Network traffic isolation with MAAS

MicroStack, in MAAS mode, supports network traffic isolation in a multi-network environment, where each of these cloud networks is coupled with specific cloud activity. It does this through the integration of Juju network spaces.

Network space:
A Juju object that abstracts away the OSI Layer 3 network concepts. A space is created on a backing cloud (e.g. MAAS) to represent one or more subnets. The purpose of a space is to allow for user-defined network traffic segmentation.

Traffic isolation is implemented at the discretion of the cloud architect, where the degree of isolation is dependent upon the number of subnets used. That is, no isolation results from using a sole subnet with a single space. Conversely, maximum isolation can be arrived at with unique subnet-space pairings. The subnet:space mappings are done within MAAS.

To finish, spaces are mapped to the cloud network names supported by MicroStack. The space:network mappings are done at the MicroStack level. In the case of an environment consisting of a sole subnet, each cloud network will be mapped to the same space.

Note: The Multi-node with MAAS page shows how to use MicroStack with MAAS.

Cloud networks

The cloud network names supported by MicroStack, their corresponding traffic types, and examples of such traffic is given here:

Cloud network Traffic type Example traffic
data hypervisor-to-hypervisor (East-West) intra-Project routing by OVN/OVS
internal control plane Nova to RabbitMQ queries
management cloud node management Juju
public service API endpoints Identity service via Keystone
storage instance-to-storage Ceph-based volumes
storage-cluster storage-to-storage Ceph data rebalancing

There are other types of traffic that don’t necessarily map to the above cloud networks. They are described below:

Other networking Traffic type Example traffic
“external networking” instance-to-external (North-South) instance remote access over SSH
“private networking” instance-to-openstack OpenStack internal

Machine access

Machines in the cloud environment require access to certain cloud networks.

Node roles

Machines identified by their MicroStack node roles, and their associated services, must have access to specific cloud networks. These access requirements are described here:

Node role Hosted service Cloud network access
juju-controller Juju controller and clusterd database management
control cloud control plane services management, internal, public, storage
compute Nova Compute (hypervisors) management, internal, data, storage
storage Ceph management, storage, storage-cluster

Client

The client machine will need access to the management and public cloud networks.

It will also need access to the cloud’s external networking in order to access cloud instances (e.g. over SSH).

Last updated a month ago. Help improve this document in the forum.