THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
Page History
...
- SG - Security Group
- VR - Virtual Router
- VM - User Virtual Machine
...
Function specification
- SG is zone-level flag, if a zone is SG enabled, all networks inside this zone must be SG enabled., if zone is SG disabled, all networks inside this zone must be SG disabled.
- All types of shared networks are supported in SG enabled advanced zone, including zone-wide shared network, account-specific shared network, domain-wide shared network.
- Isolated networks cannot be added to advanced SG enabled zone.
- VPC cannot be added to advanced SG enabled zone
- There can be multiple SG enabled shared network in one advanced SG enabled zone
- User VM can be deployed on multiple SG enabled networks.
- SG is on VM level(not NIC level), if a VM has multiple NICs, SG rule applies to all NICs.
- SG can cross multiple networks, VMs on different networks can be in one SG.
- Only one network service provider is supported in advanced SG enabled zone - Virtual Router
- support KVM and XenServer hypervisor.
- Don't support Vmware, OVM, etc. hypervisor
- SG functionality is as same as in Basic zone in terms of Ingress/Egress rules behavior
...
- When Advance zone is Security Group enabled ("securitygroupenabled=true" is passed to createZone API call; corresponding field is being set to true in the DB), only one Shared Zone Wide SG Enabled Guest network can be added to this zone + any number of Shared Account Specific SG Disabled networks.
- Shared Zone Wide SG Enabled Guest network is required in Advance SG enabled zone as CPVM/SSVM are using it.
- User vm can be deployed either in Shared Zone Wide SG enabled network, or in 1-n Shared Account Specific networks. Combination of SG enabled and SG disabled networks for the same VM is not supported.
Feature specification
Code changes
As the 2.2.x code was never removed, we just have to make sure it works + put some additional limitations/fixes to the API related to the 3.0.x changes to NaaS (there was no notion of Physical network/Traffic types in 2.2.x; plus in 2.2.x Shared Zone wide network was created automatically as a part of addZone call.
Things to check:
...
DB modifications
No DB modifications are needed
UI Flow
The flows below require changes:
Add Zone
- Add check box "Enable Security Group" to the first page of create Zone dialog. If Security Group selected, pass
securitygroupenabled=true to the addZone api call. - Like in Basic zone, we should force admin to create Guest shared network as a part of zone creation. With the only 2 differences - VLAN field is required; and network offering should be SG enabled.
- No Public traffic type support when add SG Advance zone
- When add first cluster/host, KVM/XenServer can be chosen.
Add Cluster
- allow adding KVM/XenServer cluster to advanced SG enabled zone
Infrastructure -> PhysicalNetworks Diagram -> Modify Guest traffic type->AddNetwork
- all shared networks type with SG network offering are supported in advanced SG enabled zone
Networks tab
- show all networks
Deploy VM flow
- User can choose multiple networks
- User can choose multiple SG
Work flow
3.0.x fixes
Add Zone flow
Don't create Guest network automatically as a part of addZone
...
- Add "securitygroupenabled" (boolean/optional) to the listZones request.
...
No DB modifications are needed
UI
The flows below require changes:
Add Zone
- Add check box "Enable Security Group" to the first page of create Zone dialog. If Security Group selected, pass
securitygroupenabled=true to the addZone api call. - When create physical network(s) on the next page, show L3(security groups) isolation option as a choice only when "Enable SecurityGroup" was checked when create the zone. And show it only for one of the physical networks as we allow to have only one Shared SG enabled network in the zone at this point.
- Add an ability to select multiple Isolation methods at the same time (Vlan, L3, GRE). Pass it as a coma separated list to createPhysicalNetwork call (API already supports it)
- Like in Basic zone, we should force admin to create Guest Network as a part of zone creation. With the only 2 differences - Vlan field is required; and network offering should be SG enabled.
- No Public traffic type support when add SG Advance zone
- Allow having multiple physical networks though.
- When add first cluster/host, show KVM as the only one available hypervisor.
Add Cluster
- Only allow adding KVM cluster to Advance SG enabled zone
Infrastructure -> PhysicalNetworks Diagram -> Modify Guest traffic type->AddNetwork
- Only allow adding Shared Account specific networks (SG disabled) when the zone is Advance SG enabled
- If there are no Shared Zone wide SG enabled network in the zone (user created the zone using API and didn't add the network yet); allow to add SG enabled Zone wide shared network.
Networks tab
- Add SecurityGroup to the list of Views (drop box) on the top of the view. Show it only when 1) there is at least 1 Basic zone in the cloudStack 2) There is at least one Advance zone that is SG enabled (execute listZones&securitygroupenabled=true)
Deploy VM flow
- Get all the networks available to the User with a simple listNetworks&account=&domainId&type=Shared API call
- Don't allow user to select combination of SG enabled and disabled network
- When SG enabled network is selected, show Security Group list to select from
Upgrade flow
- When create physical network traffic types, don't create Public traffic type.
- The rest of the upgrade should be handled the same way we handle it for other zones
...
In the future releases we are going to:
...
- Add support for SG in Isolated networks
- Implement SG based Isolation across Shared networks.
- Support for SG enabled Vm to have multiple Nics (being deployed in multiple networks)
- Feature support in VPC networksAdd support for Xen hypervisor in Advance SG enabled network
Overview
Content Tools
Apps