Just the Basics

Romana creates isolated Cloud Native networks and applies security and network policy to them using standard layer 3 networking techniques. Just like networks on the public internet, isolation and access are based on IP address ranges that identify what traffic is allowed and where it can flow. Romana uses these familiar layer 3 techniques to build secure, Cloud Native networks without a virtual network overlay.

Romana controls IP addresses on VM and container endpoints through an IP Address Management (IPAM) system which lets complete layer 3 networks become the unit of isolation. Romana then creates a gateway and routes to these networks on hosts so that the Linux kernel can forward traffic directly to endpoints and enforce network policy without the overhead of encapsulation.

An important advantage of this approach is that route aggregation makes route distribution unnecessary and collapses the number of Linux iptables rules required for segment isolation.
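To make the aggregation point concrete, the following is an added illustration (not Romana's own code) of why segment-wide CIDRs collapse the rule count: it assumes a simple address plan in which each segment is carved out of a tenant block and IPAM only hands out endpoint addresses from that segment's network, so one rule on the segment prefixes covers every endpoint instead of one rule per endpoint pair.

```python
from ipaddress import IPv4Network, IPv4Address

# Assumed, illustrative address plan (not Romana's actual layout): one tenant
# block is split into fixed-size segment networks, and every endpoint in a
# segment is allocated from that segment's network only.
TENANT_BLOCK = IPv4Network("10.0.0.0/16")
SEGMENT_BITS = 4  # 16 segments, each a /20


def segment_network(segment_id: int) -> IPv4Network:
    """Return the CIDR that is the isolation unit for `segment_id`."""
    return list(TENANT_BLOCK.subnets(prefixlen_diff=SEGMENT_BITS))[segment_id]


def allocate(segment_id: int, count: int) -> list[IPv4Address]:
    """IPAM: hand out `count` endpoint addresses from the segment's own network.
    The first usable address is reserved for the host-side gateway (assumption)."""
    hosts = segment_network(segment_id).hosts()
    next(hosts)
    return [next(hosts) for _ in range(count)]


def per_endpoint_rules(src: list[IPv4Address], dst: list[IPv4Address]) -> list[str]:
    """Naive isolation: one iptables-style rule for every (src, dst) endpoint pair."""
    return [f"-A FORWARD -s {s}/32 -d {d}/32 -j DROP" for s in src for d in dst]


def aggregated_rules(src_seg: int, dst_seg: int) -> list[str]:
    """Layer 3 isolation: a single rule on the two segment CIDRs covers every
    endpoint IPAM will ever place in them, now or later."""
    return [f"-A FORWARD -s {segment_network(src_seg)} "
            f"-d {segment_network(dst_seg)} -j DROP"]


def is_blocked(src: IPv4Address, dst: IPv4Address, src_seg: int, dst_seg: int) -> bool:
    """Evaluate the aggregated rule the way the kernel does: by longest-prefix match."""
    return src in segment_network(src_seg) and dst in segment_network(dst_seg)


if __name__ == "__main__":
    web, db = allocate(1, 8), allocate(2, 8)
    print(len(per_endpoint_rules(web, db)), "per-endpoint rules vs",
          len(aggregated_rules(1, 2)), "aggregated rule")
```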

Even though Romana uses a layer 3 isolation model, it can run on layer 2 or layer 3 networks, as well as on public cloud networks like Amazon’s VPC.

More details on how Romana works are available here.

Background information, in the form of a brief overview of layer 3 routed access datacenter design, VXLAN tenant isolation and service chaining techniques, is available here.

Or jump right to the topic you want to learn more about.

Romana Details

Technology Background