[ovs-discuss] OVN: availability zones concept

Dan Sneddon dsneddon at redhat.com
Wed Mar 6 10:27:02 UTC 2019


On Tue, Mar 5, 2019 at 9:40 PM Han Zhou <zhouhan at gmail.com> wrote:

> On Tue, Mar 5, 2019 at 7:24 PM Ben Pfaff <blp at ovn.org> wrote:
> > What's the effective difference between an OVN deployment with 3 zones,
> > and a collection of 3 OVN deployments?  Is it simply that the 3-zone
> > deployment shares databases?  Is that a significant advantage?
>
> Hi Ben, based on the discussions there are two cases:
>
> For completely separated zones (no overlapping) v.s. separate OVN
> deployments, the difference is that separate OVN deployments requires
> some sort of federation at a higher layer, so that a single CMS can
> operate multiple OVN deployments. Of course separate zones in same OVN
> still requires changes in CMS to operate but the change may be smaller
> in some cases.
>
> For overlapping zones v.s. separate OVN deployments, the difference is
> more obvious. Separate OVN deployments doesn't allow overlapping.
> Overlapping zones allows sharing gateways between different groups of
> hypervisors.
>
> If the purpose is only reducing tunnel mesh size, I think it may be
> better to avoid the zone concept but instead create tunnels (and bfd
> sessions) on-demand, as discussed here:
> https://mail.openvswitch.org/pipermail/ovs-discuss/2019-March/048281.html
>
> Daniel or other folks please comment if there are other benefit of
> creating zones.
>
> Thanks,
> Han
>

The original discussion came about when I was consulting with a very large
bank who were considering network designs for an application cloud. In that
case, all chassis were in a single site, and the desire was to be able to
separate groups of chassis into trust zones with no East-West communication
between zones. Of course this same result can be handled via network
segregation and firewalling, but zones would provide an additional layer of
security enforcement. In their case, the choice due to policy was to have
separate flow controllers and software routers in each zone rather than
rely on firewalls alone, but this increased the hardware footprint.

When I discovered that there was no way to prevent tunnels from being
formed between all chassis, that became an obvious problem for edge
scenarios. To me that is the more pressing issue, which dynamic tunnels
would solve. However, the ability to have separate transit zones would also
be a useful feature, in my opinion.

-- 
Dan Sneddon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-discuss/attachments/20190306/3e122906/attachment.html>


More information about the discuss mailing list