Networking Concepts
This article describes basic networking concepts in Platform9 Managed OpenStack (PMO).
Please refer to Configure Networking for networking setup details in PMO.
Networking in PMO is designed with a pluggable architecture, allowing for easy integration with third-party networking solutions via plugins.
Network Types
Networks in PMO roughly fall into three distinct categories:
- Provider networks
- Tenant networks
- External networks
Please refer to Configure Networking for making Neutron aware of your data center’s physical network topology, as part of your Neutron setup process.
Provider Networks
Provider networks are designed to map directly to existing networks in your data center. A good example of a provider network is an existing VLAN-based or physical (flat) network within your data center that you would like to incorporate into your OpenStack environment. For example, you may have designated VLAN 20 on a specific subnet for all database traffic, and you might want to deploy database servers in your OpenStack deployment that will explicitly connect to this network.
A provider network in PMO can be either flat, VLAN-based, GRE-based, or VXLAN-based. Here, we will focus primarily on flat and VLAN-based provider networks. To create a provider network in Platform9, browse to the ‘Network’ menu, then select ‘Create New Network’ and then select ‘Provider Network’ from the network type drop-down menu. As part of creation of a provider network, you need to explicitly specify what ‘physical network config’ this provider network should utilize.
This configuration is defined as part of Configuring PMO Networking. The physical network refers to the unique label associated with the provider network config, and the ‘segmentation ID’ refers to the VLAN ID corresponding to this physical network that you’d like to utilize for this provider network. This VLAN ID must fall in the range of VLAN IDs that you supplied as part of the physical network config.

Tenant Networks
Tenant networks are meant to be private to a given tenant, and are generally created by a user or a group of users within a tenant. Without a Neutron router, these networks are isolated from one another, so that the virtual machines created within these networks can not route traffic outside of the network.
To create a tenant network in Platform9, browse to the ‘Network’ menu, then select ‘Create New Network’ and then select ‘Tenant Network’ from the network type drop-down menu.
Note: Unlike provider networks, tenant networks do not offer you the option of specifying what VLAN ID this network should utilize. This is because tenant networks are meant to be consumed primarily by self-service users for use cases such as deploying a private network for your multi-VM Heat application stack, etc. When you deploy a tenant network, a VLAN ID will be automatically selected for it from the pool of VLAN IDs the underlying physical network config is configured with.

Network Interfaces and Ports
Each network will typically have one or more {Network Interface, Port} Tuples associated with it. An interface and a port on a network uniquely maps it to a device in the OpenStack environment. The device can be one of the following:
- A virtual machine instance
- A router
- A DHCP server
External Networks
External networks generally correspond to the physical networks in your data center that are publicly routable/enabled with access to Internet. As an administrator, you would want to supply one or more external networks to Neutron so that:
- Your virtual machines can route packets from the internal network to the Internet
- You can assign floating IPs to your virtual machine and have them publicly addressable from the Internet
To configure an external network in Platform9 Managed OpenStack, you follow a process similar to creation of a provider network or a tenant network. Just browse to ‘Network’ menu in Platform9, then select ‘Create New Network’ and then select ‘External Network’ from the network type dropdown menu.

External networks in OpenStack are shared, by default, and this property can not be edited. This mean external networks are visible and accessible to all tenants. Self-service users from within tenants can create routers that can connect an internal network to an external network.
Neutron Router/Gateway
Neutron routers enable routing of traffic between two or more Neutron networks. A router is capable of routing traffic between Neutron networks of any type - external, provider and tenant. When a router maps an internal network to an external network, it is sometimes referred to as a gateway.
Private/Shared Networks and Multi-Tenancy
You might have noticed that each network in Neutron is created in the context of some tenant who will be the default owner of that network. A network can be explicitly marked as ‘shared’, which will make it accessible to all tenants in OpenStack.
VLAN
VLAN stands for Virtual Local Area Network.
VLANs are logical networks that may operate a single physical network.
A VLAN is a means to logically divide a physical network such that the network traffic on each VLAN is independent of and invisible to the network traffic on another VLAN on the same physical network.
VXLAN
VXLAN stands for Virtual Extensible Local Area Network.
VXLAN is a virtual overlay network that is built on top of Open Systems Interconnection Model (OSI) Layer 2 and Layer 3 technology. VXLAN extends the virtual LAN (VLAN) address space.
VLAN supports the assignment of up to 4096 VLAN IDs at a time, which may be insufficient for big-scale cloud computing. VXLAN adds a 24-bit segment ID, and hence, increases the number of available VLAN IDs to 16 million.
GRE
GRE stands for Generic Routing Encapsulation.
GRE is a protocol that facilitates the delivery of a message payload from one endpoint to another endpoint through a point-to-point virtual tunnel over IP networks.
GRE is generally used to encrypt multicast traffic.
Subnet
A subnet or subnetwork provides a usable IP addressing range within a layer 2 broadcast domain.
The computers belonging to the same subnet can communicate with one another directly without the need for a router, as they are part of the same subnet.
Ports
Ports are the virtual communication endpoints which attach devices such as routers or virtual machines, and enable communication across the network.
A port can be associated with a router, a network, a virtual machine, or a DHCP server.
OpenStack automatically creates ports when instances are created. It is also possible to create ports manually.
Routers
Neutron routers enable routing of traffic between two or more Neutron networks. A router is capable of routing traffic between external, provider or tenant Neutron networks. A router which serves to connect one or more distinct networks is sometimes referred to as a gateway.
Floating IP Address
An instance in PMO is created by default with a fixed IP address.
An instance can be assigned a floating IP address that can be used to access it over a public network.
An instance is identifiable over a public network with the floating IP address.
A pool of floating IP addresses can be created and one floating IP from the pool can be assigned to an instance at a given time.
Security Group
A security group is a group of rules that apply to inbound and outbound network traffic for an instance. A security group acts as a virtual firewall that controls the inbound and outbound network traffic for the instances to which the group has been assigned.
Rules are defined based on what type of network traffic should be allowed to the instance to which the security group is assigned. Traffic that does not match any of the rules assigned to an instance, is denied access, by default.
A default rule is predefined in Clarity that allows all outbound traffic from the instance to which the security group has been assigned.
Network Traffic Types
East-west traffic and north-south traffic are terms commonly used in networking.
East-West Traffic
East-west traffic is the traffic between different virtual machines on the same network.
North-South Traffic
North-south traffic is the traffic between an external network and a virtual machine.
