How to Configure OpenStack Networks for Internet Access

Kifarunix
|
Last Updated:
|
HowTos, OpenStack, Virtualization
|
2 Comments
How to Configure OpenStack Networks for Internet Access

How would you configure OpenStack networks for Internet access? Internet access is crucial for various reasons within an OpenStack environment. VMs may need to download updates, access external repositories, or communicate with external services. Additionally, users and administrators often require internet connectivity for management and monitoring tasks. Therefore, establishing a robust network configuration that allows for secure and efficient internet access is fundamental to the overall functionality and usability of an OpenStack deployment. The purpose of this guide is to offer a comprehensive step-by-step explanation of the process involved in configuring OpenStack networks to enable Internet access, thereby guaranteeing complete connectivity and accessibility within your cloud infrastructure.

Configuring OpenStack Networks for Internet Access

Key Components Involved:

  1. Neutron Networking Service:
    • OpenStack Neutron is the networking component responsible for managing the networks and IP addresses used by VMs. Understanding Neutron’s features and capabilities is essential for effective network configuration.
    • In an OpenStack deployment architecture, you have seperate nodes dedicated to host the OpenStack networking services. In our demo setup, we are hosting our OpenStack neutron on the controller node.
  2. Router Setup:
    • Routers in OpenStack play a pivotal role in connecting internal networks to external networks, including the internet. This guide will delve into configuring routers to enable traffic flow between internal networks and the internet.
  3. Floating IPs:
    • Floating IPs are public IP addresses assigned to VMs, enabling them to communicate with external networks. Proper allocation and management of floating IPs are crucial for internet connectivity.
  4. Security Groups:
    • Security Groups act as virtual firewalls for VMs, controlling inbound and outbound traffic. Configuring security groups is integral to ensuring secure internet access while protecting the VMs from unauthorized access.

Deploy OpenStack

For the purposes of demo, we are running a three node Openstack in our environment deployed using Kolla-Ansible.

Check the guides below if you need setup OpenStack using Kolla-Ansible.

How to deploy OpenStack using Kolla-Ansible

Network Topology

In our basic multinode deployment, our architecture is depicted by the screenshot below;

openstack networking

We have the management network as 192.168.200.0/24 and the network we will use to provide floating IPs as 10.100.0.0/24.

See our previous post on how deploy multinode OpenStack using Kolla-Ansible for the network configuration on nodes.

Note that, we have also configured the controller node to act as a Linux router. If you are looking at how to configure a Linux system to function as Linux router, check our guide below;

Configure Linux as a Linux Router

Create OpenStack Networks

There are different types of OpenStack networks each serving different purpose.

  1. Provider Networks:
    • Provider networks, also known as external networks, are connected to the physical network infrastructure outside the OpenStack environment. These networks are typically used for connecting VMs to the external world, such as the internet or other networks.
    • Provider networks are essential for enabling VMs to access external resources, download updates, or communicate with external services.
  2. Tenant (Project) Networks:
    • Tenant networks are internal networks created by users or projects within OpenStack. Each project can have its own set of isolated networks. These networks are often associated with private IP address ranges, allowing VMs within the same project to communicate while being isolated from other projects.
    • Tenant networks provide isolation between different projects or tenants within the OpenStack environment. They are suitable for creating segregated environments for different users or applications.
  3. Flat Networks:
    • In a flat network, all devices share the same network segment and address space. VMs in a flat network can communicate with each other without the need for network address translation (NAT).
    • Flat networks can be suitable for specific use cases where simplicity and flat addressing are preferred, such as in testing environments.
  4. VLAN (Virtual LAN) Networks:
    • VLAN networks use IEEE 802.1Q VLAN tagging to segment network traffic on the physical network. Each VLAN represents a separate logical network within a physical network, allowing multiple isolated networks to coexist on the same physical infrastructure.
    • VLAN networks are commonly used when there is a need for network segmentation to enhance security and performance. They are widely used in enterprise environments.
  5. VXLAN (Virtual Extensible LAN) Networks:
    • VXLAN is a network virtualization technology that allows the creation of logical networks over an existing physical network. It extends Layer 2 networks beyond their traditional boundaries, providing network isolation for VMs.
    • VXLAN networks are often used in scenarios where a large number of isolated networks are required, such as in multi-tenant environments. They help overcome the limitations of VLANs.
  6. GRE (Generic Routing Encapsulation) Networks:
    • GRE is another network encapsulation protocol that creates tunnels for carrying network traffic between different locations. It allows the creation of overlay networks, similar to VXLAN.
    • GRE networks are used when there is a need for overlay networks that can span across physical network boundaries. They are commonly used in virtual private cloud (VPC) setups.

