...

  • SG is a zone-level flag: if a zone is SG enabled, all networks inside this zone must be SG enabled; if a zone is SG disabled, all networks inside this zone must be SG disabled.
  • All types of shared networks are supported in an SG enabled advanced zone, including zone-wide shared network, account-specific shared network, and domain-wide shared network.
  • Isolated networks cannot be added to an advanced SG enabled zone.
  • VPC cannot be added to an advanced SG enabled zone.
  • There can be multiple SG enabled shared networks in one advanced SG enabled zone.
  • A user VM can be deployed on multiple SG enabled networks.
  • SG is at VM level (not NIC level); if a VM has multiple NICs, the SG rules apply to all NICs.
  • An SG can span multiple networks; VMs on different networks can be in one SG.
  • Only one network service provider is supported in an advanced SG enabled zone: the Virtual Router.
  • External devices like F5 and SRX cannot be added to an advanced SG enabled zone.
  • Supports the KVM and XenServer hypervisors.
  • Does not support VMware, OVM, etc. hypervisors.
  • SG functionality is the same as in a Basic zone in terms of Ingress/Egress rule behavior.
  • No Isolated networks can be added to the Advanced SG enabled zone. No Shared Domain wide networks are allowed either.
  • If a VM is deployed in an SG enabled Shared network, it can't have more than 1 NIC; it can't belong to any other network.
  • When an Advanced zone is Security Group enabled ("securitygroupenabled=true" is passed to the createZone API call; the corresponding field is set to true in the DB), only one Shared Zone Wide SG Enabled Guest network can be added to this zone, plus any number of Shared Account Specific SG Disabled networks.
  • A Shared Zone Wide SG Enabled Guest network is required in an Advanced SG enabled zone because CPVM/SSVM use it.
  • A user VM can be deployed either in the Shared Zone Wide SG enabled network, or in 1-n Shared Account Specific networks. A combination of SG enabled and SG disabled networks for the same VM is not supported.

DB modifications

No DB modifications are needed

API changes

  • Add "securitygroupenabled" (boolean/optional) to the listZones request.

API behavior changes

  • CreateNetworkCmd
    In an advanced SG enabled zone, only an SG enabled shared network can be created; creation of other network types like isolated and public will fail.
    In an advanced SG disabled zone, SG enabled shared network creation will fail.
  • CreateVPCCmd
    Will fail in an advanced SG enabled zone.
  • AddF5LoadBalancerCmd
    Will fail in an advanced SG enabled zone.
  • AddSrxFirewallCmd
    Will fail in an advanced SG enabled zone.

UI Flow

The flows below require changes:

...

  • User can choose multiple networks
  • User can choose multiple SG

Work flow

3.0.x fixes

Add Zone flow

Don't create a Guest network automatically as part of addZone.

Add Traffic Type flow

Don't allow adding the Public Traffic Type to an SG enabled Advanced zone.

Create Guest Network flow

1) Only Shared Zone wide and Account specific networks can be added to the SG enabled Advanced zone.

2) Don't allow adding more than 1 Shared Zone wide network to the zone. This network has to:

  • Have VR as the provider for all its services
  • Have the SG service (mandatory)

System VMs (CPVM/SSVM) will have a NIC in the Shared SG network, so before that network is added, the system is not ready for user VM launch.

3) Only VR can be a provider for all the services.
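The rules of the Create Guest Network flow above (together with the CreateNetworkCmd behavior changes), written as an admission check that an operator could run against a request before it reaches the API. This is an added example, not CloudStack's own validation code; the `Zone`/`NetworkRequest` classes, the provider name "VirtualRouter" and the function name are assumptions.

```python
"""Pre-flight check for guest network creation in a CloudStack Advanced zone.

Added example encoding the rules listed on this page; not CloudStack code.
Class names, field names and the provider string are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Zone:
    security_group_enabled: bool      # the createZone "securitygroupenabled" flag
    existing_networks: List["NetworkRequest"] = field(default_factory=list)


@dataclass
class NetworkRequest:
    kind: str                         # "Shared", "Isolated" or "VPC"
    scope: str = "Zone"               # for Shared: "Zone", "Account" or "Domain"
    sg_service: bool = False          # SecurityGroup service requested
    providers: Dict[str, str] = field(default_factory=dict)  # service -> provider


def check_create_network(zone: Zone, req: NetworkRequest) -> Tuple[bool, str]:
    """Return (allowed, reason) for a CreateNetworkCmd against this zone."""
    if not zone.security_group_enabled:
        # SG disabled zone: every network in it must be SG disabled
        if req.sg_service:
            return False, "SG enabled network in SG disabled zone"
        return True, "ok"
    # SG enabled Advanced zone: all of the following must hold
    if req.kind != "Shared":
        return False, f"{req.kind} network not allowed in SG enabled zone"
    if req.scope not in ("Zone", "Account"):
        return False, "only Zone wide or Account specific shared networks allowed"
    non_vr = {s: p for s, p in req.providers.items() if p != "VirtualRouter"}
    if non_vr:
        return False, f"only VR may provide services, got {non_vr}"
    if req.scope == "Zone":
        if not req.sg_service:
            return False, "SG service is mandatory for the Shared Zone wide network"
        if any(n.scope == "Zone" for n in zone.existing_networks):
            return False, "zone already has its single Shared Zone wide network"
    return True, "ok"
```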

Client API changes

  • Add "securitygroupenabled" (boolean/optional) to the listZones request.

Upgrade flow

  • When creating physical network traffic types, don't create the Public traffic type.
  • The rest of the upgrade should be handled the same way as for other zones.

...