Why does the Neutron documentation recommend three interfaces?
Mon 28 October 2013 by Lars Kellogg-Stedman
Tags: openstack, neutron, networking
The documentation for configuring Neutron recommends that a network controller has three physical interfaces:
Before you start, set up a machine to be a dedicated network node. Dedicated network nodes should have the following NICs: the management NIC (called MGMT_INTERFACE), the data NIC (called DATA_INTERFACE), and the external NIC (called EXTERNAL_INTERFACE).
People occasionally ask, "why three interfaces? What if I only have two?", so I wanted to provide an extended answer that might help people understand what the interfaces are for and what trade-offs are involved in using fewer interfaces.
MGMT_INTERFACE is used for communication between nodes. This can include traffic from services to the messaging server (rabbitmq, etc), traffic between nova and neutron, connections to the database, and other traffic used to manage your OpenStack environment.
DATA_INTERFACE is used for instance traffic, that is, traffic generated by or inbound to instances running in your OpenStack environment. If you are using GRE or VXLAN tunnels, your tunnel endpoints will be associated with this interface.
EXTERNAL_INTERFACE is used to provide public access to your instances. The network attached to this interface is generally open to external traffic, and ip addresses are managed by the floating-ip functionality in Neutron or Nova.
You want your MGMT_INTERFACE separate from your DATA_INTERFACE in order to avoid accidentally granting your tenants management access to your OpenStack hosts. A typical OpenStack environment may not use authentication in all cases, and a tenant host with access to the management network could intentionally or accidentally cause problems.
You want your EXTERNAL_INTERFACE separate from your DATA_INTERFACE because your network controller must be acting as a router between these two interfaces in order for the netfilter POSTROUTING rules to activate. These rules are used to map floating ip addresses to internal addresses via DNAT rules, which only work packets traverse the
You want your MGMT_INTERFACE separate from your EXTERNAL_INTERFACE because they have dramatically different access requirements. Your MGMT_INTERFACE should typically only be available to other hosts in your OpenStack deployment, while your EXTERNAL_INTERFACE will generally require much broader access.
If you are deploying a proof-of-concept (POC) deployment to which you are not actually providing public access, you can elect to not have an EXTERNAL_INTERFACE. Rather than adding this device to
will set up outbound NAT rules so that "external" traffic from your instances will masquerade using the primary ip address of your network
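As an added example (not code from the original post, and not Neutron's own l3-agent rules), here is the shape of the netfilter rules behind the two NAT passages above: the floating-ip mapping, whose inbound DNAT half is evaluated in PREROUTING and whose SNAT half in POSTROUTING, both of which only fire for packets the node forwards between two distinct interfaces, and the outbound-only masquerade a POC node uses when it has no EXTERNAL_INTERFACE. Interface names and addresses are assumed; the script prints the rules rather than applying them.

```sh
#!/bin/sh
# Added example: floating-ip style NAT rules for a Linux node that routes
# between an external and a data interface. Names/addresses are assumed.
EXTERNAL_INTERFACE=${EXTERNAL_INTERFACE:-eth2}
DATA_INTERFACE=${DATA_INTERFACE:-eth1}

# Print (do not apply) the rules for one floating ip -> fixed ip mapping.
floating_ip_rules() {
  float_ip=$1
  fixed_ip=$2
  # Inbound: rewrite the destination before the routing decision, so the
  # packet is then forwarded out DATA_INTERFACE towards the instance.
  echo "iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -d $float_ip -j DNAT --to-destination $fixed_ip"
  # Outbound: rewrite the source after routing, so replies leave from the floating ip.
  echo "iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -s $fixed_ip -j SNAT --to-source $float_ip"
  # Only forward traffic for this mapping between the two interfaces.
  echo "iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $DATA_INTERFACE -d $fixed_ip -j ACCEPT"
  echo "iptables -A FORWARD -i $DATA_INTERFACE -o $EXTERNAL_INTERFACE -s $fixed_ip -j ACCEPT"
}

# POC variant without an EXTERNAL_INTERFACE: instance traffic leaving via the
# node's primary interface masquerades behind that interface's address.
poc_masquerade_rule() {
  instance_net=$1
  out_if=$2
  echo "iptables -t nat -A POSTROUTING -s $instance_net -o $out_if -j MASQUERADE"
}

# The nat rules above only see forwarded packets, so the node must actually
# route between two different interfaces and have ip_forward enabled.
check_router_prereqs() {
  [ "$EXTERNAL_INTERFACE" != "$DATA_INTERFACE" ] || { echo "external and data interface must differ" >&2; return 1; }
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ] || { echo "ip_forward is not enabled" >&2; return 1; }
  return 0
}
```

Run `floating_ip_rules 203.0.113.10 10.0.0.5` (constructed addresses) to see the four rules; piping them to `sh` on the router applies them.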