Create OpenStack External Network

You can create a network from Horizon dashboard or from the command line. To create an external network from horizon;

  • Login to the horizon dashboard
  • Select the appropriate project from the drop down menu at the top left. Since we are creating an external network, we will use admin project.
  • Thus, navigate to Admin > Network > Networks > Create Network.
  • In the Create Network Wizard;
    • Network tab
      • Network Name: define the name of the network
      • Shared: Define whether the network can be shared with other projects. Only admin users are allowed to create shared networks.
      • Provider network type. Various types of networks are stated above. So here, we will use flat network type.
      • Physical network: Here, you need to define a physical network defined in the neutron. For example, we will use physnet1. This physical network (physnet1) is associated with our Linux bridge interface, br-ex, which we will use to provide floating IPs. See diagram above. This is also defined under the neutron /etc/kolla/neutron-openvswitch-agent/openvswitch_agent.ini config file, under [ovs] section as bridge_mappings = physnet1:br-ex.
      • Admin State: The state to start the network in.
      • Create Subnet: Select this check box to create a subnet.
      • Specify the availability zone (nova by default).
      • Leave MTU blank to use the default values.
        How to Configure OpenStack Networks for Internet Access
    • Subnet tab
      • Creates a subnet associated with the network. You need to enter subnet name, a valid “Network Address” and “Gateway IP“.
      • If you did not enter the “Gateway IP“, the first value of a network will be assigned by default. Remember we are using our controller node, which also doubles up as the internal router as the gateway for this network.
      • If you do not want gateway please check the “Disable Gateway” checkbox. For internet access, you definitely will need this!
        How to Configure OpenStack Networks for Internet Access
      • If you noticed, we set the gateway to our controller node ip. Remember we had set our controller to also act as a Linux route. Thus, ensure you configure the right gateway for your provider network.
    • Subnet Details tab
      • Enable DHCP and define IP addresses allocation pool
      • Set the DNS Name Servers
      • If you have any custom routes, then define Host Routes.
        How to Configure OpenStack Networks for Internet Access
  • Click Create to create the network.

Your network will now appear under your networks section.

openstack external networks

Click on the network name to view more details.

You can confirm the same from command line;

source $HOME/kolla-ansible/bin/activate
source /etc/kolla/admin-openrc.sh

List available networks;

openstack network list
+--------------------------------------+---------+--------------------------------------+
| ID                                   | Name    | Subnets                              |
+--------------------------------------+---------+--------------------------------------+
| 6c6bc33b-73ba-4d6f-af80-e8ae6bafcb41 | EXT_NET | f28bf31f-65d4-4ba0-b933-aa6e48366fb0 |
+--------------------------------------+---------+--------------------------------------+

To see more details, get the ID of the network and show the details using openstack network show <ID> command.

openstack network show 6c6bc33b-73ba-4d6f-af80-e8ae6bafcb41
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        | nova                                 |
| created_at                | 2023-10-31T18:51:14Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | 6c6bc33b-73ba-4d6f-af80-e8ae6bafcb41 |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1500                                 |
| name                      | EXT_NET                              |
| port_security_enabled     | True                                 |
| project_id                | b06556ca186746ff97b6b51faf83129b     |
| provider:network_type     | flat                                 |
| provider:physical_network | physnet1                             |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 2                                    |
| router:external           | External                             |
| segments                  | None                                 |
| shared                    | True                                 |
| status                    | ACTIVE                               |
| subnets                   | f28bf31f-65d4-4ba0-b933-aa6e48366fb0 |
| tags                      |                                      |
| tenant_id                 | b06556ca186746ff97b6b51faf83129b     |
| updated_at                | 2023-10-31T18:51:14Z                 |
+---------------------------+--------------------------------------+

