Introduction
Purpose
Isolation of Guest VM traffic is achieved using Security Groups in Basic zone. For Advance zone, traffic can be isolated on per network basis using VLANs. Currently there is no way to isolate guest traffic within in Network.
In 2.2.x version of the CloudStack, we used to support SG isolation in Shared Zone wide network in Advance zone. In 3.0, this functionality was temporarily disabled. We have to re-enable it back in the next CloudStack release to support upgrade for existing 2.2.x customers using this feature.
Glossary
- SG - Security Group
- VR - Virtual Router
- VM - User Virtual Machine
Requirements
Major point is, make the feature work just the way it worked in 2.2.x. We might extend the functionality later on.
- Feature is supported for Shared zone wide network only in Advance zone
- When Advance zone is Security Group enabled, only one Shared Zone Wide Guest network can be added to the zone.
- Any number of Shared Account Specific SG Disabled networks can be added to the Advance SG enabled zone
- User vm can be deployed either in Shared Zone Wide SG enabled network, or in 1-n Shared Account Specific networks. Combination of SG enabled and SG disabled networks for the same VM is not supported.
- Only supported on KVM hypervisor.
- Only one provider is supported - Virtual Router
- SG functionality should be the same as in Basic zone in terms of Ingress/Egress rules behavior
Feature specification
Code changes
As the 2.2.x code was never removed, we just have to make sure it works + put some additional limitations/fixes to the API related to the 3.0.x changes to NaaS (there was no notion of Physical network/Traffic types in 2.2.x; plus in 2.2.x Shared Zone wide network was created automatically as a part of addZone call.
Things to check:
Make sure that all 2.2.x limitations for Advance SG zone, are still respected in the code. And fix if something got broken/disabled along the way.
3.0.x fixes
Add Zone flow
Don't create Guest network automatically as a part of addZone
Add Traffic Type flow
Don't allow adding Public Traffic Type to the SG enabled Advance zone.
Create Guest Network flow
1) Only Shared Zone wide and Account specific networks can be added to the SG enabled Advance zone.
2) Don't allow to add more than 1 Shared Zone wide network to the zone. This network has to:
- Have VR as the provider for all its services
- SG Service should be mandatory
System vms (CPVM/SSVM) will have a NIC in the Shared SG network, so before the network is added, the system is not ready for user vm launch.
3) Only VR can be a provider for all the services
Client API changes
- Add "securitygroupenabled" (boolean/optional) to the listZones request.
DB modifications
No DB modifications are needed
UI
The flows below require changes:
Add Zone
- Show Isolation type (Vlan and Security Group) as selectable option when create Advance zone. Put it on the first page. If Security Group selected, pass
securitygroupenabled=true to the addZone api call. You can duplicate this logic from 2.2.x code.
- Like in Basic zone, we should force admin to create Guest Network as a part of zone creation. With the only one difference - Vlan field is required.
- No Public traffic type support when add SG Advance zone
- Allow having multiple physical networks though.
- When add first cluster/host, show KVM as the only one available hypervisor.
Add Cluster
- Only allow adding KVM cluster to Advance SG enabled zone
Infrastructure -> Modify Guest traffic type
- Only allow adding Shared Account specific network when the zone is Advance
Networks tab
- Add SecurityGroup to the list of Views (drop box) on the top of the view. Show it only when 1) there is at least 1 Basic zone in the cloudStack 2) There is at least one Advance zone that is SG enabled (execute listZones&securitygroupenabled=true)
Deploy VM flow
- Get all the networks available to the User with a simple listNetworks&account=&domainId API call
- Don't allow user to select combination of SG enabled and disabled network
- When SG enabled network is selected, show Security Group list to select from
Upgrade flow
- When create physical network traffic types, don't create Public traffic type.
- The rest of the upgrade should be handled the same way we handle it for other zones