Posted to users@cloudstack.apache.org by Alex Mattioli <Al...@shapeblue.com> on 2024/04/17 02:24:35 UTC

Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

I'd like to brainstorm dynamic routing in ACS (yes, again... for the newcomers to this mailing list - this has been discussed multiple times in the past 10+ years)
ACS 4.17 has introduced routed mode for IPv6 in Isolated networks and VPCs, we are currently working on extending that to IPv4 as well, which will support the current NAT'ed mode and also a routed mode (inspired by the NSX integration https://www.youtube.com/watch?v=f7ao-vv7Ahk).

With stock ACS (i.e. without NSX or OpenSDN) this routing is purely static, with the operator being responsible to add static routes to the Isolated network or VPC tiers via the "public" (outside) IP of the virtual router.

The next step on this journey is to add some kind of dynamic routing. One way that I have in mind is using dynamic BGP:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated
4 - ACS configures the BGP session on the VR, advertising all its connected networks

This way there's no need to reconfigure the upstream router for each new ACS network (it just needs to allow dynamic BGP peering from the pool of AS numbers presented to the zone)

This implementation could also be used for Shared Networks, in which case the destination advertised via BGP is to the gateway of the shared network.

There could also be an offering where we allow for end users to set up the BGP parameters for their Isolated or VPC networks, which can then peer with upstream VNF(s).

Any and all input is very welcome...

Taking the liberty to tag some of you: @Wei Zhou<ma...@shapeblue.com> @Wido den Hollander<ma...@widodh.nl> @Kristaps Čudars<ma...@telia.lv>

Cheers,
Alex

 


Re: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Posted by "Dietrich, Alex" <ad...@ussignal.com.INVALID>.
Hello Alex,

I appreciate this back and forth as I am excited about the potential this feature would hold.


  *   This is a very valid point.  We could add network specific BGP peers as well, which would override the automatic AS allocation, in the same way that we now allocate DNS servers in the zone level but can override that by manually selecting different DNS servers at network creation time.  Would that address your point?

Why do the network-specific BGP peers need to override automatic AS allocation? In my mind there isn’t a dependency that needs to exist between those two as they are somewhat independent of one another.

I am not convinced that specifying BGP peers at the zone level is a good idea given the impacts BGP can have on a given network. I would much rather see both peer and AS specification handled at the network configuration, or another more specific level.

Thanks,
Alex

From: Alex Mattioli <Al...@shapeblue.com>
Date: Wednesday, May 15, 2024 at 10:15 AM
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>, dev@cloudstack.apache.org <de...@cloudstack.apache.org>
Subject: RE: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi Alex,

> Would zone-level BGP peers be those used by default for establishing new BGP peers in networks where dynamic routing is enabled?

Correct, so far we plan to allow for up to 4 BGP peers for a zone, with the possibility to set up different metrics for each peer.

> This could affect a multi-tenant model where there may be different BGP peers presented based on what the upstream network provides. An example of this would be where the VLANs associated to a given account are associated to distinct VRFs and may have different peering IP addresses.
> I would like to see the peering IP addresses specific to the networks where dynamic routing is enabled instead of specifying defaults at the zone level.


This is a very valid point.  We could add network specific BGP peers as well, which would override the automatic AS allocation, in the same way that we now allocate DNS servers in the zone level but can override that by manually selecting different DNS servers at network creation time.  Would that address your point?

Cheers,
Alex




-----Original Message-----
From: Dietrich, Alex <ad...@ussignal.com.INVALID>
Sent: Wednesday, May 15, 2024 2:34 PM
To: users@cloudstack.apache.org; dev@cloudstack.apache.org
Subject: Re: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi Alex,

I appreciate the clarity!

Excuse my ignorance if I am misunderstanding the intention of specifying BGP peers at the zone level.

Would zone-level BGP peers be those used by default for establishing new BGP peers in networks where dynamic routing is enabled?

This could affect a multi-tenant model where there may be different BGP peers presented based on what the upstream network provides. An example of this would be where the VLANs associated to a given account are associated to distinct VRFs and may have different peering IP addresses.

I would like to see the peering IP addresses specific to the networks where dynamic routing is enabled instead of specifying defaults at the zone level.


  *   Alex

From: Alex Mattioli <Al...@shapeblue.com>
Date: Wednesday, May 15, 2024 at 9:27 AM
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>, dev@cloudstack.apache.org <de...@cloudstack.apache.org>
Subject: RE: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi Alex,

Answers inline below with >

Cheers




-----Original Message-----
From: Dietrich, Alex <ad...@ussignal.com.INVALID>
Sent: Wednesday, May 15, 2024 3:12 PM
To: users@cloudstack.apache.org; dev@cloudstack.apache.org
Subject: Re: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hello Alex,

I appreciate you taking on this initiative as I’d like to see similar functionality made available in CloudStack.

I do have some feedback on your implementation approach:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)

What is the intention behind specifying BGP peers at the zone level? I would think this would need to be specific to the network that you want to enable BGP on and does not need to concern the entire zone.

>The goal is for the process to be driven by the end user without operator intervention. In the current design we'd enable the VR to share routes with upstream routers without any need for extra configuration on the part of the operator.
>Your point is very valid and it should definitely be a future enhancement on the feature.

2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)

As a private AS consumer, I agree that this approach would be helpful for a more dynamic allocation as new dynamic routing enabled networks are created.

>Glad we are on the same page there.

3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network

4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks

Given there is a lot of extensibility within BGP, I would think there would need to be some level of customizability to the peering configurations. Is the intention to consider adding additional knobs, or relegating that to the upstream BGP peer? I could see scenarios where you would at least want to have control over prefix lengths, etc.

>Absolutely, but I think this should be a future enhancement, the current goal is to have a very simple and basic dynamic BGP implementation working, after that's out there and in use then we definitely should discuss how to enhance the feature with exactly what you pointed out.


Thanks,
Alex Dietrich


From: Alex Mattioli <Al...@shapeblue.com>
Date: Wednesday, May 15, 2024 at 8:55 AM
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>, dev@cloudstack.apache.org <de...@cloudstack.apache.org>
Subject: RE: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

Does anyone have an opinion on the implementation of dynamic routing in Isolated networks and VPCs?

So far the design is:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network
4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks

Any and all input will be very welcome.

Cheers,
Alex




From: Alex Mattioli
Sent: Wednesday, April 17, 2024 3:25 AM
To: users@cloudstack.apache.org; dev@cloudstack.apache.org
Subject: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

I'd like to brainstorm dynamic routing in ACS (yes, again... for the newcomers to this mailing list - this has been discussed multiple times in the past 10+ years)

ACS 4.17 has introduced routed mode for IPv6 in Isolated networks and VPCs, we are currently working on extending that to IPv4 as well, which will support the current NAT'ed mode and also a routed mode (inspired by the NSX integration https://www.youtube.com/watch?v=f7ao-vv7Ahk).

With stock ACS (i.e. without NSX or OpenSDN) this routing is purely static, with the operator being responsible to add static routes to the Isolated network or VPC tiers via the "public" (outside) IP of the virtual router.

The next step on this journey is to add some kind of dynamic routing. One way that I have in mind is using dynamic BGP:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated
4 - ACS configures the BGP session on the VR, advertising all its connected networks

This way there's no need to reconfigure the upstream router for each new ACS network (it just needs to allow dynamic BGP peering from the pool of AS numbers presented to the zone)

This implementation could also be used for Shared Networks, in which case the destination advertised via BGP is to the gateway of the shared network.

There could also be an offering where we allow for end users to set up the BGP parameters for their Isolated or VPC networks, which can then peer with upstream VNF(s).

Any and all input is very welcome...

Taking the liberty to tag some of you: @Wei Zhou<ma...@shapeblue.com> @Wido den Hollander<ma...@widodh.nl> @Kristaps Čudars<ma...@telia.lv>

Cheers,
Alex
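
Added example, not part of the thread and not CloudStack code: a Python model of steps 2-4 of the design discussed above (a private AS pool per zone, one AS per network, FRR configuration for the VR), with an outbound prefix-list that limits the VR to its own connected networks, which is the kind of prefix control raised in the reply. Class, function and prefix-list names and the minimum prefix lengths are assumptions; the four-peer limit and the network-level peer override are taken from the thread, and how a peer "metric" maps onto BGP attributes is left open there, so it is only used for ordering here.

```python
import ipaddress
from dataclasses import dataclass, field

# Private-use AS ranges (RFC 6996): 64512-65534 and 4200000000-4294967294.
PRIVATE_AS_RANGES = (range(64512, 65535), range(4200000000, 4294967295))
MAX_ZONE_PEERS = 4               # "up to 4 BGP peers for a zone" (from the thread)
MIN_PREFIXLEN = {4: 16, 6: 32}   # assumed policy: refuse anything shorter


@dataclass(frozen=True)
class BgpPeer:                   # hypothetical type, not a CloudStack class
    address: str
    remote_as: int
    metric: int = 100            # only used to order peers in this example


@dataclass
class Zone:                      # hypothetical type, not a CloudStack class
    name: str
    as_start: int
    as_end: int
    peers: list
    allocated: dict = field(default_factory=dict)   # network id -> AS number

    def __post_init__(self):
        in_one_range = any(self.as_start in r and self.as_end in r
                           for r in PRIVATE_AS_RANGES)
        if self.as_start > self.as_end or not in_one_range:
            raise ValueError("AS pool must lie inside one private-use range")
        if not 1 <= len(self.peers) <= MAX_ZONE_PEERS:
            raise ValueError("a zone needs between 1 and 4 BGP peers")
        for peer in self.peers:
            ipaddress.ip_address(peer.address)       # raises on a bad address
            if self.as_start <= peer.remote_as <= self.as_end:
                raise ValueError("peer AS overlaps the tenant AS pool")

    def allocate_as(self, network_id):
        """Return the network's AS, allocating the lowest free one if needed."""
        if network_id in self.allocated:
            return self.allocated[network_id]
        used = set(self.allocated.values())
        for asn in range(self.as_start, self.as_end + 1):
            if asn not in used:
                self.allocated[network_id] = asn
                return asn
        raise RuntimeError("AS pool exhausted for zone " + self.name)

    def release_as(self, network_id):
        """Return the AS to the pool when the network is deleted."""
        self.allocated.pop(network_id, None)


def render_frr_config(zone, network_id, router_id, connected, network_peers=None):
    """Build FRR bgpd configuration text for one virtual router.

    connected     -- CIDR strings of the VR's connected networks
    network_peers -- optional per-network peers that replace the zone defaults
    """
    # ip_network() rejects host bits; the length check rejects defaults/aggregates.
    nets = sorted((ipaddress.ip_network(c) for c in connected),
                  key=lambda n: (n.version, n))
    for net in nets:
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            raise ValueError(f"{net} is shorter than the allowed minimum")
    peers = sorted(network_peers or zone.peers, key=lambda p: p.metric)
    local_as = zone.allocate_as(network_id)          # only after validation

    lines, families = [], []
    for version, family, cmd in ((4, "ipv4", "ip"), (6, "ipv6", "ipv6")):
        fam_nets = [n for n in nets if n.version == version]
        if not fam_nets:
            continue
        plist = f"ACS-OUT-V{version}"                # assumed naming scheme
        for i, net in enumerate(fam_nets, start=1):
            lines.append(f"{cmd} prefix-list {plist} seq {5 * i} permit {net}")
        families.append((family, plist, fam_nets))

    lines += ["!", f"router bgp {local_as}", f" bgp router-id {router_id}"]
    for peer in peers:
        lines.append(f" neighbor {peer.address} remote-as {peer.remote_as}")
    for family, plist, fam_nets in families:
        lines.append(f" address-family {family} unicast")
        for net in fam_nets:
            lines.append(f"  network {net}")
        for peer in peers:
            lines.append(f"  neighbor {peer.address} activate")
            # Exact-match filter: nothing but the connected networks leaves the VR.
            lines.append(f"  neighbor {peer.address} prefix-list {plist} out")
        lines.append(" exit-address-family")
    lines.append("!")
    return "\n".join(lines) + "\n"
```

The outbound filter on the VR does not replace inbound filtering on the upstream routers, which still decide what they accept from the pool of AS numbers presented to the zone.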

RE: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Posted by Alex Mattioli <Al...@shapeblue.com>.
Hi Alex,

> Would zone-level BGP peers be those used by default for establishing new BGP peers in networks where dynamic routing is enabled?

Correct, so far we plan to allow for up to 4 BGP peers for a zone, with the possibility to set up different metrics for each peer.

> This could affect a multi-tenant model where there may be different BGP peers presented based on what the upstream network provides. An example of this would be where the VLANs associated to a given account are associated to distinct VRFs and may have different peering IP addresses.
> I would like to see the peering IP addresses specific to the networks where dynamic routing is enabled instead of specifying defaults at the zone level.


This is a very valid point.  We could add network specific BGP peers as well, which would override the automatic AS allocation, in the same way that we now allocate DNS servers in the zone level but can override that by manually selecting different DNS servers at network creation time.  Would that address your point?

Cheers,
Alex

 


-----Original Message-----
From: Dietrich, Alex <ad...@ussignal.com.INVALID> 
Sent: Wednesday, May 15, 2024 2:34 PM
To: users@cloudstack.apache.org; dev@cloudstack.apache.org
Subject: Re: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi Alex,

I appreciate the clarity!

Excuse my ignorance if I am misunderstanding the intention of specifying BGP peers at the zone level.

Would zone-level BGP peers be those used by default for establishing new BGP peers in networks where dynamic routing is enabled?

This could affect a multi-tenant model where there may be different BGP peers presented based on what the upstream network provides. An example of this would be where the VLANs associated to a given account are associated to distinct VRFs and may have different peering IP addresses.

I would like to see the peering IP addresses specific to the networks where dynamic routing is enabled instead of specifying defaults at the zone level.


  *   Alex

From: Alex Mattioli <Al...@shapeblue.com>
Date: Wednesday, May 15, 2024 at 9:27 AM
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>, dev@cloudstack.apache.org <de...@cloudstack.apache.org>
Subject: RE: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi Alex,

Answers inline below with >

Cheers




-----Original Message-----
From: Dietrich, Alex <ad...@ussignal.com.INVALID>
Sent: Wednesday, May 15, 2024 3:12 PM
To: users@cloudstack.apache.org; dev@cloudstack.apache.org
Subject: Re: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hello Alex,

I appreciate you taking on this initiative as I’d like to see similar functionality made available in CloudStack.

I do have some feedback on your implementation approach:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)

What is the intention behind specifying BGP peers at the zone level? I would think this would need to be specific to the network that you want to enable BGP on and does not need to concern the entire zone.

>The goal is for the process to be driven by the end user without operator intervention. In the current design we'd enable the VR to share routes with upstream routers without any need for extra configuration on the part of the operator.
>Your point is very valid and it should definitely be a future enhancement on the feature.

2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)

As a private AS consumer, I agree that this approach would be helpful for a more dynamic allocation as new dynamic routing enabled networks are created.

>Glad we are on the same page there.

3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network

4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks

Given there is a lot of extensibility within BGP, I would think there would need to be some level of customizability to the peering configurations. Is the intention to consider adding additional knobs, or relegating that to the upstream BGP peer? I could see scenarios where you would at least want to have control over prefix lengths, etc.

>Absolutely, but I think this should be a future enhancement, the current goal is to have a very simple and basic dynamic BGP implementation working, after that's out there and in use then we definitely should discuss how to enhance the feature with exactly what you pointed out.


Thanks,
Alex Dietrich


From: Alex Mattioli <Al...@shapeblue.com>
Date: Wednesday, May 15, 2024 at 8:55 AM
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>, dev@cloudstack.apache.org <de...@cloudstack.apache.org>
Subject: RE: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

Does anyone have an opinion on the implementation of dynamic routing in Isolated networks and VPCs?

So far the design is:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network
4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks

Any and all input will be very welcome.

Cheers,
Alex




From: Alex Mattioli
Sent: Wednesday, April 17, 2024 3:25 AM
To: users@cloudstack.apache.org; dev@cloudstack.apache.org
Subject: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

I'd like to brainstorm dynamic routing in ACS (yes, again... for the newcomers to this mailing list - this has been discussed multiple times in the past 10+ years)

ACS 4.17 has introduced routed mode for IPv6 in Isolated networks and VPCs, we are currently working on extending that to IPv4 as well, which will support the current NAT'ed mode and also a routed mode (inspired by the NSX integration https://www.youtube.com/watch?v=f7ao-vv7Ahk).

With stock ACS (i.e. without NSX or OpenSDN) this routing is purely static, with the operator being responsible to add static routes to the Isolated network or VPC tiers via the "public" (outside) IP of the virtual router.

The next step on this journey is to add some kind of dynamic routing. One way that I have in mind is using dynamic BGP:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated
4 - ACS configures the BGP session on the VR, advertising all its connected networks

This way there's no need to reconfigure the upstream router for each new ACS network (it just needs to allow dynamic BGP peering from the pool of AS numbers presented to the zone)

This implementation could also be used for Shared Networks, in which case the destination advertised via BGP is to the gateway of the shared network.

There could also be an offering where we allow for end users to set up the BGP parameters for their Isolated or VPC networks, which can then peer with upstream VNF(s).

Any and all input is very welcome...

Taking the liberty to tag some of you: @Wei Zhou<ma...@shapeblue.com> @Wido den Hollander<ma...@widodh.nl> @Kristaps Čudars<ma...@telia.lv>

Cheers,
Alex

Re: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Posted by "Dietrich, Alex" <ad...@ussignal.com.INVALID>.
Hi Alex,

I appreciate the clarity!

Excuse my ignorance if I am misunderstanding the intention of specifying BGP peers at the zone level.

Would zone-level BGP peers be those used by default for establishing new BGP peers in networks where dynamic routing is enabled?

This could affect a multi-tenant model where there may be different BGP peers presented based on what the upstream network provides. An example of this would be where the VLANs associated to a given account are associated to distinct VRFs and may have different peering IP addresses.

I would like to see the peering IP addresses specific to the networks where dynamic routing is enabled instead of specifying defaults at the zone level.


  *   Alex

From: Alex Mattioli <Al...@shapeblue.com>
Date: Wednesday, May 15, 2024 at 9:27 AM
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>, dev@cloudstack.apache.org <de...@cloudstack.apache.org>
Subject: RE: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi Alex,

Answers inline below with >

Cheers




-----Original Message-----
From: Dietrich, Alex <ad...@ussignal.com.INVALID>
Sent: Wednesday, May 15, 2024 3:12 PM
To: users@cloudstack.apache.org; dev@cloudstack.apache.org
Subject: Re: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hello Alex,

I appreciate you taking on this initiative as I’d like to see similar functionality made available in CloudStack.

I do have some feedback on your implementation approach:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)

What is the intention behind specifying BGP peers at the zone level? I would think this would need to be specific to the network that you want to enable BGP on and does not need to concern the entire zone.

>The goal is for the process to be driven by the end user without operator intervention. In the current design we'd enable the VR to share routes with upstream routers without any need for extra configuration on the part of the operator.
>Your point is very valid and it should definitely be a future enhancement on the feature.

2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)

As a private AS consumer, I agree that this approach would be helpful for a more dynamic allocation as new dynamic routing enabled networks are created.

>Glad we are on the same page there.

3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network

4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks

Given there is a lot of extensibility within BGP, I would think there would need to be some level of customizability to the peering configurations. Is the intention to consider adding additional knobs, or relegating that to the upstream BGP peer? I could see scenarios where you would at least want to have control over prefix lengths, etc.

>Absolutely, but I think this should be a future enhancement, the current goal is to have a very simple and basic dynamic BGP implementation working, after that's out there and in use then we definitely should discuss how to enhance the feature with exactly what you pointed out.


Thanks,
Alex Dietrich


From: Alex Mattioli <Al...@shapeblue.com>
Date: Wednesday, May 15, 2024 at 8:55 AM
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>, dev@cloudstack.apache.org <de...@cloudstack.apache.org>
Subject: RE: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

Does anyone have an opinion on the implementation of dynamic routing in Isolated networks and VPCs?

So far the design is:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network
4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks

Any and all input will be very welcome.

Cheers,
Alex




From: Alex Mattioli
Sent: Wednesday, April 17, 2024 3:25 AM
To: users@cloudstack.apache.org; dev@cloudstack.apache.org
Subject: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

I'd like to brainstorm dynamic routing in ACS (yes, again... for the newcomers to this mailing list - this has been discussed multiple times in the past 10+ years)

ACS 4.17 has introduced routed mode for IPv6 in Isolated networks and VPCs, we are currently working on extending that to IPv4 as well, which will support the current NAT'ed mode and also a routed mode (inspired by the NSX integration https://www.youtube.com/watch?v=f7ao-vv7Ahk).

With stock ACS (i.e. without NSX or OpenSDN) this routing is purely static, with the operator being responsible to add static routes to the Isolated network or VPC tiers via the "public" (outside) IP of the virtual router.

The next step on this journey is to add some kind of dynamic routing. One way that I have in mind is using dynamic BGP:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated
4 - ACS configures the BGP session on the VR, advertising all its connected networks

This way there's no need to reconfigure the upstream router for each new ACS network (it just needs to allow dynamic BGP peering from the pool of AS numbers presented to the zone)

This implementation could also be used for Shared Networks, in which case the destination advertised via BGP is to the gateway of the shared network.

There could also be an offering where we allow for end users to setup the BGP parameters for their Isolated or VPC networks, which can then peer with upstream VNF(s).

Any and all input is very welcome...

Taking the liberty to tag some of you: @Wei Zhou<ma...@shapeblue.com> @Wido den Hollander<ma...@widodh.nl> @Kristaps Čudars<ma...@telia.lv>

Cheers,
Alex

RE: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Posted by Alex Mattioli <Al...@shapeblue.com>.
Hi Alex,

Answers inline below with >

Cheers

 


-----Original Message-----
From: Dietrich, Alex <ad...@ussignal.com.INVALID> 
Sent: Wednesday, May 15, 2024 3:12 PM
To: users@cloudstack.apache.org; dev@cloudstack.apache.org
Subject: Re: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hello Alex,

I appreciate you taking on this initiative as I’d like to see similar functionality made available in CloudStack.

I do have some feedback on your implementation approach:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)

What is the intention behind specifying BGP peers at the zone level? I would think this would need to be specific to the network that you want to enable BGP on and does not need to concern the entire zone.

>The goal is for the process to be driven by the end user without operator intervention. In the current design we'd enable the VR to share routes with upstream routers without any need for extra configuration on the part of the operator.
>Your point is very valid and it should definitely be a future enhancement on the feature.

2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)

As a private AS consumer, I agree that this approach would be helpful for a more dynamic allocation as new dynamic routing enabled networks are created.

>Glad we are on the same page there.

3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network

4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks

Given there is a lot of extensibility within BGP, I would think there would need to be some level of customizability to the peering configurations. Is the intention to consider adding additional knobs, or relegating that to the upstream BGP peer? I could see scenarios where you would at least want to have control over prefix lengths, etc.

>Absolutely, but I think this should be a future enhancement, the current goal is to have a very simple and basic dynamic BGP implementation working, after that's out there and in use then we definitely should discuss how to enhance the feature with exactly what you pointed out.


Thanks,
Alex Dietrich


From: Alex Mattioli <Al...@shapeblue.com>
Date: Wednesday, May 15, 2024 at 8:55 AM
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>, dev@cloudstack.apache.org <de...@cloudstack.apache.org>
Subject: RE: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

Does anyone have an opinion on the implementation of dynamic routing in Isolated networks and VPCs?

So far the design is:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network
4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks

Any and all input will be very welcome.

Cheers,
Alex




From: Alex Mattioli
Sent: Wednesday, April 17, 2024 3:25 AM
To: users@cloudstack.apache.org; dev@cloudstack.apache.org
Subject: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

I'd like to brainstorm dynamic routing in ACS (yes, again... for the newcomers to this mailing list - this has been discussed multiple times in the past 10+ years)

ACS 4.17 has introduced routed mode for IPv6 in Isolated networks and VPCs, we are currently working on extending that to IPv4 as well, which will support the current NAT'ed mode and also a routed mode (inspired by the NSX integration https://www.youtube.com/watch?v=f7ao-vv7Ahk).

With stock ACS (i.e. without NSX or OpenSDN) this routing is purely static, with the operator being responsible to add static routes to the Isolated network or VPC tiers via the "public" (outside) IP of the virtual router.

The next step on this journey is to add some kind of dynamic routing. One way that I have in mind is using dynamic BGP:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated
4 - ACS configures the BGP session on the VR, advertising all its connected networks

This way there's no need to reconfigure the upstream router for each new ACS network (it just needs to allow dynamic BGP peering from the pool of AS numbers presented to the zone)

This implementation could also be used for Shared Networks, in which case the destination advertised via BGP is to the gateway of the shared network.

There could also be an offering where we allow for end users to setup the BGP parameters for their Isolated or VPC networks, which can then peer with upstream VNF(s).

Any and all input is very welcome...

Taking the liberty to tag some of you: @Wei Zhou<ma...@shapeblue.com> @Wido den Hollander<ma...@widodh.nl> @Kristaps Čudars<ma...@telia.lv>

Cheers,
Alex

Re: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Posted by "Dietrich, Alex" <ad...@ussignal.com.INVALID>.
Hello Alex,

I appreciate you taking on this initiative as I’d like to see similar functionality made available in CloudStack.

I do have some feedback on your implementation approach:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)

What is the intention behind specifying BGP peers at the zone level? I would think this would need to be specific to the network that you want to enable BGP on and does not need to concern the entire zone.

2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)

As a private AS consumer, I agree that this approach would be helpful for a more dynamic allocation as new dynamic routing enabled networks are created.

3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network

4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks

Given there is a lot of extensibility within BGP, I would think there would need to be some level of customizability to the peering configurations. Is the intention to consider adding additional knobs, or relegating that to the upstream BGP peer? I could see scenarios where you would at least want to have control over prefix lengths, etc.

Thanks,
Alex Dietrich


From: Alex Mattioli <Al...@shapeblue.com>
Date: Wednesday, May 15, 2024 at 8:55 AM
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>, dev@cloudstack.apache.org <de...@cloudstack.apache.org>
Subject: RE: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

Does anyone have an opinion on the implementation of dynamic routing in Isolated networks and VPCs?

So far the design is:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network
4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks

Any and all input will be very welcome.

Cheers,
Alex




From: Alex Mattioli
Sent: Wednesday, April 17, 2024 3:25 AM
To: users@cloudstack.apache.org; dev@cloudstack.apache.org
Subject: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

I'd like to brainstorm dynamic routing in ACS (yes, again... for the newcomers to this mailing list - this has been discussed multiple times in the past 10+ years)

ACS 4.17 has introduced routed mode for IPv6 in Isolated networks and VPCs, we are currently working on extending that to IPv4 as well, which will support the current NAT'ed mode and also a routed mode (inspired by the NSX integration https://www.youtube.com/watch?v=f7ao-vv7Ahk).

With stock ACS (i.e. without NSX or OpenSDN) this routing is purely static, with the operator being responsible to add static routes to the Isolated network or VPC tiers via the "public" (outside) IP of the virtual router.

The next step on this journey is to add some kind of dynamic routing. One way that I have in mind is using dynamic BGP:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated
4 - ACS configures the BGP session on the VR, advertising all its connected networks

This way there's no need to reconfigure the upstream router for each new ACS network (it just needs to allow dynamic BGP peering from the pool of AS numbers presented to the zone)

This implementation could also be used for Shared Networks, in which case the destination advertised via BGP is to the gateway of the shared network.

There could also be an offering where we allow for end users to setup the BGP parameters for their Isolated or VPC networks, which can then peer with upstream VNF(s).

Any and all input is very welcome...

Taking the liberty to tag some of you: @Wei Zhou<ma...@shapeblue.com> @Wido den Hollander<ma...@widodh.nl> @Kristaps Čudars<ma...@telia.lv>

Cheers,
Alex

Re: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Posted by Wido den Hollander <wi...@widodh.nl.INVALID>.
My apologies! I totally missed this one. Comments inline.

On 15/05/2024 at 14:55, Alex Mattioli wrote:
> Hi all,
> 
> Does anyone have an opinion on the implementation of dynamic routing in Isolated networks and VPCs?
> 
> So far the design is:
> 
> 1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
> 2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
> 3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network
> 4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks
> 

I would suggest that the upstream router (Juniper, Frr, etc) should then 
use Dynamic BGP neighbors.

On JunOS this is the "allow" statement [0]. The VR would indeed get an 
AS assigned by ACS and the network should know the 1, 2 or X upstream 
routers it can peer with. I do suggest we add BGP passwords/encryption 
from the start for safety reasons.

"allow 192.168.1.0/24"

On JunOS this allows any router within that subnet to establish a BGP 
session (and when the BGP password matches).

On the VR you just need to make sure you properly configure the BGP 
daemon and it points to the right upstream routers.

[0]: 
https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/allow-edit-protocols-bgp.html

> Any and all input will be very welcome.
> 
> Cheers,
> Alex
> 
> 
>   
> 
> From: Alex Mattioli
> Sent: Wednesday, April 17, 2024 3:25 AM
> To: users@cloudstack.apache.org; dev@cloudstack.apache.org
> Subject: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks
> 
> Hi all,
> 
> I'd like to brainstorm dynamic routing in ACS (yes, again... for the newcomers to this mailing list - this has been discussed multiple times in the past 10+ years)
> 
> ACS 4.17 has introduced routed mode for IPv6 in Isolated networks and VPCs, we are currently working on extending that to IPv4 as well, which will support the current NAT'ed mode and also a routed mode (inspired by the NSX integration https://www.youtube.com/watch?v=f7ao-vv7Ahk).
> 
> With stock ACS (i.e. without NSX or OpenSDN) this routing is purely static, with the operator being responsible to add static routes to the Isolated network or VPC tiers via the "public" (outside) IP of the virtual router.
> 
> The next step on this journey is to add some kind of dynamic routing. One way that I have in mind is using dynamic BGP:
> 
> 1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
> 2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
> 3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated
> 4 - ACS configures the BGP session on the VR, advertising all its connected networks
> 
> This way there's no need to reconfigure the upstream router for each new ACS network (it just needs to allow dynamic BGP peering from the pool of AS numbers presented to the zone)
> 
> This implementation could also be used for Shared Networks, in which case the destination advertised via BGP is to the gateway of the shared network.
> 
> There could also be an offering where we allow for end users to setup the BGP parameters for their Isolated or VPC networks, which can then peer with upstream VNF(s).
> 
> Any and all input is very welcome...
> 
> Taking the liberty to tag some of you: @Wei Zhou<ma...@shapeblue.com> @Wido den Hollander<ma...@widodh.nl> @Kristaps Čudars<ma...@telia.lv>
> 
> Cheers,
> Alex
> 
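
Added example, not part of any message in this thread and not CloudStack code: the four design steps together with the two points raised in the replies (a BGP password from the start, control over which prefixes are advertised), written as a private-AS pool allocator that renders FRR configuration for the VR and for an upstream router accepting dynamic neighbors. The class, function, prefix-list and peer-group names, all addresses other than 192.168.1.0/24, the AS values and the password are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Private-use AS ranges (RFC 6996): 64512-65534 and 4200000000-4294967294.
PRIVATE_AS_RANGES = (range(64512, 65535), range(4200000000, 4294967295))


@dataclass
class ZoneAsPool:
    """Steps 2 and 3: a per-zone pool of private AS numbers, one per network."""
    first: int
    last: int
    allocated: dict = field(default_factory=dict)  # network name -> AS number

    def __post_init__(self):
        # Reject pools that are empty or stray outside a single private-use range.
        if self.first > self.last or not any(
                self.first in r and self.last in r for r in PRIVATE_AS_RANGES):
            raise ValueError("pool must lie inside one private AS range")

    def allocate(self, network):
        if network in self.allocated:  # idempotent when a VR is redeployed
            return self.allocated[network]
        used = set(self.allocated.values())
        for asn in range(self.first, self.last + 1):
            if asn not in used:
                self.allocated[network] = asn
                return asn
        raise RuntimeError("AS pool exhausted for this zone")

    def release(self, network):
        self.allocated.pop(network, None)


def render_vr_config(local_as, peers, tiers, password):
    """Step 4: FRR bgpd configuration for the VR.

    peers: [(peer_ip, peer_as)]; tiers: CIDRs of the networks behind the VR.
    The outbound prefix-list limits 'redistribute connected' to those tiers,
    so the VR's other connected interfaces are never advertised.
    """
    nets = [ipaddress.ip_network(t) for t in tiers]
    out = []
    for seq, net in enumerate(nets, start=1):
        kw = "ip" if net.version == 4 else "ipv6"
        out.append(f"{kw} prefix-list TIERS-V{net.version} seq {seq * 5} permit {net}")
    out += [f"router bgp {local_as}", " no bgp default ipv4-unicast"]
    for ip, remote_as in peers:
        out.append(f" neighbor {ip} remote-as {remote_as}")
        # TCP MD5 (RFC 2385): authenticates the session, does not encrypt it.
        out.append(f" neighbor {ip} password {password}")
    for version, family in ((4, "ipv4"), (6, "ipv6")):
        fam_peers = [ip for ip, _ in peers
                     if ipaddress.ip_address(ip).version == version]
        if not fam_peers or not any(n.version == version for n in nets):
            continue
        out += [f" address-family {family} unicast", "  redistribute connected"]
        for ip in fam_peers:
            out.append(f"  neighbor {ip} activate")
            out.append(f"  neighbor {ip} prefix-list TIERS-V{version} out")
        out.append(" exit-address-family")
    return "\n".join(out) + "\n"


def render_upstream_config(local_as, allow_range, password, group="ACS-VR"):
    """FRR counterpart of the JunOS 'allow' statement: dynamic peers are
    accepted only from allow_range and only when the password matches."""
    net = ipaddress.ip_network(allow_range)  # raises on a malformed range
    return "\n".join([
        f"router bgp {local_as}",
        f" neighbor {group} peer-group",
        f" neighbor {group} remote-as external",
        f" neighbor {group} password {password}",
        f" bgp listen range {net} peer-group {group}",
    ]) + "\n"


def peer_admissible(pool, allow_range, peer_ip, peer_as):
    """Audit check for an established session: the peer's source address is
    inside the allow range and its AS was actually issued from the zone pool."""
    return (ipaddress.ip_address(peer_ip) in ipaddress.ip_network(allow_range)
            and peer_as in pool.allocated.values())


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread (except the /24).
    pool = ZoneAsPool(65000, 65009)
    asn = pool.allocate("vpc-tenant-a")
    print(render_vr_config(asn, [("192.168.1.1", 64512)],
                           ["10.1.1.0/24", "10.1.2.0/24"], "CHANGE-ME"))
    print(render_upstream_config(64512, "192.168.1.0/24", "CHANGE-ME"))
    print(peer_admissible(pool, "192.168.1.0/24", "192.168.1.20", asn))
```
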

Re: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Posted by Wido den Hollander <wi...@widodh.nl.INVALID>.
My apologies! I totally missed this one. Comments inline.

On 15/05/2024 at 14:55, Alex Mattioli wrote:
> Hi all,
> 
> Does anyone have an opinion on the implementation of dynamic routing in Isolated networks and VPCs?
> 
> So far the design is:
> 
> 1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
> 2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
> 3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network
> 4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks
> 

I would suggest that the upstream router (Juniper, FRR, etc) should then 
use Dynamic BGP neighbors.

On JunOS this is the "allow" statement [0]. The VR would indeed get an 
AS assigned by ACS and the network should know the 1, 2 or X upstream 
routers it can peer with. I do suggest we add BGP passwords/encryption 
from the start for safety reasons.

"allow 192.168.1.0/24"

On JunOS this allows any router within that subnet to establish a BGP 
session (and when the BGP password matches).

On the VR you just need to make sure you properly configure the BGP 
daemon and it points to the right upstream routers.

[0]: 
https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/allow-edit-protocols-bgp.html

> Any and all input will be very welcome.
> 
> Cheers,
> Alex
> 
> 
>   
> 
> From: Alex Mattioli
> Sent: Wednesday, April 17, 2024 3:25 AM
> To: users@cloudstack.apache.org; dev@cloudstack.apache.org
> Subject: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks
> 
> Hi all,
> 
> I'd like to brainstorm dynamic routing in ACS (yes, again... for the newcomers to this mailing list - this has been discussed multiple times in the past 10+ years)
> 
> ACS 4.17 has introduced routed mode for IPv6 in Isolated networks and VPCs, we are currently working on extending that to IPv4 as well, which will support the current NAT'ed mode and also a routed mode (inspired by the NSX integration https://www.youtube.com/watch?v=f7ao-vv7Ahk).
> 
> With stock ACS (i.e. without NSX or OpenSDN) this routing is purely static, with the operator being responsible to add static routes to the Isolated network or VPC tiers via the "public" (outside) IP of the virtual router.
> 
> The next step on this journey is to add some kind of dynamic routing. One way that I have in mind is using dynamic BGP:
> 
> 1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
> 2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
> 3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated
> 4 - ACS configures the BGP session on the VR, advertising all its connected networks
> 
> This way there's no need to reconfigure the upstream router for each new ACS network (it just needs to allow dynamic BGP peering from the pool of AS numbers presented to the zone)
> 
> This implementation could also be used for Shared Networks, in which case the destination advertised via BGP is to the gateway of the shared network.
> 
> There could also be an offering where we allow for end users to setup the BGP parameters for their Isolated or VPC networks, which can then peer with upstream VNF(s).
> 
> Any and all input is very welcome...
> 
> Taking the liberty to tag some of you: @Wei Zhou<ma...@shapeblue.com> @Wido den Hollander<ma...@widodh.nl> @Kristaps Čudars<ma...@telia.lv>
> 
> Cheers,
> Alex
> 

Re: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Posted by "Dietrich, Alex" <ad...@ussignal.com.INVALID>.
Hello Alex,

I appreciate you taking on this initiative as I’d like to see similar functionality made available in CloudStack.

I do have some feedback on your implementation approach:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)

What is the intention behind specifying BGP peers at the zone level? I would think this would need to be specific to the network that you want to enable BGP on and does not need to concern the entire zone.

2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)

As a private AS consumer, I agree that this approach would be helpful for a more dynamic allocation as new dynamic routing enabled networks are created.

3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network

4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks

Given there is a lot of extensibility within BGP, I would think there would need to be some level of customizability to the peering configurations. Is the intention to consider adding additional knobs, or relegating that to the upstream BGP peer? I could see scenarios where you would at least want to have control over prefix lengths, etc.

Thanks,
Alex Dietrich


From: Alex Mattioli <Al...@shapeblue.com>
Date: Wednesday, May 15, 2024 at 8:55 AM
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>, dev@cloudstack.apache.org <de...@cloudstack.apache.org>
Subject: RE: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

Does anyone have an opinion on the implementation of dynamic routing in Isolated networks and VPCs?

So far the design is:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network
4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks

Any and all input will be very welcome.

Cheers,
Alex




From: Alex Mattioli
Sent: Wednesday, April 17, 2024 3:25 AM
To: users@cloudstack.apache.org; dev@cloudstack.apache.org
Subject: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

I'd like to brainstorm dynamic routing in ACS (yes, again... for the newcomers to this mailing list - this has been discussed multiple times in the past 10+ years)

ACS 4.17 has introduced routed mode for IPv6 in Isolated networks and VPCs, we are currently working on extending that to IPv4 as well, which will support the current NAT'ed mode and also a routed mode (inspired by the NSX integration https://www.youtube.com/watch?v=f7ao-vv7Ahk).

With stock ACS (i.e. without NSX or OpenSDN) this routing is purely static, with the operator being responsible to add static routes to the Isolated network or VPC tiers via the "public" (outside) IP of the virtual router.

The next step on this journey is to add some kind of dynamic routing. One way that I have in mind is using dynamic BGP:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated
4 - ACS configures the BGP session on the VR, advertising all its connected networks

This way there's no need to reconfigure the upstream router for each new ACS network (it just needs to allow dynamic BGP peering from the pool of AS numbers presented to the zone)

This implementation could also be used for Shared Networks, in which case the destination advertised via BGP is to the gateway of the shared network.

There could also be an offering where we allow for end users to setup the BGP parameters for their Isolated or VPC networks, which can then peer with upstream VNF(s).

Any and all input is very welcome...

Taking the liberty to tag some of you: @Wei Zhou<ma...@shapeblue.com> @Wido den Hollander<ma...@widodh.nl> @Kristaps Čudars<ma...@telia.lv>

Cheers,
Alex
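
An added example (not part of any message in this thread, and not CloudStack code): steps 2 to 4 of the design in Python, with the two points raised in the replies built in, a mandatory BGP password and an outbound prefix filter limited to the VR's own tiers. The class and function names, the VR-OUT prefix-list name and all addresses and AS numbers are constructed; only IPv4 and the outbound side of the session are rendered.

```python
import ipaddress

# Private-use AS ranges from RFC 6996 (16-bit and 32-bit).
PRIVATE_AS = [(64512, 65534), (4200000000, 4294967294)]

class AsPool:
    """Zone-level pool of private AS numbers, one allocated per network."""
    def __init__(self, first, last):
        if not any(lo <= first <= last <= hi for lo, hi in PRIVATE_AS):
            raise ValueError("pool must sit inside one private-use AS range")
        self.free = list(range(first, last + 1))
        self.by_network = {}

    def allocate(self, network_id):
        if network_id not in self.by_network:      # idempotent per network
            if not self.free:
                raise RuntimeError("AS pool exhausted")
            self.by_network[network_id] = self.free.pop(0)
        return self.by_network[network_id]

    def release(self, network_id):
        self.free.append(self.by_network.pop(network_id))

def render_vr_bgp(local_as, vr_ip, allow_cidr, peers, tiers, password):
    """Render an FRR bgpd stanza for a VR (constructed layout, IPv4 only).
    peers: [(upstream_ip, upstream_as)]; tiers: CIDRs connected to the VR."""
    # The upstream accepts dynamic neighbors only from its allowed subnet.
    if ipaddress.ip_address(vr_ip) not in ipaddress.ip_network(allow_cidr):
        raise ValueError(f"{vr_ip} is outside upstream allow range {allow_cidr}")
    if not password or any(c.isspace() for c in password):
        raise ValueError("a BGP password without whitespace is required")
    nets = [ipaddress.IPv4Network(t) for t in tiers]  # strict: rejects host bits
    out = [f"router bgp {local_as}"]
    for ip, remote_as in peers:
        out += [f" neighbor {ip} remote-as {remote_as}",
                f" neighbor {ip} password {password}"]
    out.append(" address-family ipv4 unicast")
    out += [f"  network {n}" for n in nets]
    # Outbound filter: only the VR's own tiers can ever be announced.
    out += [f"  neighbor {ip} prefix-list VR-OUT out" for ip, _ in peers]
    out.append(" exit-address-family")
    out += [f"ip prefix-list VR-OUT seq {5 * (i + 1)} permit {n}"
            for i, n in enumerate(nets)]
    return "\n".join(out)
```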

RE: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Posted by Alex Mattioli <Al...@shapeblue.com>.
Hi all,

Does anyone have an opinion on the implementation of dynamic routing in Isolated networks and VPCs?

So far the design is:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated to the network
4 - ACS configures the BGP session on the VR (using FRR), advertising all its connected networks

Any and all input will be very welcome.

Cheers,
Alex


 

From: Alex Mattioli
Sent: Wednesday, April 17, 2024 3:25 AM
To: users@cloudstack.apache.org; dev@cloudstack.apache.org
Subject: Dynamic routing for routed mode IPv6 and IPv4 Isolated and VPC networks

Hi all,

I'd like to brainstorm dynamic routing in ACS (yes, again... for the newcomers to this mailing list - this has been discussed multiple times in the past 10+ years)

ACS 4.17 has introduced routed mode for IPv6 in Isolated networks and VPCs, we are currently working on extending that to IPv4 as well, which will support the current NAT'ed mode and also a routed mode (inspired by the NSX integration https://www.youtube.com/watch?v=f7ao-vv7Ahk).

With stock ACS (i.e. without NSX or OpenSDN) this routing is purely static, with the operator being responsible to add static routes to the Isolated network or VPC tiers via the "public" (outside) IP of the virtual router.

The next step on this journey is to add some kind of dynamic routing. One way that I have in mind is using dynamic BGP:

1 - Operator configures one or more BGP peers for a given Zone (with different metrics)
2 - Operator presents a pool of Private AS numbers to the Zone (just like we do for VLANs)
3 - When a network is created with an offering which has dynamic routing enabled an AS number is allocated
4 - ACS configures the BGP session on the VR, advertising all its connected networks

This way there's no need to reconfigure the upstream router for each new ACS network (it just needs to allow dynamic BGP peering from the pool of AS numbers presented to the zone)

This implementation could also be used for Shared Networks, in which case the destination advertised via BGP is to the gateway of the shared network.

There could also be an offering where we allow for end users to setup the BGP parameters for their Isolated or VPC networks, which can then peer with upstream VNF(s).

Any and all input is very welcome...

Taking the liberty to tag some of you: @Wei Zhou<ma...@shapeblue.com> @Wido den Hollander<ma...@widodh.nl> @Kristaps Čudars<ma...@telia.lv>

Cheers,
Alex