Check the subnets;

openstack subnet list
+--------------------------------------+------------+--------------------------------------+---------------+
| ID                                   | Name       | Network                              | Subnet        |
+--------------------------------------+------------+--------------------------------------+---------------+
| f28bf31f-65d4-4ba0-b933-aa6e48366fb0 | EXT_SUBNET | 6c6bc33b-73ba-4d6f-af80-e8ae6bafcb41 | 10.100.0.0/24 |
+--------------------------------------+------------+--------------------------------------+---------------+

To see more details, use the command, openstack subnet show <ID>

openstack subnet show f28bf31f-65d4-4ba0-b933-aa6e48366fb0
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| allocation_pools     | 10.100.0.150-10.100.0.250            |
| cidr                 | 10.100.0.0/24                        |
| created_at           | 2023-10-31T18:51:14Z                 |
| description          |                                      |
| dns_nameservers      | 8.8.8.8                              |
| dns_publish_fixed_ip | None                                 |
| enable_dhcp          | True                                 |
| gateway_ip           | 10.100.0.100                         |
| host_routes          |                                      |
| id                   | f28bf31f-65d4-4ba0-b933-aa6e48366fb0 |
| ip_version           | 4                                    |
| ipv6_address_mode    | None                                 |
| ipv6_ra_mode         | None                                 |
| name                 | EXT_SUBNET                           |
| network_id           | 6c6bc33b-73ba-4d6f-af80-e8ae6bafcb41 |
| project_id           | b06556ca186746ff97b6b51faf83129b     |
| revision_number      | 0                                    |
| segment_id           | None                                 |
| service_types        |                                      |
| subnetpool_id        | None                                 |
| tags                 |                                      |
| updated_at           | 2023-10-31T18:51:14Z                 |
+----------------------+--------------------------------------+

Create OpenStack Internal Project Network

Next, you need to create internal networks for your respective projects. Project networks provide isolation between different projects or tenants. This ensures that the resources (e.g., instances, routers, and networks) created within a project are segregated from those in other projects.

To create an internal network:

  • Select your appropriate project
  • Navigate to Networks > Network > Create Network.
  • Network tab:
    • Define the name of the network
    • Check the “Enable admin state” to enable the network
    • Leave shared as unchecked.
    • Enable Create Subnet.
    • Leave MTU blank to use defaults.
      How to Configure OpenStack Networks for Internet Access
  • Subnet tab
    • Define the subnet
    • The network address CIDR
    • IP version
    • Default gateway. We leave this blank so it uses .1 of the network automatically.
      create internal network subnet
  • Subnet Details tab
    • Enable DHCP and define IP addresses allocation pool
    • Set the DNS Name Servers
    • If you have any custom routes, then define Host Routes.
      create internal network subnet details
  • Click Create to create the network.

The network will now appear under Networks section.

networks

You can check the details from the command line as shown above.

Create OpenStack Network Router

Next, we need a router to connect internal networks to the external network.

Thus:

  • Select your appropriate project and navigate to project > Networks > Routers > Create Router.
  • Enter the name of the router and enable it.
  • Select the external network and enable SNAT.
  • Create the router.
    create a network router
  • Click Create to create the network router.

Your router should now be listed under routers section.

routers

Click on the name of the router to view more details.

router details

Similarly, you can use command line to get a list of routers you have;

openstack router list
+--------------------------------------+---------+--------+-------+----------------------------------+-------------+-------+
| ID                                   | Name    | Status | State | Project                          | Distributed | HA    |
+--------------------------------------+---------+--------+-------+----------------------------------+-------------+-------+
| 1dd5ffa8-3a81-47ce-af13-c61eb5511f2a | DEMO_R1 | ACTIVE | UP    | b06556ca186746ff97b6b51faf83129b | False       | False |
+--------------------------------------+---------+--------+-------+----------------------------------+-------------+-------+

