IaaS V1
IaaS v1 documentation
Main API / Additional information
| API | Description | Comments |
|---|---|---|
| Zone | Provide information on the OINIS SDN POP. | Informational |
| Volume | A volume is a detachable block storage device, similar to a USB hard drive. You can attach a volume to only one instance. | Should be Optional but is mandatory for the moment |
| VirtualNetwork | Openstack/Contrail virtual-network to interconnect VM together via a layer 2 and/or to implement an IP/MPLS VPN (internet / customer VPN..) | Required |
| VirtualMachine | Main API to create virtual-machine | Required |
| ServerGroup | In case of a VNF based on several VM, ServerGroup provide the capability to group VM on the same compute or to separate them according to certain policy - affinity : VM in the same server group will be created on the same compute. If not possible, will generate a failure. - anti-affinity : VM in the same server group will be created on different compute. If not possible, will generate a failure. - soft-[affinity|anti-affinity] : try to comply with the policy but will not fail if not possible | Should be Optional but is mandatory for the moment |
| SecurityRule | Rule part of a SecurityGroup | Optional |
| SecurityGroup | List of ACL to protect a VM interface | Optional. Only available if the forwarding mode on the interface is set to flow. This feature depend on Contrail. |
| PublicIPAddress | Reserve and release public IP address for internet connectivity | Optional. Currently supported only through FloatingIPAddress (1:1 address translation between the public IP address reserved through the API and the "private" IP address of an interface plugged in a private virtual-network |
| KeyPair | SSH key pair generator to be used at VM creation moment to push secret to the VM thank to cloud-init mechanism. It provides a secure way to generate a SSH key directly on the IaaS instead of pushing a password via cloud-init | Should be Optional but is mandatory for the moment |
| Interface | Used to manipulate VirtualMachine Interface without going through the whole VirtualMachine API | Shortcut |
| Image | OS image used by VM End user will be able to upload its own image with a specific quota mechanism to avoid misuse | |
| Flavor | Pre-defined flavors are available on the OINIS SDN POP to fit major use case. On a per service basis, additional flavor could be created, depending on the marketing/business needs. | Informational. Precise list of flavor are still to be discussed in NGH Indus teams. It's not planned to let "end user" create its own flavor. |
VirtualNetwork
Virtual-Network API is the main one to configure the network attached to your VM. Currently only local private virtual-network can be created.
- Private: not shared between projects
- Local: no IP/MPLS VPN attachment
This API provides the capabilities to configure the addressing scheme. All specific VM things related to the port configuration, the static routing for which it is considered as next hop or the advanced feature such as the floating IP address and VRRP enabler feature are done through the virtual-machine API.
| Parameters | Info |
|---|---|
| subnet | Mandatory. Subnet in CIDR format, can be either IPv4 and IPv6 |
| enableDhcp | Optional. true | false. Default value is set to true |
| allocateIpAddressFromStart | Optional. true | false. DHCP process will assign VM address sequentially, from the first available to the last one. default value is set to true. |
| dnsPrimary dnsSecondary | Optional. DNS server to provide in the DHCP answer when a VM request an address via DHCP. No default value |
| gatewayIpAddress | Optional. Specify the address of Contrail vRouter to be used for its "gateway" role. Default : Contrail use the very first usable address of the subnet. To be confirmed by OINIS: there is no way to make vRouter acting as DHCP server and provide another address as gateway in the DHCP answer, it will be the vRouter GW address. |
| serviceIpAddress | Optional. Specify the address the vRouter must used to configure its interface in this VN. Default : Contrail use the second usable address of the subnet. |
Routing Policy
Used by contrail to manipulate route when advertised to BGP:
- To VNF, using BGPaaS
- To backbone, using PE SDN
Welknown BGP Community Tag
Some standard Community Tags (CT) are defined to influence routing behavior. When setting such CT via the routing policy you can influence the routing:
| CT Value | Behavior |
|---|---|
| 999:10001 | Route is not advertised to the backbone, it will be usable only on the local SDN POP |
| 999:10002 | Route will be advertised to the backbone but will be rejected by other SDN POP |
VirtualMachine
Interface
Floating IP address
The floating IP address is a mechanism that aims to make reachable a VM port connected to a private virtual-network from Internet. The mechanism relies on source and destination address translation on Contrail vRouter. A stateful NAT 1:1 is implement on the contrail vRouter that mangles relevant inbound and outbound traffic.
