A decade after Amazon first introduced its cloud services and more than six years after the OpenStack project was initiated, it is clear now that both public and private clouds are here to stay. Each comes with its own pros and cons and is optimal for different use cases and scenarios. In fact, many enterprises today are either using or looking at a hybrid cloud solution, which allows them to use a mix of public cloud and on-premises private cloud services. With a hybrid cloud, organizations can run each workload on the most suitable cloud infrastructure, taking into consideration the required functionality, cost and effort.

A streamlined hybrid cloud experience is enabled by orchestration or cloud management platforms, which provide a single, unified user experience while interacting with the different clouds under the hood through their dedicated APIs. Having said that, it is important to remember that cloud services are not identical and hence cannot always be used interchangeably. This post surveys the conceptual similarities and differences between Amazon Web Services (AWS) and OpenStack APIs and outlines possible alternatives to bridge the gaps. The technical nuances of each and every API call are out of the scope of this article.

In general, an API (Application Programming Interface) defines a software service’s functionality; by publishing the API, other software services and applications can consume the service programmatically. Unlike relatively simple applications that provide only a GUI (graphical user interface), consumable only by humans, complex applications expose the full breadth of their functionality through APIs; the GUI, or the command line interface in this context, is just a client that uses the API. For this reason, the best way to understand a software service is by going through its APIs. Note that APIs allow a monolithic application to be broken up into independent, modular services, each providing one well-defined service. Therefore, APIs allow the use of existing services (such as cloud services in our context) instead of reinventing the wheel.


APIs convey concepts

More than providing functionality, an API conveys a concept; in other words, what this service is and what it is good for. In the context of this post, both Amazon’s AWS and OpenStack are cloud services. To be more specific, at the basic level they both provide IaaS (Infrastructure as a Service), or, put more simply, they both allow users to create virtual machines by themselves, attach storage to them, and connect these machines to one another without having to manage or even be aware of the physical resources actually serving them. However, while both are cloud services, Amazon’s AWS is a public cloud, whereas OpenStack is focused on providing private cloud services. Most of the differences between the APIs are attributable to this conceptual difference.

It is important to mention that while both services started as plain-vanilla IaaS services of the kind described above, as of today both have evolved tremendously and provide many services that fall under the definition of PaaS (Platform as a Service) and beyond. In this post we focus on the IaaS part of both services, or more specifically on Amazon’s EC2 (Elastic Compute Cloud) service and on OpenStack’s core projects, namely Nova, Keystone, Neutron, Cinder and Glance.

Multi-tenancy: AWS vs OpenStack

The first conceptual difference between AWS and OpenStack concerns multi-tenancy. OpenStack offers a multi-layer tenant mechanism with domains and projects. A domain is a collection of users, groups and projects, in a way parallel to an AWS account. LDAP groups are attached to domains. An OpenStack project is a container of virtual resources such as virtual machines, networks and volumes. Using projects, users can establish several isolated and independently controlled groups of resources that serve different objectives. In the Kilo release, Keystone introduced the hierarchical multi-tenancy concept, using sub-projects.

Accommodating more than one million customers, Amazon Web Services is a multi-tenant cloud by nature; however, at the account level, a single user receives a single-tenant experience. Having said that, AWS offers Virtual Private Cloud (VPC), which is somewhat parallel to OpenStack’s project. Amazon’s VPC lets the user provision a logically isolated section of the AWS cloud where the user can launch AWS resources in a virtual network that they define. AWS’s VPC is limited to one router and one IP block; though not compulsory, this is a common practice for OpenStack projects as well. It is worth noting that all of EC2’s virtual networking capabilities are only available using VPC.

On the other hand, unlike OpenStack, Amazon’s VPC offers extremely valuable tools that simplify the establishment of secured connectivity between VPCs and between a VPC and on-premises resources. The classical use case for enterprises is running the web servers, or the entire customer-facing application, on Amazon’s public cloud while keeping the rest of the servers on-premises. Through its API, Amazon allows the user to establish a VPN connection and even control the customer’s and AWS’s gateways. This is extremely valuable for enterprises that choose the hybrid cloud path, especially given that Amazon has integrated its VPN gateway with the market-leading VPN CPEs (customer premises equipment). OpenStack’s Neutron project does offer VPN as a Service (VPNaaS) capabilities; however, it is experimental and lacks the end-to-end integration that Amazon provides.


Networking: Neutron vs AWS VPC

From the network perspective, while OpenStack provides control over the L2 elements of the virtual network, AWS exposes only subnets. OpenStack Neutron’s API allows granular control of elements such as ports (the connection point for attaching a virtual server to a virtual network) and the ability to allocate VLAN IDs that correspond to VLANs present in the physical network. This is especially useful for provider networks, which are mapped to existing physical networks in the data center. These differences are again attributable to the different concepts behind AWS and OpenStack. In the private cloud, users manage the physical networking themselves, so it is crucial for the virtual networking to be fully integrated with the physical data center networking. The public cloud, however, is a managed service that takes all the hassle of physical network management away from the user; therefore, control over L2 is irrelevant to the user.

As for Layer 3 networking, Amazon’s AWS and OpenStack’s Neutron conceptually provide comparable capabilities. Both cloud services allow the creation of network subnets. OpenStack allows the use of several subnets on the same virtual network, although this is not a common practice. AWS allows users to define Elastic IP addresses, which are public IP addresses reachable from the Internet. OpenStack offers a similar mechanism, the floating IP, which is part of the virtual router’s API.

Both clouds provide routing services. In AWS, each VPC includes an implicit virtual router, and the API allows the user to set the routing table (which contains a set of rules, called routes, that determine where network traffic is directed). OpenStack’s Neutron API also allows management of the routing table; in addition, it allows management of the router entities themselves and does not limit the number of routers per project. Moreover, a single router can be connected to more than one project.
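To make the "set of rules, called routes" concrete, here is an added example (not code from the original post, nor from AWS or OpenStack) that models how a VPC-style route table picks a route: the most specific matching prefix wins, regardless of the order in which routes were added. The route table is constructed for a hypothetical hybrid deployment, and target names such as `igw-hypothetical` are placeholders, not real resource ids.

```python
"""Route selection by longest prefix match, modelled after a VPC route table.

Added illustration, not code from the original post or from either cloud.
The table is constructed for a hypothetical hybrid deployment; every target
name is a placeholder rather than a real resource identifier.
"""
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed route table for a hypothetical VPC whose CIDR is 10.0.0.0/16.
# Entry order is irrelevant: the most specific matching destination wins.
HYBRID_ROUTES = [
    ("10.0.0.0/16", "local"),                       # the VPC's own CIDR (implicit local route)
    ("0.0.0.0/0", "igw-hypothetical"),              # default route to the Internet gateway
    ("192.168.0.0/16", "vgw-hypothetical"),         # on-premises ranges over the VPN gateway
    ("192.168.10.0/24", "vgw-site2-hypothetical"),  # one on-prem site reached via a second gateway
    ("172.16.0.0/12", "pcx-hypothetical"),          # a peered VPC's range
]


def select_route(destination: str, routes: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Return the target of the most specific route covering `destination`.

    Returns None when no route matches, which is where traffic is dropped:
    a table without a default route cannot reach arbitrary Internet hosts.
    """
    addr = ipaddress.ip_address(destination)
    best_len, best_target = -1, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        # Longest prefix match: a /24 beats a /16, which beats the /0 default.
        if addr in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


def without_default_route(routes: Iterable[Tuple[str, str]]):
    """Same table with the 0.0.0.0/0 entry removed, to show the drop case."""
    return [(cidr, target) for cidr, target in routes if cidr != "0.0.0.0/0"]


if __name__ == "__main__":
    for dst in ("10.0.3.9", "192.168.10.7", "192.168.20.7", "172.20.1.1", "198.51.100.1"):
        print(f"{dst:>14} -> {select_route(dst, HYBRID_ROUTES)}")
    print("198.51.100.1 without default route ->",
          select_route("198.51.100.1", without_default_route(HYBRID_ROUTES)))
```

The point a practitioner should take from this is that adding a more specific route silently overrides a broader one for the addresses it covers, so a route table change on either cloud needs to be reviewed against every existing prefix, not only the one being edited.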

From a network security perspective, AWS and OpenStack offer similar mechanisms. Security groups are used to filter traffic at the instance level. Network ACLs (in AWS) and virtual firewalls (in OpenStack) are used to filter traffic going between subnets. There are minor nuances unique to each API; however, the general concept is very similar.
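One of those nuances matters in practice: a security group is stateful and allow-only, so the reply to an allowed connection is admitted automatically, whereas an AWS network ACL is stateless and evaluates numbered allow/deny rules in order, so return traffic has to be permitted explicitly. The following added example (not code from the original post or from either cloud's SDK) models both filters offline over constructed packets. The `Packet` class, the rule dictionaries and all addresses and rule numbers are assumptions made for the illustration; OpenStack security groups follow the same stateful allow-only model as the AWS one shown here.

```python
"""Stateful security group versus stateless network ACL, evaluated offline.

Added example, not code from the original post or from any cloud SDK. Rule
sets, packets and addresses are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    direction: str  # "in" = toward the instance, "out" = leaving the instance


def rule(cidr, proto="tcp", port_lo=0, port_hi=65535, action="allow", num=0):
    """Build one rule; `num` and `action` are only meaningful for a network ACL."""
    return {"cidr": cidr, "proto": proto, "port_lo": port_lo,
            "port_hi": port_hi, "action": action, "num": num}


def _rule_matches(r, pkt: Packet) -> bool:
    # The rule's CIDR describes the remote side; the port range is always the
    # packet's destination port (the instance's port for inbound rules, the
    # remote host's port for outbound rules).
    if r["proto"] not in ("any", pkt.proto):
        return False
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    if ipaddress.ip_address(remote) not in ipaddress.ip_network(r["cidr"]):
        return False
    return r["port_lo"] <= pkt.dport <= r["port_hi"]


class SecurityGroup:
    """Instance-level filter: allow rules only, stateful."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.established = set()  # 5-tuples of flows already admitted

    def allows(self, pkt: Packet) -> bool:
        # A reply to an admitted flow passes without consulting the rules.
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.established:
            return True
        if any(_rule_matches(r, pkt) for r in self.rules[pkt.direction]):
            self.established.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return True
        return False


class NetworkAcl:
    """Subnet-level filter: numbered allow/deny rules, first match wins, no state."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r["num"]),
                      "out": sorted(outbound, key=lambda r: r["num"])}

    def allows(self, pkt: Packet) -> bool:
        for r in self.rules[pkt.direction]:
            if _rule_matches(r, pkt):
                return r["action"] == "allow"
        return False  # implicit final deny


def demo() -> dict:
    """Run a constructed HTTPS request/reply pair through each filter."""
    request = Packet("203.0.113.10", "10.0.1.5", "tcp", 51000, 443, "in")
    reply = Packet("10.0.1.5", "203.0.113.10", "tcp", 443, 51000, "out")
    blocked_client = Packet("198.51.100.7", "10.0.1.5", "tcp", 40000, 443, "in")

    sg = SecurityGroup(inbound=[rule("0.0.0.0/0", port_lo=443, port_hi=443)], outbound=[])
    # Naive ACL: admits the request but has no outbound rule for the reply.
    naive_acl = NetworkAcl(inbound=[rule("0.0.0.0/0", port_lo=443, port_hi=443, num=100)],
                           outbound=[])
    # Corrected ACL: explicit deny for one range evaluated before the allow,
    # plus an outbound rule for the ephemeral ports replies are sent to.
    fixed_acl = NetworkAcl(
        inbound=[rule("198.51.100.0/24", port_lo=443, port_hi=443, action="deny", num=90),
                 rule("0.0.0.0/0", port_lo=443, port_hi=443, num=100)],
        outbound=[rule("0.0.0.0/0", port_lo=1024, port_hi=65535, num=100)],
    )
    return {
        "sg_request": sg.allows(request),
        "sg_reply": sg.allows(reply),
        "naive_acl_request": naive_acl.allows(request),
        "naive_acl_reply": naive_acl.allows(reply),
        "fixed_acl_request": fixed_acl.allows(request),
        "fixed_acl_reply": fixed_acl.allows(reply),
        "fixed_acl_blocked_client": fixed_acl.allows(blocked_client),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<26} {'allowed' if verdict else 'dropped'}")
```

Two things the run makes visible: the security group passes the reply with no outbound rule at all, while the naive ACL drops it, which is the classic symptom of a subnet-level filter missing its ephemeral-port return rule; and only the ACL can express an explicit deny ahead of a broader allow, something a security group cannot do because it is allow-only.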

Summary

AWS APIs and OpenStack APIs provide similar fundamental capabilities, allowing users to consume cloud services such as virtual machines, volumes and networks. However, there are many differences, attributable to the simple fact that Amazon Web Services is a managed public cloud service, while OpenStack is open source software deployed on-premises and self-managed by the corporate IT staff. In the next post in this series we will compare other aspects of cloud services, including compute and storage.