Versions Compared

...

Isolation of guest VM traffic is achieved using Security Groups in a Basic zone. In an Advanced zone, traffic can be isolated per network using VLANs. Currently a shared network can be shared by multiple accounts/tenants, and there is no way to isolate guest traffic within that network.

Purpose

The purpose of this document is to provide a functional specification for using SGs to isolate guest VMs within the same shared network in an Advanced zone. In an Advanced zone a VM can be on multiple shared networks and different NICs of a VM can have different SG sets, so in an Advanced zone SGs work at the NIC level.

Glossary

  • SG - Security Group
  • VR - Virtual Router
  • VM - User Virtual Machine

Function specification

Design

  • In an Advanced zone, SG is a zone-level flag: if a zone is SG enabled, all networks inside this zone must be SG enabled; if the zone is SG disabled, all networks inside this zone must be SG disabled.
  • All types of shared networks are supported in an SG enabled Advanced zone, including zone-wide shared networks, account-specific shared networks and domain-wide shared networks.
  • Isolated networks cannot be added to an SG enabled Advanced zone.
  • VPCs cannot be added to an SG enabled Advanced zone.
  • There can be multiple SG enabled shared networks in one SG enabled Advanced zone.
  • A user VM can be deployed on only one SG enabled network.
  • Only one network service provider is supported in an SG enabled Advanced zone: the Virtual Router.
  • At the NIC level, a NIC can be part of multiple SGs, and different NICs of a VM can be part of different SGs.
  • In an Advanced zone, SG is an option of the network offering; if a network is created with a network offering that has SG on, SGs can be applied to NICs on this network.
  • A shared network is created by the Admin. There is another option in the network offering that indicates whether a user can apply SGs to NICs on this network; if the option is off, only the Admin can apply SGs to NICs on this network. The reason for this is that the Admin might want to provide a service (for example a monitoring service) on this network and might not want user SG rules to break the service, or might not want user SG rules to allow guest VMs to access the utility/service VM/host directly in that network.
  • All network types will be supported.
  • All external devices will be supported; if a firewall external device is enabled, the user might need to configure both the firewall and SGs to allow traffic through.
  • All network service providers will be supported.
  • External devices like F5 and SRX cannot be added to an SG enabled Advanced zone.
  • KVM and XenServer hypervisors are supported; VMware, OVM, etc. are not supported.
  • SG functionality is the same as in a Basic zone in terms of Ingress/Egress rule behavior.
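The rules in the Design list interact (zone-level flag, SG as a network-offering option, the admin-only option, one SG enabled network per VM, several SGs per NIC), and the easiest way to see whether a deployment satisfies them is to make them executable. The following is an added example written for this page and is not CloudStack code; every class and function name (Zone, Network, NetworkOffering, Nic, Vm, deploy_vm, apply_sg, violates) is a hypothetical model of the spec, and the sample zone at the bottom is constructed.

```python
"""Executable model of the SG-in-Advanced-zone rules from the Design list.

Added example, not CloudStack code: Zone, Network, NetworkOffering, Nic, Vm,
deploy_vm, apply_sg and violates are hypothetical names that exist only to make
the spec's invariants checkable against constructed sample data.
"""
from dataclasses import dataclass, field


class SpecViolation(Exception):
    """Raised when an operation would break one of the Design rules."""


@dataclass
class NetworkOffering:
    name: str
    sg_enabled: bool          # the SG option of the network offering
    user_can_apply_sg: bool   # if False, only the Admin may attach SGs to NICs


@dataclass
class Network:
    name: str
    kind: str                 # "shared", "isolated" or "vpc"
    offering: NetworkOffering


@dataclass
class Zone:
    name: str
    sg_enabled: bool          # the zone-level SG flag
    networks: list = field(default_factory=list)

    def add_network(self, net: Network) -> None:
        # Only shared networks may live in an SG enabled Advanced zone.
        if self.sg_enabled and net.kind != "shared":
            raise SpecViolation(f"{net.kind} network not allowed in SG enabled zone")
        # The zone flag and the offering's SG option must agree.
        if net.offering.sg_enabled != self.sg_enabled:
            raise SpecViolation("zone and network offering SG flags must agree")
        self.networks.append(net)


@dataclass
class Nic:
    network: Network
    security_groups: set = field(default_factory=set)  # a NIC may be in several SGs


@dataclass
class Vm:
    name: str
    nics: list = field(default_factory=list)


def deploy_vm(zone: Zone, name: str, networks: list) -> Vm:
    """A VM gets one NIC per network but may sit on only one SG enabled network."""
    for n in networks:
        if n not in zone.networks:
            raise SpecViolation(f"network {n.name} is not in zone {zone.name}")
    if sum(1 for n in networks if n.offering.sg_enabled) > 1:
        raise SpecViolation("user VM can be deployed on only one SG enabled network")
    return Vm(name, [Nic(n) for n in networks])


def apply_sg(nic: Nic, sg: str, is_admin: bool) -> None:
    """Attach an SG to one NIC, honouring the offering's admin-only option."""
    off = nic.network.offering
    if not off.sg_enabled:
        raise SpecViolation("network offering has SG off")
    if not off.user_can_apply_sg and not is_admin:
        raise SpecViolation("only the Admin may apply SGs on this network")
    nic.security_groups.add(sg)


def violates(fn, *args) -> bool:
    """True if calling fn(*args) breaks a Design rule."""
    try:
        fn(*args)
        return False
    except SpecViolation:
        return True


if __name__ == "__main__":
    # Constructed sample: an SG enabled Advanced zone with an admin-only shared network.
    offering = NetworkOffering("sg-shared-admin-only", sg_enabled=True, user_can_apply_sg=False)
    zone = Zone("adv-sg", sg_enabled=True)
    shared = Network("shared1", "shared", offering)
    zone.add_network(shared)
    vm = deploy_vm(zone, "vm1", [shared])
    apply_sg(vm.nics[0], "web", is_admin=True)
    apply_sg(vm.nics[0], "monitoring", is_admin=True)
    print("NIC SGs:", sorted(vm.nics[0].security_groups))
    print("user may apply SG:", not violates(apply_sg, vm.nics[0], "user-sg", False))
```

Run as a script it prints the NIC's SG set and shows the admin-only option rejecting a user. The model reproduces the list literally, so in an SG enabled zone every network is SG enabled and a VM can therefore be placed on only one of them; the NIC-level behaviour (one NIC, several SGs) is what is left to exercise.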

Not supported

  • VMware, OVM, etc. hypervisors are not supported.
  • SGs on isolated/VPC networks are not supported.

API changes

  • Add a "securitygroupenabled" parameter (boolean, optional) to the listZones request.

...