Versions Compared

...

In addition, the following API calls will be modified in a backward compatible manner, to allow a collection of NICs to be specified when deploying a new virtual machine, to clarify which NICs will be returned as a result of a list virtual machines command, and to specify that the security groups for a NIC be listed:

  • deployVirtualMachine
  • listVirtualMachines
  • listSecurityGroups

...

The main functional change arising from this proposal is that security groups, previously associated with a virtual machine, will now be associated with a NIC. When a NIC is created via the createNic command, zero or more security groups may be associated with the NIC.

The security group rules will be applied when a NIC is attached to a virtual machine, and will only affect traffic to/from the network to which the NIC is attached. For example, if a NIC connected to network net1 has a security group that allows ingress on port TCP/80, then when it is attached to a virtual machine, the firewall rules will be changed to allow traffic on port TCP/80 from net1 into the virtual machine. This must have no effect on the ingress/egress rules being applied to other NICs on the virtual machine.

The legacy semantics of the deployVirtualMachine operation will be preserved; if there are security groups specified as part of a deployVirtualMachine command, then they will be associated with each of the NICs that get created as a result of that command. For example, consider a system with two security groups (sg1 and sg2) and two networks (net1 and net2) and a command of the form

...
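The two semantics described above (security groups bound per NIC and scoped to that NIC's network, and the legacy deployVirtualMachine fan-out onto every created NIC) as an added illustrative model; this is example code, not CloudStack's own implementation, and every class and function name in it is assumed for the example.

```python
from dataclasses import dataclass, field

# Illustrative model of the proposed semantics only; not CloudStack's own code.
# All class and function names here are assumed for the example.

@dataclass(frozen=True)
class Rule:
    direction: str  # "ingress" or "egress"
    proto: str
    port: int

@dataclass
class SecurityGroup:
    name: str
    rules: frozenset

@dataclass
class Nic:
    network: str
    security_groups: list = field(default_factory=list)

@dataclass
class VirtualMachine:
    name: str
    nics: list = field(default_factory=list)

def create_nic(network, security_groups=()):
    """createNic: zero or more security groups are bound to the NIC itself."""
    return Nic(network, list(security_groups))

def deploy_virtual_machine(name, networks, security_groups=()):
    """Legacy deployVirtualMachine: groups named at deploy time go onto every NIC created."""
    return VirtualMachine(name, [create_nic(net, security_groups) for net in networks])

def effective_rules(vm):
    """Rules in force once NICs are attached; each is scoped to its own NIC's network only."""
    return {(nic.network, rule)
            for nic in vm.nics for sg in nic.security_groups for rule in sg.rules}

def is_allowed(vm, network, direction, proto, port):
    """Would traffic in this direction on proto/port be permitted on the given network?"""
    return (network, Rule(direction, proto, port)) in effective_rules(vm)

if __name__ == "__main__":
    sg1 = SecurityGroup("sg1", frozenset({Rule("ingress", "tcp", 80)}))
    vm = VirtualMachine("vm1", [create_nic("net1", [sg1]), create_nic("net2")])
    print(is_allowed(vm, "net1", "ingress", "tcp", 80))  # True: sg1 sits on the net1 NIC
    print(is_allowed(vm, "net2", "ingress", "tcp", 80))  # False: the net2 NIC is untouched
```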

The feature allows the IaaS user great freedom in creating virtual machines and attaching them to networks.

One scenario would allow an IaaS user to construct a long-lived service at a defined network identity by creating a NIC and associating it with a virtual machine. During the life of the service it may be that an update of the virtual machine is required (e.g. to apply security patches). In this case the old virtual machine can be destroyed but the NIC retained. When the new (patched) virtual machine is created, it can be associated with the existing NIC and so continue to implement the service.

...