Cool, so here's what we're going to be building. You guys can go ahead and try and log in as I kind of explain what we're going to be doing today. So we're going to build a multi-tier application that is composed of a few components. The first component is a jump host. The role of this host is basically just to allow public connectivity into it, so you can SSH into this host, and then from this host we're going to be able to access all of the other hosts that we have set up. The other hosts that we're going to deploy are a few web servers, and those web servers are going to sit behind a load balancer. So when requests are made to the VIP of the load balancer, traffic is going to be load balanced over the two hosts. And we're going to use security groups in order to tighten security, so for instance only TCP port 22 is going to be allowed to come into the jump host, and only from the jump host are we going to be able to SSH into the web servers. So this allows us to limit kind of our attack vector, and also allows us not to put our web servers directly on the WAN.

So what we have set up for you here is this network topology. When you SSH into that IP address you end up on this jump host. And we have two compute nodes, a controller node, and a network node. On all of the nodes, except for the controller node, we have an L2 agent, and the L2 agent is responsible for setting up all of the virtual networks. So for instance, in a few minutes we're going to go ahead and create our own networks, and this agent is responsible for doing the network wiring. One interesting thing that Neutron allows you to do is it allows you to have a lot more advanced networking capabilities, and also kind of minimize the amount of network management you need. So for instance, you can see here.
We have two different compute nodes that are attached to this management network, but they're also attached to this second network, which is a data network, and they're both in two different L2 segments that are connected to a router. And one cool thing is we can actually provide L2 connectivity between these two compute nodes using overlays. And this data network is also connected to our network node. The network node is the point where traffic from the WAN comes into our network, so that's where the L3 agent runs. The L3 agent's responsibility is to provide L3 access, so for instance floating IPs, things of that nature.

One of the improvements that was done in Havana is there is work to implement distributed virtual routing. So what that means is east-west traffic between instances on compute nodes actually goes from hypervisor to hypervisor, rather than going through the network node, which was a centralized choke point. Another improvement that was added is high availability routers. So now the routers use VRRP between each other, if you have this stuff enabled, in order to provide active-passive type reliability.

So we're gonna go ahead and jump into the lab. So if you go back to that code pad, as you can see there are a number of steps that we're gonna be doing. The first step that we're gonna do is we're gonna go ahead and create a private network. So I've kind of drawn out here what these actual steps do, and I'll just catch up to you guys later after I'm finished explaining them. So the first command that you guys will have to run when you SSH into the box is sourcing that credentials file.
What that file does is it puts a few variables in your bash environment that allow the clients to know how to connect to the various OpenStack components, and it also sets the password there for you. So the first command that we're gonna go ahead and do is a neutron net-create. What this does is it creates an L2 broadcast domain. Then after we go ahead and do that, we're gonna add a subnet on top of that network. So we can accomplish that using the neutron subnet-create command. It probably makes things easiest if you just copy and paste the commands directly from the code pad into the terminal, because there are some instructions that just make it easier: rather than having to copy IDs, we use names and things like that. So after you attach a subnet to a network, what Neutron allows you to do is, when you create ports on that network, ports are automatically allocated IP addresses for you, and then there's a DHCP agent that goes ahead and allocates out those IP addresses, or gives you DHCP responses for requests on this network for that subnet. So I'm gonna go ahead and do that as well.

So the next thing that we need to do is we need to create a router. So what the router does is it allows us to uplink this network to the actual internet, to the WAN. So the first step in doing that is just to create a router. So we do that via issuing the command neutron router-create, and then we give it a name.
So here we just called it my router. After we create the router, then we have to uplink the router to a network. So in this lab setup we just have one physical network, but you could actually have multiple WANs that you connect to. So for instance at VMware we have several different physical networks: one that connects inside of the VMware internal network, and then another one that actually connects to the public internet directly, and then another one that yet again connects to a different type of physical network. So what we're gonna do is we're gonna use neutron router-gateway-set, pass in the router and the network that we want to connect to.

Yes? As far as if you did like 10.0.0.192/24? Yeah, so if you do that command, if we look at the output that it gave us back, by default it picks the second address to be the start of the range, and then one less than the broadcast to be the end of the range. And then by default it allocates the gateway IP to be the first address in that subnet. So one of the cool things you can do is, if you're using a flat network, so for instance if you want your VMs to reside on the same networks as actual existing physical infrastructure, or other networks that you've already provisioned, and you don't have contiguous IP blocks, you can go ahead and create like disjoint IP blocks. So you can say neutron subnet-create and you can pass in the allocation pools, and you can say I want to start allocating at this address and end at this one, I want to start allocating at this next address and end at this next one. So you can be able to mix virtual networks and actual things that might be allocated on those networks as well. Sure.

Cool, so at this stage we should be able to create a router and then uplink it to the public network. So I'll go ahead and do that as well. So the next thing that we're going to go ahead and do is we're going to connect that private subnet, that private network that we created earlier, to this router that
we actually created. So what this actually does is, when you create ports on this network, what happens is traffic is actually NATed through the router. So one of the IP addresses out of that public network is actually going to reside on this end of the interface, so when traffic flows out, all the traffic will be NATed with that IP address. So later on we'll go ahead and use floating IPs, which will allow us to have traffic traverse into an instance as well. But by default the routers are NATed. And also in Havana we added a new mode on routers: when you uplink it to a network, you can pass in no SNAT if you want to create routers that are not SNAT based, that don't do NATing by default, for instance if you don't want to deal with NAT in your type of deployment, or you want to create networks that aren't NAT based. Right, the default is it will not.

Cool. So this is what we're going to be trying to build out soon. So the next couple of stages that we're going to do is we're going to go ahead and create a couple of security groups. So the first security group that we're going to create is called jump host, and then we're going to associate that with the jump host instance. By default the security group doesn't allow any traffic in and out, so we're going to go ahead and allocate a few rules to allow traffic to come in. So the first rule that we're going to allow is ICMP, just so we can ping it, just to kind of debug what's going on. And the second rule that we're going to go ahead and add is to allow TCP port 22 into the jump host. This will allow us to SSH into the instance. How's everyone doing at this point? Is everyone able to follow along, or is anyone stuck? Cool.
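The subnet defaults described a little earlier (gateway on the first address, allocation pool from the second address up to one below the broadcast) and the disjoint allocation pools you can pass to subnet-create are easy to get wrong by hand. The following is an added example, not code from the lab or from Neutron itself; it models those defaults with Python's standard ipaddress module and validates a list of custom pools the way an operator would want them checked before handing them to the CLI. The exact behaviour of Neutron for edge cases (very small prefixes, a gateway placed inside a pool) is assumed here, not taken from the page.

```python
import ipaddress
from typing import List, Optional, Tuple

Pool = Tuple[str, str]  # (start, end) as dotted-quad strings


def default_subnet_layout(cidr: str) -> dict:
    """Assumed Neutron-style defaults for an IPv4 subnet: gateway is the first
    address, and the single allocation pool runs from the second address to the
    address just below the broadcast address."""
    # strict=False so an input like 10.0.0.192/24 is normalised to 10.0.0.0/24
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen > 29:
        raise ValueError(f"{net} is too small for a gateway plus an allocation pool")
    gateway = net.network_address + 1
    return {
        "gateway_ip": str(gateway),
        "allocation_pools": [(str(gateway + 1), str(net.broadcast_address - 1))],
    }


def validate_allocation_pools(cidr: str, pools: List[Pool],
                              gateway_ip: Optional[str] = None) -> List[Pool]:
    """Check that custom (possibly disjoint) pools are usable: inside the subnet,
    not touching network/broadcast, not covering the gateway, not overlapping.
    Returns the pools sorted by start address."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    gateway = (ipaddress.IPv4Address(gateway_ip) if gateway_ip
               else net.network_address + 1)
    ranges = []
    for start, end in pools:
        s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if s > e:
            raise ValueError(f"pool start {s} is after its end {e}")
        if s not in net or e not in net:
            raise ValueError(f"pool {s}-{e} lies outside {net}")
        if s == net.network_address or e == net.broadcast_address:
            raise ValueError(f"pool {s}-{e} includes the network or broadcast address")
        if s <= gateway <= e:
            raise ValueError(f"gateway {gateway} falls inside pool {s}-{e}")
        ranges.append((s, e))
    ranges.sort()
    for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]):
        if s2 <= e1:
            raise ValueError(f"pools {s1}-{e1} and {s2}-{e2} overlap")
    return [(str(s), str(e)) for s, e in ranges]


def is_allocatable(cidr: str, pools: List[Pool], address: str) -> bool:
    """True if DHCP/port creation would be allowed to hand out this address,
    i.e. it falls inside one of the validated pools."""
    addr = ipaddress.IPv4Address(address)
    if addr not in ipaddress.IPv4Network(cidr, strict=False):
        return False
    return any(ipaddress.IPv4Address(s) <= addr <= ipaddress.IPv4Address(e)
               for s, e in pools)


if __name__ == "__main__":
    print(default_subnet_layout("10.0.0.0/24"))
    # Constructed example of two disjoint pools around addresses that are
    # already in use on a flat/provider network.
    pools = validate_allocation_pools("10.0.0.0/24",
                                      [("10.0.0.50", "10.0.0.60"),
                                       ("10.0.0.10", "10.0.0.20")])
    print(pools, is_allocatable("10.0.0.0/24", pools, "10.0.0.30"))
```

On the real CLI the validated pools map onto repeated `--allocation-pool start=...,end=...` arguments to `neutron subnet-create`; the validator is purely a local pre-check.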
Yeah, I'll go ahead and post the slides on the internet. I'll tweet out the link after, or I can give it to you directly.

Cool, so the next step that we're going to go ahead and do is use this nova keypair-add. So this is kind of a useful thing that you can use: you can add your SSH key to Nova, and then you can tell Nova when you boot the instance that you want to provide that SSH key. So what this allows you to do is it allows you to SSH into your instance without having to have a hard-coded password in the disk image. So this way you don't have an image in your infrastructure that's deployed and everyone knows the password and then everyone kind of SSHes into it because it's the same password. But it kind of also demos that Neutron actually has these capabilities to inject these key pairs over the network. So this leverages the metadata service. There's a metadata agent that's responsible for actually receiving the request and inserting the instance ID and dispatching it to Nova in order to make this work. So after you upload the key, you can go ahead and list that from Nova to see that it's actually there if you want, with nova keypair-list. You can see it has my key.

So the next thing we're going to do is we're going to go ahead and boot our jump host. So before we do that, there's this one command here that's just used to kind of make things easier. It goes ahead and determines the UUID of the private subnet, this way you don't have to copy and paste it and you can just reference this variable directly. So I'm going to go ahead and boot my first instance. So you can see here we pass in an image, which is the default CirrOS image. You can see which images are available via nova flavor-list or nova image-list. You can see there's two images available. And the next thing is the key pair: you can see we passed in my key, which is the one we just uploaded. We also passed in the network that we want to be on. So if you do
neutron net-list, that'll show you the available networks. So we see we just have the two: the private and the public network. And then we also pass in the security groups that we want to be associated with the instance. So we can go ahead and run this command, nova list, which will tell us the status of the instance, to see if it's booted yet, or if it's still in scheduling state, or what's going on with it. You can see my instance is already active, and it has the IP address 10.0.0.2.

So the next thing that we're gonna have to do is we're gonna associate a floating IP with this instance. So at this point there's this instance that's sitting behind that router, but we're not actually able to access it directly, because there's no public IP address in order to get into it. Yes? Your instance is in an error state. Okay, so there could be a few different reasons why it's in an error state. I think there's some race condition in the init scripts for the schedulers. Can you look at that real quick?

Cool. So the next step that we're gonna do is we're gonna associate a floating IP with this instance. So to do that we need to figure out the port ID that is attached to the instance. So there are several different ways you can do that. You can do neutron port-list and find the one that is associated with 10.0.0.2, or you can search for it. So just to make things easy we can search for it with this command, and this returns us the UUID of the port, the MAC address, the subnet, and the IP address that is associated with that. So we're gonna go ahead and associate this port with a floating IP. So to do that you use neutron floatingip-create, and you can pass in the port ID directly in order to create it in one API call. Or you could also create a floating IP and associate it later, but just to make things simpler,
we'll just go ahead and create that in one step. And then the second parameter to this command is the network that we want to create this floating IP on. Since we only have the public network, that's the only one available, so we'll pass in public there. One of the new things that was actually added in Juno was statuses on floating IPs. Previously you could create floating IPs, but you wouldn't actually know if they were working or not. So now when you create a floating IP you can see it's in DOWN state, and then we can actually query the status of the floating IP, and it gets set to ACTIVE whenever the back-end implementation actually associates it. So in this case we're using all the open-source components; this is using ML2 and the L3 agent. So if we do neutron floatingip-show, hopefully this should be in an active state. Cool, and it is. So if everything was actually done correctly on the back-end, we should be able to SSH into this guest without using a password, because we specified the SSH key to be added automatically for us in the instance. So I'm gonna see if we can do that. Cool, so as you can see we're able to SSH directly into the instance. So is everyone at this point? Sure.
So the ID that I used was the floating IP ID, the floating IP that was returned from the command neutron floatingip-create. No, that's the ID that was returned; the floating network ID is the public network that we passed in at the end. Sure.

Okay, so at this point I'm just gonna go ahead and exit out of this instance, and then we're gonna create a few more security groups that we're gonna use for our web tier. So the next few steps here, we're gonna go ahead and create a security group called web, and then we're gonna install a few rules into it. So the first rule that we install into it allows TCP port 80 into it, and the second rule that we install is slightly more interesting: it allows TCP port 22 into it, but only from members who are part of the jump-host group. So this allows us to constrain who is actually able to access this instance. So one of the cool things is, if one of our jump hosts goes down, or if we want to scale up the number of jump hosts, we can just go ahead and boot more jump hosts, passing in which security group they are on, and these other instances will automatically allow access from it directly. So we don't actually have to deal with IP addresses directly, updating them as part of the security group rules.

Yep, the remote group ID has actually been available since Grizzly, because in Folsom there wasn't actually a security group API in Neutron, but since Grizzly it's had it, and also Nova Network supports the same construct. Today it's not directly possible via Neutron, but you could definitely do this outside of Neutron, having additional orchestration to do this type of thing for you. Or you could also create a different type of network. For instance, you could have a provider network that's on a network that actually has public addresses, so if you wanted to actually allocate a public IP address for everyone automatically, you could go that route of just exposing or connecting that network directly to that
where the public connectivity is, so you would allocate public IPs directly. Alternately you would have to do it outside, but do it via the API.

Cool. So after I've created that web security group, we're gonna go ahead and boot two instances that we're gonna use as web servers. So you can see when I do nova list, now we have three hosts: we have the jump host, web server one, and web server two. So the next thing that we're gonna do is we're just gonna set up this dummy HTTP server that just returns the name of the instance. So what we'll have to do is we'll have to actually SSH to the jump host in order to get to web server one and web server two. So if you find that SSH command, we'll go ahead and SSH to that first jump host, and then we'll SSH to the other web server. So once you get to that box, you'll have to type ssh 10.0.0.5, and then the password is going to be cubswin with a colon and a smiley face. It's right here in the launchpad doc. And the reason why you're not able to actually SSH from the jump host into our web server hosts automatically is because the private key does not reside on the jump host; we uploaded the public key for it. Yep, it's the same username.

So once you do that we want to run these commands. So this first command just runs a little loop that returns back the string over netcat. So after I insert that command, I'll exit out. So it's kind of confusing right now: I'm on web server one, I type exit, I'm on the jump host, and then I'll SSH to .5. The password is cubswin with a smiley face; it's in the actual code pad a little bit higher in it. And after you do that you should be able to curl to either web server one and web server two, and it'll return a different string. Is it prompting you for a password?
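The point of the web security group above is that its SSH rule names the jump-host group (remote group ID) rather than an IP address, so booting another jump host into that group grants it access without editing any rule. The following is an added example, not code from the lab or from Neutron; it is a small in-memory model of default-deny ingress evaluation with both remote_ip_prefix and remote_group_id rules, built with the lab's groups and constructed member addresses (10.0.0.2 for the jump host, 10.0.0.4 and 10.0.0.5 for the web servers, 203.0.113.9 as an arbitrary outside address). Egress rules are not modelled, and the matching order is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    """One ingress rule. protocol None means any; ports apply to tcp/udp only."""
    protocol: Optional[str] = None
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None   # e.g. "0.0.0.0/0"
    remote_group_id: Optional[str] = None    # name of another security group


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)
    members: Set[str] = field(default_factory=set)  # fixed IPs of ports in the group


class SecurityGroups:
    def __init__(self) -> None:
        self.groups: Dict[str, SecurityGroup] = {}

    def create(self, name: str) -> SecurityGroup:
        self.groups[name] = SecurityGroup(name)
        return self.groups[name]

    def add_rule(self, group: str, **kwargs) -> None:
        self.groups[group].rules.append(Rule(**kwargs))

    def attach_port(self, ip: str, group: str) -> None:
        """Booting an instance with --security-groups adds its port here."""
        self.groups[group].members.add(ip)

    def detach_port(self, ip: str, group: str) -> None:
        self.groups[group].members.discard(ip)

    def ingress_allowed(self, dst_group: str, src_ip: str,
                        protocol: str, port: Optional[int] = None) -> bool:
        """Default deny: a packet is allowed only if some rule matches it."""
        for r in self.groups[dst_group].rules:
            if r.protocol and r.protocol != protocol:
                continue
            if r.protocol in ("tcp", "udp") and r.port_min is not None:
                if port is None or not (r.port_min <= port <= r.port_max):
                    continue
            if r.remote_ip_prefix and (ipaddress.ip_address(src_ip)
                                       not in ipaddress.ip_network(r.remote_ip_prefix)):
                continue
            # remote_group_id is resolved against the group's *current* members,
            # which is what makes scaling the jump tier rule-free.
            if r.remote_group_id and src_ip not in self.groups[r.remote_group_id].members:
                continue
            return True
        return False


def build_lab() -> SecurityGroups:
    """Constructed reproduction of the lab's two groups and their rules."""
    sg = SecurityGroups()
    sg.create("jumphost")
    sg.add_rule("jumphost", protocol="icmp", remote_ip_prefix="0.0.0.0/0")
    sg.add_rule("jumphost", protocol="tcp", port_min=22, port_max=22,
                remote_ip_prefix="0.0.0.0/0")
    sg.create("web")
    sg.add_rule("web", protocol="tcp", port_min=80, port_max=80,
                remote_ip_prefix="0.0.0.0/0")
    sg.add_rule("web", protocol="tcp", port_min=22, port_max=22,
                remote_group_id="jumphost")
    sg.attach_port("10.0.0.2", "jumphost")
    sg.attach_port("10.0.0.4", "web")
    sg.attach_port("10.0.0.5", "web")
    return sg


if __name__ == "__main__":
    sg = build_lab()
    print("ssh jump->web :", sg.ingress_allowed("web", "10.0.0.2", "tcp", 22))
    print("ssh wan->web  :", sg.ingress_allowed("web", "203.0.113.9", "tcp", 22))
    sg.attach_port("10.0.0.7", "jumphost")   # boot a second jump host, no rule change
    print("ssh jump2->web:", sg.ingress_allowed("web", "10.0.0.7", "tcp", 22))
```

The detach case is the one worth keeping in mind operationally: as soon as a port leaves the jump-host group, its SSH access to the web tier disappears with it, which is the behaviour you want when a jump host is decommissioned.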
So at this point you can see I can curl to either one of these two web servers and it'll return the actual name that it has. It should, but you need to do that from the jump host, and you need to type in its IP address. So for instance, yep, curl 10.0.0.5 returns web server 2, and if you do it on .4 it returns web server 1.

So the next step that we're going to go ahead and... are some people up to this point? Okay, cool. So we're going to go ahead and continue. So what we're going to go ahead and do is we're going to create a load balancing pool, and after we create that we're going to go ahead and add these two web servers to this pool. So I'm going to go ahead and do that as well. So for the load balancing methods, I don't think it's actually exposed on the client side, but if we looked in the API, there's a few different like random distributions of load balancing. But you could also have like a vendor extension to do load balancing based on different types of things, like for instance if you had some kind of agents on your server in order to calculate load or something like that. But using this implementation that we have here, this is just using HAProxy, so it supports a few of them: round robin, some kind of random distribution, and yeah, probably least connection as well. I'd have to look, I'm not sure off the top of my head.

So after you create the load balancing pool and add the two web server nodes in it, the next thing that we're actually going to do is we're going to create a health monitor. So what the health monitor does is, basically it monitors the liveliness of the host. So the one that we're going to use is going to wait three seconds, and it's going to do an HTTP check to see if HTTP port 80 is returning, and it's going to retry it three times, and after it doesn't hear back after three attempts, then it's going to mark it down in the pool.
Yeah, I think that you can actually use the same one for... actually, it looks like you can't, which is unfortunate. Yeah. Right, I agree, this is kind of a deficiency in the API. I know that there are some people that are working on improvements to the load balancer API, but there are several shortcomings in it. But yeah, that's a good point. So in order to find the IP address for the web servers, if you do nova list, that should just return the IP addresses for you. The password is in the doc. It says cubswin; if you search for it in the code pad, it's C-U-B-S-W-I-N colon, open paren or close paren.

So I associated the health check with the pool, and the next thing that we're actually going to do is we're going to go ahead and create a VIP. So we tell it the port that we want the VIP bound on, the traffic that it's expecting, and the subnet that we want it to be created on. So as you can see this returns this private IP address here, and this actually creates a port for us. So one of the nice things is you can do load balancing internally. For instance, if you don't want your load balancer facing the public, outside on the public infrastructure, say you want to load balance MySQL connections or something like that internally, you can use this to do that. So after we create this VIP, we want to go ahead and associate the port with the floating IP.
So this way we can access that externally. So after that is done, we should be able to curl to this floating IP and see that it's automatically load balanced. So you can see that works: if I hit it once it says web server one, if I hit it another time it says web server two. So one of the cool things of this is it allows us to horizontally scale out our application a little bit using the load balancer, and it also provides us a little bit of high availability. Like in a moment, we'll go ahead and delete one of the web servers, and then we'll see when we make the request only one of the web servers will actually return a response.

So the next thing that we're going to do is we're just going to quickly demo the firewall as a service stuff. And what that does is it allows us to actually do additional filtering at the router. So the first step to do that is we're going to create a default firewall policy, and then we're going to go ahead and create a firewall and associate it with that policy. The default policy is actually block, so what happens is we're no longer able to connect into the instance. So in order to allow connections again, we have to create another rule. So this rule allows HTTP traffic, and so we'll go ahead and create this rule and then insert it into the firewall. So after you do that, you can see connectivity is now restored and we can actually connect in. So this allows us just to do additional filtering at the router, to filter out additional traffic that we don't actually want to reach our guests.

So the last thing that we can demo is, if we do nova list, we can actually delete one of these web servers, and we can see that Neutron will actually take it out of the load balancing pool, so only one of the web servers is going to return its name.
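The health monitor created earlier (three-second delay, three retries, HTTP check on port 80) is what decides how long a dead web server keeps receiving requests from the VIP, and the pool demo that follows depends on it. The following is an added example, not code from the lab, from Neutron LBaaS or from HAProxy; it simulates a round-robin pool with a consecutive-failure health monitor so you can see why the failover the talk demonstrates takes roughly delay times retries seconds. Member names and addresses are constructed to match the lab (webserver1 on 10.0.0.4, webserver2 on 10.0.0.5), and the consecutive-failure counting is an assumption about the monitor, not taken from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str
    address: str
    responding: bool = True   # constructed backend state: does :80 answer the probe?
    failures: int = 0         # consecutive failed probes
    status: str = "ACTIVE"


@dataclass
class HealthMonitor:
    delay: int = 3            # seconds between probes (lab value)
    max_retries: int = 3      # consecutive failures before a member is marked DOWN (lab value)


class Pool:
    """Round-robin pool whose members are probed by one health monitor."""

    def __init__(self, monitor: HealthMonitor) -> None:
        self.monitor = monitor
        self.members: List[Member] = []
        self.clock = 0          # simulated seconds
        self._rr = 0            # round-robin cursor

    def add_member(self, name: str, address: str) -> Member:
        member = Member(name, address)
        self.members.append(member)
        return member

    def probe_all(self) -> None:
        """One monitor interval: advance the clock, probe every member once."""
        self.clock += self.monitor.delay
        for m in self.members:
            if m.responding:
                m.failures = 0
                m.status = "ACTIVE"
            else:
                m.failures += 1
                if m.failures >= self.monitor.max_retries:
                    m.status = "DOWN"

    def dispatch(self) -> Optional[str]:
        """Send the next request to an ACTIVE member, round robin; None if none left."""
        active = [m for m in self.members if m.status == "ACTIVE"]
        if not active:
            return None
        chosen = active[self._rr % len(active)]
        self._rr += 1
        return chosen.name


def detection_time(delay: int, max_retries: int) -> int:
    """Simulated seconds until a member that stopped answering is marked DOWN."""
    pool = Pool(HealthMonitor(delay, max_retries))
    web1 = pool.add_member("webserver1", "10.0.0.4")
    pool.add_member("webserver2", "10.0.0.5")
    web1.responding = False             # stands in for deleting web server one
    while web1.status == "ACTIVE":
        pool.probe_all()
    return pool.clock


def simulate_failover() -> Dict[str, object]:
    """Requests before the outage, when the monitor notices, and requests after."""
    pool = Pool(HealthMonitor())        # lab values: delay 3, retries 3
    web1 = pool.add_member("webserver1", "10.0.0.4")
    pool.add_member("webserver2", "10.0.0.5")
    before = [pool.dispatch() for _ in range(4)]
    web1.responding = False
    while web1.status == "ACTIVE":
        pool.probe_all()
    after = [pool.dispatch() for _ in range(3)]
    return {"before": before, "detected_at": pool.clock, "after": after}


if __name__ == "__main__":
    print(simulate_failover())
```

Until the monitor flips the member to DOWN, the round robin keeps sending every other request to the dead backend, so a client hitting the VIP in that window sees alternating failures; shortening the delay or the retry count trades faster failover for more false positives under transient load.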
So I'll just go ahead and delete web server one. So it actually takes about nine or ten seconds for this to actually be pulled out of the load balancer pool, because it retries three times and it waits three seconds. So now if I curl to this it should only be returning web server two. Or web server one, I guess I copied and pasted the names differently.

One more thing that I'd like to demo for you guys is, this is actually deployed in our cloud at VMware, running on top of NSX. So in your labs you're actually using the open-source components, but underneath that's using the NSX plug-in that's powering all of these labs. Yeah, so we're gonna actually leave these labs up for a couple days, and you can go ahead and re-register and recreate another lab if you want to. Yep. What would you like me to explain, why we didn't add the firewall policy? We do at the end, not without adding the policy to allow the traffic in, because by default it blocks traffic. So I'm just VPNing in really quick to show you this. Does it say it's connected? Sorry about this, we had to switch from one laptop to another, so there was one more... If later on in the week you guys want to go ahead and redo the lab or continue on it, we'll go ahead and leave the labs accessible for a while, for at least a week or so. Or if you have any questions at this point, we can open up the floor for questions or anything like that. Can you just SSH into it instead of using that? That might be the easiest bet. Yeah, if you just copy that. Or just necessarily is the username? Yeah. But the API could definitely be extended to allow like a list of services or something like that in order to be able to do this, but I don't think today it does. No, this is Kilo, or, this is Juno. Right, so in Kilo, maybe, if someone adds it; if you want to add it you can add it, then we can show it next time. Yeah, I don't know, this thing isn't... the VPN component only allows you to kind of like connect different logical
routers together, so there's not really much. I don't know, it doesn't really add much. So all the VPN stuff does today is just allow you to connect two different virtual routers, and you can actually connect two different virtual routers between different OpenStack deployments if you want. So you have to have multiple OpenStack deployments to kind of like demo that, so there isn't... So I was going to show how that actually looks, and there's actually like a ton of tools that actually operationalize it, so you can actually see where things are, and like things in the underlay and overlay. It does work... the network... It seems like not today; the load balancer API has a lot of problems. Share the network? But it should work. I would guess it's some kind of configuration. Yeah, absolutely. Great, okay, I'm not sure, but it sounds like... Oh. Yeah. Why do you really care about the IP address that you're allocated? Because for one thing is, we don't want to allow a tenant to take an IP, then I could do a bunch of bad things and then get another IP, because a lot of people on the internet have blocked it. So that's kind of the motivation for that. But the IP for doing it then... Because... Right, but the instance doesn't know. And so... Okay, in that case, gotcha. In these cases it's better to... Not really, because the shared network has nothing to do with the floating IPs. We can set up... shoot me an email maybe. Yeah, I'll put it on Twitter, Aaron Rosen, I'll do that after the talk, R-O-N-O-R-O-S-E-M. Thanks, I'm glad you enjoyed it. Unfortunately I didn't get to show the NSX bits, but below it, this is all running on... which is powering inside of your lab; you're running ML2 below it, so all the physical... And I can show you more products. Yeah, so you can actually see all the labs. Actually, I think it's Mac, because this works under Linux, so... Oh. Thanks, yeah, I have something with peace. Yep.
Thanks. You... Now you can partition your network however you want. Okay, so even though they're... Yep, even though they're on the same... No, it doesn't go through the router. No, it goes actually directly, but like on the vif that attaches to the bridge, that's where the security is implemented, on the edge. Okay.