Introduction

Purpose

Enable CloudStack to place one firewall device in front of one load balancing device.

Document History

Glossary

Feature Specifications

  • This feature allows one firewall to be placed in front of the load balancing device. The firewall becomes the gateway for all incoming traffic and redirects the load-balanced traffic to the load balancer behind it. In this setup the load balancer has no direct access to the public network.
  • Currently this feature only supports:
    • Juniper SRX as the firewall service provider
    • F5 BIG-IP as the load balancing service provider
    • Only one instance of each external device in a zone
    • Only "per zone" (shared) Source NAT for SRX
    • Only the "shared" load balancing policy for F5
    • Only Isolated networks
  • Upgrade from previous versions of SRX & F5 inline mode
    • Upgrading from the 2.2.x inline mode is not supported.
  • As part of the inline mode work, we also updated the firewall support on SRX; please refer to https://cwiki.apache.org/CLOUDSTACK/static-nat-port-forwarding-and-firewall-implementation-on-srx.html for the latest information on firewall support on SRX.

Use cases

  1. Configure F5 and SRX.
    1. Refer to the Juniper SRX configuration information and the F5 Device Installation Instructions.
  2. Add the SRX and F5 to one CloudStack zone.
    1. Choose "per zone" source NAT when adding the SRX.
    2. Uncheck "dedicated" when adding the F5.
  3. Enable these devices.
  4. Create a network offering (e.g. named "SRX-F5-inline") using SRX as the provider for Firewall, PortForwarding, SourceNat and StaticNat; F5 for Load Balancing; and VirtualRouter for DNS, DHCP and user data. VPN is not supported in this combination.
    1. Select the INLINE mode option for the network offering.
  5. Start a new VM with the new network offering.
  6. Add firewall rules and load balancing rules as usual.

Architecture and Design description

  • When a user adds a new load balancing rule, CloudStack:
    1. Finds an unused guest IP in the network's existing guest IP pool.
    2. Creates a static NAT rule on the firewall so that all traffic sent to the public IP (the one used for load balancing) is redirected to this guest IP.
    3. Creates a load balancing rule on the load balancer using that guest IP as the source IP (instead of the public IP, as in side-by-side mode).
    4. Thus all traffic to the public IP is redirected to the load balancer's internal guest IP and finally reaches the guest VMs according to the load balancing policy on the load balancer.
  • When a user adds a firewall rule (for the load balancing rules):
    1. Since the public IP is not used by the load balancer in this mode, the firewall rule can be configured on the firewall (which owns the public IP) without any trouble.
  • This design means every public IP used for a load balancing rule also consumes one guest IP.
  • The static NAT rule connecting the firewall and the load balancer is not shown in CloudStack's firewall table; it is considered part of the implementation of the load balancing rule itself.
  • Inline mode is now a property of the network offering. One F5 device can be used in an "inline" network and a "side-by-side" network at the same time.
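The following is an added example, not CloudStack code, that models the rule orchestration described above so its side effects can be checked: one guest IP is taken from the pool per public IP, a static NAT (public IP to guest IP) is recorded for the firewall, the load balancer rule is keyed on the guest IP, and the NAT entry is kept out of the user-visible firewall table. Device calls are recorded in plain data structures instead of being sent to an SRX or F5; the guest CIDR, addresses and the assumption that a second LB rule on the same public IP reuses the already allocated guest IP are all constructed for the illustration.

```python
"""Model of the inline-mode orchestration (added example, not CloudStack code)."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class NatRule:
    """Static NAT the firewall (SRX) would hold: public IP -> guest IP."""
    public_ip: str
    guest_ip: str


@dataclass
class LbRule:
    """Rule the load balancer (F5) would hold; the VIP is a guest IP in inline mode."""
    vip: str
    port: int
    members: tuple  # guest VM IPs behind the rule


@dataclass
class InlineNetwork:
    guest_cidr: str
    used_guest_ips: set = field(default_factory=set)  # gateway, VMs, LB VIPs
    firewall_nat: dict = field(default_factory=dict)  # public_ip -> NatRule (internal only)
    user_firewall_rules: list = field(default_factory=list)  # what the CS firewall table shows
    lb_rules: list = field(default_factory=list)

    def _allocate_guest_ip(self) -> str:
        # Step 1: first unused address in the guest pool; fail loudly when exhausted.
        for host in ipaddress.ip_network(self.guest_cidr).hosts():
            ip = str(host)
            if ip not in self.used_guest_ips:
                self.used_guest_ips.add(ip)
                return ip
        raise RuntimeError("guest IP pool exhausted: no address left for an LB VIP")

    def add_lb_rule(self, public_ip: str, port: int, members) -> LbRule:
        # Step 2: one guest IP and one static NAT per public IP (assumption: reused
        # by further rules on the same public IP). Not added to user_firewall_rules.
        nat = self.firewall_nat.get(public_ip)
        if nat is None:
            nat = NatRule(public_ip, self._allocate_guest_ip())
            self.firewall_nat[public_ip] = nat
        # Step 3: the LB rule uses the guest IP, never the public IP.
        rule = LbRule(nat.guest_ip, port, tuple(members))
        self.lb_rules.append(rule)
        return rule

    def remove_lb_rule(self, rule: LbRule) -> None:
        # Release the NAT entry and the guest IP once no rule uses that VIP.
        self.lb_rules.remove(rule)
        if not any(r.vip == rule.vip for r in self.lb_rules):
            public_ip = next(p for p, n in self.firewall_nat.items() if n.guest_ip == rule.vip)
            del self.firewall_nat[public_ip]
            self.used_guest_ips.discard(rule.vip)

    def add_firewall_rule(self, public_ip: str, port: int) -> None:
        # The public IP belongs to the firewall, so the user rule goes there directly.
        self.user_firewall_rules.append((public_ip, port))

    def traffic_path(self, public_ip: str, port: int) -> list:
        """Hops a packet to public_ip:port takes (step 4), or [] if nothing matches."""
        nat = self.firewall_nat.get(public_ip)
        if nat is None:
            return []
        for rule in self.lb_rules:
            if rule.vip == nat.guest_ip and rule.port == port:
                return [f"SRX static NAT {public_ip} -> {nat.guest_ip}",
                        f"F5 VIP {nat.guest_ip}:{port} -> {', '.join(rule.members)}"]
        return []


if __name__ == "__main__":
    # Constructed sample: /29 guest range with the gateway and one VM already in use.
    net = InlineNetwork("10.1.1.0/29", used_guest_ips={"10.1.1.1", "10.1.1.2"})
    rule = net.add_lb_rule("203.0.113.10", 80, ["10.1.1.2"])
    net.add_firewall_rule("203.0.113.10", 80)
    print("LB VIP (guest IP):", rule.vip)
    print("firewall table seen by the user:", net.user_firewall_rules)
    print("\n".join(net.traffic_path("203.0.113.10", 80)))
```

Running the model shows the two points the design makes: the user-visible firewall table holds only the rule the user added, while the static NAT that makes the path work lives in `firewall_nat`, and each public IP used for load balancing costs one address from the guest pool until its last LB rule is removed.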

web services APIs

list changes to existing web services APIs and new APIs introduced with signatures and throughout documentation

UI flow

  • either demonstrate it visually here or link to relevant mockups

Appendix

Appendix A:

Appendix B:
