This document discusses network policy abstractions in Neutron called Group Policy. It outlines the current network-centric Neutron API and proposes new abstractions including endpoint groups, contracts between groups, and policy rules defining network access. A proof-of-concept implementation separates concerns by allowing administrators to define contracts while users work with application-oriented groups and contracts. Future directions include integrating with network services and advanced policy frameworks.
3. Networking in the Cloud
❖ Current API: network centric
❖ Need a more application centric set of abstractions as well
❖ More easily understood/utilized by higher layers
❖ Declarative model
❖ Separation of concerns
4. Desired Features
❖ Provide policy-based connectivity between application tiers
❖ Support dynamic application of policies
❖ Redirection to Network services and chains
❖ Policies defined by administrators and users
5. Current Neutron API
❖ Network centric, close to physical devices
❖ Network: isolated layer-2 broadcast domain; private/shared
❖ Subnet: CIDR IP address block associated with a network; optionally associated with gateway, DNS/DHCP servers
❖ Port: virtual switch port on a network; has MAC and IP address properties
❖ Router: connects networks, supports SNAT
6. Example: Multi Tier Apps
[Diagram: a three-tier application (Web, Application and DB tiers) reached from the External Network (Internet) through a Firewall and Load Balancer, with QoS applied on the path]
9. The Basic Idea
❖ Endpoint (EP): Lowest unit of abstraction where policy is applied
❖ Endpoint Group (EPG): Logical grouping of endpoints
❖ Policy Rule: Network policies to access EPGs
❖ Contract: Collection of policy rules
10. EPG-Contract Relationship
❖ An EPG may provide one or more contracts
❖ An EPG may consume one or more contracts
[Diagram: Endpoint Group provides and consumes Contracts]
❖ Application deployer focused
11. Policy Rules
❖ Action is applied to traffic specified by Classifier
Policy Rule = Classifier + Action
  Classifier: Protocol | Ports | Direction
  Action:     Type | Value

Action Type   Value
Allow         None
Redirect      Service/Chain
QoS           QoS args
Log           Log args
Copy          Copy args
Mark          Mark args
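As an added example (not code from these slides or from the Neutron Group Policy project), the following Python models the classifier/action policy rule from slide 11 inside the provide/consume relationship of slide 10 and evaluates flows between the tiers of the slide 6 application. The class names, the first-match rule ordering, and the implicit deny for a flow that no shared contract covers are assumptions of this example, not behaviour the slides specify.

```python
"""Evaluating Group Policy rules for a multi-tier app.

Added illustration only: the classes, the first-match rule order and the
default-deny result are assumptions of this example, not the Neutron
Group Policy API or its reference implementation.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Classifier:
    """Traffic selector: Protocol, Ports, Direction (slide 11)."""
    protocol: str              # "tcp", "udp", "icmp" or "any"
    ports: Tuple[int, int]     # inclusive port range; (0, 65535) = any port
    direction: str             # "in" (toward provider), "out", or "bi"

    def matches(self, protocol: str, port: int, direction: str) -> bool:
        proto_ok = self.protocol in ("any", protocol)
        port_ok = self.ports[0] <= port <= self.ports[1]
        dir_ok = self.direction in ("bi", direction)
        return proto_ok and port_ok and dir_ok


@dataclass(frozen=True)
class Action:
    """Action Type plus Value, per the table on slide 11."""
    type: str                        # allow | redirect | qos | log | copy | mark
    value: Optional[str] = None      # e.g. service chain name for redirect


@dataclass(frozen=True)
class PolicyRule:
    classifier: Classifier
    actions: Tuple[Action, ...]      # applied to traffic the classifier selects


@dataclass(frozen=True)
class Contract:
    name: str
    rules: Tuple[PolicyRule, ...]    # a contract is a collection of policy rules


@dataclass
class EPG:
    """Endpoint Group: may provide and consume contracts (slide 10)."""
    name: str
    provides: List[Contract] = field(default_factory=list)
    consumes: List[Contract] = field(default_factory=list)


def evaluate(consumer: EPG, provider: EPG, protocol: str, port: int,
             direction: str = "in") -> List[Action]:
    """Actions for one flow from `consumer` toward `provider`.

    Only contracts the provider provides and the consumer also consumes are
    consulted; the first rule whose classifier matches wins. No match returns
    an empty list, which this example treats as a denied flow (assumption).
    """
    consumed = {c.name for c in consumer.consumes}
    for contract in provider.provides:
        if contract.name not in consumed:
            continue
        for rule in contract.rules:
            if rule.classifier.matches(protocol, port, direction):
                return list(rule.actions)
    return []


def is_allowed(consumer: EPG, provider: EPG, protocol: str, port: int,
               direction: str = "in") -> bool:
    """A flow passes if a matching rule allows it or redirects it into a chain."""
    return any(a.type in ("allow", "redirect")
               for a in evaluate(consumer, provider, protocol, port, direction))


# Constructed sample tiers modelled on slide 6 (names are this example's own).
WEB_HTTPS = Contract("web-https", (
    PolicyRule(Classifier("tcp", (443, 443), "in"),
               (Action("redirect", "fw-lb-chain"), Action("log", "flow"))),
))
APP_API = Contract("app-api", (
    PolicyRule(Classifier("tcp", (8080, 8080), "in"), (Action("allow"),)),
))
DB_SQL = Contract("db-sql", (
    PolicyRule(Classifier("tcp", (3306, 3306), "in"), (Action("allow"),)),
))

EXTERNAL = EPG("external", consumes=[WEB_HTTPS])
WEB = EPG("web", provides=[WEB_HTTPS], consumes=[APP_API])
APP = EPG("app", provides=[APP_API], consumes=[DB_SQL])
DB = EPG("db", provides=[DB_SQL])

if __name__ == "__main__":
    for src, dst, port in [(EXTERNAL, WEB, 443), (WEB, APP, 8080),
                           (APP, DB, 3306), (WEB, DB, 3306), (EXTERNAL, DB, 3306)]:
        acts = [(a.type, a.value) for a in evaluate(src, dst, "tcp", port)]
        print(f"{src.name:>8} -> {dst.name:<4} tcp/{port}: {acts or 'DENY'}")
```

The point the evaluator makes concrete: the web tier reaches the app tier and the app tier reaches the database, but the web tier cannot reach the database directly because it never consumes the db contract, and external traffic to the web tier is steered into the firewall/load-balancer chain rather than simply allowed.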
15. Optional Constructs in Model
❖ Scopes: put constraints around how provider and consumer EPGs are matched
❖ Policy Rule Filters: allow for tagging Policy Rules with Labels such that subsets can be created in a Contract
❖ Contract hierarchy: infra admin constraints can be achieved by Contract hierarchical composition
❖ Endpoint labels: policies get triggered automatically when labels are added or removed
17. PoC Implementation
❖ Team has worked on a PoC implementation
❖ Considering various model and implementation alternatives
❖ Using legacy driver
❖ CLI, Horizon, and Heat
[Diagram: CLI, Heat and Horizon call Neutron, which hands policy to a Policy Manager that dispatches to the Legacy Policy Driver, the ODL Policy Driver, or other drivers]
18. The Group Policy PoC Team
❖ Sumit Naiksatam, Robert Kukura, Mandeep Dhami (Cisco)
❖ Mohammad Banikazemi (IBM)
❖ Stephen Wong (Midokura)
❖ Ronak Shah (Nuage Networks)
❖ Hemanth Ravi, Susaant Kondapaneni, Prasad Vellanki (One Convergence)
❖ Rudra Rugge (Juniper)
19. State of Implementation
❖ The blueprint for Group Policy has been reviewed/approved
❖ Working PoC available (install from: https://github.com/noironetworks/devstack/tree/group-policy-poc)
❖ Neutron reference implementation for Group Policy is in progress
❖ Complementary work on network services framework is in progress
20. More Information
❖ Neutron Group-based Policy design session
May 16 • 10:50am - 11:30am • B304
❖ Wiki page:
https://wiki.openstack.org/wiki/Neutron/GroupPolicy
❖ Neutron Group Policy Sub-Team Meeting IRC weekly meetings:
https://wiki.openstack.org/wiki/Meetings/Neutron_Group_Policy
23. Separation of Concerns
❖ Different aspects of operation are performed by different agents
❖ Administrators specify the more network-specific requirements
❖ Other tenants (application deployers) specify the application-specific requirements
30. Contract Scopes
❖ Contracts are provided and consumed through contract scopes
Contract Scope fields:
  Selector: Provider-Capability / Consumer-Role
  Selector Scope   Value
  Global           None
  Tenant           Tenant ID
  EPG              EPG ID
❖ Selectors specify the scope: Global/Tenant/EPG
❖ Provider-Capabilities/Consumer-Roles: Policy labels, which allow defining granular constraints within the contract
32. Policy Rules
❖ Filters/Labels used to limit policy rules provided/consumed
Policy Rule fields:
  Filter:     Provider Capability | Consumer Role
  Classifier: Protocol | Ports | Direction
  Action:     Type | Value
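As an added example covering slides 30 and 32 (not code from these slides or from the Neutron Group Policy project), the Python below matches provider and consumer contract scopes through Global/Tenant/EPG selectors and then narrows the contract's rules by provider-capability and consumer-role labels. The data model, the symmetric admit check, and the rule that a filtered policy rule applies only when both labels are present are this example's own assumptions.

```python
"""Contract scope selectors and policy rule filters (slides 30 and 32).

Added illustration only: the Selector/ContractScope classes and the matching
order are assumptions of this example, not the Neutron Group Policy API.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class EPGRef:
    name: str
    tenant: str


@dataclass(frozen=True)
class Selector:
    """Scope selector from slide 30: Global (None), Tenant (ID) or EPG (ID)."""
    scope: str                      # "global" | "tenant" | "epg"
    value: Optional[str] = None     # None, tenant id, or EPG id

    def admits(self, peer: EPGRef) -> bool:
        if self.scope == "global":
            return True
        if self.scope == "tenant":
            return peer.tenant == self.value
        if self.scope == "epg":
            return peer.name == self.value
        raise ValueError(f"unknown scope {self.scope!r}")


@dataclass(frozen=True)
class ContractScope:
    """How one EPG provides or consumes a contract (slide 30)."""
    contract: str
    epg: EPGRef
    selector: Selector                     # who may sit on the other side
    labels: FrozenSet[str] = frozenset()   # provider capabilities / consumer roles


@dataclass(frozen=True)
class FilteredRule:
    """A policy rule tagged with the labels it requires (slide 32)."""
    name: str
    provider_capability: Optional[str] = None
    consumer_role: Optional[str] = None


def bind(provider: ContractScope, consumer: ContractScope) -> bool:
    """True when both sides name the same contract and each admits the other."""
    return (provider.contract == consumer.contract
            and provider.selector.admits(consumer.epg)
            and consumer.selector.admits(provider.epg))


def providers_for(consumer: ContractScope,
                  provided: List[ContractScope]) -> List[str]:
    """Every provider whose scope binds to this consumer (more than one = failover)."""
    return [p.epg.name for p in provided if bind(p, consumer)]


def effective_rules(rules: List[FilteredRule], provider: ContractScope,
                    consumer: ContractScope) -> List[str]:
    """Subset of the contract's rules this provider/consumer pair actually gets:
    a filtered rule applies only if the provider carries the capability and the
    consumer carries the role (assumption of this example)."""
    out = []
    for r in rules:
        if r.provider_capability and r.provider_capability not in provider.labels:
            continue
        if r.consumer_role and r.consumer_role not in consumer.labels:
            continue
        out.append(r.name)
    return out


# Constructed sample: two providers of one contract at Global scope and a
# database contract restricted to its own tenant (names are this example's own).
PROVIDER_A = ContractScope("web-https", EPGRef("ProviderA", "t1"),
                           Selector("global"), frozenset({"ssh"}))
PROVIDER_B = ContractScope("web-https", EPGRef("ProviderB", "t2"),
                           Selector("global"))
DB_PROVIDE = ContractScope("db-sql", EPGRef("db", "t1"), Selector("tenant", "t1"))
PROVIDED = [PROVIDER_A, PROVIDER_B, DB_PROVIDE]

USERS = ContractScope("web-https", EPGRef("users", "t3"), Selector("global"))
OPS = ContractScope("web-https", EPGRef("ops", "t1"), Selector("global"),
                    frozenset({"admin"}))
PINNED = ContractScope("web-https", EPGRef("pinned", "t3"),
                       Selector("epg", "ProviderA"))
APP_T1 = ContractScope("db-sql", EPGRef("app", "t1"), Selector("global"))
APP_T2 = ContractScope("db-sql", EPGRef("app", "t2"), Selector("global"))

WEB_RULES = [FilteredRule("https"),
             FilteredRule("admin-ssh", provider_capability="ssh",
                          consumer_role="admin")]

if __name__ == "__main__":
    for c in (USERS, OPS, PINNED, APP_T1, APP_T2):
        print(f"{c.epg.name:>7} ({c.epg.tenant}) -> {providers_for(c, PROVIDED)}")
    print("ops vs ProviderA:", effective_rules(WEB_RULES, PROVIDER_A, OPS))
    print("ops vs ProviderB:", effective_rules(WEB_RULES, PROVIDER_B, OPS))
```

Two things worth noticing in the output: the tenant-scoped database contract is invisible to an otherwise identical consumer in another tenant, and the "admin-ssh" rule reaches the ops group only through the provider that actually advertises the "ssh" capability, so a label on one side alone never widens the contract.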
33. Contract
Hierarchy of Contracts
❖ Contracts can refer to other contracts
❖ Specifying base contracts by administrators
[Diagram: an Endpoint Group provides/consumes a contract, which in turn refers to base contracts]
34. Using Neutron Advanced Services
To fully take advantage of Group Policy:
❖ Defining a policy container for services
Leveraging advanced services:
❖ Unified, generic and flexible service definition
❖ Support for various service insertion modes
❖ Support for various service manifestations
❖ Service chaining and traffic steering
38. Multiple Providers with Failover
[Diagram: the Administrator creates contracts in the Group Policy Manager; ProviderA and ProviderB each provide the contract with scope set to Global; Users consume the contract and can therefore be served by either provider]
40. Heat Implementation
❖ Native Neutron heat resources
❖ WIP patch available on Gerrit
❖ Provides richer and simpler abstraction
❖ Allows for complex topology declaration
❖ Demo HOT template
❖ Publishes secure web service