Description of problem: Creating multiple Neutron availability zones allows the operator to schedule DHCP and L3 agents within a single AZ. Neutron will still try to form a VXLAN mesh between all nodes in all availability zones, which creates inter-AZ dependencies and may not work when strict firewalls are placed between AZs. Version-Release number of selected component (if applicable): OSP15/Stein Actual results: The desired end-state configuration would have separate DHCP and L3 agents hosted in each AZ, along with tunnels formed only inside the AZ. This would allow, for instance, multiple edge sites within a single deployment that each performed local networking only. Any particular Neutron network would be limited to one AZ. A new flag would allow AZs to be truly autonomous and remove cross-AZ dependencies. Expected results: This behavior should be configurable, so that L2 may be limited to a particular AZ, and no tunnels are formed between different AZs. This will prevent Neutron from trying to form tunnels when the tunnel cannot function, and may enhance security when AZs are in different security zones. Additional info: Example: Suppose to AZs, AZ1 (control plane 10.1.1.0/24) and AZ2 (control plane 172.16.2.0/24). Here is example output from a node in AZ1. It is forming tunnels between members of both AZs. The desired configuration would have VXLAN tunnels only formed between endpoints in the same AZ. Bridge br-tun Controller "tcp:127.0.0.1:6633" is_connected: true fail_mode: secure Port "vxlan-1e0094c8" Interface "vxlan-1e0094c8" type: vxlan options: {df_default="true", in_key=flow, local_ip="10.1.1.20", out_key=flow, remote_ip="10.1.1.200"} Port br-tun Interface br-tun type: internal Port "vxlan-1e0094d6" Interface "vxlan-1e0094d6" type: vxlan options: {df_default="true", in_key=flow, local_ip="10.1.1.20", out_key=flow, remote_ip="172.16.2.214"} Port patch-int Interface patch-int type: patch options: {peer=patch-tun}
Note that it appears that NSX-T has a concept called "Transport Zones" that enables the feature that is being requested here. Compute nodes within a given transport zone will only be able to communicate with compute nodes within that same transport zone. This prevents network traffic from being sent between zones. More information here: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.3/com.vmware.nsxt.install.doc/GUID-F47989B2-2B9D-4214-B3BA-5DDF66A1B0E6.html NSX-T also supports Availability Zones, but it appears that those are separate from the Transport Zone functionality: https://docs.vmware.com/en/VMware-Integrated-OpenStack/5.0/com.vmware.openstack.admin.doc/GUID-37F0E9DE-BD19-4AB0-964C-D1D12B06345C.html It's possible that limiting tunneling traffic to a particular AZ may be outside the intended functions of Neutron AZs, but I think this is a valid use case.