To list more details (Replace the ID accordingly);

openstack router show 1dd5ffa8-3a81-47ce-af13-c61eb5511f2a
+-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                   | Value                                                                                                                                                                                    |
+-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up          | UP                                                                                                                                                                                       |
| availability_zone_hints |                                                                                                                                                                                          |
| availability_zones      | nova                                                                                                                                                                                     |
| created_at              | 2023-10-31T19:18:51Z                                                                                                                                                                     |
| description             |                                                                                                                                                                                          |
| distributed             | False                                                                                                                                                                                    |
| enable_ndp_proxy        | None                                                                                                                                                                                     |
| external_gateway_info   | {"network_id": "6c6bc33b-73ba-4d6f-af80-e8ae6bafcb41", "external_fixed_ips": [{"subnet_id": "f28bf31f-65d4-4ba0-b933-aa6e48366fb0", "ip_address": "10.100.0.176"}], "enable_snat": true} |
| flavor_id               | None                                                                                                                                                                                     |
| ha                      | False                                                                                                                                                                                    |
| id                      | 1dd5ffa8-3a81-47ce-af13-c61eb5511f2a                                                                                                                                                     |
| interfaces_info         | []                                                                                                                                                                                       |
| name                    | DEMO_R1                                                                                                                                                                                  |
| project_id              | b06556ca186746ff97b6b51faf83129b                                                                                                                                                         |
| revision_number         | 3                                                                                                                                                                                        |
| routes                  |                                                                                                                                                                                          |
| status                  | ACTIVE                                                                                                                                                                                   |
| tags                    |                                                                                                                                                                                          |
| tenant_id               | b06556ca186746ff97b6b51faf83129b                                                                                                                                                         |
| updated_at              | 2023-10-31T19:18:51Z                                                                                                                                                                     |
+-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Attach OpenStack Networks to OpenStack Router

Next, you need to attach internal network interface to the route. As you can see above, an IP in the external network has already been assigned to the router.

To attach an internal network interface with an IP from that network to the router,

  • Click the name of the respective router to open more settings.
  • Click on Interfaces tab > Add Interface.
  • Select the network subnet on which to attach an interface
  • Set the IP address of the interface. If you don’t specify an IP address here, the gateway’s IP address of the selected subnet will be used as the IP address of the newly created interface of the router.
  • Submit when done.
attach internal network to the router

So, you now have a router that can connect internal OpenStack instances and external network.

From the command line, you can confirm that the routers/networks and their respective namespaces have been created.

List the routers;

openstack router list
openstack router show <ROUTER_ID>
+-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                   | Value                                                                                                                                                                                    |
+-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up          | UP                                                                                                                                                                                       |
| availability_zone_hints |                                                                                                                                                                                          |
| availability_zones      | nova                                                                                                                                                                                     |
| created_at              | 2023-10-31T19:18:51Z                                                                                                                                                                     |
| description             |                                                                                                                                                                                          |
| distributed             | False                                                                                                                                                                                    |
| enable_ndp_proxy        | None                                                                                                                                                                                     |
| external_gateway_info   | {"network_id": "6c6bc33b-73ba-4d6f-af80-e8ae6bafcb41", "external_fixed_ips": [{"subnet_id": "f28bf31f-65d4-4ba0-b933-aa6e48366fb0", "ip_address": "10.100.0.176"}], "enable_snat": true} |
| flavor_id               | None                                                                                                                                                                                     |
| ha                      | False                                                                                                                                                                                    |
| id                      | 1dd5ffa8-3a81-47ce-af13-c61eb5511f2a                                                                                                                                                     |
| interfaces_info         | [{"port_id": "735cb47e-e814-47d4-a8a0-1cf5de673fb2", "ip_address": "192.168.50.1", "subnet_id": "568de42e-89ab-40df-86f4-5b99fd95014a"}]                                                 |
| name                    | DEMO_R1                                                                                                                                                                                  |
| project_id              | b06556ca186746ff97b6b51faf83129b                                                                                                                                                         |
| revision_number         | 4                                                                                                                                                                                        |
| routes                  |                                                                                                                                                                                          |
| status                  | ACTIVE                                                                                                                                                                                   |
| tags                    |                                                                                                                                                                                          |
| tenant_id               | b06556ca186746ff97b6b51faf83129b                                                                                                                                                         |
| updated_at              | 2023-10-31T19:47:20Z                                                                                                                                                                     |
+-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

OpenStack Network Namespaces

When you create networks/routers, associated namespaces are created as well. In OpenStack, network namespaces are used to provide network isolation for different projects, users, or services. They are a crucial feature for achieving multi-tenancy and ensuring that each project or user’s network resources are isolated from others. They allow you to create separate network environments within a shared OpenStack infrastructure.

