networking-calico

networking-calico is the Neutron ‘stadium’ sub-project that provides ‘Calico’ connectivity and security in an OpenStack/Neutron cloud.

Calico (http://www.projectcalico.org/) uses IP routing to provide connectivity, in the form of a flat IP network, between the workloads in a data center that provide or use IP-based services, whether VMs, containers or bare metal appliances; and it uses iptables to impose any desired fine-grained security policy between those workloads. Calico thus differs from most other Neutron backends, which use bridging and tunneling to simulate L2-level connectivity between the VMs attached to a Neutron network.

Using Calico implies and requires some restrictions on the full generality of what can theoretically be expressed by the Neutron API and data model. Specifically:

  • Calico only supports IP addresses in a single, flat IP address space. Therefore it does not support overlapping IP ranges, or “bring your own addressing.” In Neutron API terms, all Calico network subnets must belong to the same address scope.
  • Calico does not provide layer 2 adjacency even on the same Neutron subnet, so raw layer 2 protocols and broadcast do not work with Calico. In Neutron API terms, all Calico networks are l2_adjacency False.
  • Calico provides connectivity between different networks by default, and relies on security group configuration and policy to implement whatever network isolation and finer-grained security restrictions are desired. In Neutron API terms, this means that Calico networks must either be external provider networks, or be tenant networks that are connected through a Neutron router to an external network.

For more detail, please see Detailed Semantics.
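The three restrictions above can be checked against a Neutron topology before a deployment is switched to Calico. The following is an added example, not code from networking-calico itself; it runs over a constructed, hypothetical subset of Neutron network, subnet, subnetpool and router records (the address scope is taken from the subnet's pool, as Neutron models it) and reports every violation: mixed or missing address scopes, overlapping CIDRs, networks advertising l2_adjacency, and tenant networks with no router path to an external network.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample data shaped like Neutron API resources (field subset only).
# All IDs, CIDRs and scope names are hypothetical; they are not from a real cloud.
NETWORKS = {
    "net-ext": {"router:external": True, "l2_adjacency": False},
    "net-a":   {"router:external": False, "l2_adjacency": False},
    "net-b":   {"router:external": False, "l2_adjacency": True},
}
SUBNETS = [
    {"id": "sub-ext", "network_id": "net-ext", "cidr": "10.0.0.0/16", "subnetpool_id": "pool-1"},
    {"id": "sub-a",   "network_id": "net-a",   "cidr": "10.1.0.0/24", "subnetpool_id": "pool-1"},
    {"id": "sub-b",   "network_id": "net-b",   "cidr": "10.1.0.0/25", "subnetpool_id": None},
]
# In Neutron the address scope is a property of the subnet pool; a subnet
# allocated outside any pool therefore has no address scope at all.
SUBNETPOOLS = {"pool-1": {"address_scope_id": "scope-1"}}
ROUTERS = [
    # "interfaces" lists the subnet IDs attached to the router (constructed field name).
    {"id": "r1", "external_gateway_info": {"network_id": "net-ext"}, "interfaces": ["sub-a"]},
]


def check_calico_constraints(networks, subnets, subnetpools, routers):
    """Return a list of human-readable violations of the Calico restrictions."""
    problems = []
    # 1. Single flat address space: exactly one address scope and no overlapping CIDRs.
    scopes = {subnetpools.get(s["subnetpool_id"] or "", {}).get("address_scope_id") for s in subnets}
    if len(scopes) != 1:
        problems.append(f"subnets span address scopes {sorted(map(str, scopes))}, expected exactly one")
    for a, b in combinations(subnets, 2):
        if ip_network(a["cidr"]).overlaps(ip_network(b["cidr"])):
            problems.append(f"subnets {a['id']} and {b['id']} overlap ({a['cidr']} / {b['cidr']})")
    # 2. No layer 2 adjacency: Calico networks must report l2_adjacency False.
    for nid, net in networks.items():
        if net.get("l2_adjacency"):
            problems.append(f"network {nid} advertises l2_adjacency=True")
    # 3. Every non-external network must reach an external network through a router
    #    that has an external gateway; isolation is then a security-group concern.
    routed = {sid for r in routers if r.get("external_gateway_info") for sid in r["interfaces"]}
    for nid, net in networks.items():
        if net["router:external"]:
            continue
        if not any(s["network_id"] == nid and s["id"] in routed for s in subnets):
            problems.append(f"tenant network {nid} has no router path to an external network")
    return problems
```

With the sample data, net-b fails all three checks (no scope, overlapping CIDR, l2_adjacency, no router), while net-a and net-ext pass.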
