Enable BGP as a Service
Cloud-Native Contrail® Networking™ supports BGP as a Service (BGPaaS). This document should be used to enable BGPaaS in environments using Release 22.1 or later.
The BGPaaS feature in Cloud-Native Contrail Networking provides the network support for BGP to operate within a virtual network in cloud networking environments using Cloud-Native Contrail Networking.
Benefits of BGP as a Service in Cloud-Native Contrail
With BGPaaS in Kubernetes environments using Cloud-Native Contrail Networking, you gain the following functionality:
-
A BGP protocol service that runs in the virtual network. This BGP service creates BGP neighbor sessions to pods, virtual machines, and other workloads in the virtual network.
-
A routing protocol that supports IPv4 neighbors, the IPv4 and IPv6 unicast address family, and IPv6-over-IPv4 next-hop mapping.
-
A BGP protocol service that is user-configurable using most well-known BGP configuration parameters.
You can use BGPaaS in any cloud networking environment that needs the functionality provided by a routing protocol. You may find BGPaaS especially useful in the following scenarios:
-
If you manage a large cloud networking environment that runs multiple workloads, you may want to use BGPaaS to scale network services.
-
If you use tunneling protocols that need network reachability information from a routing protocol to create and maintain tunnels, BGPaaS can help.
Prerequisites
We assume that before you enable BGP as a service:
-
You are operating in a working cloud networking environment using Kubernetes orchestration, and Cloud-Native Contrail Networking is operational.
-
You have a working knowledge of BGP.
Overview of BGP as a Service in Cloud-Native Contrail Networking
Cloud-Native Contrail Networking provides the networking support for BGPaaS.
You have to find a BGP service to run BGP in your cloud networking environment. This document shows how to enable networking support for BGPaaS with Cloud-Native Contrail Networking using the BGP service provided by the BIRD Internet Routing Daemon (BIRD). This daemon is available as a built-in development tool on many versions of Unix. You can also download it to your environment using a separate image.
In the examples that follow, you see that the BGP daemon from BIRD runs in a pod when BGPaaS is enabled. That daemon then sends BGP messages over the network using the networking capabilities provided by Cloud-Native Contrail Networking. For additional information on BIRD, see the BIRD Internet Routing Daemon homepage.
When BGPaaS is operational, the BGP daemon runs in a pod and manages BGPaaS. The BGP daemon is directly connected to a Contrail vRouter.
The Contrail vRouter has a connection to at least one control plane node and connects the BIRD daemon to the control plane. A BGP peering session between at least one control node and the BIRD daemon is established through this connection with the Contrail vRouter.
After a peering session is created between the control nodes and the BGP daemon, the BGP daemon can manage BGPaaS and send routes to BGP clients over the control plane. The BGPaaS management tasks include assigning IP addresses to workloads, pods, VMs, or other objects.
Enable BGPaaS in a Pod
To enable BGPaaS, you must create a pod to host the BGP service. You must then associate the pod hosting the BGP service with the virtual networks where BGPaaS will run.
You can use either of two methods of associating a pod hosting the BGP service with a virtual network:
-
Virtual Machine Interfaces Selector—The pod running the BGP service is directly associated with the virtual network. The pod hosting the BGP service is discovered automatically after the virtual network association is defined.
-
Virtual Machine Interface References—The pod running the BGP service is directly associated with the virtual network by explicitly providing the namespace and the name of the virtual machine interface of the pod hosting the BGP service.
The following sections provide the steps for each association method.
- Enable BGPaaS in a Pod Using the Virtual Machine Interfaces Selector
- Enable BGPaaS in a Pod Using Virtual Machine Interface References
Enable BGPaaS in a Pod Using the Virtual Machine Interfaces Selector
You must create a pod to host the BGP service, and then you can enable BGPaaS with the Virtual Machine Interfaces Selector.
The pod must:
-
Include at least one IPv4 interface.
-
Include annotations using
core.juniper.net/bgpaas-networks
to specify the associated virtual network names. The value in this annotation must include at least one virtual network name. If you are associating the pod hosting the BIRD daemon with multiple virtual networks, enter the virtual network names as a comma-separated list.
