When using the Open vSwitch driver, for an Ethernet frame to travel from the virtual machine instance to the physical network, it will pass through many different interfaces, including the following:
| Network Type | Interface Type | Interface Name |
|---|---|---|
| all | tap | tapN |
| all | bridge | qbrXXXX (only used with the iptables firewall driver) |
| all | veth | qvbXXXX, qvoXXXX (only used with the iptables firewall driver) |
| all | vSwitch | br-int |
| flat, vlan | vSwitch | br-ex (user-configurable) |
| vxlan, gre | vSwitch | br-tun |
| flat, vlan | patch | int-br-ethX, phy-br-ethX |
| vxlan, gre | patch | patch-tun, patch-int |
| flat, vlan | physical | ethX (where X is the interface) |
The Open vSwitch bridge br-int is known as the integration bridge. The integration bridge is the central virtual switch that most virtual devices are connected to, including instances, DHCP servers, routers, and more. When Neutron security groups are enabled and the iptables firewall driver is used, instances are not directly connected to the integration bridge. Instead, instances are connected to individual Linux bridges that are cross-connected to the integration bridge using a veth cable.
The Open vSwitch bridge br-ethX is known as the provider bridge. The provider bridge provides connectivity to the physical network via a connected physical interface. The provider bridge is also connected to the integration bridge by a virtual patch cable which is provided by patch ports int-br-ethX and phy-br-ethX.
A visual representation of the architecture described here can be seen in the following diagram:
In the preceding diagram, instances are connected to an individual Linux bridge via their respective tap interface. The Linux bridges are connected to the OVS integration bridge using a veth interface. OpenFlow rules on the integration bridge dictate how traffic is forwarded through the virtual switch. The integration bridge is connected to the provider bridge using an OVS patch cable. Lastly, the provider bridge is connected to the physical network interface, which allows traffic to enter and exit the host onto the physical network infrastructure.
When using the Open vSwitch driver, each controller, network, or compute node in the environment has its own integration bridge and provider bridge. The virtual switches across nodes are effectively cross-connected to one another through the physical network. More than one provider bridge can be configured on a host, but doing so often requires the use of a dedicated physical interface per provider bridge.
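The following is an added example, not code from the original text: it checks that each instance tap interface follows the tap, Linux bridge, veth, integration bridge path described above, which is the path expected when the iptables firewall driver is in use. The function name, the sample data, and the assumption that the tap, qbr, qvb and qvo devices of one port share the same name suffix are illustrative.

```python
def trace_taps(linux_bridges, br_int_ports):
    """Return {tap: (status, detail)} for every tap interface seen.

    linux_bridges: {bridge_name: [member interfaces]}, e.g. collected from
                   /sys/class/net/<bridge>/brif on the node.
    br_int_ports:  port names on the integration bridge, e.g. collected
                   with `ovs-vsctl list-ports br-int`.
    Assumption: tap/qbr/qvb/qvo devices of one port share the same suffix.
    """
    results = {}
    int_ports = set(br_int_ports)
    # A tap plugged straight into br-int skips the per-instance Linux
    # bridge. That is unexpected when the iptables firewall driver is used.
    for port in sorted(int_ports):
        if port.startswith("tap"):
            results[port] = ("direct", "attached to br-int, no qbr bridge")
    for bridge, members in sorted(linux_bridges.items()):
        if not bridge.startswith("qbr"):
            continue  # not a per-instance bridge
        suffix = bridge[3:]
        tap, qvb, qvo = "tap" + suffix, "qvb" + suffix, "qvo" + suffix
        if tap not in members:
            continue  # bridge exists but no instance is plugged in
        if qvb not in members:
            results[tap] = ("broken", f"{qvb} missing from {bridge}")
        elif qvo not in int_ports:
            results[tap] = ("broken", f"{qvo} missing from br-int")
        else:
            results[tap] = ("ok", f"{tap} -> {bridge} -> {qvb}/{qvo} -> br-int")
    return results


# Constructed sample data (not captured from a real host).
SAMPLE_BRIDGES = {
    "qbr1a2b3c4d-5e": ["tap1a2b3c4d-5e", "qvb1a2b3c4d-5e"],  # complete path
    "qbr9f8e7d6c-5b": ["tap9f8e7d6c-5b"],                    # veth end missing
}
SAMPLE_BR_INT = ["qvo1a2b3c4d-5e", "tap0c0d0e0f-1a", "int-br-eth1", "patch-tun"]

if __name__ == "__main__":
    report = trace_taps(SAMPLE_BRIDGES, SAMPLE_BR_INT)
    for tap, (status, detail) in sorted(report.items()):
        print(f"{tap:16} {status:7} {detail}")
```

A "direct" result is normal on hosts that do not use the iptables firewall driver, since the table above lists the qbr, qvb and qvo devices as specific to that driver.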