
Enable geo-redundancy and fault isolation with VPNaaS
One of the critical aspects to fully implement High-Availability (HA) is redundancy.
In engineering, redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system, usually in the form of a backup or fail-safe, or to improve actual system performance, […]
Wikipedia
Geo-redundancy stresses this concept to a critical level where power-line issues or catastrophic events can massively impact a datacenter operability.
Openstack VPNaaS (current supported release: Victoria) geo-redundancy and fault isolation, removing single-points of failure, and ensuring your application’s high level of productivity.
This article describes how to set up a VPN connection between multiple CityCloud datacenters. Also, we will use Terraform to support and quickly configure our networks and routers.
Level
ADVANCED
Pre-requisites
- A project enabled in each datacenter, as described in the next Section
- CLI access to each project
- python-openstackclient & python-neutronclient installed
- ICMP (ping) enabled via Security Groups
- SSH access to the VMs in each project enabled via Security Groups
- Terraform installed and good knowledge of the tool
If you are new to Terraform and need a structured way of learning the tool and how it can benefit your CI/CD deployments, have a look at our City Cloud Academy courses.
Overview
In this article, we will describe how to connect Stockholm (Sto2), Dubai (Dx1) and Frankfurt (Fra1) through VPNaaS connections as described below:

Only one VPN service per router is allowed as only one listener is used for VPN services.
Step-by-step guide
Stockholm – Sto2
1. Navigate to the directory containing your Terraform configuration
2. Source your openstack.rc file and run:
$ terraform init
3. Apply the VPNaaS configuration below:
// VPNaaS Configuration
resource "openstack_vpnaas_service_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
router_id = openstack_networking_router_v2.router.id
admin_state_up = "true"
}
resource "openstack_vpnaas_ipsec_policy_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
transform_protocol = "esp"
encapsulation_mode = "tunnel"
}
resource "openstack_vpnaas_ike_policy_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
}
resource "openstack_vpnaas_endpoint_group_v2" "local" {
name = "${var.prefix}-local"
type = "subnet"
endpoints = [openstack_networking_subnet_v2.subnet.id]
}
resource "openstack_vpnaas_endpoint_group_v2" "peer" {
name = "${var.prefix}-peer"
type = "cidr"
endpoints = ["10.3.0.0/24"] // <-- Peer CIDR
}
resource "openstack_vpnaas_site_connection_v2" "subgw" {
name = "${var.prefix}-subgw"
ipsecpolicy_id = openstack_vpnaas_ipsec_policy_v2.geo-redundancy.id
ikepolicy_id = openstack_vpnaas_ike_policy_v2.geo-redundancy.id
local_ep_group_id = openstack_vpnaas_endpoint_group_v2.local.id
peer_ep_group_id = openstack_vpnaas_endpoint_group_v2.peer.id
vpnservice_id = openstack_vpnaas_service_v2.geo-redundancy.id
psk = "zvuGp9vuwLMpBoa..."
peer_address = "103.81.142.192" // <-- Peer Router Floating IP
peer_id = "103.81.142.192" // <-- Peer Router Floating IP
admin_state_up = "true"
}
4. Check the VPN service is enabled and in ACTIVE status.
In case the service is listed as DOWN right after it’s been deployed, simply restart it via Openstack CLI:
$ openstack vpn service set <vpn-service> --disable
$ openstack vpn service set <vpn-service> --enable
Frankfurt – Fra1
1. Navigate to the directory containing your Terraform configuration
2. Source your openstack.rc file and run:
$ terraform init
3. Apply the VPNaaS configuration below:
// VPNaaS Configuration
resource "openstack_vpnaas_service_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
router_id = openstack_networking_router_v2.router.id
admin_state_up = "true"
}
resource "openstack_vpnaas_ipsec_policy_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
transform_protocol = "esp"
encapsulation_mode = "tunnel"
}
resource "openstack_vpnaas_ike_policy_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
}
resource "openstack_vpnaas_endpoint_group_v2" "local" {
name = "${var.prefix}-local"
type = "subnet"
endpoints = [openstack_networking_subnet_v2.subnet.id]
}
resource "openstack_vpnaas_endpoint_group_v2" "peer" {
name = "${var.prefix}-peer"
type = "cidr"
endpoints = ["10.3.0.0/24"] // <-- Peer CIDR
}
resource "openstack_vpnaas_site_connection_v2" "subgw" {
name = "${var.prefix}-subgw"
ipsecpolicy_id = openstack_vpnaas_ipsec_policy_v2.geo-redundancy.id
ikepolicy_id = openstack_vpnaas_ike_policy_v2.geo-redundancy.id
local_ep_group_id = openstack_vpnaas_endpoint_group_v2.local.id
peer_ep_group_id = openstack_vpnaas_endpoint_group_v2.peer.id
vpnservice_id = openstack_vpnaas_service_v2.geo-redundancy.id
psk = "zvuGp9vuwLMpBoaWPUTq63LFcmK7GnAH"
peer_address = "103.81.142.192" // <-- Peer Router Floating IP
peer_id = "103.81.142.192" // <-- Peer Router Floating IP
admin_state_up = "true"
