Romana is an open-source project that tackles network and security issues for cloud-native applications.
Romana’s goal is to address these issues with the simplest possible solutions using technologies we’re all familiar with, no overlays required.
According to its Web site, Romana “automates the creation of isolated Cloud Native Networks and secures applications with a distributed firewall that applies access control policies consistently across all endpoints and services, wherever they run.”
Joining us on Priority Queue to talk about the project is Chris Marino. Chris is part of a team behind Romana, and the founder and CEO of Pani Networks. We’ll explore just what the Romana project is about, drill into its major components, and look at its integration with OpenStack and Kubernetes.
We’ll also play Devil’s advocate to look at limitations with the project. To get more details about Romana, check out the project’s blog.
Section 1 – Are Cloud Native Networks Really That Complex?
- What do we mean when we say “cloud native network”?
  - Not just private cloud, also public cloud
  - The emerging container problem
- A common solution in this space is an overlay using VXLAN with an SDN controller.
  - What does VXLAN do for us?
  - How does the SDN controller fit in?
- So let’s do a multi-tenant packet walk
- How hard is it to troubleshoot this sort of architecture?
Section 2 – Introducing The Romana Project
- In a nutshell, what is the Romana project?
- Let’s discuss the IP scheme used
  - 32 bits
  - Break them up how you need
  - By default, broken on the octet boundary
  - Network, tenants, hosts, networks, endpoints
- Okay, so let’s talk through each of the components
  - Route manager
  - Service insertion
- Is there a Romana API?
- Explain how Romana integrates with OpenStack
- Explain how Romana integrates with Kubernetes
Section 3 – Devil’s Advocate
- I find your lack of scale disturbing
- I want to use IPv6 addressing instead of IPv4. When?
- vMotion. I really, really want that…
- Native IP with no encap makes me nervous. Why shouldn’t it?
- How do I explain Romana multi-tenancy to a security auditor?
- There is zero chance I’m going to use static routes. Will Romana integrate with my BGP or OSPF?
- How is Romana itself secured so that it’s not provisioning IPs for undesirable endpoints or hosts?