In this example YAML file, a pod is created to host the BGP service. The pod is associated with two virtual networks and BGPaaS is enabled to run on both virtual networks. The image: variable in the containers: hierarchy points to the BIRD image file that will provide the BGP service in this example.
apiVersion: v1 kind: Pod metadata: name: bird-pod-shared-1 namespace: bgpaas-ns annotations: k8s.v1.cni.cncf.io/networks: | [{ "name": "bgpaas-vn-1", "namespace": "bgpaas-ns", "cni-args": null "interface": "eth1" },{ "name": "bgpaas-vn-2", "namespace": "bgpaas-ns", "cni-args": null "interface": "eth2" }] core.juniper.net/bgpaas-networks: bgpaas-vn-1,bgapss-vn-2 spec: containers: - name: bird-pod-c image: somewhere.juniper.net/cn2/bazel-build/dev/bird-sut:1.0 command: ["bash","-c","while true; do sleep 60s; done"] securityContext: privileged: true
Enter the kubectl get vmi -n virtual-network-name to confirm that the pod and its associated virtual machine interfaces have been created. You can also enter the kubectl describe command to ensure that the virtual machine interfaces exist.
You can confirm the virtual network was created by reviewing the bgpaasVN= output in the label section of the kubectl describe command.
kubectl get vmi -n bgpaas-ns CLUSTERNAME NAME NETWORK PODNAME IFCNAME STATE AGE contrail-k8s-kubemanager-kubernetes bird-pod-1-abb881a8 bgpaas-vn-1 bird-pod-1 eth1 Success 13s contrail-k8s-kubemanager-kubernetes bird-pod-1-e3f93f05 default-podnetwork bird-pod-1 eth0 Success 13s kubectl describe vmi bird-pod-1-abb881a8 -n bgpaas-ns Name: bird-pod-1-abb881a8 Namespace: bgpaas-ns Labels: core.juniper.net/bgpaasVN=bgpaas-vn-1 namespace=bgpaas-ns
You must then create a BGPaaS object to configure BGPaaS. The BGPaaS object references the virtual networks in the virtualMachineInterfacesSelector: section.
apiVersion: core.contrail.juniper.net/v1alpha1 kind: BGPAsAService metadata: namespace: bgpaas-ns name: bgpaas-test spec: shared: false autonomousSystem: 10 bgpAsAServiceSessionAttributes: loopCount: 2 routeOriginOverride: origin: EGP addressFamilies: family: - inet - inet6 virtualMachineInterfacesSelector: - matchLabels: core.juniper.net/bgpaasVN: bgpaas-vn-1 - matchLabels: core.juniper.net/bgpaasVN: bgpaas-vn-2
Enable BGPaaS in a Pod Using Virtual Machine Interface References
You must first create a pod to host the BIRD daemon to enable BGPaaS with Virtual Machine Interface references. The pod must include at least one IPv4 interface.
In the following example, a pod is created in the bgpaas-ns namespace. The annotation associates the pod with the bgpaas-vn-1 virtual network. The image: variable in the containers: hierarchy points to the BIRD image file that will provide the BGP service in this example.
apiVersion: v1 kind: Pod metadata: name: bird-pod-1 namespace: bgpaas-ns annotations: k8s.v1.cni.cncf.io/networks: bgpaas-vn-1 spec: containers: - name: bird-pod-c image: somewhere.juniper.net/cn2/bazel-build/dev/bird-sut:1.0 command: ["bash","-c","while true; do sleep 60s; done"] securityContext: privileged: true
Confirm that the pod was created after committing the pod object configuration file by entering the kubectl get vmi -n bgpaas-ns command.
Note the name of the virtual machine interface for the pod in this command output. You will need to specify the virtual machine interface name later in this procedure when configuring the BGPaaS object.
kubectl get vmi -n bgpaas-ns CLUSTERNAME NAME NETWORK PODNAME IFCNAME STATE AGE contrail-k8s-kubemanager-kubernetes bird-pod-1-abb881a8 bgpaas-vn-1 bird-pod-1 eth1 Success 13s contrail-k8s-kubemanager-kubernetes bird-pod-1-e3f93f05 default-podnetwork bird-pod-1 eth0 Success 13s
The Virtual Machine interface references are defined while creating the BGPaaS object using the virtualMachineInterfaceReferences: hierarchy. The namespace: is the pod namespace and the name: is the virtual machine interface name that you retrieved using the kubectl get vmi -n bgpaas-ns command.
apiVersion: core.contrail.juniper.net/v1alpha1 kind: BGPAsAService metadata: namespace: bgpaas-ns name: bgpaas-sample spec: shared: false autonomousSystem: 100 bgpAsAServiceSessionAttributes: localAutonomousSystem: 10 loopCount: 2 routeOriginOverride: origin: EGP addressFamilies: family: - inet - inet6 virtualMachineInterfaceReferences: - apiVersion: core.contrail.juniper.net/v1alpha1 kind: VirtualMachineInterface namespace: bgpaas-ns name: bird-pod-1-abb881a8
Configure the IP Address Allocation Method for BGPasaS
You can configure BGPaaService with one of the following IP address allocation methods:
-
automatic IP address allocation—The BGP service assigns IP addresses.
