VPN Services Support QoS


Currently, there is no way to set VPN services’ bandwidth. This specification proposed a way to set the VPN services’ bandwidth limit.

Problem Description

Currently, Neutron VPNaaS provides site to site VPN services, but its bandwidth consumption is not regulated, as the VPN tunnel will cost the bandwidth from the outside public bandwidth provided by the ISP or other organizations. That means it is not free. The OpenStack provider or users should pay for the limited bandwidth. So it is necessary for saving the resources.

Currently, physical device configurations outside OpenStack environment cannot be modified by OpenStack, but we can shape the outgoing traffic. VPN services provide the security guarantee, but it shouldn’t abuse the bandwidth of underlay network that it will affects other traffic.

Use Case

Consider that an OpenStack public cloud has been deployed in a real data center. A cloud enterprise user has a requirement in which one of the applications should connect to its private network, but for other traffic flows, still use the original network functionality provided by OpenStack. The network topology diagram is shown below:

                       +--------------------+   +                                                        |DataCenter
                       |VM1                 |   |                                                        |external network
                       |nic IP:   |   |                 +-------------------------------+      |        +----+
                       |default via                 |Default Router                 |      |        |    |
                       |                    |   +-----------------+Interface:            +------+        |    |
                       +--------------------+   |                 |gw:                |      |        |    |
OpenStack                                       |                 |route: via|      |        |    |
private                                .        |                 |                               |      |        |    |
network                                .        |                 +-------------------------------+      |        |    |
                                                |                                                        |        |    |
subnet:                             |                                                        |        |    |
                       +--------------------+   |                                                        |        |    |
                       |VM2                 |   |                                                        +--------+    |Internet
                       |nic IP:   |   |                                                        |        |    |
                       |default via                                                        |        |    |
                       |                    |   |                                                        |        |    |
                       +--------------------+   |                                                        |        |    |
                                                |                                                        |        |    |
                                       .        |                 +--------------------------------+     |        |    |       +-------------------------------+
                                       .        |                 |VPN Router                      |     |        |    |       |Vendor GW Router               |
                                                |                 |Interface:             |     |        |    |       |peer vpn service running       |
                                                +-----------------+gw:                 +-----+        |    +-------+hold private subnet|
                       +--------------------+   |                 |VPN service running             |     |        |    |       |                               |
                       |VMX                 |   |                 |                                |     |        |    |       |                               |
                       |nic IP:   |   |                 +--------------------------------+     |        +----+       +-------------------------------+
                       |default via                                                        |
                       |                    |   |                                                        |
                       +--------------------+   |                                                        |
                                                |                                                        |
                                                +                                                        +

As this diagram shows, the enterprise user owned many VMs in the private network and the allocated IPs are from the private subnet There are two routers connected, Default Router is used for the normal network functions, such as NAT, Floating IP, Routing. VPN Router is mainly used for VPN traffic process, also contains NAT and route for other traffic. Both of the routers are attached to the external network which is the physical underlay network in the real data center. The VPN Router in OpenStack and Vendor GW Router in other site maintain a VPN peer relationship across the Internet.

There are two scenarios towards the VM outgoing traffic:

  1. VMs in the OpenStack private network access the normal websites, first send the network packets to its gateway which is located on the Default Router. Then send to the Internet by the data center devices.

  2. VMs in the OpenStack private network access the other site private network, still first send the network packets to its gateway, then check the route tables, the nexthop of is which is located on VPN Router. The network traffic will be sent based on the existing VPN tunnel to Vendor private site.

Like the diagram shows, the QoS Policy should be set on the qg-XX port of the VPN router for limiting the outgoing VPN traffic.

This spec focuses on the QoS of VPN outgoing traffic, so for neutron-vpnaas, this spec will focus on the Router related with VPN services. And for the general use cases which is that VPN service usually setup across the Internet in tunnel mode, we will only introduce the QoS support on tunnel type VPN services.

Proposed Change

We propose the VPN Service resource accepts the Neutron QoS Policy. Once the ipsec site connection is created, the QoS Policy will be applied on the VPN router’s qg-XX port, as the ESP encapsulation will use the qg-XX port’s IP to access other sites.

So there are three parts that require to work:

  1. DB related changes, including new table qos_vpnservice_policy_bindings addition and data model change.

  2. API changes, including extend the API to accept the Neutron QoS Policy.

  3. Introduce a new l3 agent extension to extend the ability to process the QoS policy installation on the router.


  • Accept the QoS parameters and implement the QoS function on our own.

  • Apply QoS Policy on the Router interface directly, but this would affect the west-east traffic.

Data model impact

In this spec, the QoS data model and function will be provided by Neutron, so vpnservices table need to maintain the relationship with Neutron QoS Policy.

