Enable geo-redundancy and fault isolation with VPNaaS

Stefano Cucchiella City Cloud Leave a Comment

One of the critical aspects to fully implement High-Availability (HA) is redundancy.  

In engineering, redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system, usually in the form of a backup or fail-safe, or to improve actual system performance, […]

Wikipedia

Geo-redundancy stresses this concept to a critical level where power-line issues or catastrophic events can massively impact a datacenter operability.

Openstack VPNaaS (current supported release: Victoria) geo-redundancy and fault isolation, removing single-points of failure, and ensuring your application’s high level of productivity. 

This article describes how to set up a VPN connection between multiple CityCloud datacenters. Also, we will use Terraform to support and quickly configure our networks and routers.

Level

ADVANCED

Pre-requisites

  • A project enabled in each datacenter, similar to the above architecture – How-To 
  • CLI access to each project – How-To
  • ICMP (ping) enabled via Security Groups
  • SSH access to the VMs in each project enabled via Security Groups
  • Terraform installed and good knowledge of the tool

If you are new to Terraform and need a structured way of learning the tool and how it can benefit your CI/CD deployments, have a look at our City Cloud Academy courses.

Overview

In this article, we will describe how to connect Stockholm (Sto2),  Dubai (Dx1) and Frankfurt (Fra1) through VPNaaS connections as described below:

Only one VPN service per router is allowed as only one listener is used for VPN services.

Step-by-step guide

Stockholm – Sto2

1. Navigate to the directory containing your Terraform configuration

2. Source your openstack.rc file and run:

$ terraform init

3. Apply the VPNaaS configuration below:

// VPNaaS Configuration

resource "openstack_vpnaas_service_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
router_id = openstack_networking_router_v2.router.id
admin_state_up = "true"
}

resource "openstack_vpnaas_ipsec_policy_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
transform_protocol = "esp"
encapsulation_mode = "tunnel"
}

resource "openstack_vpnaas_ike_policy_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
}

resource "openstack_vpnaas_endpoint_group_v2" "local" {
name = "${var.prefix}-local"
type = "subnet"
endpoints = [openstack_networking_subnet_v2.subnet.id]
}

resource "openstack_vpnaas_endpoint_group_v2" "peer" {
name = "${var.prefix}-peer"
type = "cidr"
endpoints = ["10.3.0.0/24"] // <-- Peer CIDR
}

resource "openstack_vpnaas_site_connection_v2" "subgw" {
name = "${var.prefix}-subgw"
ipsecpolicy_id = openstack_vpnaas_ipsec_policy_v2.geo-redundancy.id
ikepolicy_id = openstack_vpnaas_ike_policy_v2.geo-redundancy.id
local_ep_group_id = openstack_vpnaas_endpoint_group_v2.local.id
peer_ep_group_id = openstack_vpnaas_endpoint_group_v2.peer.id
vpnservice_id = openstack_vpnaas_service_v2.geo-redundancy.id
psk = "zvuGp9vuwLMpBoa..."
peer_address = "103.81.142.192" // <-- Peer Router Floating IP
peer_id = "103.81.142.192" // <-- Peer Router Floating IP
admin_state_up = "true"
}

4. Check the VPN service is enabled and in ACTIVE status.

In case the service is listed as DOWN right after it’s been deployed, simply restart it via Openstack CLI:

$ openstack vpn service set <vpn-service> --disable 
$ openstack vpn service set <vpn-service> --enable

Frankfurt – Fra1

1. Navigate to the directory containing your Terraform configuration

2. Source your openstack.rc file and run:

$ terraform init

3. Apply the VPNaaS configuration below:

// VPNaaS Configuration

resource "openstack_vpnaas_service_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
router_id = openstack_networking_router_v2.router.id
admin_state_up = "true"
}

resource "openstack_vpnaas_ipsec_policy_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
transform_protocol = "esp"
encapsulation_mode = "tunnel"
}

resource "openstack_vpnaas_ike_policy_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
}

resource "openstack_vpnaas_endpoint_group_v2" "local" {
name = "${var.prefix}-local"
type = "subnet"
endpoints = [openstack_networking_subnet_v2.subnet.id]
}

resource "openstack_vpnaas_endpoint_group_v2" "peer" {
name = "${var.prefix}-peer"
type = "cidr"
endpoints = ["10.3.0.0/24"] // <-- Peer CIDR
}

resource "openstack_vpnaas_site_connection_v2" "subgw" {
name = "${var.prefix}-subgw"
ipsecpolicy_id = openstack_vpnaas_ipsec_policy_v2.geo-redundancy.id
ikepolicy_id = openstack_vpnaas_ike_policy_v2.geo-redundancy.id
local_ep_group_id = openstack_vpnaas_endpoint_group_v2.local.id
peer_ep_group_id = openstack_vpnaas_endpoint_group_v2.peer.id
vpnservice_id = openstack_vpnaas_service_v2.geo-redundancy.id
psk = "zvuGp9vuwLMpBoaWPUTq63LFcmK7GnAH"
peer_address = "103.81.142.192" // <-- Peer Router Floating IP
peer_id = "103.81.142.192" // <-- Peer Router Floating IP
admin_state_up = "true"
}