-
user-specified IP address allocation—You assign the IP address.
You configure the IP address allocation method in the Subnet
object.
Automatic IP address allocation is enabled by default. If you enable BGPaaS without manually disabling automatic IP address allocation, BGPaaS uses automatic IP address allocation.
You disable automatic IP address allocation by setting the
disableBGPaaSIPAutoAllocation: variable in the Subnet
object to
true. If the disableBGPaaSIPAutoAllocation: variable is not present in the
Subnet object file, automatic IP address allocation is enabled.
In the following configuration sample, automatic IP address allocation is enabled because the disableBGPaaSIPAutoAllocation: variable isn't present in the Subnet object configuration file.
apiVersion: core.contrail.juniper.net/v1alpha1 kind: Subnet metadata: namespace: bgpaas-ns name: bgpaas-subnet-1 spec: cidr: "172.20.10.0/24"
In this configuration sample, automatic IP address allocation is enabled because the disableBGPaaSIPAutoAllocation: variable is set to false.
apiVersion: core.contrail.juniper.net/v1alpha1 kind: Subnet metadata: namespace: bgpaas-ns name: bgpaas-subnet-2 spec: cidr: "172.20.20.0/24" disableBGPaaSIPAutoAllocation: false
To enable user-specified IP address allocation, set the
disableBGPaaSIPAutoAllocation: variable to true
. When
user-specified IP address allocation is enabled, you must also configure the BGP addresses
that BGPaaS can assign to endpoints within the subnet. You must set a primary IP address
using the bgpaasPrimaryIP: variable. You can also set an optional secondary IP
address, which you can see in this example with the bgpaasSecondaryIP: variable.
apiVersion: core.contrail.juniper.net/v1alpha1 kind: Subnet metadata: namespace: bgpaas-ns name: bgpaas-subnet-2 spec: cidr: "172.20.20.0/24" disableBGPaaSIPAutoAllocation: true bgpaasPrimaryIP: 172.20.20.3 bgpaasSecondaryIP: 172.20.20.4
Configure the BGPasaService Object
You enable BGPaaS in a cluster by creating a BGPAsAService object.
Create the BGPAsAService object by creating a YAML file that uses
BGPAsAService
in the kind: field:
apiVersion: core.contrail.juniper.net/v1alpha1 kind: BGPAsAService metadata: namespace: bgpaas-ns name: bgpaas-test spec: shared: false autonomousSystem: 10 bgpAsAServiceSessionAttributes: loopCount: 2 routeOriginOverride: origin: EGP addressFamilies: family: - inet - inet6 virtualMachineInterfacesSelector: - matchLabels: core.juniper.net/bgpaasVN: bgpaas-vn-1 - matchLabels: core.juniper.net/bgpaasVN: bgpaas-vn-2
Field Variable | Description |
---|---|
shared: |
Specifies whether a common BGP router object can be shared with multiple virtual machine interfaces in the same virtual network. When this field is set to true, one BGP client router can be shared with multiple virtual machine interfaces in the same virtual network. This setting limits the total number of BGP client routers that have to be created in a virtual network for a VMI. When this field is set to false, one BGP client router is created for each virtual machine interface. |
autonomousSystem: |
Specifies the global Autonomous System number for the BGP instance. The Autonomous System number can be any whole number between 1 and 4294967295. |
bgpAsAServiceSessionAttributes: |
Defines the BGP session attributes for BGPaaS. See Table 2.
|
virtualMachineInterfaceReferences: |
Defines the virtual machine interface parameters to associate with BGPaaS when using virtual machine interface references. See Table 3.
|
virtualMachineInterfacesSelector: |
Defines the virtual networks where BGPaaS runs when using the virtual machine interfaces selector. See Table 4.
