...

Isolation of guest VM traffic is achieved using Security Groups in a Basic zone. In an Advanced zone, traffic can be isolated on a per-network basis using VLANs. Currently there is no way to isolate guest traffic within a network.
In the 2.2.x version of CloudStack, we used to support SG isolation in a shared zone-wide network in an Advanced zone. In 3.0, this functionality was temporarily disabled. We have to re-enable it in the next CloudStack release to support upgrades for existing 2.2.x customers using this feature. The purpose of this document is to provide the functional specification for using SG to isolate guest VMs within the same network in an Advanced zone.

Glossary

  • SG - Security Group
  • VR - Virtual Router
  • VM - User Virtual Machine

Requirements

The main requirement is to make the feature work just the way it worked in 2.2.x. We will extend the functionality later on.

  • SG is a zone-level flag: if a zone is SG enabled, all networks inside this zone must be SG enabled; if a zone is SG disabled, all networks inside this zone must be SG disabled.
  • All types of shared networks are supported in an SG enabled Advanced zone, including zone-wide shared networks, account-specific shared networks and domain-wide shared networks.
  • Isolated networks cannot be added to an SG enabled Advanced zone.
  • There can be multiple SG enabled shared networks in one SG enabled Advanced zone.
  • A user VM can be deployed on multiple SG enabled networks.
  • SG is on the VM level (not the NIC level): if a VM has multiple NICs, the SG rule applies to all NICs.
  • An SG can cross multiple networks: VMs on different networks can be in one SG.
  • Only one network service provider is supported in an SG enabled Advanced zone - Virtual Router.
  • The KVM and XenServer hypervisors are supported.
  • VMware, OVM and other hypervisors are not supported.
  • SG functionality is the same as in a Basic zone in terms of Ingress/Egress rule behavior.
  • No Isolated networks can be added to an SG enabled Advanced zone. No Shared Domain-wide networks are allowed either.
  • If a VM is deployed in an SG enabled Shared network, it can't have more than 1 NIC, so it can't belong to any other network.
  • The feature is supported only for Shared zone-wide networks in an Advanced zone.
  • When an Advanced zone is Security Group enabled ("securitygroupenabled=true" is passed to the createZone API call; the corresponding field is set to true in the DB), only one Shared Zone Wide SG Enabled Guest network can be added to this zone, plus any number of Shared Account Specific SG Disabled networks.
  • A Shared Zone Wide SG Enabled Guest network is required in an SG enabled Advanced zone, as the CPVM/SSVM use it.
  • A user VM can be deployed either in the Shared Zone Wide SG enabled network or in 1-n Shared Account Specific networks. A combination of SG enabled and SG disabled networks for the same VM is not supported.
  • Only supported on the KVM hypervisor.
  • Only one provider is supported - Virtual Router.
  • SG functionality should be the same as in a Basic zone in terms of Ingress/Egress rule behavior.
  • No Isolated networks can be added to an SG enabled Advanced zone. No Shared Domain-wide networks are allowed either.
  • If a VM is deployed in an SG enabled Shared network, it can't have more than 1 NIC, so it can't belong to any other network.
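The following is an added example, not part of this specification or of the CloudStack code base. It encodes the second block of requirements above (from "The feature is supported only for Shared zone-wide networks" onward: KVM only, Virtual Router only, exactly one Shared Zone Wide SG enabled network plus any number of Shared Account Specific SG disabled networks, and no mixing of SG enabled and SG disabled networks on one VM) as validation checks over a constructed zone model, so the admissible and inadmissible configurations can be tried out directly. The `Network`/`Zone` classes, the network `kind` labels and the sample names are assumptions made for this illustration, not CloudStack API objects.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed model of an SG-enabled Advanced zone; the field names and the
# "kind" labels below are assumptions for this example, not CloudStack's own.
@dataclass
class Network:
    name: str
    kind: str                 # shared-zone | shared-account | shared-domain | isolated
    sg_enabled: bool
    provider: str = "VirtualRouter"

@dataclass
class Zone:
    name: str
    sg_enabled: bool          # the "securitygroupenabled" flag set at zone creation
    hypervisor: str
    networks: List[Network] = field(default_factory=list)

def zone_violations(zone: Zone) -> List[str]:
    """Return the requirements an SG-enabled Advanced zone breaks (empty list = OK)."""
    problems: List[str] = []
    if not zone.sg_enabled:
        return problems                       # rules below apply to SG-enabled zones only
    if zone.hypervisor != "KVM":
        problems.append(f"hypervisor {zone.hypervisor} not supported; only KVM")
    zone_wide_sg = [n for n in zone.networks if n.kind == "shared-zone" and n.sg_enabled]
    if len(zone_wide_sg) != 1:                # required by CPVM/SSVM, and at most one
        problems.append(f"need exactly one Shared Zone Wide SG enabled network, found {len(zone_wide_sg)}")
    for n in zone.networks:
        if n.kind in ("isolated", "shared-domain"):
            problems.append(f"{n.name}: {n.kind} networks are not allowed in an SG enabled Advanced zone")
        elif n.kind == "shared-account" and n.sg_enabled:
            problems.append(f"{n.name}: Shared Account Specific networks must be SG disabled")
        elif n.kind == "shared-zone" and not n.sg_enabled:
            problems.append(f"{n.name}: the Shared Zone Wide network must be SG enabled")
        if n.provider != "VirtualRouter":
            problems.append(f"{n.name}: provider {n.provider} not supported; only Virtual Router")
    return problems

def vm_violations(zone: Zone, nic_networks: List[str]) -> List[str]:
    """Check the networks (by name) a user VM is to get NICs on against the VM rules."""
    by_name = {n.name: n for n in zone.networks}
    unknown = [x for x in nic_networks if x not in by_name]
    if unknown:
        return [f"unknown network(s): {unknown}"]
    if not nic_networks:
        return ["VM needs at least one network"]
    nets = [by_name[x] for x in nic_networks]
    problems: List[str] = []
    # A VM on the SG enabled shared network may have only that one NIC; this also
    # rules out mixing SG enabled and SG disabled networks on the same VM.
    if any(n.sg_enabled for n in nets) and len(nets) > 1:
        problems.append("VM on an SG enabled Shared network may have only one NIC (no other networks)")
    return problems

# Constructed sample zone that satisfies every rule above.
SAMPLE_ZONE = Zone(
    name="zone1", sg_enabled=True, hypervisor="KVM",
    networks=[
        Network("guest-zonewide", "shared-zone", sg_enabled=True),
        Network("acct-a", "shared-account", sg_enabled=False),
        Network("acct-b", "shared-account", sg_enabled=False),
    ],
)

if __name__ == "__main__":
    print("zone:", zone_violations(SAMPLE_ZONE) or "OK")
    print("vm on SG net:", vm_violations(SAMPLE_ZONE, ["guest-zonewide"]) or "OK")
    print("vm on two account nets:", vm_violations(SAMPLE_ZONE, ["acct-a", "acct-b"]) or "OK")
    print("vm mixing:", vm_violations(SAMPLE_ZONE, ["guest-zonewide", "acct-a"]))
```

Running the block reports the sample zone as valid, accepts a VM on the zone-wide SG enabled network alone or on both account-specific networks, and rejects the VM that mixes the two, which is the case the last two bullets forbid.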

Feature specification

Code changes

...