Difference between revisions of "Blueprint-aws-vpc-support"

Latest revision as of 22:45, 12 November 2013

Overview

Havana release of Openstack, supports EC2 API translation to Nova, Quantum, Keystone calls. Using EC2 APIs user can launch VMs, assign IP addresses to VMs and so on. This blueprint enhances the EC2 APIs to support the amazon VPC APIs.

Who/Why/What

Who

This feature will be used by tenants for creating a VPC environment equivalent to Amazon VPC. Within the VPC the tenant can create multiple subnets, associate DHCP options. Tenant can also create network ACLs to control traffic flow. Tenant can create nat and vpn gateways to access the internet or data center.

Why

Customers will use this feature so that they can reuse the existing scripts written for Amazon VPC. This will make it easy for them to move or extend their Amazon workloads to an Openstack cluster. This also helps customers in transitioning to Openstack based cloud or Openstack based private datacenters.

What

Customers have CLI or scripts written to use Amazon VPC APIs. They can directly use their scripts with this feature. In addition euca2ools have been extended to support VPC CLI. A pull request is in progress of euca2ools related changes. The examples are all listed below.

VPC maps to Openstack Project

VPC represents a virtual private cloud. It’s a container where all the networking resides – subnets, security groups, instance association to subnets, DHCP configuration, routing tables, gateway (vpn, nat, regular).

VPC would closely match to a Project in Openstack. Project is a container for all the items listed in a VPC. VPC level cidr_block would need to be stored in the project – this information is passed through to the relevant plugins.

CreateVpc

Request contains CidrBlock as required params.

InstanceTenancy as optional params

Return value is a VpcId and state of the VPC

In Openstack the request would translate into the following actions:

• Create a unique id for the project such as vpc-a23aad23
• Create the project with this name using keystone API
• Use cidr_block then create an IPAM object in the project using Quantum API.
• Use Quantum API to create default network ACL, default route table and default security group
• Return VpcId and state as "available" if all steps are successful

DescribeVpc

Optional params: vpcid and filters

Return value is all VPC related information [state, cidrblock, dhcp, etc]

In Openstack the request would translate into the following actions:

• Use keystone APIs to fetch all project information
• Apply filters to create list of only requested information
• Return VPC details

DeleteVpc

Required params: vpcid

Return true if deleted else false

In Openstack the request would translate into the following actions:

• Use keystone API to delete the project
• Return true if successful else false

VPC Subnet maps to Openstack Network

Subnets in VPC are equivalent to defining networks with a cidr block.

CreateSubnet

Request contains VpcId and CidrBlock as required params

Return value is a SubnetId

In Openstack the request would translate into the following actions:

• Select a UUID and map it to an VPC id such as subnet-abcd1234
• Get the project based on the passed VpcId
• Get the Network IPAM object for the project to read the VPC level CidrBlock.
• Ensure that the passed subnet level CidrBlock is valid in the VPC level CidrBlock.
• Use Quantum APIs to create a network with this SubnetId and CidrBlock
• Return SubnetId and state as available if all steps are successful

DescribeSubnets

Optional params: subnetid and filters

Return value is all subnet related information [state, address-count]

In Openstack the request would translate into the following actions:

• Use quantum APIs to read the networks
• Return network information to be returned based on filters

DeleteSubnet

Required param: subnetid

Return value is true or false

In Openstack the request would translate into the following actions:

• Use quantum APIs to get the list of networks
• For each network map its UUID to subnetID and compare with passed subnetid.
• If match succesful then delete network else return false.

VPC DHCP Options maps to Openstack Network IPAM

These APIs are dependent on the Network IPam objects to be added at a domain level. Network IPAM object needs to be added to Quantum/Openstack. This can be done as part of this blueprint or a separate Network IPAM blueprint.

CreateDhcpOptions

Request contains DHCP key, value pairs as params

Return value is a DhcpOptionsId and list of options

In Openstack the request would translate into the following actions:

• Create UUID and map to DhcpOptionsId such as dopt-abcd1234
• Use Quantum APIs to create network IPAM with DHCP options. This network IPAM object can be created at the domain level.
• Return DhcpOptionsId and list of DHCP options

AssociateDhcpOptions

Request contains DhcpOptionsId and VpcId to associate with

Return value is a DhcpOptionsId and list of options

In Openstack the request would translate into the following actions:

• Get the project based on the passed VpcId
• Get the network IPAM which contains the passed DhcpOptionsId
• Associate these dhcp options to the project

DescribeDhcpOptions

Optional params: DhcpOptionsId and filters

Return value is a list of dhcp options information

In Openstack the request would translate into the following actions:

• Use quantum API to get all dhcp options
• Match based on filters and id
• Return the list

DeleteDhcpOptions

Required param: DhcpOptionsId

Return value is true or false

In Openstack the request would translate into the following actions:

• Use quantum APIs to get the list of ipams
• For each ipam map its UUID to DhcpOptionsId and compare with passed DhcpOptionsId.
• If match succesful then delete network else return false.

EC2 Instance API changes

EC2 Instance level APIs already exist in the Openstack Grizzly release. There is one change required to add support for launching instance with a particular VPC subnet.

