Open Virtual Network (OVN)


Open Virtual Network (OVN) is an SDN platform. When used with OpenStack the overall solution is known as “Neutron ML2+OVN”. OVN extends the existing capabilities of a solution based solely on Open vSwitch, which is known as “Neutron ML2+OVS”.

OVN is implemented via a suite of charms:

  • neutron-api-plugin-ovn

  • ovn-central

  • ovn-chassis (or ovn-dedicated-chassis)


The OpenStack Charms project supports OVN starting with OpenStack Train, and uses it by default starting with OpenStack Ussuri.

Instructions for migrating non-OVN clouds to OVN are found on the Migration to OVN page.

Due to feature gaps with ML2+OVS, the OpenStack Charms project continues to support ML2+OVS.



OVN is typically deployed alongside other core components via a comprehensive cloud bundle. For example, see the openstack-base bundle.

The below overlay bundle encapsulates what is needed in terms of the deployment.


An overlay’s parameters should be adjusted as per the local environment (e.g. the machine mappings). In particular, the following placeholders must be replaced with actual values:




Replace $SERIES with the Ubuntu release running on the cloud nodes (e.g. ‘jammy’). For $OPENSTACK_ORIGIN see the corresponding charm options. For channel information see the Charm delivery page.

series: $SERIES


- - neutron-api-plugin-ovn:certificates
  - vault:certificates
- - neutron-api-plugin-ovn:neutron-plugin
  - neutron-api:neutron-plugin-api-subordinate
- - neutron-api-plugin-ovn:ovsdb-cms
  - ovn-central:ovsdb-cms
- - ovn-central:certificates
  - vault:certificates
- - ovn-chassis:ovsdb
  - ovn-central:ovsdb
- - ovn-chassis:certificates
  - vault:certificates
- - ovn-chassis:nova-compute
  - nova-compute:neutron-plugin



    charm: ch:neutron-api-plugin-ovn
    channel: $CHANNEL_OVN

    charm: ch:ovn-central
    channel: $CHANNEL_OVN
    num_units: 3
      source: $OPENSTACK_ORIGIN
    - '0'
    - '1'
    - '2'

    charm: ch:ovn-chassis
    channel: $CHANNEL_OVN

TLS and Vault

With the OpenStack charms, OVN requires Vault, which is the chosen software for managing the TLS certificates that secure control plane communication. This is achieved via the ovn-chassis:certificates vault:certificates relation (as shown in the overlay).

For certificate management information see the Managing TLS certificates page.

See the vault charm for details on Vault itself.

Data plane

The OVN components used for the data plane are deployed by the ovn-chassis subordinate charm, in conjunction with the nova-compute principal charm. This is achieved via the ovn-chassis:nova-compute nova-compute:neutron-plugin relation (as shown in the overlay).

To obtain a dedicated software gateway, the data plane components should be deployed with the principal ovn-dedicated-chassis charm.

High availability

OVN is natively HA. See the OVN section of the Infrastructure high availability page.


OVN integrates with OpenStack through the OVN ML2 driver. On OpenStack Ussuri and onwards the OVN ML2 driver is maintained as an in-tree driver in Neutron. On OpenStack Train it is maintained separately as per the networking-ovn plugin.

General Neutron configuration is still done through the neutron-api charm, and the subset of configuration specific to OVN is done through the neutron-api-plugin-ovn charm.


Create networks, routers, and subnets through the OpenStack API or CLI as you normally would.

The OVN ML2 driver will translate the OpenStack network constructs into high level logical rules in the OVN Northbound database.

The ovn-northd daemon in turn translates this into data in the Southbound database.

The local ovn-controller daemon on each chassis consumes these rules and programs flows in the local Open vSwitch database.

Specific topics on OVN usage are given below: