Introduction

Purpose

Isolation of guest VM traffic is achieved using Security Groups in a Basic zone. In an Advanced zone, a shared network can be shared by multiple accounts/tenants, and there is no way to isolate traffic within such a network. The purpose of this document is to provide a functional specification for using SG to isolate guest VMs within a shared network in an Advanced zone. In an Advanced zone a VM can be on multiple shared networks, and different NICs of a VM can have different SG sets; that is, SG works at NIC level in an Advanced zone.

Glossary

  • SG - Security Group
  • VR - Virtual Router
  • VM - User Virtual Machine

Design

  • In an Advanced zone, SG is applied at NIC level: a NIC can be part of multiple SGs, and different NICs of a VM can be part of different SGs.
  • In an Advanced zone, SG is an option of the network offering. If a network is created with a network offering that has SG on, SG can be applied to NICs on this network.
  • A shared network is created by Admin. There is another option in the network offering to indicate whether a user can apply SG to NICs on this network; if the option is off, only Admin can apply SG to NICs on this network. The reason is that Admin might provide a service (for example a monitoring service) on this network and might not want user SG rules to break that service, or might not want user SG rules to allow guest VMs to access the utility/service VM/host directly in that network.
  • All network types will be supported.
  • All external devices will be supported. If an external firewall device is enabled, the user might need to configure both the firewall and SG to allow traffic through.
  • All network service providers will be supported.
  • KVM and XenServer hypervisors are supported.
  • SG functionality is the same as in a Basic zone in terms of Ingress/Egress rule behavior.

Not supported

  • VMware, OVM, etc. hypervisors are not supported.
  • SG on Isolated/VPC networks is not supported.

API changes

  • Add "securitygroupenabled" (boolean/optional) to the listZones request.

API behavior changes

  • CreateNetworkCmd
    In an advanced SG-enabled zone, only SG-enabled shared networks can be created; creation of other network types such as isolated and public will fail.
    In an advanced SG-disabled zone, SG-enabled shared network creation will fail.
  • CreateVPCCmd
    will fail in advanced SG enabled zone
  • AddF5LoadBalancerCmd
    will fail in advanced SG enabled zone
  • AddSrxFirewallCmd
    will fail in advanced SG enabled zone
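The Design bullets above (NIC-level SG membership, the offering's SG flag and its admin-only option) and the API behavior changes in this section are policy rules, and it is easy to lose track of which combination is accepted and which "will fail". The block below is an added reference model written for this page; it is not CloudStack code, and the class and attribute names (Zone, NetworkOffering, Nic, user_can_apply_sg, PolicyError) are assumptions chosen for illustration. The scenario data is constructed: one VM with two NICs on two shared networks, each NIC carrying a different SG set, which is exactly the per-NIC behavior the Design section calls for.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NetworkOffering:
    name: str
    sg_enabled: bool                # the "SG is on" option of the offering
    user_can_apply_sg: bool = True  # hypothetical name for the page's second offering option


@dataclass
class Zone:
    name: str
    network_type: str   # "Basic" or "Advanced"
    sg_enabled: bool    # the securitygroupenabled flag


@dataclass
class Network:
    name: str
    zone: Zone
    kind: str           # "Shared", "Isolated" or "Public"
    offering: NetworkOffering


@dataclass
class Nic:
    network: Network
    security_groups: set = field(default_factory=set)   # SG membership is per NIC, not per VM


class PolicyError(Exception):
    """Raised wherever the page says an API call 'will fail'."""


def create_network(zone, name, kind, offering):
    """CreateNetworkCmd behaviour in advanced zones, as described on this page."""
    if zone.network_type == "Advanced":
        if zone.sg_enabled and not (kind == "Shared" and offering.sg_enabled):
            raise PolicyError("SG-enabled advanced zone: only SG-enabled shared networks can be created")
        if not zone.sg_enabled and kind == "Shared" and offering.sg_enabled:
            raise PolicyError("SG-disabled advanced zone: SG-enabled shared network creation fails")
    return Network(name, zone, kind, offering)


def require_sg_disabled_zone(zone, command):
    """CreateVPCCmd, AddF5LoadBalancerCmd and AddSrxFirewallCmd fail in SG-enabled advanced zones."""
    if zone.network_type == "Advanced" and zone.sg_enabled:
        raise PolicyError(f"{command} is not allowed in an SG-enabled advanced zone")
    return True


def apply_security_group(nic, sg_name, is_admin):
    """Attach an SG to one NIC, honouring the offering's SG flag and its admin-only option."""
    offering = nic.network.offering
    if not offering.sg_enabled:
        raise PolicyError("network offering does not have SG enabled")
    if not is_admin and not offering.user_can_apply_sg:
        raise PolicyError("only Admin may apply SG to NICs on this network")
    nic.security_groups.add(sg_name)


def ingress_allowed(nic, rules, proto, port, src_ip):
    """Ingress is allowed if any rule of any SG on *this NIC* matches (union, as in Basic zone).

    rules maps SG name -> list of (proto, start_port, end_port, source_cidr)."""
    src = ipaddress.ip_address(src_ip)
    for sg in nic.security_groups:
        for r_proto, start, end, cidr in rules.get(sg, []):
            if r_proto == proto and start <= port <= end and src in ipaddress.ip_network(cidr):
                return True
    return False


def is_rejected(fn, *args, **kwargs):
    """True if the call raises PolicyError; used to check the 'will fail' cases."""
    try:
        fn(*args, **kwargs)
    except PolicyError:
        return True
    return False


def demo():
    """Constructed scenario: one VM, two NICs on two SG-enabled shared networks."""
    zone = Zone("adv-sg-zone", "Advanced", sg_enabled=True)
    user_off = NetworkOffering("SharedSG", sg_enabled=True)
    admin_off = NetworkOffering("SharedSG-AdminOnly", sg_enabled=True, user_can_apply_sg=False)
    web_net = create_network(zone, "web", "Shared", user_off)
    mon_net = create_network(zone, "monitoring", "Shared", admin_off)

    nic0, nic1 = Nic(web_net), Nic(mon_net)
    apply_security_group(nic0, "web-sg", is_admin=False)
    apply_security_group(nic1, "mon-sg", is_admin=True)   # a non-admin is refused on this network

    rules = {
        "web-sg": [("tcp", 80, 80, "0.0.0.0/0")],
        "mon-sg": [("tcp", 22, 22, "10.0.0.0/8")],
    }
    return {
        "nic0_http_from_internet": ingress_allowed(nic0, rules, "tcp", 80, "203.0.113.7"),
        "nic1_http_from_internet": ingress_allowed(nic1, rules, "tcp", 80, "203.0.113.7"),
        "nic1_ssh_from_mgmt": ingress_allowed(nic1, rules, "tcp", 22, "10.1.2.3"),
        "nic1_ssh_from_internet": ingress_allowed(nic1, rules, "tcp", 22, "203.0.113.7"),
        "user_sg_on_admin_only_net_rejected": is_rejected(apply_security_group, nic1, "x", False),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is that the rule set evaluated for a packet depends on the NIC it arrives on, not on the VM: the monitoring NIC does not inherit the web NIC's port 80 rule, and a user cannot widen the monitoring network's rules because that offering has the admin-only option off.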

UI Flow

The flows below require changes:

Add Zone

  • Add check box "Enable Security Group" to the first page of create Zone dialog. If Security Group selected, pass
    securitygroupenabled=true to the addZone api call.
  • Like in a Basic zone, we should force admin to create a Guest shared network as part of zone creation, with only 2 differences: the VLAN field is required, and the network offering should be SG enabled.
  • No Public traffic type support when adding an SG Advanced zone.
  • When adding the first cluster/host, KVM/XenServer can be chosen.

Add Cluster

  • Allow adding a KVM/XenServer cluster to an advanced SG-enabled zone.

Infrastructure -> PhysicalNetworks Diagram -> Modify Guest traffic type->AddNetwork

  • All shared network types with an SG network offering are supported in an advanced SG-enabled zone.

Networks tab

  • Show all networks.

Deploy VM flow

  • User can choose one network

Upgrade flow

  • When creating physical network traffic types, don't create the Public traffic type.
  • The rest of the upgrade should be handled the same way as for other zones.

Future release plans

In the future releases we are going to:

  • Allow a VM to be on multiple SG-enabled networks
  • Add support for SG in Isolated networks
  • Add support for SG in VPC networks