Difference between revisions of "Heat/Blueprints/VPaaS Support"
Line 246: | Line 246: | ||
"AWSTemplateFormatVersion" : "2010-09-09", | "AWSTemplateFormatVersion" : "2010-09-09", | ||
− | "Description" : " | + | "Description" : "", |
"Parameters" : { | "Parameters" : { | ||
− | + | ||
"ExternalNetworkId" : { | "ExternalNetworkId" : { | ||
"Description" : "External network id", | "Description" : "External network id", | ||
"Type" : "String", | "Type" : "String", | ||
− | "ConstraintDescription" : "must be a | + | "ConstraintDescription" : "must be a id of existing external network" |
}, | }, | ||
− | + | ||
"ExternalGatewayIPAddress" : { | "ExternalGatewayIPAddress" : { | ||
"Description" : "External Gateway IP address", | "Description" : "External Gateway IP address", | ||
"Type" : "String", | "Type" : "String", | ||
− | |||
"ConstraintDescription" : "must be an IP address of external gateway" | "ConstraintDescription" : "must be an IP address of external gateway" | ||
+ | }, | ||
+ | |||
+ | "SubnetCidr" : { | ||
+ | "Description" : "Subnet cidr", | ||
+ | "Type" : "String", | ||
+ | "ConstraintDescription" : "must be a cidr" | ||
+ | }, | ||
+ | |||
+ | "SubnetPoolStart" : { | ||
+ | "Description" : "Start of allocation pool for subnet", | ||
+ | "Type" : "String", | ||
+ | "ConstraintDescription" : "must be a valid IP address" | ||
+ | }, | ||
+ | |||
+ | "SubnetPoolEnd" : { | ||
+ | "Description" : "End of allocation pool for subnet", | ||
+ | "Type" : "String", | ||
+ | "ConstraintDescription" : "must be a valid IP address" | ||
+ | }, | ||
+ | |||
+ | "VPNPeerCidr" : { | ||
+ | "Description" : "Cidr for VPN peer", | ||
+ | "Type" : "String", | ||
+ | "ConstraintDescription" : "must be a valid cidr" | ||
} | } | ||
}, | }, | ||
− | + | ||
"Resources" : { | "Resources" : { | ||
Line 280: | Line 303: | ||
"network_id": { "Ref" : "Network" }, | "network_id": { "Ref" : "Network" }, | ||
"ip_version": 4, | "ip_version": 4, | ||
− | "cidr": " | + | "cidr": { "Ref" : "SubnetCidr" }, |
+ | "dns_nameservers": ["8.8.8.8"], | ||
"allocation_pools": [ { | "allocation_pools": [ { | ||
− | "start": " | + | "start": { "Ref" : "SubnetPoolStart" }, |
− | "end": " | + | "end": { "Ref" : "SubnetPoolEnd" } |
} | } | ||
] | ] | ||
Line 311: | Line 335: | ||
} | } | ||
}, | }, | ||
− | + | ||
"VPNService" : { | "VPNService" : { | ||
− | "Type" : "OS:: | + | "Type" : "OS::Neutron::VPNService", |
"Properties" : { | "Properties" : { | ||
"name" : "VPNService", | "name" : "VPNService", | ||
"description" : "My new VPN service", | "description" : "My new VPN service", | ||
+ | "admin_state_up" : true, | ||
"router_id" : { "Ref" : "Router" }, | "router_id" : { "Ref" : "Router" }, | ||
"subnet_id" : { "Ref" : "Subnet" } | "subnet_id" : { "Ref" : "Subnet" } | ||
Line 322: | Line 347: | ||
}, | }, | ||
− | + | "IKEPolicy" : { | |
− | "Type" : "OS:: | + | "Type" : "OS::Neutron::IKEPolicy", |
"Properties" : { | "Properties" : { | ||
"name" : "IKEPolicy", | "name" : "IKEPolicy", | ||
− | "description" : "My new IKE policy" | + | "description" : "My new IKE policy", |
+ | "auth_algorithm" : "sha1", | ||
+ | "encryption_algorithm" : "3des", | ||
+ | "phase1_negotiation_mode" : "main", | ||
+ | "lifetime" : { | ||
+ | "units" : "seconds", | ||
+ | "value" : 3600 | ||
+ | }, | ||
+ | "pfs" : "group5", | ||
+ | "ike_version" : "v1" | ||
} | } | ||
}, | }, | ||
"IPsecPolicy" : { | "IPsecPolicy" : { | ||
− | "Type" : "OS:: | + | "Type" : "OS::Neutron::IPsecPolicy", |
"Properties" : { | "Properties" : { | ||
"name" : "IPsecPolicy", | "name" : "IPsecPolicy", | ||
− | "description" : "My new IPsec policy" | + | "description" : "My new IPsec policy", |
+ | "transform_protocol": "esp", | ||
+ | "encapsulation_mode" : "tunnel", | ||
+ | "auth_algorithm" : "sha1", | ||
+ | "encryption_algorithm" : "3des", | ||
+ | "lifetime" : { | ||
+ | "units" : "seconds", | ||
+ | "value" : 3600 | ||
+ | }, | ||
+ | "pfs" : "group5" | ||
} | } | ||
}, | }, | ||
"IPsecSiteConnection" : { | "IPsecSiteConnection" : { | ||
− | "Type" : "OS:: | + | "Type" : "OS::Neutron::VPNConnection", |
"Properties" : { | "Properties" : { | ||
− | "name" : " | + | "name" : "VPNConnection", |
− | "description" : "My new | + | "description" : "My new VPN connection", |
"peer_address" : { "Ref" : "ExternalGatewayIPAddress" }, | "peer_address" : { "Ref" : "ExternalGatewayIPAddress" }, | ||
"peer_id" : { "Ref" : "ExternalGatewayIPAddress" }, | "peer_id" : { "Ref" : "ExternalGatewayIPAddress" }, | ||
− | "peer_cidrs" : [ " | + | "peer_cidrs" : [ { "Ref" : "VPNPeerCidr" } ], |
+ | "mtu" : 1500, | ||
+ | "dpd" : { | ||
+ | "actions" : "hold", | ||
+ | "interval" : 30, | ||
+ | "timeout" : 120 | ||
+ | }, | ||
"psk" : "secret", | "psk" : "secret", | ||
+ | "initiator" : "bi-directional", | ||
+ | "admin_state_up" : true, | ||
"ikepolicy_id" : { "Ref" : "IKEPolicy" }, | "ikepolicy_id" : { "Ref" : "IKEPolicy" }, | ||
"ipsecpolicy_id" : { "Ref" : "IPsecPolicy" }, | "ipsecpolicy_id" : { "Ref" : "IPsecPolicy" }, |
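Review bot: `"psk" : "secret"` is still a hard-coded pre-shared key in the IPsecSiteConnection properties, while this revision promotes the subnet CIDR, pool bounds and peer CIDR to template parameters; a PSK left in a shared template is a credential committed to source. It should become a parameter too, e.g. `"VPNPeerPSK" : { "Description" : "Pre-shared key for the VPN connection", "Type" : "String", "NoEcho" : "true" }` under Parameters and `"psk" : { "Ref" : "VPNPeerPSK" }` here, so the value is supplied at stack-create time and is not echoed back when the stack is described. The `peer_id` line reuses ExternalGatewayIPAddress, which matches the peer_address line above it but presumably needs its own parameter when the remote side identifies with something other than its address. The IKEPolicy and IPsecPolicy hunks above likewise hard-code `"encryption_algorithm" : "3des"` and `"auth_algorithm" : "sha1"`; parameterizing them the same way would let a deployment choose the AES options listed in the Components tables. The IPsecSiteConnection object continues past the end of this hunk (vpnservice_id is not shown).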
Latest revision as of 11:03, 13 August 2013
Summary
The point of this blueprint is to add VPNaaS components to resources supported by Heat.
VPNaaS components to add:
- VPNService
- IKEPolicy
- IPsecPolicy
- IPsecSiteConnection
Components
VPNServices
Property | Description |
---|---|
name | Name of the VPN Service. |
description | Description of the VPN Service. |
admin_state_up | Administrative state of the VPN service. If false (down), the port does not forward packets. |
subnet_id | Subnet id in which the tenant wants the vpn service. |
router_id | Router id to which the vpn service is inserted. |
Example:
... "Resources" : { ... "VPNService" : { "Type" : "OS::Neutron::VPNService", "Properties" : { "name" : "My VPN", "description" : "My new VPN", "admin_state_up" : true, "subnet_id" : { "Ref" : "Subnet" }, "router_id" : { "Ref" : "Router" } } } ... }, ...
IKEPolicy
Property | Description |
---|---|
name | Friendly name for the IKE policy. |
description | Description of the IKE policy. |
auth_algorithm | Authentication hash algorithm, e.g. "sha1". |
encryption_algorithm | Encryption algorithm, e.g. "3des", "aes-128", "aes-256", "aes-192". |
phase1_negotiation_mode | IKE phase 1 negotiation mode, e.g. "main". |
pfs | Perfect Forward Secrecy (group2, group5, group14). |
ike_version | IKE version, "v1" or "v2". |
lifetime | |
units | Unit of the SA lifetime: "seconds" or "kilobytes". |
value | Lifetime value, in the unit given above. |
Example:
... "Resources" : { ... "IKEPolicy" : { "Type" : "OS::Neutron::IKEPolicy", "Properties" : { "name" : "My IKEPolicy", "description" : "My new IKE policy", "auth_algorithm" : "sha1", "encryption_algorithm" : "3des", "phase1_negotiation_mode" : "main", "lifetime" : { "units" : "seconds", "value" : 3600 }, "pfs" : "group5", "ike_version" : "v1" } } ... }, ...
IPsecPolicy
Property | Description |
---|---|
name | Friendly name for the IPsec policy. |
description | Description of the IPsec policy. |
transform_protocol | Transform protocol used: "esp", "ah" or "ah-esp". |
encapsulation_mode | Encapsulation mode: "tunnel" or "transport". |
auth_algorithm | Authentication hash algorithm, e.g. "sha1". |
encryption_algorithm | Encryption algorithm, e.g. "3des", "aes-128", "aes-256", "aes-192". |
pfs | Perfect Forward Secrecy (group2, group5, group14). |
lifetime | |
units | Unit of the SA lifetime: "seconds" or "kilobytes". |
value | Lifetime value, in the unit given above. |
Example:
... "Resources" : { ... "IPsecPolicy" : { "Type" : "OS::Neutron::IPsecPolicy", "Properties" : { "name" : "My IPsecPolicy", "description" : "My new IPsec policy", "transform_protocol": "esp", "encapsulation_mode" : "tunnel", "auth_algorithm" : "sha1", "encryption_algorithm" : "3des", "lifetime" : { "units" : "seconds", "value" : 3600 }, "pfs" : "group5" } } ... }, ...
IPsecSiteConnection
Property | Description |
---|---|
name | Friendly Name for the IPsec site connection. |
description | Description of the IPsec site connection. |
peer_address | Remote branch router public IPv4 address or IPv6 address or FQDN. |
peer_id | Remote branch router identity. |
peer_cidrs | Peer private cidrs. |
mtu | Maximum transmission unit to address fragmentation. |
psk | Pre-shared key; any string. |
initiator | Whether this VPN can only respond to connections or can initiate as well ("bi-directional", "response-only"). |
admin_state_up | Administrative state of the VPN connection. If false (down), the VPN connection does not forward packets. |
ikepolicy_id | UUID id of IKE policy. |
ipsecpolicy_id | UUID id of IPsec policy. |
vpnservice_id | UUID id of VPN service. |
dpd | |
actions | DPD action; controls the use of the Dead Peer Detection protocol ("clear", "hold", "restart", "disabled", "restart-by-peer"). |
interval | Number of seconds for DPD delay. |
timeout | Number of seconds for DPD timeout. |
Example:
... "Resources" : { ... "VPNConnection" : { "Type" : "OS::Neutron::VPNConnection", "Properties" : { "name" : "My VPN connection", "description" : "My new VPN connection", "peer_address" : "10.0.0.1", "peer_id" : "peer", "peer_cidrs" : ["10.0.0.0/24"], "mtu" : 1500, "dpd" : { "actions" : "hold", "interval" : 30, "timeout" : 120 }, "psk" : "secret", "initiator" : "bi-directional", "admin_state_up" : true, "ikepolicy_id" : { "Ref" : "IKEPolicy" }, "ipsecpolicy_id" : { "Ref" : "IPsecPolicy" }, "vpnservice_id" : { "Ref" : "VPNService" } } } ... }, ...
Dependencies & References
- BL: VPN as a Service providing IPsec VPN with Static routing (UNDER REVIEW)
Appendix
VPNaaS.template
{ "AWSTemplateFormatVersion" : "2010-09-09", "Description" : "", "Parameters" : { "ExternalNetworkId" : { "Description" : "External network id", "Type" : "String", "ConstraintDescription" : "must be a id of existing external network" }, "ExternalGatewayIPAddress" : { "Description" : "External Gateway IP address", "Type" : "String", "ConstraintDescription" : "must be an IP address of external gateway" }, "SubnetCidr" : { "Description" : "Subnet cidr", "Type" : "String", "ConstraintDescription" : "must be a cidr" }, "SubnetPoolStart" : { "Description" : "Start of allocation pool for subnet", "Type" : "String", "ConstraintDescription" : "must be a valid IP address" }, "SubnetPoolEnd" : { "Description" : "End of allocation pool for subnet", "Type" : "String", "ConstraintDescription" : "must be a valid IP address" }, "VPNPeerCidr" : { "Description" : "Cidr for VPN peer", "Type" : "String", "ConstraintDescription" : "must be a valid cidr" } }, "Resources" : { "Network": { "Type": "OS::Quantum::Net", "Properties": { "name": "My Network" } }, "Subnet": { "Type": "OS::Quantum::Subnet", "Properties": { "name": "My Subnet", "network_id": { "Ref" : "Network" }, "ip_version": 4, "cidr": { "Ref" : "SubnetCidr" }, "dns_nameservers": ["8.8.8.8"], "allocation_pools": [ { "start": { "Ref" : "SubnetPoolStart" }, "end": { "Ref" : "SubnetPoolEnd" } } ] } }, "Router": { "Type": "OS::Quantum::Router", "Properties": { "name": "My Router" } }, "RouterInterface": { "Type": "OS::Quantum::RouterInterface", "Properties": { "router_id": { "Ref" : "Router" }, "subnet_id": { "Ref" : "Subnet" } } }, "RouterGateway": { "Type": "OS::Quantum::RouterGateway", "Properties": { "router_id": { "Ref" : "Router" }, "network_id": { "Ref" : "ExternalNetworkId" } } }, "VPNService" : { "Type" : "OS::Neutron::VPNService", "Properties" : { "name" : "VPNService", "description" : "My new VPN service", "admin_state_up" : true, "router_id" : { "Ref" : "Router" }, "subnet_id" : { "Ref" : "Subnet" } } }, "IKEPolicy" : 
{ "Type" : "OS::Neutron::IKEPolicy", "Properties" : { "name" : "IKEPolicy", "description" : "My new IKE policy", "auth_algorithm" : "sha1", "encryption_algorithm" : "3des", "phase1_negotiation_mode" : "main", "lifetime" : { "units" : "seconds", "value" : 3600 }, "pfs" : "group5", "ike_version" : "v1" } }, "IPsecPolicy" : { "Type" : "OS::Neutron::IPsecPolicy", "Properties" : { "name" : "IPsecPolicy", "description" : "My new IPsec policy", "transform_protocol": "esp", "encapsulation_mode" : "tunnel", "auth_algorithm" : "sha1", "encryption_algorithm" : "3des", "lifetime" : { "units" : "seconds", "value" : 3600 }, "pfs" : "group5" } }, "IPsecSiteConnection" : { "Type" : "OS::Neutron::VPNConnection", "Properties" : { "name" : "VPNConnection", "description" : "My new VPN connection", "peer_address" : { "Ref" : "ExternalGatewayIPAddress" }, "peer_id" : { "Ref" : "ExternalGatewayIPAddress" }, "peer_cidrs" : [ { "Ref" : "VPNPeerCidr" } ], "mtu" : 1500, "dpd" : { "actions" : "hold", "interval" : 30, "timeout" : 120 }, "psk" : "secret", "initiator" : "bi-directional", "admin_state_up" : true, "ikepolicy_id" : { "Ref" : "IKEPolicy" }, "ipsecpolicy_id" : { "Ref" : "IPsecPolicy" }, "vpnservice_id" : { "Ref" : "VPNService" } } } } }