Dedicated perimeter firewall for OpenStack Tenants
Sep 23, 2016
OpenStack is a cloud operating system with which public, private and hybrid clouds can be built on commodity hardware. To provide higher performance and throughput, network vendors that specialize in networking gear have used the plugin mechanism offered by Neutron to move the L2, L3, firewall, VPN and load-balancing services onto their own networking devices.
Juniper Networks provides OpenStack Neutron plugins that enable integration and orchestration of Juniper’s devices in the customer’s network. The plugins provide L2, L3 and firewall services. From release 2.5 onwards, the FWaaS plugin can be used to migrate the router/firewall namespaces from the OpenStack network node onto a physical SRX/vSRX HA cluster, giving tenants better performance, throughput and scalability.
Tenants have different requirements regarding performance and cost. Some tenants require dedicated firewalls for better performance and compliance, whereas others prefer the lower-cost solution enabled by sharing network resources. There are also scenarios where a tenant requires full administrative access to its networking device in order to use the device’s advanced services; that level of access is only safe to grant on a device that is not shared with other tenants. These factors require the cloud provider to be able to allocate dedicated or shared network resources to its tenants.
Juniper’s Neutron plugin version 2.7 addresses this problem and enables a service provider to allocate dedicated or shared resources (physical or virtual) to its tenants. This feature opens the door for a service provider to create flavors of network offerings for its tenants.
As an example, a service provider can create flavors such as the following:
Economy: allocate a shared SRX/vSRX to a group of tenants
Silver: allocate a dedicated SRX/vSRX per tenant with default specifications
Gold: allocate a high-end SRX or vSRX
As seen in the above picture, an admin can dedicate an SRX/vSRX to a tenant or to a group of tenants. This procedure is transparent to the tenant and is done using the CLI tools supplied with Juniper’s Neutron plugin version 2.7.
Let’s take a scenario where a tenant requires a dedicated SRX Cluster. The steps required to use this feature are as follows:
Install OpenStack Kilo/Liberty/Mitaka
Install Juniper’s Neutron Plugin version 2.7
Set up the topology using the CLI tools as per the documentation.
Allocate the master SRX to the tenant using the command:
jnpr_allocate_device add -t <tenant_project_id> -d <hostname/IP of the device being allocated>
Define the VRRP cluster and assign it a name.
jnpr_vrrp_pool add -d <hostname/IP of device> -p <pool name to be assigned>
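The two allocation steps above, wrapped in a small POSIX shell script an administrator could run from the node that hosts the plugin CLI tools. This is an added example, not one of Juniper’s tools or code from the original post: the jnpr_allocate_device and jnpr_vrrp_pool commands and their flags are the ones quoted above, while the wrapper itself, its validation rules (a Keystone project ID is a 32-character hex UUID without hyphens), the DRY_RUN switch and the check that the project exists before a firewall is handed to it are assumptions added here.

```shell
#!/bin/sh
# Added example (not part of Juniper's plugin): an admin wrapper around the two
# allocation commands quoted on the page. It validates the inputs before any
# device is touched and, with DRY_RUN=1, only prints the commands it would run.

# Keystone project IDs are 32 lowercase hex characters (a UUID without hyphens).
validate_project_id() {
    case "$1" in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Accept a hostname (letters, digits, '.', '-') or a well-formed IPv4 address.
validate_device() {
    dev="$1"
    case "$dev" in
        ""|*[!0-9A-Za-z.-]*) return 1 ;;   # empty or illegal character (e.g. a space)
        -*|*-|.*|*.) return 1 ;;           # separator at either end
    esac
    case "$dev" in
        *[!0-9.]*) return 0 ;;             # contains a letter: treat as a hostname
    esac
    # Digits and dots only: must be exactly four octets in 0..255
    old_ifs="$IFS"; IFS=.
    set -- $dev
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Allocate a dedicated master SRX/vSRX to one tenant and name its VRRP pool.
# Arguments: <project_id> <device hostname or IP> <pool name>
allocate_dedicated_srx() {
    project="$1"; device="$2"; pool="$3"
    validate_project_id "$project" || { echo "bad project id: $project" >&2; return 1; }
    validate_device "$device"      || { echo "bad device: $device" >&2; return 1; }
    case "$pool" in
        ""|*[!0-9A-Za-z_-]*) echo "bad pool name: $pool" >&2; return 1 ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        # Print the exact commands from the page instead of running them
        printf 'jnpr_allocate_device add -t %s -d %s\n' "$project" "$device"
        printf 'jnpr_vrrp_pool add -d %s -p %s\n' "$device" "$pool"
        return 0
    fi
    # A mistyped project id would hand a firewall to the wrong tenant, so confirm
    # the project exists in Keystone first (assumes the openstack CLI and admin
    # credentials are present on the node running this script).
    openstack project show "$project" >/dev/null 2>&1 \
        || { echo "project $project not found in Keystone" >&2; return 1; }
    jnpr_allocate_device add -t "$project" -d "$device" \
        && jnpr_vrrp_pool add -d "$device" -p "$pool"
}

# Usage: DRY_RUN=1 sh allocate_srx.sh <project_id> <device> <pool>
if [ "$#" -ge 3 ]; then
    allocate_dedicated_srx "$@"
fi
```

Run it once with DRY_RUN=1 to see the two commands it will issue, then again without it; the second command is only attempted if the allocation command succeeded, so a half-finished allocation is visible immediately rather than discovered when the tenant’s firewall has no VRRP pool.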
As the example above illustrates, allocating SRX/vSRX devices, whether in HA or non-HA mode and whether shared or dedicated to a single tenant, is a simple process for the system administrator.
This feature enables a service provider to create network flavors that a tenant can choose for its deployment, and it ensures that the customer gets high availability and strong performance. A customer can now choose a network security flavor based on its own needs.