The Metacloud Networking service (Neutron) lets you define network connectivity and addressing in the cloud using the command-line interface. Using the CLI, you can create, update, and delete a variety of network services including L3 forwarding and NAT and IPsec VPN.
To configure network topologies, you can create and configure networks and subnets and instruct other services, like Compute, to attach virtual devices to ports on these networks. Refer to the Metacloud Controller Installation Guide for networking diagrams.
The Compute service is a prominent consumer of networking resources to provide connectivity for its instances. Networking supports each project having multiple private networks and enables projects to choose their own IP addressing scheme, even if those IP addresses overlap with those that other projects use. There are two types of networks, project and provider networks. It is possible to share any of these types of networks among projects as part of the network creation process.
- Project Network—A virtual network that a project or an administrator creates. The physical details of the network are not exposed to the project.
- Provider Network—A virtual network created to map to a specific network in the data center, typically to enable direct access to non-Metacloud resources on that network. Projects can be given access to provider networks.
The primary difference between project networks and provider networks involves the provisioning. Provider networks are created by administrators on behalf of projects and can be dedicated to a particular project, shared by a subset of projects, or shared by all projects. Project networks are created by projects for use by their instances and cannot be shared.
You can create multiple provider or project networks using VLAN IDs (802.1Q tagged) that correspond to VLANs present in the physical network. This allows instances to communicate with each other across your environment. They can also communicate with dedicated servers, firewalls, load balancers, and other networking infrastructure on the same layer 2 VLAN.
Project (Tenant) Networks
The term tenant is used interchangeably with the more current term project. In a private cloud, a given project may be mapped to a particular business unit, a specific multi-tier application, or even a single application tier. In a public cloud, individual projects generally represent separate organizations.
A project network provides connectivity to a project. You can create, delete, and modify project networks. Each project network is isolated from other project networks by a VLAN.
A provider network maps to existing physical networks in the data center.
Networking services like Compute connect to provider networks by requesting virtual ports. Networking supports each project having multiple private networks and enables projects to choose their own IP addressing scheme, even if those IP addresses overlap with those that other projects use. See Managing Provider Networks for information about defining your provider network.
To add a provider network to your existing configuration, you must contact Metacloud Support and file a Change-Maintenence Request to edit your configuration files. Include your network configuration settings and the IP addresses for included routers.
Subnets contain a block of IP addresses and associated configuration state. This is also known as the native IPAM (IP Address Management) provided by the networking service for both project and provider networks. Subnets are used to allocate IP addresses when new ports are created on a network.
A port is a connection point for attaching a single device, such as the NIC of a virtual server, to a virtual network. Also describes the associated network configuration, such as the MAC and IP addresses to be used on that port.
This is a logical component that forwards data packets between networks. It also provides L3 and NAT forwarding to provide external network access for VMs on project networks.
A security group acts as a virtual firewall for your Compute instances to control inbound and outbound traffic. Security groups act at the port level, not the subnet level. Each port in a subnet could be assigned to a different set of security groups. If you don’t specify a particular group at launch time, the instance is automatically assigned to the default security group for that network.
Security groups and security group rules give administrators and projects the ability to specify the type of traffic and direction (ingress/egress) that is allowed to pass through a port. A security group is a container for security group rules. When a port is created, it is associated with a security group. If a security group is not specified, the port is associated with a ‘default’ security group. The default group allows all ingress traffic for all other instances in the same project that are assigned to the default group and allows all egress. Rules can be added to this group to change the behavior.