The following new table is added as part of the VPN QoS feature:

CREATE TABLE `qos_vpnservice_policy_bindings` (
  `vpn_service_id` varchar(36) NOT NULL,
  `qos_policy_id` varchar(36) NOT NULL,
  UNIQUE KEY `vpn_service_id` (`vpn_service_id`),
  KEY `qos_policy_id` (`qos_policy_id`),
  CONSTRAINT `qos_vpn_service_policy_bindings_ibfk_1` FOREIGN KEY (
  `qos_policy_id`) REFERENCES `qos_policies` (`id`) ON DELETE CASCADE,
  CONSTRAINT `qos_vpn_service_policy_bindings_ibfk_2` FOREIGN KEY (
  `vpn_service_id`) REFERENCES `vpnservices` (`id`) ON DELETE CASCADE

REST API impact

Proposed attribute:

    'qos_policy_id':{'allow_post': True, 'allow_put': True,
                     'validate': {'type:uuid': None},
                     'is_visible': True,
                     'default': None}

Some samples in VPN service create/update. Users are allowed to pass qos_policy_id.

Create/Update VPN service Request:

POST /v2.0/vpn/vpnservices
    "vpnservice": {
        "subnet_id": null,
        "qos_policy_id": "a36c20d0-18e9-42ce-88fd-82a35977ee8c",
        "router_id": "66e3b16c-8ce5-40fb-bb49-ab6d8dc3f2aa",
        "name": "myservice",
        "admin_state_up": true

    "vpnservice": {
        "router_id": "66e3b16c-8ce5-40fb-bb49-ab6d8dc3f2aa",
        "status": "PENDING_CREATE",
        "name": "myservice",
        "external_v6_ip": "2001:db8::1",
        "admin_state_up": true,
        "subnet_id": null,
        "project_id": "10039663455a446d8ba2cbb058b0f578",
        "tenant_id": "10039663455a446d8ba2cbb058b0f578",
        "external_v4_ip": "",
        "id": "5c561d9d-eaea-45f6-ae3e-08d1a7080828",
        "description": "",
        "qos_policy_id": "a36c20d0-18e9-42ce-88fd-82a35977ee8c"

PUT /v2.0/vpn/vpnservices/{service_id}
    "vpnservice": {
        "name": "NEW VPN SERVICE NAME",
        "description": "Updated description",
        "qos_policy_id": "a36c20d0-18e9-42ce-88fd-82a35977ee8c"

    "vpnservice": {
        "router_id": "881b7b30-4efb-407e-a162-5630a7af3595",
        "status": "ACTIVE",
        "name": "NEW VPN SERVICE NAME",
        "admin_state_up": true,
        "subnet_id": null,
        "project_id": "26de9cd6cae94c8cb9f79d660d628e1f",
        "tenant_id": "26de9cd6cae94c8cb9f79d660d628e1f",
        "id": "41bfef97-af4e-4f6b-a5d3-4678859d2485",
        "description": "Updated description",
        "qos_policy_id": "a36c20d0-18e9-42ce-88fd-82a35977ee8c"

QoS Policy Application Details

The reason for introducing this, for example, we change the use case below, we deploy the vpn service on the Default Router, delete the VPN Router. That means the general traffic and VPN traffic will pass through the Default Router, then we apply the Neutron QoS policy on the qg-XX port of the Default Router, it will limit all the bandwidth, so the VPN’s bandwidth may have a lower performance, or we can say it is not consistent with expectations.

Currently, Neutron provides the QoS function but not for some interest streams. Here we will focus on the VPN traffic. For this function, we will combine the iptables and tc together. The reason for choosing them is that, iptables could mark the VPN interest stream by the ipsec VPN transform protocols(such as esp, ah-esp protocols), the interface that the packets will go out and the local encapsulated IP if running in tunnel mode. Also we need to shape the vpn traffic before send out to the underlay network, so some new iptables rules will be installed on mangle table in the router’s namespace. Also the fwmark is eaiser to extend, such as ipchains.

And we will introduce a new tc wrapper which will use htb and it will provides classification algorithm. Then developers can easily implement other complex traffic control. That means we will extend the current tc_lib in Neutron repo. And vpn_qos will based on this.

Just like above description, a new L3 agent extension will be introduced like fip_qos done. We suggest to name it vip_qos, it will install the appropriate iptables rules in the router’s namespace which binds with VPN service. Then users or managers could use the QoS function to the Default Router and not affect other network streams.

Security impact


Notifications impact

No expected change.

Other end user impact

Users will be able to specify qos_policy during create/update VPN service.

Performance Impact

It will save the bandwidth of the underlay network in data center.

Other deployer impact


Developer impact

Developer may use the new tc wrapper to do other things, as it is powerful to support other stream control functionality. But there may be a conflict with openstack/neutron-classifier, as it provides defining the traffic. So we may reconsider that if possible.




Work Items

  • Add the DB model and extend the table column.

  • Extend VPN API to accept QoS policy.

  • Extend new tc wrapper which support classification algorithm based on traffic classifier feature.

  • Extend new L3 agent extension vip_qos.

  • Add API validation code to validate access/existence of the qos_policy which created in Neutron.

  • Add UTs to Neutron-vpnaas.

  • Add API tests.

  • Update CLI to accept QoS fields.

  • Documentation work.




Unit tests, functional tests, API tests and scenario tests are necessary.

Documentation Impact

The Neutron API reference will need to be updated.