}
4. Check the VPN service is enabled and in ACTIVE status.
In case the service is listed as DOWN right after it’s been deployed, simply restart it via Openstack CLI:
$ openstack vpn service set <vpn-service> --disable
$ openstack vpn service set <vpn-service> --enable
Dubai – Dx1
1. Navigate to the directory containing your Terraform configuration
2. Source your openstack.rc file and run:
$ terraform init
3. Apply the VPNaaS configuration below:
// VPNaaS Configuration
resource "openstack_vpnaas_endpoint_group_v2" "local" {
name = "${var.prefix}-local"
type = "subnet"
endpoints = [openstack_networking_subnet_v2.subnet.id]
}
resource "openstack_vpnaas_service_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
router_id = openstack_networking_router_v2.router.id
admin_state_up = "true"
}
// Create VPN Network - Sto2
resource "openstack_vpnaas_ipsec_policy_v2" "sto2" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
transform_protocol = "esp"
encapsulation_mode = "tunnel"
}
resource "openstack_vpnaas_ike_policy_v2" "sto2" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
}
resource "openstack_vpnaas_endpoint_group_v2" "sto2" {
name = "${var.prefix}-peer"
type = "cidr"
endpoints = ["10.1.0.0/24"] // <-- Peer CIDR
}
resource "openstack_vpnaas_site_connection_v2" "sto2" {
name = "${var.prefix}-geo-redundancy"
ipsecpolicy_id = openstack_vpnaas_ipsec_policy_v2.sto2.id
ikepolicy_id = openstack_vpnaas_ike_policy_v2.sto2.id
local_ep_group_id = openstack_vpnaas_endpoint_group_v2.local.id
peer_ep_group_id = openstack_vpnaas_endpoint_group_v2.sto2.id
vpnservice_id = openstack_vpnaas_service_v2.geo-redundancy.id
psk = "zvuGp9vuwLMpBoa..."
peer_address = "31.12.86.44" // <-- Peer Router Floating IP
peer_id = "31.12.86.44" // <-- Peer Router Floating IP
admin_state_up = "true"
}
// Create VPN Network - Fra1
resource "openstack_vpnaas_ipsec_policy_v2" "fra1" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
transform_protocol = "esp"
encapsulation_mode = "tunnel"
}
resource "openstack_vpnaas_ike_policy_v2" "fra1" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
}
resource "openstack_vpnaas_endpoint_group_v2" "fra1" {
name = "${var.prefix}-peer"
type = "cidr"
endpoints = ["10.2.0.0/24"] // <-- Peer CIDR
}
resource "openstack_vpnaas_site_connection_v2" "fra1" {
name = "${var.prefix}-geo-redundancy"
ipsecpolicy_id = openstack_vpnaas_ipsec_policy_v2.fra1.id
ikepolicy_id = openstack_vpnaas_ike_policy_v2.fra1.id
local_ep_group_id = openstack_vpnaas_endpoint_group_v2.local.id
peer_ep_group_id = openstack_vpnaas_endpoint_group_v2.fra1.id
vpnservice_id = openstack_vpnaas_service_v2.geo-redundancy.id
psk = "zvuGp9vuwLMpBoa..."
peer_address = "45.114.123.30" // <-- Peer Router Floating IP
peer_id = "45.114.123.30" // <-- Peer Router Floating IP
admin_state_up = "true"
}
4. Check the VPN service is enabled and in ACTIVE status.
In case the service is listed as DOWN right after it’s been deployed, simply restart it via Openstack CLI:
$ openstack vpn service set <vpn-service> --disable
$ openstack vpn service set <vpn-service> --enable
Test infra-projects connectivity
1. SSH into one of the VMs in Dubai-Dx1
2. Ping one of the VMs in Stockholm-Sto2 using the local ip 10.1.0.x and check traffic flows:
$ ping 10.1.0.175PING 10.1.0.175 (10.1.0.175) 56(84) bytes of data.64 bytes from 10.1.0.175: icmp_seq=1 ttl=62 time=147 ms64 bytes from 10.1.0.175: icmp_seq=2 ttl=62 time=147 ms64 bytes from 10.1.0.175: icmp_seq=3 ttl=62 time=147 ms
3. Ping one of the VMs in Frankfurst-Fra1 using the local ip 10.2.0.y and check traffic flows:
$ ping 10.2.0.155PING 10.2.0.155 (10.2.0.155) 56(84) bytes of data.64 bytes from 10.2.0.155: icmp_seq=1 ttl=62 time=117 ms64 bytes from 10.2.0.155: icmp_seq=2 ttl=62 time=117 ms64 bytes from 10.2.0.155: icmp_seq=3 ttl=62 time=117 ms
Conclusions
This article presented how our City Cloud infrastructure copes with such essential requirements as redundancy and fault isolation. Achieving full high-availability may require additional work at the platform and application level.
Need more technical tips? Please visit our Knowledge Base space.