Geoff Higginbottom is a cloud architect and CTO of ShapeBlue who specializes in designing and building clouds based on Apache CloudStack. He has experience implementing CloudStack for various companies and is a committer for CloudStack. The document provides an overview of networking in CloudStack, including basic and advanced networking options, security groups, virtual private clouds, and the different network components and providers that can be used.
2. www.shapeblue.com @CloudStackGuru
About Me
Cloud Architect & ShapeBlue CTO
Specialise in:
Designing & Building Clouds based on Apache CloudStack / Citrix CloudPlatform
Developing CloudStack training
Blogging and sharing CloudStack knowledge
Involved with CloudStack before donation to Apache
Designed Clouds for SunGard, Ascenty, BskyB, Trader Media, M5 Hosting, Team Cymru, Interoute, University of Pennsylvania, …
CloudStack Committer (non-developer)
5. Basic Networking
AWS-style L3 isolation – massive scale
Simple flat network
Each POD has a unique CIDR
Optional guest isolation via Security Groups
Optional NetScaler integration – Elastic IPs and Elastic LB
Optional Nicira NVP integration
6. Security Groups
Isolate traffic between VMs
Available for both Basic and Advanced Networking
Only supported on XenServer 6.x and KVM
XenServer 6.0.x requires the Cloud Support Package
XenServer must use the Linux Bridge and not Open vSwitch:
    xe-switch-network-backend bridge
Must be implemented before adding to CloudStack
8. Advanced Networking
This network model provides the most flexibility in defining guest networks and providing custom network offerings such as firewall, VPN, Load Balancer & VPC functionality.
Guest isolation is provided through layer-2 means such as VLANs or SDN technologies.
9. Advanced Networking
Private and Shared Guest Networks
Multiple Physical Networks
Virtual Router for each Network providing:
    DNS & DHCP
    Firewall
    Client VPN
    Load Balancing
    Source / Static NAT
    Port Forwarding
10. Advanced Networking & Security Groups
Effectively enables the deployment of multiple ‘Basic’ style networks which use Security Groups for isolation of VMs, but with each Network encapsulated within a unique VLAN.
32. Further Information
Lots of great technical info on http://shapeblue.com/blog/
These slides can be found at www.slideshare.net/shapeblue
geoff.higginbottom@shapeblue.com
@CloudStackGuru
Editor's notes
Customers named on the logo slide: eSkyCity, BrokerBin, SunGard, Cisco, Orange, T-Mobile
Guest VMs and Hosts can be on different VLANs even though Admin Guide states they cannot
XenServer requires the CloudStack Support Package to be installed BEFORE adding to CloudStack in order to use Security Groups.
Security Groups: a Guest VM will be assigned to the ‘default’ Security Group if none is specified; the default group denies all inbound but allows all outbound traffic. VMs can belong to multiple Security Groups, but not to the default SG and another SG at the same time. Ingress and Egress rules control the flow of traffic into and out of Security Groups. If no Egress rules have been specified, all outbound traffic is allowed; however, once an Egress rule has been created, only traffic specified by Egress rules, traffic in response to an Ingress rule, or traffic related to DHCP & DNS queries is allowed out.
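The security-group behaviour described in that note (default group denies inbound and allows outbound, the default group cannot be combined with another group, outbound is unrestricted until the first egress rule exists and is then limited to egress matches, replies to ingress-permitted traffic and DHCP/DNS) is easy to misread when planning rules. The following is an added illustration written for this page, not CloudStack's own code: a small policy evaluator that models exactly those stated rules so the effect of adding a first egress rule can be checked on sample traffic. Its assumptions beyond the note are the DHCP/DNS port numbers, that "in response to an Ingress rule" is represented by a caller-supplied flag rather than connection tracking, and that rules are evaluated across every group a VM belongs to.

```python
"""Toy model of the CloudStack security-group semantics summarised in the notes.

Added illustration, not CloudStack code. Assumptions not stated in the notes:
the DHCP/DNS ports used, replies to ingress-permitted flows are a caller flag,
and rules are evaluated across all groups a VM belongs to.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Rule:
    """One ingress or egress rule: protocol, port range and remote CIDR."""
    protocol: str      # "tcp" or "udp" (ICMP type/code handling is omitted here)
    start_port: int
    end_port: int
    cidr: str          # remote source (ingress) or destination (egress) network

    def matches(self, protocol: str, port: int, remote_ip: str) -> bool:
        return (self.protocol == protocol
                and self.start_port <= port <= self.end_port
                and ip_address(remote_ip) in ip_network(self.cidr))


@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)
    egress: List[Rule] = field(default_factory=list)


# The 'default' group has no rules: inbound is denied, outbound is allowed.
DEFAULT_SG = SecurityGroup("default")

# Assumption: DHCP and DNS traffic is identified by these well-known ports.
ALWAYS_ALLOWED_EGRESS = {("udp", 67), ("udp", 68), ("udp", 53), ("tcp", 53)}


def valid_membership(requested: List[SecurityGroup]) -> bool:
    """A VM may be in several groups, but never in 'default' plus another group."""
    has_default = any(g.name == "default" for g in requested)
    return not (has_default and len(requested) > 1)


def assign_groups(requested: List[SecurityGroup]) -> List[SecurityGroup]:
    """Groups a new VM ends up in: 'default' when none are specified."""
    if not requested:
        return [DEFAULT_SG]
    if not valid_membership(requested):
        raise ValueError("a VM cannot be in the default security group and another group")
    return list(requested)


def allow_ingress(groups, protocol, port, remote_ip) -> bool:
    """Inbound traffic is allowed only if some ingress rule in some group permits it."""
    return any(r.matches(protocol, port, remote_ip) for g in groups for r in g.ingress)


def allow_egress(groups, protocol, port, remote_ip, reply_to_ingress=False) -> bool:
    """Outbound traffic: unrestricted until the first egress rule exists, then
    limited to egress-rule matches, replies to ingress-permitted flows and DHCP/DNS."""
    if not any(g.egress for g in groups):
        return True
    if reply_to_ingress or (protocol, port) in ALWAYS_ALLOWED_EGRESS:
        return True
    return any(r.matches(protocol, port, remote_ip) for g in groups for r in g.egress)


if __name__ == "__main__":
    # Constructed sample: a 'web' group admitting HTTP from anywhere and SSH from 10/8.
    web = SecurityGroup("web", ingress=[Rule("tcp", 80, 80, "0.0.0.0/0"),
                                        Rule("tcp", 22, 22, "10.0.0.0/8")])
    print("HTTP in from 203.0.113.5   ->", allow_ingress([web], "tcp", 80, "203.0.113.5"))
    print("SSH in from 203.0.113.5    ->", allow_ingress([web], "tcp", 22, "203.0.113.5"))
    print("SMTP out, no egress rules  ->", allow_egress([web], "tcp", 25, "198.51.100.7"))
    web.egress.append(Rule("tcp", 443, 443, "0.0.0.0/0"))
    print("SMTP out, after egress rule ->", allow_egress([web], "tcp", 25, "198.51.100.7"))
    print("DNS out, after egress rule  ->", allow_egress([web], "udp", 53, "10.0.0.2"))
```

The point worth noticing when running it is the flip on SMTP: with no egress rules the same packet is allowed, and the moment a single HTTPS egress rule is added it is denied, which is the behaviour the note warns about.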
A Zone can be either Basic OR Advanced
Private – limited to one Account. Shared – accessible to either the whole Zone, a Domain (with or without subdomains), an Account or a Project.
Traffic between CloudStack Management Servers and the various cloud components. Secondary Storage also uses the Management Network if the optional ‘Storage’ network has not been configured.
Traffic between VMs within an Account, and their Virtual Router, Physical Load Balancer or Physical Firewall
Traffic between VMs and the Internal Interface of the NetScaler
Traffic between the Virtual Router and the Internet Gateway. In a Basic Zone, only when using a NetScaler for EIP/ELB.
SSVM & CPVM each have a Public Interface
Traffic between the SSVM and Secondary Storage. Optional network; traffic will use the Management Network if it is not configured. If configured, there must be a route between the Management and Storage Networks. It is NOT for Primary Storage traffic.