You can list available network namespaces using the command ip netns or ip netns list. You need to execute these commands on the controller node;

ip netns

Sample output;

qrouter-1dd5ffa8-3a81-47ce-af13-c61eb5511f2a (id: 2)
qdhcp-58cd571f-4b2e-41ca-a836-8708c19a6d47 (id: 1)
qdhcp-6c6bc33b-73ba-4d6f-af80-e8ae6bafcb41 (id: 0)

See, qrouter-ROUTER-ID, or qdhcp-NETWORK-ID, as can be seen in the openstack commands above.

To check the router IP details from the namespace;

sudo ip netns exec qrouter-1dd5ffa8-3a81-47ce-af13-c61eb5511f2a ip a

Sample output;

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
18: qg-eace66fa-f1:  mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fa:16:3e:b4:dd:f1 brd ff:ff:ff:ff:ff:ff
    inet 10.100.0.176/24 brd 10.100.0.255 scope global qg-eace66fa-f1
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:feb4:ddf1/64 scope link 
       valid_lft forever preferred_lft forever
19: qr-735cb47e-e8:  mtu 1450 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fa:16:3e:db:d7:9b brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.1/24 brd 192.168.50.255 scope global qr-735cb47e-e8
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fedb:d79b/64 scope link 
       valid_lft forever preferred_lft forever

Try to ping outside from the router itself;

sudo ip netns exec qrouter-1dd5ffa8-3a81-47ce-af13-c61eb5511f2a ping -c 4 8.8.8.8

Sample output;

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=6.82 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=5.58 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=57 time=5.31 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=57 time=5.28 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 5.284/5.749/6.823/0.630 ms

As you can see, the router has Internet access. As such, any instances that will be using this router as their gateway should as well have Internet access.

If you want to login to namespace router;

sudo ip netns exec qrouter-1dd5ffa8-3a81-47ce-af13-c61eb5511f2a bash

Verify OpenStack Instances Internet Access

Now, the networking part is done. Let’s create an a simple instance to verify external network connectivity.

Thus, select your respective project where you want to create an instance, and create an instance.

To create an instance, you need to have already uploaded an image you want to use and have flavors ready. You can check other guides on how to do that.

While creating an instance, we attached it to internal network;

image

When created, it is assigned an IP automatically from the DHCP pool defined on the network attached.

How to Configure OpenStack Networks for Internet Access

When the instance is running, open it and launch its console;

instance console networking

Let’s ping 8.8.8.8;

ping -c 4 8.8.8.8

or;

ping -c google.com
openstack instance internet access

And that is it!

Based on our deployment architecture, you have been able to configure OpenStack and enable internet access fort the instances.

That brings us to the end of our tutorial on configuring OpenStack networks for Internet access.

SUPPORT US VIA A VIRTUAL CUP OF COFFEE

We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
Kifarunix
Linux Certified Engineer, with a passion for open-source technology and a strong understanding of Linux systems. With experience in system administration, troubleshooting, and automation, I am skilled in maintaining and optimizing Linux infrastructure.

Related Posts

Install WPS Office on Ubuntu 20.04/Debian 11

Install and Setup NFS Server on Debian 12

Setup OpenVPN Server on CentOS 8

Install DokuWiki on CentOS 8

How to Install Docker Desktop on Kali Linux

Exploring API Authentication Methods for Digital Infrastructure Security in Business

2 thoughts on “How to Configure OpenStack Networks for Internet Access”

  1. Thank you for your guidance! Is it possible to add IPv6 to the router and assign a block IPv6 from the DHCP pool for VM ?
    I don’t find any instructions for it

    Reply

  2. Nice doc btw im tryin to replicate similar environment using x3 nodes ctrl compute &storage all based on vsphere vcenter VMs where i had a port group for Management and another that will serve as the provider network howevet im still gettin confused about all that. Any additional help is much appreciated. Thanks

    Reply

Leave a Comment

© 2024 kifarunix.com

Home Advertise with us Privacy Policy