Murano/Specifications/Network Management

Revision as of 13:43, 22 October 2013 by Alexander Tivelkov

Per-environment Network Management

Purpose

Murano defines an Environment as an isolated group of services. These groups should be completely independent from each other: there should be no possibility of unexpected and unwanted interference between the services of different environments. Security is also very important here: even within a single tenant there may be sensitive scenarios that require eliminating even the theoretical possibility of eavesdropping, sniffing, traffic interception and other malicious attempts by one service against another located in a different environment. That is why the default behavior for Murano is to place its environments into different network segments, thus providing isolation at the physical level. However, other scenarios may require different environments to communicate in a more tightly integrated manner. In such scenarios, services of different environments may (or even should) be placed within the same network segments to simplify direct communication between them.

This specification defines these scenarios and their support in Murano in more detail.

Default scenario

By default, Murano will create a Network (L2 segment) dedicated to each deployed Environment. A subnet (L3 segment) will be allocated within this Network. The IP range for this subnet will be unique among the subnets of this tenant. There are different possible ways of achieving this, using different subnet sizes. The proposed default is to use class C networks with a 24-bit subnet mask. In this case, the first two octets will be fixed (read from a configuration file), the third octet will be managed by Murano, which will pick and assign any available value (i.e. one not taken by any other environment of this tenant), and the resulting subnet mask will be 255.255.255.0. This allows up to 255 possible environments, each having a maximum of 252 virtual machine nodes.
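The allocation rule above, as an added Python example (not Murano's own code): it picks the first /24 under the configured two-octet prefix that overlaps no subnet already present in the tenant, so a manually created range of a different size cannot silently share addresses with a new environment. The prefix `10.200.0.0/16`, the names `allocate_env_subnet` and `SubnetPoolExhausted`, and the sample subnet list are assumptions made for illustration.

```python
import ipaddress

# Assumption: the fixed first two octets, as they would be read from the
# configuration file (hypothetical value).
ENV_SUPERNET = ipaddress.ip_network("10.200.0.0/16")


class SubnetPoolExhausted(Exception):
    """Raised when no free /24 remains under the configured prefix."""


def allocate_env_subnet(existing_cidrs, supernet=ENV_SUPERNET):
    """Return the first /24 in `supernet` that overlaps none of the tenant's subnets.

    existing_cidrs: CIDR strings of every subnet already in the tenant,
    not only the ones created for other environments.
    """
    taken = [ipaddress.ip_network(c, strict=False) for c in existing_cidrs]
    for candidate in supernet.subnets(new_prefix=24):
        # overlaps() also catches wider or narrower ranges, not just exact
        # /24 matches: a hand-made 10.200.2.0/23 blocks octets 2 and 3.
        if not any(candidate.overlaps(t) for t in taken):
            return candidate
    raise SubnetPoolExhausted(f"no free /24 left in {supernet}")


# Constructed sample: subnets already present in one tenant.
SAMPLE_TENANT_SUBNETS = [
    "10.200.0.0/24",     # environment A
    "10.200.1.0/24",     # environment B
    "10.200.2.0/23",     # manually created, spans third octets 2 and 3
    "10.200.4.128/25",   # manually created, half of third octet 4
    "192.168.10.0/24",   # unrelated range outside the prefix
]

if __name__ == "__main__":
    subnet = allocate_env_subnet(SAMPLE_TENANT_SUBNETS)
    print(subnet, subnet.netmask)
```

Comparing only the third octet against other environments would hand out octet 2, 3 or 4 here; checking overlap against all tenant subnets is what preserves the uniqueness the specification asks for.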