This blog post describes how existing Amazon VPC/EC2 API scripts can be reused against an OpenStack/OpenContrail cluster. With support for the Amazon APIs, users get the same functionality from their existing Amazon API scripts on an OpenStack/OpenContrail cluster.
1. Overview Amazon VPC (Virtual Private Cloud)
Amazon EC2 provides elastic compute functionality for its tenants – ability to create virtual machines, assign floating IPs and security groups to these virtual machine interfaces. Advanced networking services are not available in the EC2 model since the focus has been mainly to provide elastic compute.
Amazon VPC provides a virtual private cloud to its tenants. This product supports many advanced networking features such as network access control lists, routing, NAT services, Internet gateway, and VPN gateway. VPC provides a contained environment for applications to access resources over the networking services provided by the VPC.
All Amazon services provide public APIs that customers use to automate their usage of the services.
2. Amazon APIs and OpenStack APIs
An OpenStack deployment also provides similar services as Amazon EC2 and Amazon VPC. For existing users of Amazon services, it’s easier to reuse their scripts based on Amazon APIs on an OpenStack deployment rather than rewrite their code for OpenStack APIs. Hence, for ease of use, OpenStack added support to translate Amazon EC2 API calls to Nova API calls. Using Amazon EC2 APIs users can launch VMs, assign IP addresses to VMs and do basic compute level functionality on an OpenStack cluster.
As part of OpenContrail, we have extended the Amazon API support in OpenStack by adding Amazon VPC API compatibility/translation. The blueprint for this review is at:
https://blueprints.launchpad.net/nova/+spec/aws-vpc-support
This feature enhances the EC2 APIs to support the Amazon VPC APIs. Amazon VPC supports networking constructs like: subnets, dhcp options, elastic IPs, network acls, security groups, and route tables. Amazon VPC APIs will be supported on the OpenStack/Contrail distribution. Hence, users of Amazon VPC in AWS can use the same scripts to move to an OpenStack/Contrail solution.
Amazon VPC documentation:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html
Amazon VPC API list:
http://docs.aws.amazon.com/AWSEC2/latest/APIReference/query-apis.html
3. VPC to OpenStack/Contrail mappings
Amazon VPC constructs have been mapped to OpenStack constructs. Some of the constructs already exist in OpenStack; the new constructs, marked with (*), are being proposed as Neutron extensions.
Amazon VPC      | OpenStack/Contrail mapping
--------------- | --------------------------
VPC             | Project
Subnets         | Networks (Virtual Networks)
DHCP options    | IPAM (*)
Elastic IP      | Floating IP
Network ACLs    | Network ACLs (*)
Security Groups | Security Groups
Route Table     | Route Table (*)
4. Euca2ools
Euca2ools has been extended with Amazon VPC CLI support alongside the existing Amazon EC2 CLI support. A pull request has been submitted for the new CLIs.
https://github.com/eucalyptus/euca2ools/pull/31
5. VPC and subnets
To create a new VPC, users need to provide a CIDR block for the VPC. All subnets in the VPC must fall within that CIDR block. In the example below we create a VPC with the CIDR block 10.1.0.0/16, then create a subnet within it with the CIDR block 10.1.1.0/24.
When a VPC is created, a default network ACL called acl-default is created with it. All subnets created in the VPC are automatically associated with the default network ACL. This association can be changed once a new network ACL has been created.
The last command in the list below creates a VM using image (ami-00000003) and launches with an interface in subnet subnet-5eb34ed2.
# euca-create-vpc 10.1.0.0/16
VPC VPC:vpc-8352aa59 created
# euca-describe-vpcs
VpcId CidrBlock DhcpOptions
----- --------- -----------
vpc-8352aa59 10.1.0.0/16 None
# euca-create-subnet -c 10.1.1.0/24 vpc-8352aa59
Subnet:subnet-5eb34ed2 created
# euca-describe-subnets
Subnet-id Vpc-id CidrBlock
--------- ------ ---------
subnet-5eb34ed2 vpc-8352aa59 10.1.1.0/24
# euca-describe-network-acls
AclId
-----
acl-default(def)
vpc-8352aa59
Rule Dir Action Proto Port Range Cidr
---- --- ------ ----- ---- ----- ----
100 ingress allow -1 0 65535 0.0.0.0/0
100 egress allow -1 0 65535 0.0.0.0/0
32767 ingress deny -1 0 65535 0.0.0.0/0
32767 egress deny -1 0 65535 0.0.0.0/0
Assocation SubnetId AclId
---------- -------- ------------
aclassoc-0c549d66 subnet-5eb34ed2 acl-default
# euca-run-instances -s subnet-5eb34ed2 ami-00000003
Euca2ools CLI for VPC and subnets
euca-create-vpc
euca-delete-vpc
euca-describe-vpcs
euca-create-subnet
euca-delete-subnet
euca-describe-subnets
6. Security in VPC
Security in a VPC is provided by two mechanisms: network ACLs and security groups.
6.1. Network ACL
Network ACLs support ingress and egress rules for traffic classification and filtering, and are applied at the subnet level. In this example a new ACL is created (acl-ba7158c) and an existing subnet is re-associated to it. The commands to create, edit, and delete rules within an ACL are also listed.
# euca-create-network-acl vpc-8352aa59
acl-ba7158c
# euca-describe-network-acls
AclId
-----
acl-default(def)
vpc-8352aa59
Rule Dir Action Proto Port Range Cidr
---- --- ------ ----- ---- ----- ----
100 ingress allow -1 0 65535 0.0.0.0/0
100 egress allow -1 0 65535 0.0.0.0/0
32767 ingress deny -1 0 65535 0.0.0.0/0
32767 egress deny -1 0 65535 0.0.0.0/0
Assocation SubnetId AclId
---------- -------- ------------
aclassoc-0c549d66 subnet-5eb34ed2 acl-default
AclId
-----
acl-ba7158c
vpc-8352aa59
Rule Dir Action Proto Port Range Cidr
---- --- ------ ----- ---- ----- ----
32767 ingress deny -1 0 65535 0.0.0.0/0
32767 egress deny -1 0 65535 0.0.0.0/0
# euca-replace-network-acl-association -a aclassoc-0c549d66 acl-ba7158c
aclassoc-0c549d66
# euca-describe-network-acls
AclId
-----
acl-default(def)
vpc-8352aa59
Rule Dir Action Proto Port Range Cidr
---- --- ------ ----- ---- ----- ----
100 ingress allow -1 0 65535 0.0.0.0/0
100 egress allow -1 0 65535 0.0.0.0/0
32767 ingress deny -1 0 65535 0.0.0.0/0
32767 egress deny -1 0 65535 0.0.0.0/0
Assocation SubnetId AclId
---------- -------- ------------
AclId
-----
acl-ba7158c
vpc-8352aa59
Rule Dir Action Proto Port Range Cidr
---- --- ------ ----- ---- ----- ----
32767 ingress deny -1 0 65535 0.0.0.0/0
32767 egress deny -1 0 65535 0.0.0.0/0
Assocation SubnetId AclId
---------- -------- ------------
aclassoc-0c549d66 subnet-5eb34ed2 acl-ba7158c
Euca2ools CLI for Network ACLs
euca-create-network-acl
euca-delete-network-acl
euca-replace-network-acl-association
euca-describe-network-acls
euca-create-network-acl-entry
euca-delete-network-acl-entry
euca-replace-network-acl-entry
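A check worth running after euca-replace-network-acl-association: in the transcript above, subnet-5eb34ed2 ends up on acl-ba7158c, whose only entries are the 32767 deny rules, so the subnet passes no traffic in either direction until entries are added with euca-create-network-acl-entry. The Python below is an added example, not part of the original post or of euca2ools: it parses euca-describe-network-acls output in the format shown and reports subnets whose ACL permits nothing in a direction. The sample text is copied from the transcript, and the rule-ordering semantics (ascending rule number, first match wins) are an assumption taken from Amazon's network ACL model.

```python
import re
# Constructed sample copied from the post's transcript: acl-ba7158c after the subnet was moved onto it.
SAMPLE = """\
AclId
-----
acl-ba7158c
vpc-8352aa59
Rule Dir Action Proto Port Range Cidr
---- --- ------ ----- ---- ----- ----
32767 ingress deny -1 0 65535 0.0.0.0/0
32767 egress deny -1 0 65535 0.0.0.0/0
Assocation SubnetId AclId
---------- -------- ------------
aclassoc-0c549d66 subnet-5eb34ed2 acl-ba7158c
"""
RULE = re.compile(r"^(\d+) (ingress|egress) (allow|deny) (\S+) (\d+) (\d+) (\S+)$")
ASSOC = re.compile(r"^aclassoc-\S+ (subnet-\S+) (acl-\S+)$")

def parse_acls(text):
    """acl_id -> {"rules": [(num, dir, action, proto, lo, hi, cidr)], "subnets": [...]}"""
    acls, cur, prev = {}, None, ""
    for line in text.splitlines():
        line = line.strip()
        if prev == "-----" and line.startswith("acl-"):   # block header, e.g. acl-default(def)
            cur = line.split("(")[0]
            acls.setdefault(cur, {"rules": [], "subnets": []})
        elif (m := RULE.match(line)) and cur:             # rule number and ports become ints
            acls[cur]["rules"].append(tuple(int(x) if x.isdigit() else x for x in m.groups()))
        elif (m := ASSOC.match(line)):
            acls.setdefault(m.group(2), {"rules": [], "subnets": []})["subnets"].append(m.group(1))
        prev = line
    return acls

def denies_everything(rules, direction):
    """Ascending rule order: a catch-all deny reached before any allow (or no allow) blocks it."""
    for _n, d, act, proto, lo, hi, cidr in sorted(rules):
        if d == direction and act == "allow":
            return False
        if d == direction and proto == "-1" and (lo, hi, cidr) == (0, 65535, "0.0.0.0/0"):
            return True
    return True

def audit(text):
    """Return {subnet: [directions]} for subnets whose ACL permits nothing in a direction."""
    findings = {}
    for acl in parse_acls(text).values():
        blocked = [d for d in ("ingress", "egress") if denies_everything(acl["rules"], d)]
        if blocked:
            findings.update(dict.fromkeys(acl["subnets"], blocked))
    return findings
```

Run it against `euca-describe-network-acls` output captured to a file; an empty result means every associated subnet has at least one allow rule in each direction.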
6.2. Security Groups
Security groups provide ingress/egress controls at the virtual machine level and are applied to virtual machine interfaces. In this example, a new security group is created. Rules can be added to or removed from a security group with the euca2ools commands listed below. The last line launches a VM using the newly created security group.
# euca-describe-security-groups
GroupId VpcId Name Description
------- ----- ---- -----------
sg-6d89d7e2 vpc-8352aa59 default
Direction Proto Start End Remote
--------- ----- ----- --- ------
Ingress any 0 65535 [0.0.0.0/0]
Egress any 0 65535 [0.0.0.0/0]
# euca-create-security-group -d "TestGroup" -v vpc-8352aa59 testgroup
GROUP sg-c5b9d22a testgroup TestGroup
# euca-describe-security-groups
GroupId VpcId Name Description
------- ----- ---- -----------
sg-6d89d7e2 vpc-8352aa59 default
Direction Proto Start End Remote
--------- ----- ----- --- ------
Ingress any 0 65535 [0.0.0.0/0]
Egress any 0 65535 [0.0.0.0/0]
GroupId VpcId Name Description
------- ----- ---- -----------
sg-c5b9d22a vpc-8352aa59 testgroup TestGroup
Direction Proto Start End Remote
--------- ----- ----- --- ------
Egress any 0 65535 [0.0.0.0/0]
# euca-run-instances -s subnet-5eb34ed2 -g testgroup ami-00000003
Euca2ools CLI for Security Groups
euca-create-security-group
euca-delete-security-group
euca-describe-security-groups
euca-authorize-security-group-egress
euca-authorize-security-group-ingress
euca-revoke-security-group-egress
euca-revoke-security-group-ingress
7. Networking in VPC
7.1. Elastic IP
Elastic IP maps to floating IPs in the OpenStack/Contrail solution: a floating IP is requested from the system and then assigned to a particular VM. The expectation is that the provider or admin has provisioned a network named “public” and allocated a floating IP pool on it. Tenants then draw from this “public” floating IP pool when they request public IP addresses to attach to their VMs.
# euca-allocate-address --domain vpc
ADDRESS 10.84.14.253 eipalloc-78d9a8c9
# euca-describe-addresses --filter domain=vpc
Address Domain AllocationId InstanceId(AssociationId)
------- ------ ------------ -------------------------
10.84.14.253 vpc eipalloc-78d9a8c9
# euca-associate-address -a eipalloc-78d9a8c9 i-00000008
ADDRESS eipassoc-78d9a8c9
# euca-describe-addresses --filter domain=vpc
Address Domain AllocationId InstanceId(AssociationId)
------- ------ ------------ -------------------------
10.84.14.253 vpc eipalloc-78d9a8c9 i-00000008(eipassoc-78d9a8c9)
Euca2ools CLI for Elastic IPs
euca-allocate-address
euca-release-address
euca-describe-addresses
euca-associate-address
euca-disassociate-address
7.2. Route tables
Route tables can be created in Amazon VPC and associated with subnets. Traffic leaving a subnet is looked up in the associated route table and the next hop is chosen based on the lookup result. The next hops supported in this release are listed below.
Euca2ools CLI for Route Tables
euca-create-route-table
euca-delete-route-table
euca-describe-route-tables
euca-associate-route-table
euca-disassociate-route-table
euca-replace-route-table-association
euca-create-route
euca-delete-route
euca-replace-route
7.2.1. Local
This next hop covers the VPC's own CIDR block: destinations within the prefix are reachable directly across all subnets in the VPC.
7.2.2. Internet Gateway
This next hop is used for traffic destined to the internet. Since subnet IPs are private, every VM needs an Elastic IP in order to reach the internet.
Euca2ools CLI for Internet Gateway
euca-attach-internet-gateway
euca-create-internet-gateway
euca-delete-internet-gateway
euca-describe-internet-gateways
euca-detach-internet-gateway
7.2.3. NAT Instance
To create this next hop the user launches a VM that provides the NAT service. The VM has two interfaces – one internal and one external – and both are created automatically. The only requirement is that a “public” network has been provisioned by the admin, since the VM's second interface is created in that “public” network.
Euca2ools CLI for NAT instance
euca-run-instances
euca-terminate-instances
In the example below we create a NAT instance and create a default route pointing to the NAT instance.
# euca-describe-route-tables
RouteTableId Main VpcId AssociationId SubnetId
------------ ---- ----- ------------- --------
rtb-default yes vpc-8352aa59 rtbassoc-0c549d66 subnet-5eb34ed2
Prefix NextHop
------ -------
10.1.0.0/16 local
# euca-describe-images
IMAGE ami-00000003 None (ubuntu) 2c88a895fdea4461a81e9b2c35542130
IMAGE ami-00000005 None (nat-service) 2c88a895fdea4461a81e9b2c35542130
# euca-run-instances ami-00000005
# euca-create-route --cidr 0.0.0.0/0 -i i-00000006 rtb-default
# euca-describe-route-tables
RouteTableId Main VpcId AssociationId SubnetId
------------ ---- ----- ------------- --------
rtb-default yes vpc-8352aa59 rtbassoc-0c549d66 subnet-5eb34ed2
Prefix NextHop
------ -------
10.1.0.0/16 local
0.0.0.0/0 i-00000006