How to Analyze the Principle of Instance External Network Access

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article shows how to analyze the principle behind instance access to the external network. The content is concise and easy to follow, and I hope the detailed walkthrough is useful.

We will connect the created ext_net to the router and verify the connectivity between the internal and external networks.

More importantly, we will analyze the principles hidden beneath the surface.

Connect the external network to the Neutron virtual router so that instances can access the external network.

Click the menu Project -> Network -> Routers to open the router list.

Click the "Set Gateway" button on router_100_101.

Select ext_net from the "External Network" drop-down list and click "Set Gateway".

The external gateway is set successfully.

Next, see what changed on the router. Click the "router_100_101" link and open the "Interfaces" tab.

The router has a new interface with IP 10.10.10.2. This interface connects the router to the public network ext_net.

Check the network structure of the control node. The router's tap device tapb8b32a88-03 has been connected to the external network bridge.

View the veth pair device for tapb8b32a88-03 in the router's namespace.

The veth pair is named qg-b8b32a88-03 and is configured with IP 10.10.10.2.

Each router interface has a corresponding veth in the namespace. A veth that connects to a tenant network is named in the format qr-xxx, such as qr-d568ba1a-74 and qr-e17162c5-00. A veth that connects to an external network is named in the format qg-xxx, such as qg-b8b32a88-03.

View the routing table of the router.

You can see that the default gateway is 10.10.10.1. This means that router_100_101 forwards all traffic destined outside the vlan100 and vlan101 tenant networks to the ext_net gateway 10.10.10.1.

Now router_100_101 has connected vlan100, vlan101 and ext_net at the same time.

Let's test it on cirros-vm3.

cirros-vm3 is located on the compute node, and it can now ping the ext_net gateway 10.10.10.1. Check the path from cirros-vm3 to 10.10.10.1 with traceroute.

The packet arrives at the 10.10.10.1 gateway after two hops:

1. The packet is first sent to the router_100_101 interface that connects to vlan101 (172.16.101.1).
2. It is then forwarded through the interface that connects to ext_net (10.10.10.2), and finally reaches 10.10.10.1.

When the router sends a packet out through the external network interface qg-b8b32a88-03, it performs Source NAT (SNAT): the source address of the packet is changed to the router's interface address 10.10.10.2. This ensures that the destination can send the reply back to the router, which then forwards it to the source instance.

You can view the SNAT rules with the iptables command.

When cirros-vm3 (172.16.101.3) pings 10.10.10.1, the SNAT behavior can be verified by using tcpdump to observe the ICMP packets on the router's two interfaces.

tcpdump on the vlan101 interface qr-e17162c5-00

tcpdump on the ext_net interface qg-b8b32a88-03

SNAT enables an instance to access the public network directly, but the external network cannot directly access the instance, because the instance does not have a public network IP. Here, "direct access to the instance" means that the connection is initiated from the external network, such as SSH to cirros-vm3 from the external network.
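
The following is an added example, not code from the original article or from Neutron: a small Python model of the SNAT and connection-tracking behavior described above, showing why the reply to cirros-vm3's ping is delivered while a connection initiated from the external network is not. The /24 prefix, the echo id 4242 and the TCP ports are constructed values; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ROUTER_EXT_IP = "10.10.10.2"                 # qg-b8b32a88-03 address from the article
TENANT_NET = ip_network("172.16.101.0/24")   # vlan101; the /24 prefix is an assumption

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int   # for ICMP echo, the echo id stands in for both ports
    dport: int

class SnatRouter:
    """Toy model of source NAT with connection tracking (not Neutron code)."""
    def __init__(self):
        # Expected reply tuple on the external side -> original instance address.
        # Port remapping on collisions is omitted to keep the model small.
        self.conntrack = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Tenant packet leaving through the qg- interface: rewrite the source."""
        if ip_address(pkt.src) not in TENANT_NET:
            return pkt
        reply_key = (pkt.proto, pkt.dst, pkt.dport, ROUTER_EXT_IP, pkt.sport)
        self.conntrack[reply_key] = pkt.src
        return Packet(ROUTER_EXT_IP, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the qg- interface: only tracked replies are translated back."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        original_src = self.conntrack.get(key)
        if original_src is None:
            return None   # no state maps 10.10.10.2 to any instance
        return Packet(pkt.src, original_src, pkt.proto, pkt.sport, pkt.dport)

def demo():
    router = SnatRouter()
    # Constructed sample traffic: cirros-vm3 pings the ext_net gateway (echo id 4242).
    echo = Packet("172.16.101.3", "10.10.10.1", "icmp", 4242, 4242)
    on_wire = router.outbound(echo)
    reply = Packet("10.10.10.1", ROUTER_EXT_IP, "icmp", 4242, 4242)
    delivered = router.inbound(reply)
    # Unsolicited SSH attempt from the external side toward the router address.
    unsolicited = router.inbound(Packet("10.10.10.1", ROUTER_EXT_IP, "tcp", 50000, 22))
    return on_wire, delivered, unsolicited
```

Calling `demo()` returns the packet as seen on ext_net, the reply as delivered to the instance, and `None` for the unsolicited connection.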
