9.3. External Provider Networks
9.3.1. Importing Networks From External Providers
To use networks from an external network provider (OpenStack Networking or any third-party provider that implements the OpenStack Neutron REST API), register the provider with the Manager. See Adding an OpenStack Network Service Neutron for Network Provisioning or Adding an External Network Provider for more information. Then, use the following procedure to import the networks provided by that provider into the Manager so the networks can be used by virtual machines.
Importing a Network From an External Provider
- Click .
- Click Import.
- From the Network Provider drop-down list, select an external provider. The networks offered by that provider are automatically discovered and listed in the Provider Networks list.
- Using the check boxes, select the networks to import in the Provider Networks list and click the down arrow to move those networks into the Networks to Import list.
- You can customize the name of the network that you are importing. To customize the name, click the network’s name in the Name column, and change the text.
- From the Data Center drop-down list, select the data center into which the networks will be imported.
- Optional: Clear the Allow All check box to prevent that network from being available to all users.
- Click Import.
The selected networks are imported into the target data center and can be attached to virtual machines. See Adding a New Network Interface in the Virtual Machine Management Guide for more information.
9.3.2. Limitations to Using External Provider Networks
The following limitations apply to using logical networks imported from an external provider in a Red Hat Virtualization environment.
- Logical networks offered by external providers must be used as virtual machine networks, and cannot be used as display networks.
- The same logical network can be imported more than once, but only to different data centers.
- You cannot edit logical networks offered by external providers in the Manager. To edit the details of a logical network offered by an external provider, you must edit the logical network directly from the external provider that provides that logical network.
- Port mirroring is not available for virtual network interface cards connected to logical networks offered by external providers.
- If a virtual machine uses a logical network offered by an external provider, that provider cannot be deleted from the Manager while the logical network is still in use by the virtual machine.
- Networks offered by external providers are non-required. As such, scheduling for clusters in which such logical networks have been imported will not take those logical networks into account during host selection. Moreover, it is the responsibility of the user to ensure the availability of the logical network on hosts in clusters in which such logical networks have been imported.
9.3.3. Configuring Subnets on External Provider Logical Networks
A logical network provided by an external provider can only assign IP addresses to virtual machines if one or more subnets have been defined on that logical network. If no subnets are defined, virtual machines will not be assigned IP addresses. If there is one subnet, virtual machines will be assigned an IP address from that subnet, and if there are multiple subnets, virtual machines will be assigned an IP address from any of the available subnets. The DHCP service provided by the external network provider on which the logical network is hosted is responsible for assigning these IP addresses.
While the Red Hat Virtualization Manager automatically discovers predefined subnets on imported logical networks, you can also add or remove subnets to or from logical networks from within the Manager.
If you add Open Virtual Network (OVN) (ovirt-provider-ovn) as an external network provider, multiple subnets can be connected to each other by routers. To manage these routers, you can use the OpenStack Networking API v2.0. Please note, however, that ovirt-provider-ovn has a limitation: Source NAT (enable_snat in the OpenStack API) is not implemented.
9.3.4. Adding Subnets to External Provider Logical Networks
Create a subnet on a logical network provided by an external provider.
Adding Subnets to External Provider Logical Networks
- Click .
- Click the logical network’s name to open the details view.
- Click the Subnets tab.
- Click New.
- Enter a Name and CIDR for the new subnet.
- From the IP Version drop-down list, select either IPv4 or IPv6.
- Click OK.
For IPv6, Red Hat Virtualization supports only static addressing.
9.3.5. Removing Subnets from External Provider Logical Networks
Remove a subnet from a logical network provided by an external provider.
Removing Subnets from External Provider Logical Networks
- Click .
- Click the logical network’s name to open the details view.
- Click the Subnets tab.
- Select a subnet and click Remove.
- Click OK.
9.3.6. Assigning Security Groups to Logical Networks and Ports
This feature is only available when Open Virtual Network (OVN) is added as an external network provider (as ovirt-provider-ovn). Security groups cannot be created through the Red Hat Virtualization Manager. You must create security groups through OpenStack Networking API v2.0 or Ansible.
A security group is a collection of strictly enforced rules that allow you to filter inbound and outbound traffic over a network. You can also use security groups to filter traffic at the port level.
In Red Hat Virtualization 4.2.7, security groups are disabled by default.
Assigning Security Groups to Logical Networks
- Click .
- Click the cluster name to open the details view.
- Click the Logical Networks tab.
- Click Add Network and define the properties, ensuring that you select ovirt-provider-ovn from the External Providers drop-down list. For more information, see Section 9.1.2, “Creating a New Logical Network in a Data Center or Cluster”.
- Select Enabled from the Security Group drop-down list. For more details see Section 9.1.7, “Logical Network General Settings Explained”.
- Click OK.
- Create security groups using either OpenStack Networking API v2.0 or Ansible.
- Create security group rules using either OpenStack Networking API v2.0 or Ansible.
- Update the ports with the security groups that you defined using either OpenStack Networking API v2.0 or Ansible.
- Optional. Define whether the security feature is enabled at the port level. Currently, this is only possible using the OpenStack Networking API. If the port_security_enabled attribute is not set, it will default to the value specified in the network to which it belongs.
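The last four steps above, sketched as an added example (not code from Red Hat or ovirt-provider-ovn): it builds the standard OpenStack Networking API v2.0 request bodies for a single-port ingress rule and audits ports using the port_security_enabled fallback described in the final step. The function names, the `<SECURITY_GROUP_ID>` and `<PORT_ID>` placeholders and the sample data are assumptions; sending the requests to the provider's API endpoint with a valid token is left out.

```python
import ipaddress

def build_sg_requests(sg_name, port_id, cidr, tcp_port, sg_id="<SECURITY_GROUP_ID>"):
    """(method, path, body) for: create group, create rule, update port."""
    net = ipaddress.ip_network(cidr)  # ValueError on malformed CIDR or set host bits
    if not 1 <= tcp_port <= 65535:
        raise ValueError("tcp_port out of range")
    rule = {
        "security_group_id": sg_id,  # placeholder: id returned by the first request
        "direction": "ingress",
        "ethertype": "IPv%d" % net.version,  # keep in step with the prefix family
        "protocol": "tcp",
        "port_range_min": tcp_port,
        "port_range_max": tcp_port,
        "remote_ip_prefix": str(net),
    }
    return [
        ("POST", "/v2.0/security-groups", {"security_group": {"name": sg_name}}),
        ("POST", "/v2.0/security-group-rules", {"security_group_rule": rule}),
        ("PUT", "/v2.0/ports/" + port_id,
         {"port": {"security_groups": [sg_id], "port_security_enabled": True}}),
    ]

def effective_port_security(port, network):
    """An unset port attribute falls back to the value on the port's network."""
    value = port.get("port_security_enabled")
    return network["port_security_enabled"] if value is None else value

def audit_ports(ports, networks):
    """List ports whose filtering is effectively off or that carry no group."""
    by_id = {n["id"]: n for n in networks}
    findings = []
    for p in ports:
        if not effective_port_security(p, by_id[p["network_id"]]):
            findings.append((p["id"], "port security disabled"))
        elif not p.get("security_groups"):
            findings.append((p["id"], "no security group attached"))
    return findings

# Constructed sample data (not taken from a real provider).
NETWORKS = [{"id": "net-a", "port_security_enabled": False},
            {"id": "net-b", "port_security_enabled": True}]
PORTS = [{"id": "p1", "network_id": "net-a"},
         {"id": "p2", "network_id": "net-b", "security_groups": []},
         {"id": "p3", "network_id": "net-a", "port_security_enabled": True,
          "security_groups": ["sg-1"]}]

if __name__ == "__main__":
    for req in build_sg_requests("web-ssh", "<PORT_ID>", "192.0.2.0/24", 22):
        print(req)
    print(audit_ports(PORTS, NETWORKS))
```

Because security groups are disabled by default in Red Hat Virtualization 4.2.7, an audit like this is a quick way to confirm which ports actually ended up filtered after the procedure.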