First, an IP address must be assigned from a specific pool and associated to a port of a virtual-machine . This pool is routed on Internet to the SDN POP where it can be used. The NAT configuration will be a bi-directionnal address translation between the booked floating IP address and the IP address configured on the port in the virtual-network.
- Only available if the forwarding mode on the interface is set to flow. This feature depends on Contrail.
- Can't be used with AllowedIPAdressPair mechanism
Forwarding mode
Two forwarding modes exist on the OINIS SDN POP :
- flow : Contrail vRouter maintains a flow table to keep track of every single flow traversing it. It allows advanced Contrail mechanism to be implemented such as
- security-group
- floating IP address
- other one but not exposed via API
- packet: configured on a per interface basis, disable the flow tracking mechanism and the related advanced feature that need flow mode.
Packet mode benefits:
- vRouter PPS is the only scaling factor since no flow setup
- no DDoS on the vRouter because of the TCP Syn flood for example (similar to the performance limit above)
Flow mode benefits:
- advanced feature such as security group to protect an interface exposed to untrust network such as Internet.
Comments:
- OINIS must confirm its recommendation in particular with potential SDN POP evolution in the next months and the default mode used by the interface.
Resiliency
OINIS SDN POP doesn't provide resiliency/HA infrastructure mechanism. Such mechanism must be bring by the service on top of the infrastructure. For example, one typical design is to deploy two instances of the service in two different POP. In case of issue on the nominal the service logic will switch to the backup one. However the IaaS behind the SDN POP provide a two mechanism that can help to create a first level of resiliency mechanism :
- Server group affinity to deploy the VM in different compute node
- Server"allowedIpAddressPairs" to use VRRP like mechanism
- Only available if the forwarding mode on the interface is set to flow. This feature depends on Contrail.
- Can't be used with floating IP address mechanism
Blue prints
Simple VNF only connected to Internet / Floating IP
Synopsis
A simple single VNF is created with :
- a single interface connected to a private network where DHCP is enabled. DHCP will provide
- dynamic address in the subnet
- default route to go beyond the subnet : internet or an attached VPN
- a DNS server
- floating IP is used to provide internet connectivity, a NAT 1:1 will be configured by the vRouter
Routing consideration
VM is connected to a single virtual-network and no dynamic routing is configured. When the VM get its network configuration via DHCP, it will learn the default route. Default route will be the vRouter contrail in the subnet (in this blue print, the first
Security consideration:
In the example, not security group is applied, all traffic from internet to the public IP address will be sent to the VM. Consequently security mechanisms must exists in the VM to prevent corruption.
Example of matching use case:
netskope publisher
API orchestration
Once the design is done, some parameters is needed
| Parameter | Recommandation |
|---|---|
| Project ID | Customer project ID |
| Zone | SDN POP public name on which we want to create the VNF |
| VN Name | Can be fixed by the engineering of the service. Basically we should not have two duplicate VN name in a project |
| Subnet of the VN | engineering parameters, depend of the service. In general must not overlaps customer addressing plan. It's a good thing to propose a default one that will fit 90% of case and let the customer customize it if needed |
| Public IP address | Can't be guessed, must be booked thanks to the API |
| VM Name | Can be fixed by the engineering of the service. Basically we should not have two duplicate VM name in a project |
| Forwarding mode | Engineering parameter, must be choose by engineering of the service |
Creation
| Action | Call | Answer |
|---|
line 1
line 2
line 3
TODO : Trouver comment mettre un block de code dans un tableau
Removal
To work correctly we need to follow a precise order. Indeed:
- to release the public IP address, no VM/interface must use it
- to remove the VN, no interface must be connected to it
- to remove a volume, no VM must use it
| Action | Call | Answer |
|---|---|---|
| Delete the VM | delete /projects/'projectId'/zones/'zoneName'/virtualmachines/dddd4444-44dd-44dd-44dd-44dd44dd44dd | |
| Release the public IP | delete /projects/'projectId'/zones/'zoneName'/publicipaddresses/bbbb2222-22bb-22bb-22bb-22bb22bb22bb | |
| Delete the VN | delete /projects/'projectId'/zones/'zoneName'/virtualnetworks/aaaa1111-11aa-11aa-11aa-11aa11aa11aa |
Resilient VNF on two compute
Synopsis
