Service Chains Overview
You can use Contrail to chain various Layer 2 through Layer 7 services such as firewall, NAT, and IDP through one or more cSRX containers. For example, you can insert a cSRX firewall container between two other virtual machines (VMs, containers, or both). By using cSRX and service chains, you can tailor your security needs to a targeted virtual network and container set. This provides agility and scalability in line with the fluidity of cloud network environments.
Understanding Service Chains
To create a service through cSRX, you instantiate one or more cSRX containers to dynamically apply single or multiple services to network traffic.
Figure 1 shows a basic service chain with a single cSRX container. The cSRX service container spawns a service, such as a firewall. The left interface (left IF) points to the internal end customer, who uses the service, and the right interface (right IF) points to the external network or Internet. You can also instantiate multiple cSRX containers to chain multiple services together. For example, you could add an IDP service after the firewall.
Figure 1: cSRX Service Chaining

When you create a service chain, Contrail creates tunnels across the underlay network that span all services in the chain.
Service Chain Modes
You can configure the following service modes:
In-network or routed mode—Provides a gateway service that routes packets between the service instance interfaces. Examples include NAT, Layer 3 firewall, and load balancing.
In-network-nat mode—Similar to in-network mode; however, packets from the left (private) network are not routed to the right (public) source network. In-network-nat mode is particularly useful for NAT services.
Note: Ensure that you define the service policy with the private network on the left and public on the right to get the public routes (usually the default) advertised into the left network.
Components of a Service Chain
Service chaining requires the following configuration components to build the chain:
Service template
Virtual networks
Service instance
Network policy
Service Templates
Service templates map out the basic configuration that Contrail uses to instantiate a service instance or container. Within Contrail, you configure service templates in the scope of a domain, and you can use the templates on all projects within a domain. You can use a template to launch multiple service instances of the same type in different projects within a domain. Within a service template, you select the service mode, a cSRX image name for the container that will provide the service, and an ordered list of interfaces for the service. cSRX service containers require the management interface to be the first interface in that ordered list.
The service template launches the cSRX as part of the service chain. A dedicated Nova Docker Agent runs on the cSRX compute node to receive instructions from the OpenStack Controller and to act on behalf of the cSRX. When the Nova Docker Agent starts the cSRX container, the agent first checks whether the cSRX image is present in the local host Docker Engine. If it is not, the agent attempts to pull the cSRX image from the remote Docker registry.
Virtual Networks
Virtual networks provide the link between the service instance and the network traffic in the containerized environment. You can create the virtual networks in Contrail or OpenStack and use those networks to direct traffic to or through the service instance.
Service Instances
A service instance is the instantiation of the selected service template to create one or more containers that provide the service (for example, a firewall). When you create a service instance, you select a service template that defines the instance. You also associate the interfaces in the service template with the virtual networks needed to direct traffic into and out of the service instance. If you enable service scaling in the selected service template, you can instantiate more than one container when you create the service instance.
Network Policies
By default, all traffic in a virtual network remains isolated. You configure a network policy to allow traffic between virtual networks and through the service instance. The network policy filters traffic to and from the service container based on the rules you configure. For the network policy, you select the service instance container and the virtual networks for the right and left interfaces of that container. As a final step, you associate the network policy with each virtual network the policy applies to.
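The constraints described above (management interface first, every template interface bound to a virtual network, private on the left and public on the right, policy associated with each network) can be checked before a chain is deployed. The following is an added example, not Juniper or Contrail code: the dictionary schema, the `scope` field, the sample names, and the choice to apply the left/right check only in in-network-nat mode are all assumptions made for illustration.

```python
# Added example: hypothetical schema, not Contrail's API or data model.
MODES = {"in-network", "in-network-nat"}  # the two modes this page describes

def lint_chain(template, instance, policy, networks):
    """Return a list of findings for one service chain definition."""
    findings = []
    ifaces = template.get("interfaces", [])
    nets = instance.get("interface_networks", {})
    left, right = nets.get("left"), nets.get("right")
    if template.get("mode") not in MODES:
        findings.append("template: unknown service mode")
    if not ifaces or ifaces[0] != "management":
        findings.append("template: management must be the first interface")
    for name in ifaces:  # every template interface needs a virtual network
        if name not in nets:
            findings.append(f"instance: interface '{name}' has no virtual network")
    if instance.get("count", 1) > 1 and not template.get("scaling", False):
        findings.append("instance: more than one container requires service scaling")
    if policy.get("service_instance") != instance.get("name"):
        findings.append("policy: does not reference this service instance")
    if (policy.get("left"), policy.get("right")) != (left, right):
        findings.append("policy: left/right networks differ from the instance")
    if template.get("mode") == "in-network-nat":
        scopes = (networks.get(left, {}).get("scope"), networks.get(right, {}).get("scope"))
        if scopes != ("private", "public"):
            findings.append("policy: in-network-nat needs private on the left, public on the right")
    for vn in (left, right):  # final step: policy attached to each network
        if policy.get("name") not in networks.get(vn, {}).get("policies", []):
            findings.append(f"network '{vn}': policy is not associated")
    return findings

# Constructed sample: left/right swapped, policy missing from one network.
TEMPLATE = {"mode": "in-network-nat", "image": "csrx-image-placeholder",
            "interfaces": ["management", "left", "right"], "scaling": False}
NETWORKS = {"vn-mgmt": {"scope": "private", "policies": []},
            "vn-private": {"scope": "private", "policies": ["fw-policy"]},
            "vn-public": {"scope": "public", "policies": []}}
INSTANCE = {"name": "csrx-fw", "count": 1, "interface_networks": {
    "management": "vn-mgmt", "left": "vn-public", "right": "vn-private"}}
POLICY = {"name": "fw-policy", "service_instance": "csrx-fw",
          "left": "vn-public", "right": "vn-private"}

if __name__ == "__main__":
    for finding in lint_chain(TEMPLATE, INSTANCE, POLICY, NETWORKS):
        print(finding)
```
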