4. Check the VPN service is enabled and in ACTIVE status.

In case the service is listed as DOWN right after it’s been deployed, simply restart it via Openstack CLI:

$ openstack vpn service set <vpn-service> --disable 
$ openstack vpn service set <vpn-service> --enable

Dubai – Dx1

1. Navigate to the directory containing your Terraform configuration

2. Source your openstack.rc file and run:

$ terraform init

3. Apply the VPNaaS configuration below:

// VPNaaS Configuration

resource "openstack_vpnaas_endpoint_group_v2" "local" {
name = "${var.prefix}-local"
type = "subnet"
endpoints = [openstack_networking_subnet_v2.subnet.id]
}

resource "openstack_vpnaas_service_v2" "geo-redundancy" {
name = "${var.prefix}-geo-redundancy"
router_id = openstack_networking_router_v2.router.id
admin_state_up = "true"
}

// Create VPN Network - Sto2

resource "openstack_vpnaas_ipsec_policy_v2" "sto2" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
transform_protocol = "esp"
encapsulation_mode = "tunnel"
}

resource "openstack_vpnaas_ike_policy_v2" "sto2" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
}

resource "openstack_vpnaas_endpoint_group_v2" "sto2" {
name = "${var.prefix}-peer"
type = "cidr"
endpoints = ["10.1.0.0/24"] // <-- Peer CIDR
}

resource "openstack_vpnaas_site_connection_v2" "sto2" {
name = "${var.prefix}-geo-redundancy"
ipsecpolicy_id = openstack_vpnaas_ipsec_policy_v2.sto2.id
ikepolicy_id = openstack_vpnaas_ike_policy_v2.sto2.id
local_ep_group_id = openstack_vpnaas_endpoint_group_v2.local.id
peer_ep_group_id = openstack_vpnaas_endpoint_group_v2.sto2.id
vpnservice_id = openstack_vpnaas_service_v2.geo-redundancy.id
psk = "zvuGp9vuwLMpBoa..."
peer_address = "31.12.86.44" // <-- Peer Router Floating IP
peer_id = "31.12.86.44" // <-- Peer Router Floating IP
admin_state_up = "true"
}

// Create VPN Network - Fra1

resource "openstack_vpnaas_ipsec_policy_v2" "fra1" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
transform_protocol = "esp"
encapsulation_mode = "tunnel"
}

resource "openstack_vpnaas_ike_policy_v2" "fra1" {
name = "${var.prefix}-geo-redundancy"
pfs = "group5"
auth_algorithm = "sha1"
encryption_algorithm = "aes-128"
}

resource "openstack_vpnaas_endpoint_group_v2" "fra1" {
name = "${var.prefix}-peer"
type = "cidr"
endpoints = ["10.2.0.0/24"] // <-- Peer CIDR
}

resource "openstack_vpnaas_site_connection_v2" "fra1" {
name = "${var.prefix}-geo-redundancy"
ipsecpolicy_id = openstack_vpnaas_ipsec_policy_v2.fra1.id
ikepolicy_id = openstack_vpnaas_ike_policy_v2.fra1.id
local_ep_group_id = openstack_vpnaas_endpoint_group_v2.local.id
peer_ep_group_id = openstack_vpnaas_endpoint_group_v2.fra1.id
vpnservice_id = openstack_vpnaas_service_v2.geo-redundancy.id
psk = "zvuGp9vuwLMpBoa..."
peer_address = "45.114.123.30" // <-- Peer Router Floating IP
peer_id = "45.114.123.30" // <-- Peer Router Floating IP
admin_state_up = "true"
}

4. Check the VPN service is enabled and in ACTIVE status.

In case the service is listed as DOWN right after it’s been deployed, simply restart it via Openstack CLI:

$ openstack vpn service set <vpn-service> --disable 
$ openstack vpn service set <vpn-service> --enable

Test infra-projects connectivity

1. SSH into one of the VMs in Dubai-Dx1

2. Ping one of the VMs in Stockholm-Sto2 using the local ip 10.1.0.x and check traffic flows:

$ ping 10.1.0.175PING 10.1.0.175 (10.1.0.175) 56(84) bytes of data.64 bytes from 10.1.0.175: icmp_seq=1 ttl=62 time=147 ms64 bytes from 10.1.0.175: icmp_seq=2 ttl=62 time=147 ms64 bytes from 10.1.0.175: icmp_seq=3 ttl=62 time=147 ms

3. Ping one of the VMs in Frankfurst-Fra1 using the local ip 10.2.0.y and check traffic flows:

$ ping 10.2.0.155PING 10.2.0.155 (10.2.0.155) 56(84) bytes of data.64 bytes from 10.2.0.155: icmp_seq=1 ttl=62 time=117 ms64 bytes from 10.2.0.155: icmp_seq=2 ttl=62 time=117 ms64 bytes from 10.2.0.155: icmp_seq=3 ttl=62 time=117 ms

Conclusions

This article presented how our City Cloud infrastructure copes with such essential requirements as redundancy and fault isolation. Achieving full high-availability may require additional work at the platform and application level.

Need more technical tips? Please visit our Knowledge Base space.