Deep Dive into OpenStack Neutron

Understanding OpenStack's Network Service Architecture and Components




Understanding OpenStack Neutron

Neutron is OpenStack's networking-as-a-service component that provides a powerful API for defining network connectivity and addressing in the cloud. It enables the creation and management of software-defined networking infrastructures, offering users complete control over their virtual network topologies, IP addressing, and advanced network services.

What is Neutron?

The Network Orchestration Layer

Neutron transforms traditional hardware-based networking into a flexible software-defined service that can be automated and programmatically controlled:

  • Software-Defined Networking: Abstracts physical network infrastructure into logical resources
  • Multi-tenancy: Provides secure network isolation between different projects
  • API-Driven: Exposes RESTful APIs for network automation and orchestration
  • Plugin Architecture: Supports various network technologies through a modular design

By decoupling the logical network topology from the physical infrastructure, Neutron enables cloud users to create custom network architectures that meet their specific application requirements without being constrained by physical hardware limitations.

graph LR
    A[OpenStack Neutron]
    A --> B[Core Services]
    A --> C[Network Types]
    A --> D[Advanced Services]
    A --> E[Security Features]
    B --> B1[L2 Connectivity]
    B --> B2[L3 Routing]
    B --> B3[DHCP Services]
    B --> B4[Metadata Services]
    C --> C1[Provider Networks]
    C --> C2[Tenant Networks]
    C --> C3[External Networks]
    D --> D1[Load Balancing]
    D --> D2[Firewall]
    D --> D3[VPN]
    E --> E1[Security Groups]
    E --> E2[Port Security]
    E --> E3[Network Policies]
    %% Style definitions
    style A stroke:#333,stroke-width:1px,fill:#f5f5f5
    style B stroke:#333,stroke-width:1px,fill:#a5d6a7
    style C stroke:#333,stroke-width:1px,fill:#64b5f6
    style D stroke:#333,stroke-width:1px,fill:#ffcc80
    style E stroke:#333,stroke-width:1px,fill:#ce93d8



Neutron Architecture and Components

Neutron employs a modular architecture with a central API server and distributed agents that work together to provide comprehensive networking services. This design enables flexibility in deployment and support for diverse networking technologies.

Core Components

Each component is listed with its role, followed by what it does:

neutron-server (API and Database Service)
  • Exposes the RESTful API for network resource management
  • Processes API requests and forwards them to the appropriate plugins
  • Maintains network state in the database
  • Validates and authorizes network operations

L2 Agent (Layer 2 Connectivity)
  • Manages local virtual switch configurations (OVS, Linux Bridge)
  • Implements network segmentation (VLAN, VXLAN, GRE)
  • Enforces port security and binding
  • Handles local traffic flow between instances

L3 Agent (Routing and NAT)
  • Provides virtual router functionality between networks
  • Manages floating IP address assignment and NAT
  • Implements distributed virtual routing
  • Provides east-west and north-south connectivity

DHCP Agent (IP Address Management)
  • Delivers IP addresses to instances via DHCP
  • Manages address pools for each network
  • Provides DNS information to instances
  • Supports both IPv4 and IPv6 addressing

Metadata Agent (Instance Configuration)
  • Proxies metadata requests from instances to the Nova metadata service
  • Enables cloud-init configuration of instances
  • Provides instance-specific data at boot time
  • Serves as a critical link between compute and network services

Architectural Flow

graph TD
    A[User/Admin] --> B[Neutron API]
    B --> C[ML2 Plugin]
    C --> D[Type Drivers]
    C --> E[Mechanism Drivers]
    B --> F[Service Plugins]
    D --> D1[VLAN]
    D --> D2[VXLAN]
    D --> D3[GRE]
    D --> D4[Flat]
    E --> E1[OVS]
    E --> E2[Linux Bridge]
    E --> E3[SR-IOV]
    F --> F1[L3 Router]
    F --> F2[LBaaS]
    F --> F3[FWaaS]
    F --> F4[VPNaaS]
    E1 --> G[L2 Agent]
    E2 --> G
    F1 --> H[L3 Agent]
    B --> I[DHCP Agent]
    B --> J[Metadata Agent]
    style A stroke:#333,stroke-width:1px,fill:#f5f5f5
    style B stroke:#333,stroke-width:1px,fill:#a5d6a7
    style C stroke:#333,stroke-width:1px,fill:#64b5f6
    style F stroke:#333,stroke-width:1px,fill:#ffcc80

Plugin Architecture

Modular and Extensible Design

Neutron's plugin architecture consists of several key components:

  • Core Plugin: Implements core networking API (typically ML2)
  • ML2 Plugin: Modular Layer 2 plugin that supports multiple technologies simultaneously
  • Type Drivers: Handle specific network segmentation types (VLAN, VXLAN, GRE)
  • Mechanism Drivers: Implement specific networking technologies (OVS, Linux Bridge, SR-IOV)
  • Service Plugins: Provide additional networking services (routing, load balancing, firewall)

This modular design enables Neutron to support a wide range of networking technologies and use cases, from simple flat networks to complex overlay designs.
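The plugin layers above map onto a small number of configuration keys. The following excerpts are an added example, not configuration taken from this page or from a specific deployment: the option names are the standard Neutron ones, while the physical network name (provider), the VLAN and VNI ranges, and the choice of Open vSwitch are assumed for illustration. Note the extension_drivers line: without the port_security extension driver loaded in ML2, the port_security_enabled attribute (and with it allowed address pairs enforcement described later on this page) is not available on ports.

```ini
# neutron.conf (excerpt): the core plugin and the service plugins it is extended with
[DEFAULT]
core_plugin = ml2
service_plugins = router,qos

# ml2_conf.ini (excerpt): which type, mechanism and extension drivers ML2 loads
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan          # self-service networks get VXLAN segments
mechanism_drivers = openvswitch,l2population
extension_drivers = port_security     # required for port security / allowed address pairs

[ml2_type_flat]
flat_networks = provider              # physical network name, assumed for this example

[ml2_type_vlan]
network_vlan_ranges = provider:100:200   # VLAN IDs the provider network may allocate

[ml2_type_vxlan]
vni_ranges = 1:1000                   # VNIs handed out to tenant networks

[securitygroup]
enable_security_group = true

# openvswitch_agent.ini (excerpt): the L2 agent side, including the firewall driver
[ovs]
bridge_mappings = provider:br-provider

[securitygroup]
firewall_driver = openvswitch         # security groups enforced as OVS flows on the port
```

The type_drivers list controls what an administrator may create; tenant_network_types controls what a non-admin user gets when creating a network without specifying a type, which is the lever that keeps tenants off VLAN-backed provider segments.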



Network Types and Connectivity Models

Neutron supports various network types and connectivity models to accommodate different deployment scenarios, performance requirements, and isolation needs. Understanding these options is essential for designing effective cloud network architectures.

Network Segmentation Technologies

Each segmentation type is listed with its characteristics, advantages and limitations:

Flat
  Characteristics:
    • No network segmentation
    • Shared broadcast domain
    • Single L2 network
  Advantages:
    • Simple configuration
    • No encapsulation overhead
    • Direct hardware access
  Limitations:
    • Limited multi-tenancy
    • Potential broadcast storms
    • Poor isolation

VLAN
  Characteristics:
    • 802.1Q tag-based segmentation
    • Separate broadcast domains
    • Hardware-enforced isolation
  Advantages:
    • Widely supported in hardware
    • Minimal performance overhead
    • Good security isolation
  Limitations:
    • Limited to 4,096 networks
    • Switch configuration required
    • Limited to a single data center

VXLAN
  Characteristics:
    • MAC-in-UDP encapsulation
    • 24-bit segment ID (VNID)
    • Overlay technology
  Advantages:
    • 16 million potential networks
    • Works across Layer 3 boundaries
    • Multi-data center support
  Limitations:
    • Encapsulation overhead
    • MTU considerations
    • CPU utilization impact

GRE
  Characteristics:
    • IP-in-IP tunneling
    • Protocol-based encapsulation
    • Overlay technology
  Advantages:
    • Widely supported
    • Works across Layer 3 boundaries
    • Simple implementation
  Limitations:
    • Higher overhead than VXLAN
    • Firewall traversal issues
    • Limited hardware offload support

Geneve
  Characteristics:
    • Generic Network Virtualization Encapsulation
    • Extensible headers
    • Modern overlay protocol
  Advantages:
    • Flexible metadata support
    • Future-proof design
    • Vendor extensibility
  Limitations:
    • Newer, less widespread support
    • Potentially higher complexity
    • Limited hardware acceleration

Network Types

graph LR
    A[Neutron Networks] --> B[Provider Networks]
    A --> C[Tenant Networks]
    A --> D[External Networks]
    B --> B1[Direct Physical Access]
    B --> B2[Admin Controlled]
    B --> B3[Physical VLAN/Flat]
    C --> C1[Self-Service]
    C --> C2[Tenant Controlled]
    C --> C3[VXLAN/GRE Tunnels]
    D --> D1[Public Connectivity]
    D --> D2[Floating IP Source]
    D --> D3[Internet Access]
    style A stroke:#333,stroke-width:1px,fill:#f5f5f5
    style B stroke:#333,stroke-width:1px,fill:#a5d6a7
    style C stroke:#333,stroke-width:1px,fill:#64b5f6
    style D stroke:#333,stroke-width:1px,fill:#ffcc80

Provider vs. Tenant Networks

Neutron supports two primary network ownership models:

  • Provider Networks: Created by administrators, mapped directly to physical network infrastructure, often using VLANs or flat networks
  • Tenant Networks: Created by users, using overlay technologies like VXLAN or GRE, allowing self-service network creation

Most deployments use a combination of both network types, with provider networks offering higher performance and tenant networks providing flexibility and isolation.



Advanced Networking Features

Beyond basic connectivity, Neutron offers a suite of advanced networking features that provide enterprise-grade functionality for cloud deployments. These features enhance security, performance, and operational capabilities of OpenStack environments.

Security Mechanisms

Feature Description
Security Groups
  • Distributed instance-level firewalls that control inbound and outbound traffic
  • Stateful packet filtering based on IP addresses, protocols, and ports
  • Default deny-all policy with explicit allow rules
  • Applied at the port level, providing instance-specific protection
Port Security
  • Prevents MAC and IP address spoofing from an instance's port
  • Restricts MAC/IP addresses that can send traffic from a port
  • Can be disabled for specific use cases (e.g., load balancers)
  • Works in conjunction with security groups
Allowed Address Pairs
  • Permits traffic from specified MAC/IP combinations
  • Enables virtual IP (VIP) implementations for high availability
  • Supports failover scenarios while maintaining port security
  • Essential for clustering applications
Network Policies
  • Defines rules for inter-network communication
  • Enables micro-segmentation of workloads
  • Provides granular traffic control between application tiers
  • Implements zero-trust network architecture
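To make the interplay of port security, allowed address pairs and security groups concrete, here is a small simulation of the checks the L2 agent's firewall applies at a port. It is an added example and not Neutron's code: the port and rule dictionaries borrow the field names of the Neutron API resources (fixed_ips, allowed_address_pairs, direction, ethertype, protocol, port_range_min/max, remote_ip_prefix), while the MAC addresses, IP addresses, group names and rule ids are constructed for the example. Egress frames must first pass the anti-spoofing check (port MAC plus a fixed IP, or an allowed address pair such as a keepalived VIP); then the packet is accepted if it belongs to an already-admitted flow, otherwise some allow rule of one of the port's groups must match, and everything else is dropped.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    direction: str            # "ingress" (towards the instance) or "egress"
    src_mac: str
    src_ip: str
    dst_ip: str
    protocol: str             # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class Port:
    """Fields mirror the Neutron port resource; conntrack is the agent's flow state."""
    mac_address: str
    fixed_ips: list
    security_groups: list
    port_security_enabled: bool = True
    allowed_address_pairs: list = field(default_factory=list)
    conntrack: set = field(default_factory=set)


def spoof_check(port, pkt):
    """Egress anti-spoofing: with port security on, a frame may only carry the
    port's own MAC with one of its fixed IPs, or an explicit allowed address pair."""
    if not port.port_security_enabled or pkt.direction != "egress":
        return True
    allowed = [(port.mac_address, ip) for ip in port.fixed_ips]
    for pair in port.allowed_address_pairs:
        # a pair given without mac_address inherits the port's own MAC
        allowed.append((pair.get("mac_address", port.mac_address), pair["ip_address"]))
    src = ipaddress.ip_address(pkt.src_ip)
    return any(mac.lower() == pkt.src_mac.lower()
               and src in ipaddress.ip_network(ip, strict=False)   # pairs may be CIDRs
               for mac, ip in allowed)


def rule_matches(rule, pkt, remote_ip):
    """One security-group rule (Neutron API field names) against one packet."""
    remote = ipaddress.ip_address(remote_ip)
    if rule["direction"] != pkt.direction:
        return False
    if {"IPv4": 4, "IPv6": 6}[rule["ethertype"]] != remote.version:
        return False
    if rule.get("protocol") and rule["protocol"] != pkt.protocol:
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None and not (pkt.dst_port is not None and lo <= pkt.dst_port <= hi):
        return False
    prefix = rule.get("remote_ip_prefix")
    if prefix and remote not in ipaddress.ip_network(prefix, strict=False):
        return False
    return True


def evaluate(port, groups, pkt):
    """Allow-only, stateful evaluation: spoof check, then established flows pass,
    otherwise a rule of one of the port's groups must match, else drop."""
    if not spoof_check(port, pkt):
        return "DROP (spoofed source, port security)"
    flow = (pkt.protocol, frozenset([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)]))
    if flow in port.conntrack:          # reply traffic of an admitted flow
        return "ALLOW (established flow)"
    remote_ip = pkt.src_ip if pkt.direction == "ingress" else pkt.dst_ip
    for group in port.security_groups:
        for rule in groups.get(group, []):
            if rule_matches(rule, pkt, remote_ip):
                port.conntrack.add(flow)
                return "ALLOW (rule %s)" % rule["id"]
    return "DROP (no matching allow rule)"


def rule(rid, direction, protocol=None, port=None, remote_ip_prefix="0.0.0.0/0"):
    return {"id": rid, "direction": direction, "ethertype": "IPv4", "protocol": protocol,
            "port_range_min": port, "port_range_max": port, "remote_ip_prefix": remote_ip_prefix}


# Constructed sample groups: a web tier and a database tier that may only answer.
SECURITY_GROUPS = {
    "web": [rule("allow-ssh-admin", "ingress", "tcp", 22, "10.0.100.0/24"),
            rule("allow-http", "ingress", "tcp", 80),
            rule("allow-egress", "egress")],
    "db": [rule("allow-mysql-from-web", "ingress", "tcp", 3306, "10.0.0.0/24")],
}
WEB_MAC, DB_MAC = "fa:16:3e:00:00:01", "fa:16:3e:00:00:02"


def demo():
    web = Port(WEB_MAC, ["10.0.0.5"], ["web"],
               allowed_address_pairs=[{"ip_address": "10.0.0.100"}])   # keepalived VIP
    db = Port(DB_MAC, ["10.0.1.9"], ["db"])
    out = {}
    out["http_from_internet"] = evaluate(web, SECURITY_GROUPS, Packet("ingress", "fa:16:3e:ff:ff:ff", "203.0.113.7", "10.0.0.5", "tcp", 40000, 80))
    out["ssh_from_internet"] = evaluate(web, SECURITY_GROUPS, Packet("ingress", "fa:16:3e:ff:ff:ff", "203.0.113.7", "10.0.0.5", "tcp", 40001, 22))
    out["ssh_from_admin"] = evaluate(web, SECURITY_GROUPS, Packet("ingress", "fa:16:3e:ff:ff:ff", "10.0.100.4", "10.0.0.5", "tcp", 40002, 22))
    out["vip_egress"] = evaluate(web, SECURITY_GROUPS, Packet("egress", WEB_MAC, "10.0.0.100", "198.51.100.9", "tcp", 50000, 443))
    out["spoofed_egress"] = evaluate(web, SECURITY_GROUPS, Packet("egress", WEB_MAC, "10.0.0.200", "198.51.100.9", "tcp", 50001, 443))
    out["db_query"] = evaluate(db, SECURITY_GROUPS, Packet("ingress", WEB_MAC, "10.0.0.5", "10.0.1.9", "tcp", 51000, 3306))
    out["db_reply"] = evaluate(db, SECURITY_GROUPS, Packet("egress", DB_MAC, "10.0.1.9", "10.0.0.5", "tcp", 3306, 51000))
    out["db_initiates"] = evaluate(db, SECURITY_GROUPS, Packet("egress", DB_MAC, "10.0.1.9", "203.0.113.7", "tcp", 52000, 80))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-20s %s" % (name, verdict))
```

The db port has no egress rule at all, so its reply to the web tier passes only because the inbound query created flow state, while a connection it tries to open itself is dropped; that is the practical meaning of "stateful" and "default deny" in the table above. The spoofed_egress case shows why the VIP has to be declared as an allowed address pair rather than by disabling port security on the whole port.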

Network Services (aaS Features)

Advanced Service Plugins

Neutron extends its functionality through service plugins that provide advanced networking capabilities:

  • Load Balancer as a Service (LBaaS): Distributes traffic across multiple instances, supports multiple algorithms, SSL termination, and health monitoring
  • Firewall as a Service (FWaaS): Provides perimeter network protection with stateful Layer 3/4 filtering, applied at the router level
  • VPN as a Service (VPNaaS): Enables secure site-to-site connections using IPsec tunnels between tenant networks and external networks
  • Quality of Service (QoS): Applies bandwidth limits, minimum guarantees, and traffic prioritization

These services are implemented through dedicated agents or integration with specialized software/hardware.

Virtual Router Capabilities

sequenceDiagram
    participant User as "Instance"
    participant Router as "Neutron Router"
    participant NAT as "SNAT/Floating IP"
    participant Internet as "External Network"
    User->>Router: Request External Connection
    Router->>NAT: Translate Internal IP
    NAT->>Internet: Forward with External IP
    Internet->>NAT: Return Response
    NAT->>Router: Translate to Internal IP
    Router->>User: Deliver Response

Router features and their functionality:

  • L3 Routing: Connects different subnets/networks, enabling communication between isolated network segments
  • Floating IPs: Provide 1:1 NAT for inbound connectivity to instances from external networks
  • SNAT: Enables outbound internet access for instances on private networks
  • Distributed Virtual Routing: Distributes router functionality across compute nodes for improved performance and scalability
  • HA Routers: Provide redundant router instances with automatic failover
  • Extra Routes: Support static routes for complex network topologies and specialized routing requirements
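The sequence above covers the outbound case; the difference between SNAT and a floating IP only becomes visible when traffic arrives from outside. The simulation below is an added example, not Neutron's L3 agent code, and all addresses are constructed: SNAT maps many private sources onto the router's external address and only admits replies to flows it recorded, whereas a floating IP is a 1:1 mapping that admits unsolicited inbound connections too. The exposed_instances helper is the inventory question this difference raises for a defender: every floating IP is an externally reachable instance whose security groups deserve review.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class VirtualRouter:
    """Toy model of a Neutron router's NAT behaviour (constructed example)."""

    def __init__(self, snat_ip):
        self.snat_ip = snat_ip        # router gateway address on the external network
        self.floating = {}            # floating IP -> instance fixed IP (1:1 NAT)
        self.snat_table = {}          # (peer ip, peer port, external port) -> (fixed ip, port)
        self._next_port = 1024

    def associate_floating_ip(self, floating_ip, fixed_ip):
        self.floating[floating_ip] = fixed_ip

    def outbound(self, flow):
        """Instance -> external: use the floating IP if one is bound, else SNAT."""
        for fip, fixed in self.floating.items():
            if fixed == flow.src_ip:
                return Flow(fip, flow.src_port, flow.dst_ip, flow.dst_port)
        # SNAT: allocate an external port and remember the mapping for the reply
        ext_port = self._next_port
        self._next_port += 1
        self.snat_table[(flow.dst_ip, flow.dst_port, ext_port)] = (flow.src_ip, flow.src_port)
        return Flow(self.snat_ip, ext_port, flow.dst_ip, flow.dst_port)

    def inbound(self, flow):
        """External -> instance: translated flow, or None when the router drops it."""
        if flow.dst_ip in self.floating:
            # floating IP: any inbound packet is forwarded to the instance
            return Flow(flow.src_ip, flow.src_port, self.floating[flow.dst_ip], flow.dst_port)
        if flow.dst_ip == self.snat_ip:
            key = (flow.src_ip, flow.src_port, flow.dst_port)
            if key in self.snat_table:
                fixed_ip, fixed_port = self.snat_table[key]
                return Flow(flow.src_ip, flow.src_port, fixed_ip, fixed_port)
        return None   # unsolicited traffic to the SNAT address has nowhere to go


def exposed_instances(router):
    """Fixed IPs reachable from outside without any prior outbound flow."""
    return sorted(router.floating.values())


def demo():
    r = VirtualRouter(snat_ip="203.0.113.1")
    r.associate_floating_ip("203.0.113.10", "10.0.0.5")
    out = {}
    # private instance opens an outbound connection: SNAT to the gateway address
    egress = r.outbound(Flow("10.0.0.7", 45000, "198.51.100.9", 443))
    out["snat_src"] = (egress.src_ip, egress.src_port)
    reply = r.inbound(Flow("198.51.100.9", 443, "203.0.113.1", egress.src_port))
    out["snat_reply"] = (reply.dst_ip, reply.dst_port)
    # the same peer trying to reach the gateway address on a new port: dropped
    out["unsolicited"] = r.inbound(Flow("198.51.100.9", 5555, "203.0.113.1", 22))
    # the floating-IP instance is reachable without any prior flow
    fip_in = r.inbound(Flow("198.51.100.9", 5555, "203.0.113.10", 22))
    out["fip_inbound"] = (fip_in.dst_ip, fip_in.dst_port)
    out["fip_outbound_src"] = r.outbound(Flow("10.0.0.5", 33000, "198.51.100.9", 80)).src_ip
    out["exposed"] = exposed_instances(r)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-16s %r" % (name, value))
```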



Performance and Scaling Considerations

As OpenStack deployments grow, optimizing Neutron's performance and ensuring its scalability become critical concerns. Various techniques and technologies can help address these challenges while maintaining network functionality and security.

Performance Optimization Techniques

Network Performance Factors

Several factors affect Neutron network performance:

  • Network Type Selection: Provider networks generally offer better performance than overlay networks due to reduced encapsulation overhead
  • Hardware Offloading: Supporting NICs can offload VXLAN/GRE encapsulation to hardware
  • Jumbo Frames: Larger MTU sizes reduce packet fragmentation overhead, particularly important for overlay networks
  • Network Topology: Simplified topologies with fewer hops improve latency and throughput
  • Agent Optimization: Tuning agent configurations for specific workloads

Performance requirements should be balanced against flexibility and multi-tenancy needs when designing the network architecture.
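The "MTU considerations" and "jumbo frames" points above come down to header arithmetic that is easy to get wrong. The calculator below is an added example, not Neutron code; it sums the standard header lengths of each encapsulation (outer Ethernet, outer IPv4 or IPv6, then UDP+VXLAN, UDP+Geneve base header, or GRE header with key field). For IPv4 transport this gives the 50-byte VXLAN and 42-byte GRE overhead behind the well-known 1450 and 1458 tenant MTUs; Geneve options add to the base figure shown here, so treat that value as a lower bound.

```python
ETHERNET = 14
IP_HEADER = {4: 20, 6: 40}
# Overlay-specific headers on top of the outer Ethernet + IP headers.
OVERLAY_HEADER = {
    "vxlan": 8 + 8,    # UDP + VXLAN header
    "geneve": 8 + 8,   # UDP + Geneve base header (options not included)
    "gre": 4 + 4,      # GRE base header + key field carrying the segment id
}
# Types that use no encapsulation; the 802.1Q tag is carried by the NIC and
# does not reduce the MTU visible to the instance.
NON_OVERLAY = ("flat", "vlan")


def encap_overhead(network_type, ip_version=4):
    """Bytes added to every tenant frame by the given overlay type."""
    if network_type in NON_OVERLAY:
        return 0
    return ETHERNET + IP_HEADER[ip_version] + OVERLAY_HEADER[network_type]


def tenant_mtu(physical_mtu, network_type, ip_version=4):
    """Largest frame an instance may send given the physical (underlay) MTU."""
    return physical_mtu - encap_overhead(network_type, ip_version)


def plan(physical_mtu, network_type, ip_version=4, required_tenant_mtu=1500):
    """Check whether instances get the MTU they expect and, if not, how large
    the underlay MTU (jumbo frames) would have to be to provide it."""
    mtu = tenant_mtu(physical_mtu, network_type, ip_version)
    return {
        "tenant_mtu": mtu,
        "meets_requirement": mtu >= required_tenant_mtu,
        "physical_mtu_needed": required_tenant_mtu + encap_overhead(network_type, ip_version),
    }


if __name__ == "__main__":
    for t in ("vlan", "vxlan", "gre", "geneve"):
        print(t, plan(1500, t), plan(9000, t)["tenant_mtu"])
```

A tenant MTU below what guests assume leads to fragmentation or, where ICMP is filtered, to silent path-MTU black holes, which show up as connections that establish but stall on large transfers; raising the underlay to jumbo frames is the usual fix, and the physical_mtu_needed figure is what to ask the network team for.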

Hardware Acceleration Options

Each technology is listed with a description, followed by its benefits:

SR-IOV: Single Root I/O Virtualization allows VMs to access network hardware directly, bypassing the hypervisor
  • Near-native network performance
  • Reduced CPU utilization
  • Lower latency
  • Higher packets per second (PPS)

DPDK: The Data Plane Development Kit provides poll-mode drivers and userspace packet processing
  • Improved packet processing speed
  • Reduced latency
  • Better deterministic performance
  • Works with existing OVS deployments

Smart NICs: Network cards with onboard processors that handle networking tasks independently of the host
  • Offloaded encapsulation/decapsulation
  • Hardware-accelerated security processing
  • Reduced host CPU utilization
  • Programmable pipeline capabilities

Hardware VTEP: VXLAN Tunnel Endpoint implemented in hardware switches or NICs
  • Offloaded overlay networking
  • Integration with physical network infrastructure
  • Improved throughput for east-west traffic
  • Reduced encapsulation overhead

Scaling Strategies

graph LR
    A[Neutron Scaling] --> B[Horizontal Scaling]
    A --> C[Performance Optimization]
    A --> D[Architectural Choices]
    B --> B1[Multiple Network Nodes]
    B --> B2[Agent Distribution]
    B --> B3[Service Placement]
    C --> C1[Hardware Acceleration]
    C --> C2[Resource Allocation]
    C --> C3[Configuration Tuning]
    D --> D1[Network Type Selection]
    D --> D2[Topology Design]
    D --> D3[Service Distribution]
    style A stroke:#333,stroke-width:1px,fill:#f5f5f5
    style B stroke:#333,stroke-width:1px,fill:#a5d6a7
    style C stroke:#333,stroke-width:1px,fill:#64b5f6
    style D stroke:#333,stroke-width:1px,fill:#ffcc80

Deployment Architecture Considerations

For large-scale deployments, consider these architectural approaches:

  • Distributed Virtual Routing (DVR): Places L3 agent functionality on compute nodes, reducing traffic bottlenecks
  • High Availability: Implements redundancy for L3 and DHCP agents using VRRP
  • Service Function Chaining: Optimizes traffic flow through network services
  • Role-Based Deployment: Separates control plane and data plane nodes for better resource allocation
  • API Workers Scaling: Increases neutron-server workers to handle more concurrent API requests

The right combination of these strategies depends on specific workload characteristics, hardware capabilities, and performance requirements.



Key Points

💡 Neutron Essentials
  • Core Functionality
    - Provides software-defined networking for OpenStack clouds
    - Supports various network types (flat, VLAN, VXLAN, GRE)
    - Enables multi-tenancy through network isolation
    - Manages IP addressing and L2/L3 connectivity
  • Architecture
    - Plugin-based modular design for flexibility
    - Distributed agents for scalability and resilience
    - ML2 framework for simultaneous support of multiple technologies
    - Service plugins for advanced networking capabilities
  • Advanced Features
    - Comprehensive security through multi-layered approaches
    - Advanced services (LBaaS, FWaaS, VPNaaS, QoS)
    - Multiple options for performance optimization
    - Extensive interoperability with physical network infrastructure


