Version 14
Introduction
Purpose
Isolation of guest VM traffic is achieved using Security Groups in a Basic zone. In an Advanced zone, traffic can be isolated on a per-network basis using VLANs, but there is currently no way to isolate guest traffic within a single network.
The purpose of this document is to provide a functional specification for using SG to isolate guest VMs within the same network in an Advanced zone.
Glossary
- SG - Security Group
- VR - Virtual Router
- VM - User Virtual Machine
Function specification
- SG is a zone-level flag: if a zone is SG enabled, all networks inside this zone must be SG enabled; if a zone is SG disabled, all networks inside this zone must be SG disabled.
- All types of shared network are supported in an SG enabled advanced zone: zone-wide, account-specific and domain-wide shared networks.
- Isolated networks cannot be added to an advanced SG enabled zone.
- VPC cannot be added to an advanced SG enabled zone.
- There can be multiple SG enabled shared networks in one advanced SG enabled zone.
- A user VM can be deployed on only one SG enabled network.
- Only one network service provider is supported in an advanced SG enabled zone: the Virtual Router.
- External devices such as F5 and SRX cannot be added to an advanced SG enabled zone.
- Supported hypervisors: KVM and XenServer.
- VMware, OVM and other hypervisors are not supported.
- SG functionality is the same as in a Basic zone in terms of Ingress/Egress rule behavior.
API changes
- Add "securitygroupenabled" (boolean/optional) to the listZones request.
API behavior changes
- CreateNetworkCmd
In an advanced SG enabled zone, only SG enabled shared networks can be created; creation of other network types, such as isolated and public, will fail.
In an advanced SG disabled zone, SG enabled shared network creation will fail.
- CreateVPCCmd
Will fail in an advanced SG enabled zone.
- AddF5LoadBalancerCmd
Will fail in an advanced SG enabled zone.
- AddSrxFirewallCmd
Will fail in an advanced SG enabled zone.
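The zone/network consistency rules above (zone-level SG flag, allowed network types, VPC, external providers and hypervisors) written out as one validation routine, as an added example that is not part of this specification or of the CloudStack code base; the dataclass fields, function names and error strings are assumptions, and Basic zones are passed through unchecked.

```python
from dataclasses import dataclass
from typing import List

# Constructed model of the zone and request attributes this spec talks about (names assumed).
@dataclass(frozen=True)
class Zone:
    network_type: str   # "Basic" or "Advanced"
    sg_enabled: bool    # the zone-level "securitygroupenabled" flag

@dataclass(frozen=True)
class NetworkRequest:
    guest_type: str            # "Shared", "Isolated" or "Public"
    offering_sg_enabled: bool  # does the chosen network offering provide SG?

SUPPORTED_HYPERVISORS = {"KVM", "XenServer"}
SUPPORTED_PROVIDERS = {"VirtualRouter"}   # F5, SRX and other external devices are rejected

def _advanced_sg(zone: Zone) -> bool:
    return zone.network_type == "Advanced" and zone.sg_enabled

def check_create_network(zone: Zone, req: NetworkRequest) -> List[str]:
    """Reasons CreateNetworkCmd must fail under this spec; an empty list means allowed.
    Basic zones are out of scope here and are accepted unchanged."""
    errors = []
    if zone.network_type != "Advanced":
        return errors
    if zone.sg_enabled:
        # Only SG enabled shared networks may exist in an SG enabled advanced zone.
        if req.guest_type != "Shared":
            errors.append(f"{req.guest_type} network not allowed in SG enabled advanced zone")
        if not req.offering_sg_enabled:
            errors.append("network offering must be SG enabled in SG enabled advanced zone")
    elif req.offering_sg_enabled:
        # The zone-level flag is authoritative: SG disabled zone, SG disabled networks only.
        errors.append("SG enabled network not allowed in SG disabled advanced zone")
    return errors

def check_create_vpc(zone: Zone) -> List[str]:
    return ["VPC not allowed in SG enabled advanced zone"] if _advanced_sg(zone) else []

def check_add_provider(zone: Zone, provider: str) -> List[str]:
    if _advanced_sg(zone) and provider not in SUPPORTED_PROVIDERS:
        return [f"{provider} cannot be added to SG enabled advanced zone"]
    return []

def check_add_cluster(zone: Zone, hypervisor: str) -> List[str]:
    if _advanced_sg(zone) and hypervisor not in SUPPORTED_HYPERVISORS:
        return [f"{hypervisor} cluster not supported in SG enabled advanced zone"]
    return []
```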
UI Flow
The flows below require changes:
Add Zone
- Add a check box "Enable Security Group" to the first page of the Create Zone dialog. If Security Group is selected, pass securitygroupenabled=true to the addZone API call.
- As in a Basic zone, force the admin to create a guest shared network as part of zone creation, with only two differences: the VLAN field is required, and the network offering must be SG enabled.
- No Public traffic type support when adding an SG enabled Advanced zone.
- When adding the first cluster/host, KVM or XenServer can be chosen.
Add Cluster
- Allow adding a KVM or XenServer cluster to an advanced SG enabled zone.
Infrastructure -> Physical Networks Diagram -> Modify Guest traffic type -> Add Network
- All shared network types with an SG network offering are supported in an advanced SG enabled zone.
Networks tab
Deploy VM flow
- The user can choose one network.
Upgrade flow
- When creating physical network traffic types, do not create the Public traffic type.
- The rest of the upgrade should be handled the same way it is handled for other zones.
Future release plans
In future releases we are going to:
- Allow a VM to be on multiple SG enabled networks
- Add support for SG in Isolated networks
- Support the feature in VPC networks