**OVN** (Open Virtual Network) is the control plane layer built on top of [[Open vSwitch (OVS)]] that adds distributed routing, logical switching, load balancing, ACLs, and security groups to a cloud network. It is what [[OpenStack]] Neutron uses under the hood in modern deployments to implement tenant network isolation.

---

### First Principle: The network control plane must be distributed.

A centralised controller is a bottleneck and a single point of failure. OVN compiles high-level network intent (logical switches, routers, ACLs) down into [[Open vSwitch (OVS)]] flow table rules that are distributed and applied locally on each hypervisor host. There is no central packet forwarder — every host enforces the rules itself.

---

### Key Considerations

- **Logical vs Physical**: OVN introduces Logical Switches, Logical Routers, and ACLs as abstractions. Intent is written to the Northbound database, translated into logical flows in the Southbound database, and compiled into OVS flow rules by the `ovn-controller` running on each host.
- **Distributed Routing**: East-west traffic between VMs on different hosts routes directly between hosts — no hairpinning through a centralised gateway. Critical for performance at scale.
- **Load Balancing**: OVN provides stateful L4 load balancing via flow tables — implementing VPC-level load balancers at the hypervisor.
- **Security Groups**: Tenant-defined security groups are compiled into OVS flow rules and enforced at the source VM's vport, so disallowed inter-tenant traffic is dropped on the source host before it ever reaches the fabric.
- **[[OpenStack]] Neutron**: In modern OpenStack deployments, Neutron ML2+OVN is the recommended networking backend.

---

### How It Fits

```
[[OpenStack]] Neutron (API)
  → OVN (distributed control plane)
  → [[Open vSwitch (OVS)]] (per-host dataplane)
  → Physical network ([[SONiC]] / [[FRRouting (FRR)]])
```

[[Open vSwitch (OVS)]] | [[Cilium]] | [[OpenStack]] | [[SONiC]] | [[Open Source Hyperscaler MoC]]
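The security-group and port-isolation points above, as an added example that is not code from the OVN project or from this note. It expresses one tenant's "security group" as OVN Northbound objects with `ovn-nbctl`: port security pinning each vport to its MAC/IP, a port group for the two VMs, and stateful ACLs with a default drop in both directions. All names (`ls-tenant-a`, `vm-a`, `vm-b`, `pg-web`, `as_admin_net`), MACs, addresses and priority numbers are constructed for the example. It runs in dry-run mode by default (prints the commands it would issue) so it can be read and checked without an OVN deployment.

```shell
#!/bin/sh
# Added example, not OVN project code: express one tenant "security group"
# as OVN Northbound objects with ovn-nbctl. All names (ls-tenant-a, vm-a,
# vm-b, pg-web, as_admin_net), MACs, addresses and priorities are constructed.
# Dry-run by default: commands are printed, not executed. Set OVN_DRY_RUN=0
# on a host that has ovn-nbctl to apply them to the Northbound database.
OVN_DRY_RUN="${OVN_DRY_RUN:-1}"

# Wrapper: print the command (quoting arguments that contain spaces) or run it.
nbctl() {
  if [ "$OVN_DRY_RUN" = "1" ]; then
    line="ovn-nbctl"
    for arg in "$@"; do
      case $arg in
        *' '*) line="$line '$arg'" ;;
        *)     line="$line $arg" ;;
      esac
    done
    printf '%s\n' "$line"
  else
    ovn-nbctl "$@"
  fi
}

# Logical switch with two VM ports. lsp-set-port-security pins each vport to
# its own MAC/IP, so a VM cannot source frames with another tenant's addresses.
create_tenant_switch() {
  nbctl ls-add ls-tenant-a
  nbctl lsp-add ls-tenant-a vm-a
  nbctl lsp-set-addresses vm-a "52:54:00:00:00:0a 10.0.0.10"
  nbctl lsp-set-port-security vm-a "52:54:00:00:00:0a 10.0.0.10"
  nbctl lsp-add ls-tenant-a vm-b
  nbctl lsp-set-addresses vm-b "52:54:00:00:00:0b 10.0.0.11"
  nbctl lsp-set-port-security vm-b "52:54:00:00:00:0b 10.0.0.11"
}

# Security group "web" for the two ports: baseline drop in both directions,
# stateful allow of what the VMs initiate (replies are admitted via conntrack),
# and ingress TCP/443 only from the admin network. Higher priority wins, so
# the 1002 allows override the 1001 drops.
apply_web_security_group() {
  nbctl pg-add pg-web vm-a vm-b
  nbctl create Address_Set name=as_admin_net addresses=\"10.0.1.0/24\"
  # from-lport ACLs are evaluated at the ingress (source) vport: a drop here
  # happens on the source host before the packet reaches the fabric.
  nbctl acl-add ls-tenant-a from-lport 1002 'inport == @pg-web && ip' allow-related
  nbctl acl-add ls-tenant-a from-lport 1001 'inport == @pg-web && ip' drop
  # to-lport ACLs are evaluated at the destination vport.
  nbctl acl-add ls-tenant-a to-lport 1002 \
    'outport == @pg-web && ip4 && ip4.src == $as_admin_net && tcp.dst == 443' allow-related
  nbctl acl-add ls-tenant-a to-lport 1001 'outport == @pg-web && ip' drop
}

main() {
  create_tenant_switch
  apply_web_security_group
  nbctl acl-list ls-tenant-a   # show what the Northbound DB now holds
}

main
```

On a real deployment, `ovn-sbctl lflow-list` shows the logical flows the Southbound database derives from these ACLs, and `ovs-ofctl dump-flows br-int` on a hypervisor shows the OpenFlow rules `ovn-controller` installed from them, which is the "compiled into OVS flow rules" step described above. The `allow-related` verdict is what makes the group stateful: OVN sends matching traffic through conntrack, so reply packets for a VM-initiated connection are admitted even though the `to-lport` baseline is drop.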