks across tenants. Admin based vs. tenant centric.
  • 26. Conclusion. Different abstractions are useful at different layers. OpenStack Networking needs to be able to support and use these. The framework for new application-centric network abstractions is being proposed. Let us discuss the details at the design session "Connectivity Group Extension" ("Group-based Policy Abstractions for Neutron") on Friday Nov. 8th @ 3:10pm
  • 27. Acknowledgement. Anees Shaikh; David Olshefski and John Tracey; Marcio Silva
  • 28. Thank You. * Photo credit: wikiHow
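
The policy model from slides 13 to 16 and the Heat sketch on slide 18, as an added Python example that is not part of the original deck and is not Neutron code: it decides whether a flow between two endpoints is permitted and which service chain it must traverse. The class names, the `evaluate` function, the default-deny, direction and first-match semantics, and the `cg_db`/`db1` tier are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ConnectivityGroup:
    name: str
    endpoints: frozenset      # names of existing Neutron resources

@dataclass(frozen=True)
class PolicyRule:
    name: str
    protocol: str             # traffic classifier: L4 protocol
    ports: frozenset          # traffic classifier: destination ports
    service_chain: tuple      # action: ordered services to traverse

    def matches(self, protocol, port):
        return protocol == self.protocol and port in self.ports

@dataclass(frozen=True)
class Policy:
    name: str
    source: ConnectivityGroup
    destination: ConnectivityGroup
    rules: tuple

def evaluate(policies, src, dst, protocol, port):
    """Return the service chain for a flow, or None when nothing allows it.

    Assumptions (not stated on the slides): a flow is denied unless a
    policy between its groups has a matching rule, a policy applies only
    from source to destination, and the first matching rule wins.
    """
    for policy in policies:
        if src in policy.source.endpoints and dst in policy.destination.endpoints:
            for rule in policy.rules:
                if rule.matches(protocol, port):
                    return rule.service_chain
    return None

# Constructed sample data, named after slides 16 and 18.
cg_inet = ConnectivityGroup("cg_inet", frozenset({"inet"}))
cg_web = ConnectivityGroup(
    "cg_web", frozenset({"webserver1", "webserver2", "webserver3"}))
cg_db = ConnectivityGroup("cg_db", frozenset({"db1"}))  # hypothetical DB tier
rule_web = PolicyRule("policy_rule_web", "tcp", frozenset({80, 443}), ("FW1", "LB1"))
POLICIES = (Policy("policy_web_ingress", cg_inet, cg_web, (rule_web,)),)
```

Under these assumptions, adding an endpoint to `cg_web` is enough for it to inherit the firewall and load balancer chain, while `db1` stays unreachable from `inet` until a policy names `cg_db`.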

Editor's Notes

  1. 1- Neutron is the OpenStack networking layer. 2- Higher layers … 3- Lower layers … Before we look at Neutron abstraction, let's look at other layers.
  2. Now, let us focus on Neutron and see what abstractions it provides
  3. ---- physical network / device oriented
       Physical data center structure
       provider network
       Layer 3 networking (router)
       NAT
       floating IPs (for externally accessible services)
     ---- modeled after Amazon VPC
       Security groups
       access control rules for ingress / egress traffic on Neutron ports
     ---- vendor device models
       L4 – L7 services
       load balancer as a service (LBaaS)
       other service APIs being developed (firewall, VPN, …)