The documentation for configuring Neutron recommends that a network controller has three physical interfaces:

Before you start, set up a machine to be a dedicated network node. Dedicated network nodes should have the following NICs: the management NIC (called MGMT_INTERFACE), the data NIC (called DATA_INTERFACE), and the external NIC (called EXTERNAL_INTERFACE).

People occasionally ask, “why three interfaces? What if I only have two?”, so I wanted to provide an extended answer that might help people understand what the interfaces are for and what trade-offs are involved in using fewer interfaces.

The MGMT_INTERFACE is used for communication between nodes. This can include traffic from services to the messaging server (qpid, rabbitmq, etc), traffic between nova and neutron, connections to the database, and other traffic used to manage your OpenStack environment.

The DATA_INTERFACE is used for instance traffic…that is, traffic generated by or inbound to instances running in your OpenStack environment. If you are using GRE or VXLAN tunnels your tunnel endpoints will be associated with this interface.

The EXTERNAL_INTERFACE is used to provide public access to your instances. The network attached to this interface is generally open to external traffic, and ip addresses are managed by the floating-ip functionality in Neutron or Nova.

  • You want your MGMT_INTERFACE seperate from your DATA_INTERFACE in order to avoid accidentally granting management access to your OpenStack hosts to your tenants. A typical OpenStack environment may not use authentication in all cases, and a tenant host with access to the management network could intentionally or accidentally cause problems.

  • You want your EXTERNAL_INTERFACE separate from your DATA_INTERFACE because your network controller must be acting as a router between these two interfaces in order for the netfilter PREROUTING and POSTROUTING rules to activate. These rules are used to map floating ip addresses to internal addresses via SNAT and DNAT rules, which only work packets traverse the FORWARD chain.

  • You want your MGMT_INTERFACE separate from your EXTERNAL_INTERFACE because they have dramatically different access requirements. Your MGMT_INTERFACE should typically only be available to other hosts in your OpenStack deployment, while your EXTERNAL_INTERFACE will generally require much broader access.

If you are deploying a proof-of-concept (POC) deployment to which you are not actually providing public access, you can elect to not have an EXTERNAL_INTERFACE. Rather than adding this device to br-ex, you will set up outbound NAT rules so that “external” traffic from your instances will masquerade using the primary ip address of your network controller.