|
Field | Description |
---|---|
localAutonomousSystem: |
Specifies the local Autonomous System number for BGP. |
LoopCount: |
Specifies the number of times that the same ASN can be seen in a route update before the route is discarded. The LoopCount: can be any whole number up to 16. |
routeOriginOverride: |
Overrides the original setting and sets the origin attribute to Incomplete when forwarding routes. If you set this field to false, routes are advertised into BGP based on the origin setting. The origin is either IGP or EGP and is set using the origin: field in this file. If you set this field to true, the origin is set to Incomplete for advertised routes. Use this field if you want to change how BGP networks prioritize routes received from the BGP service. By default, BGP networks prioritize routes based on origin, and routes with an Incomplete origin receive lower priority than routes received from IGP or EGP. |
Origin: |
Specifies if BGP operates as an interior gateway protocol (igp) or exterior gateway protocol (egp). The default route origin is igp. |
AddressFamilies: |
Specifies the address family. You can specify the family as inet for IPv4 or inet6 for IPv6. You can specify both address families simultaneously. |
Field | Description |
---|---|
apiVersion: |
Specifies the API version for the virtual machine interface reference. |
kind: |
Always set this field to VirtualMachineInterface. |
namespace: |
Specifies the namespace associated with the virtual machine interface reference. You define this namespace while creating the Pod object. See Enable BGPaaS in a Pod Using Virtual Machine Interface References. |
name: |
Specifies the name of the pod associated with the virtual machine interface reference. You can retrieve the pod name by entering the kubectl get vmi -n bgpaas-ns command. See Enable BGPaaS in a Pod Using Virtual Machine Interface References. |
Field | Description |
---|---|
matchLabels: |
Define the match labels for the Virtual Machine Interfaces selector. The match labels in this context are always used to reference the virtual networks where the Virtual Machine interfaces selector is running. Always enter the match label values in this section as core.juniper.net/bgpaasVN:virtual-network-name. See Enable BGPaaS in a Pod Using the Virtual Machine Interfaces Selector. |
Validate the BGP as a Service Configuration
You should confirm that the BGPaaS object is successfully running after you commit the BGPAsAService object file.
Enter the kubectl get BGPAsAService command after you create the BGPAsAService object to confirm the object state. The object is successfully created when the State field indicates Success.
kubectl get BGPAsAService -n bgpaas-ns NAME AS IPADDRESS SHARED STATE AGE bgpaas-sample 100 false Success 33s
You should also ensure the BGPaaS server and the BGPaaS client are created and are in the Success state.
Enter the kubectl get BGPRouter command to confirm the presence and operational state of the BGPaaS servers and clients.
kubectl get BGPRouter -n bgpaas-ns NAME TYPE IDENTIFIER STATE AGE bgpaas-ns-bgpaas-vn-1-bgpaas-server bgpaas-server Success 2m57s bgpaas-ns-bgpaas-vn-1-bird-pod-1-abb881a8 bgpaas-client 172.20.10.2 Success 2m57s
Configure BGP in Pod
You must also configure the networking parameters for the BGP service running in the pod. The configuration for each individual BGP service is unique. Documenting the required networking configuration parameters is beyond the scope of this document. Please check the documentation that accompanies your BGP service.
In this example, we show you how to configure the BGP network configuration using BIRD.
You configure BGP using the BIRD CLI in this example. The parameters of the BGP configuration that need to match the BGPaaS objects defined in Cloud-Native Contrail Networking are noted. Although not shown in this example, you should know that the default location to access the BIRD configuration file in most deployments is /etc/bird.conf or /etc/bird/bird.conf.
# Change the router id to your BIRD router ID. It's a world-wide unique identification # of your router, usually one of router's IPv4 addresses. router id 172.20.10.2; protocol direct { interface "eth1*"; -> interface on which BGPAsAService needs to be configured } protocol bgp bgp1_1 { import all; export all; local as 10; -> AS configured in BGPAsAService neighbor 172.20.10.3 as 64512; -> neighbor for primary BGP session, use BGPaaSPrimaryIP from subnet neighbor 172.20.10.3 as 64512; -> neighbor for secondary BGP session, use BGPaaSSecondaryIP from subnet
From your BGP service, verify that the BGP protocol is running.
In this example from BIRD, you enter the show protocol command to verify that the BGP protocol is established in BIRD.
birdc show protocol bgp1_1 BIRD 1.6.8 ready. name proto table state since info bgp1_1 BGP master up 10:31:27 Established