Distributed SNAT - local gateway mode

In this post I am going to dive into proof of concept (POC) implementation details of local gateway SNAT mode. Instead of being transferred to network node SNAT traffic will utilize additional local gateway interfaces to skip one hop for 'north-south' traffic. POC implementation was based on neutron stable/mitaka branch that is pretty outdated these days. However implementation concept not changes a lot.

SNAT implementation at DVR

SNAT feature in Distributed virtual router (DVR) implementation remains centralized:

figure 1

Figure 1 shows single VM deployed at Compute node. 

  • Data plane address of Compute node:
  • Data plane address of Network node:
  • External network 172.24.2.x
  • VM's address on private network:
Traffic flows as following:
  1. Packet with destination address outside of cloud VM enters internal bridge (br-int)
  2. Target MAC address lays in a Router namespace with on interface with IP address:
  3. Router identifies packet as 'north-south'  and route it towards IP address at network node
  4. Packet passes from internal bridge to tunnel bridge
  5. Tunneling packet  according to defined tunnel type (VXLAN) and send to network node
  6. At end of tunnel packet is passed to internal bridge at network node
  7. Packet arrives to SNAT namespace where target IP address resides
  8. Packet is routed outside

SNAT implementation - local gateway mode

Unlike reference implementation SNAT in local gateway mode not requires network node.
figure 2

We create additional network namespace that hosts SNAT external address. Outgoing 'north-south' packet is routed locally from router namespace to SNAT namespace and then outside.

This implementation consumes 2 additional address per (tenant, router) pair. If addresses are taken from predefined external pool and traffic passes later another NAT beyond cloud boundary this approach will work well.

Router and SNAT namespace are connected in a way that mimics DVR floating IP implementation

figure 3

Addresses on veth pair endpoint interfaces are taken from different IP range

External addresses can be assigned to to SNAT namespace on demand. Once first tenant VM is deployed on given compute host neutron implementation can allocate address additional address pair and setup local routing rules.

POC implementation is however uses CLI based external local gateway allocation which is not desired for production case.
figure 4

Figure 4 shows CLI command that extends router external information and defines local gateway on specified L3 agent.

Extended router information is listed below.
figure 5

Cloud deployment has 2 compute nodes and network node. Router is deployed in DVR mode. Agent gateway information holds compute host alternative gateway address which is denoted in this post as 'local gateway'.

Unlike router new internal structure - having local gateway port on every compute node with different IP addresses - Horizon graphical outline was not part of this feature POC. Besides multiple gateway ports brake traditional gateway visual presentation.

However port view is up to date in Horizon:
figure 6

Besides gateway port at network node, 2 other local gateway ports are present:

Other key implementation aspects

Default gateway port can be overridden on agents with dvr-local-snat mode 
  • When gateway is overridden traffic is routed outside locally avoiding Network Node 
Database update notification may cause ‘re-wiring’ in following cases:
  • Alternative gateway port on this agent is added
  • Alternative gateway port on this agent is removed
  • Internal interface (scheduled VM) is added/removed
  • Default gateway port is set/cleared
  •      All alternative gateway ports are removed to prevent ambiguity


Popular posts from this blog

Distributed SNAT - examining alternatives

SSH as service - more use cases