Juju models networks using spaces, which can be mapped to one or more subnets of the chosen backing cloud. When a space’s subnets span multiple availability zones, Juju will automatically distribute application units across subnets and zones, thereby providing increased resilience.
From a security standpoint, spaces allow you to restrict an application’s network access. Spaces allow you to configure the model’s network topology to restrict applications to posse only the network connectivity they need.
Here are a few properties to keep in mind:
- Spaces can contain multiple subnets
- Subnets are restricted to a single one space
- All subnets within a space are considered equal in terms of routing
Provider support: Spaces are currently only supported by the MAAS and EC2 providers.
Example: isolating a database from the Internet
Consider a model divided into three segments with distinct security requirements:
- The “dmz” space for publicly-accessible applications (e.g. HAProxy) providing access to the CMS application behind it.
- The “cms” space for content-management applications accessible via the “dmz” space only.
- The “db” space for backend database applications, which should be accessible only by the applications.
HAProxy is deployed inside the “dmz” space, it is accessible from the internet and proxies HTTP requests to one or more Joomla units in the “cms” space. The backend MySQL for Joomla is running in the “db” space. All subnets within the “cms” and “db” spaces provide no access from outside the environment for security reasons.
Adding and listing spaces and subnets
Spaces are created with the
add-space command. The following command maps a space called
db-space with subnet 192.168.123.0/24:
juju add-space db-space 192.168.123.0/24
To see which spaces have been added, along with any subnets belonging to those spaces, use the
juju spaces command. Its output will look similar to the following:
Space Subnets db-space 192.168.123.0/24 public undefined 192.168.122.0/24
To map an existing subnet to a space use the
add-subnet command. Here we map subnet 192.168.124.0/24 to space ‘db-space’:
juju add-subnet 192.168.124.0/24 db-space
juju subnets command will list all subnets known to Juju with output similar to the following:
subnets: 192.168.122.0/24: type: ipv4 provider-id: "5" status: in-use space: undefined zones: - default 192.168.123.0/24: type: ipv4 provider-id: "6" status: in-use space: undefined zones: - default
MAAS and spaces
MAAS has a native knowledge of spaces. Within MAAS, spaces can be created, configured, and destroyed. This allows Juju to leverage MAAS spaces without the need to add/remove spaces and subnets. However, this also means that Juju needs to “pull” such information from MAAS. This is done by default upon controller-creation. Run
juju reload-spaces to refresh Juju’s knowledge of MAAS spaces and works on a per-model basis.
reload-spaces command does not currently pull in all information. This is being worked upon. See LP #1747998.
Juju creates bridges for containers only when Juju knows the spaces an application may require, and the container’s bridge for that application will only connect to the required network interfaces.
Once all desired spaces have been added and/or configured they can be called upon by using either a constraint or a binding.
A space constraint, like any other constraint, operates at the machine level. It requests that certain network connections be made available to the Juju machine. When a constraint is used, all application endpoints get associated with the space.
- See the Using constraints page to learn more about constraints.
- For examples of using the ‘spaces’ constraint, read Deploying to spaces for how to use it with the
deploycommand and Setting constraints when adding a machine for how to use it with the
A binding is a space-specific, software level operation and is a more fine-grained request. It associates an application endpoint with a subnet.