RunInstances

Request contains one additional parameter called VPC SubnetId

Return value is regular response of RunInstances

In Openstack the request would translate into the following actions:

• Get the VpcId/Project associated with the passed SubnetId
• Get the Network associated with the associated SubnetId
• Launch the VM/Instance with the Network

VPC Network ACL maps to Openstack Network Policy

These APIs map to the quantum APIs for network policy. This is currently work in progress and is supported via Quantum extensions

CreateNetworkAcl

Required param: VpcId

Response contains NetworkAclId and ingress, egress default ACLs

In Openstack the request would translate into the following actions:

• Get the Project based on VpcId
• Create UUID and map to NetworkAclId such as acl-abcd1234
• Use Quantum APIs to create network policy using name as NetworkAclId
• Use Quantum APIs to add ingress and egress default rules with rule-id being 32767

DeleteNetworkAcl

Required param NetworkAclId

Response is true or false

In Openstack the request would translate into the following actions:

• Check if NetworkPolicy is attached to a network
• If still attached then return false
• Else use Quantum API to delete the Network Policy based on NetworkAclId
• Return true or false based on status

ReplaceNetworkAclAssociation

Required param AssociationId, NetworkAclId

Response is newAssociationId

In Openstack the request would translate into the following actions:

• Use Quantum to read  the network policy based on NetworkAclId
• Find the network based on AssociatedId that this policy is attached to. To do this we use network UUID as associated ID
• Use Quantum to remove the policy attachment
• Use Quantum to attach the new policy
• Return the new association ID

CreateNetworkAclEntry

Required params: NetworkAclId, RuleNumber, 5-tuple , direction

Response status with true or false

In Openstack the request would translate into the following actions:

• Use Quantum to get  the Network Policy using NetworkAclId
• Use Quantum APIs to read all the rules in the Network Policy.
• Insert the new rule at the correct location based on rule-number
• Write the complete list of rules back in the NetworkPolicy
• Return true if successful else false

DeleteNetworkAclEntry

Required params: NetworkAclId, RuleNumber

Optional params: Egress

Response status with true or false

In Openstack the request would translate into the following actions:

• Use Quantum to get  the Network Policy using NetworkAclId
• Use Quantum APIs to read all the rules in the Network Policy.
• Delete the rule that matches the rule number. If egress is specified then delete only egress rule else delete ingress rule
• Write the complete list of rules back in the NetworkPolicy
• Return true if successful else false

ReplaceNetworkAclEntry

Required params: NetworkAclId, RuleNumber, 5 tuple, direction

Response status with true or false

In Openstack the request would translate into the following actions:

• Use Quantum to get  the Network Policy using NetworkAclId
• Use Quantum APIs to read all the rules in the Network Policy.
• Update the rule that matches the rule number with the new information
• Write the complete list of rules back in the NetworkPolicy
• Return true if successful else false

VPC Allocate Address maps to Openstack Floating IPs

All VPC address APIs map to the Openstack floating IP APIs. These APIs have been enhanced by Amazon for VPC support in addition to the pre-existing EC2 support. When domain is passed as VPC then we will use Quantum floating IP APIs.

In addition administrator needs to pre-provision a network which can be used as a floating IP pool.

AllocateAddress

Required params: Domain - vpc

Response contains FloatingIP

In Openstack the request would translate into the following actions:

• Use Quantum APIs to get the list of networks
• For each network compare network name with “public” to get public network of FloatingIP.
• If match successful then use Quantum API to create a FloatingIP from public network pool.
• Return FloatingIP if successful else return Exception

ReleaseAddress

Required params: AllocationId or FloatingIp

Response is true or false

In Openstack the request would translate into the following actions:

• Use Quantum APIs to get the list of Floating IPs
• For each Floating IP If AllocationId is given then map the FloatingIp uuid to AllocationId and compare with given AllocationId else If FloatingIp is given compare it with FloatingIp
• If match successful then use Quantum API to delete the FloatingIp from public network pool.
• Return true if successful else exception

AssociateAddress

Required params: InstanceId, AllocationId or FloatingIp

Response is AllocationId

In Openstack the request would translate into the following actions:

• Map the given InstanceId to Instance uuid using ec2utils
• Use Compute APIs to fetch list of fixed Ips for using Instance uuid
• If multiple fixed IPs select the first fixed IP
• Use Quantum APIs to get the list of Floating IPs
• For each Public IP If AllocationId is given then map the FloatingIp uuid to AllocationId and compare with given AllocationId else If FloatingIp is given compare it with FloatingIp
• Use Quantum APIs to get the list of Ports using for the given instance using Instance uuid
• Use Quantum APIs to associate FloatingIp to all fetched ports
• Use ec2utils to generate AssociationId from FloatingIp uuid
• Return Association if successful else exception

DisassociateAddress

Required params: AllocationId or FloatingIp

Response is true or false

In Openstack the request would translate into the following actions:

• Use Quantum APIs to get the list of Floating IPs
• For each FloatingIp If AllocationId is given then map the FloatingIp uuid to AllocationId and compare with given AllocationId else If FloatingIp is given compare it with FloatingIp
• If match successful then use Quantum API to update the FloatingIp ports to None to disassociate FloatingIp
• Return true if successful else exception

DescribeAddress

Optional params: FloatingIp and filters

Return value is a list of Floating IP information

In Openstack the request would translate into the following actions:

• Use quantum API to get all FloatingIP
• Match based on filters and id
• Return the list

VPC Security Group maps to Openstack Security Group

All VPC security group APIs map to the Openstack security group APIs. A default security group is created when a VPC is created. All instances are associated with the default security group until the association is changed.

Amazon passed the keywork EC2-VPC for calls that need to be handled by Quantum.

CreateSecurityGroup

DescribeSecurityGroups

DeleteSecurityGroup

AuthoriseSecurityGroupIngress

RevokeSecurityGroupIngress

AuthoriseSecurityGroupEgress

RevokeSecurityGroupEgress

DescribeSecurityGroup

RunInstances

VPC route table [new changes needed in Openstack]

CreateRouteTable

DescribeRouteTables

DeleteRouteTable

ReplaceRouteTableAssociation

DisassociateRouteTable

CreateRoute

DeleteRoute

ReplaceRoute