Posted to users@cloudstack.apache.org by Antoine Boucher <an...@haltondc.com> on 2022/02/12 23:39:10 UTC

Re: ACS setup with 200+ accounts per domain

Hi Daan,

Thank you again for your response.

We decided to implement the following for our school customers from our limited knowledge of CloudStack and our time constraints.  

Here is our v1:

Initial Setup
A) We provisioned an external router for each school capable of supporting hundreds of VLANs and client-VPNs. Fortunately, a Mikrotik hEX does an excellent job for less than $100 CAD.

B) We provisioned a VPN and a /24 subnet with gateway on a dedicated VLAN for each student. 

C) For every school, we created a Domain, domain administrators, and enough accounts for every student; xxx-account01, xxx-account02, etc., with the user to accounts removed.

D) We created a new Shared Network Offering with no ACS services (no DHCP, etc.), such that no virtual routers are created during instantiation.

E) For each subnet VLAN of B) we created a shared network using D) and associated the network to a corresponding account; xxxx-network01 to xxxx-account01, xxxx-network02 to xxxx-account02, etc.

Ongoing Management
Domain admins (the schools) can now add and remove users to the created accounts and manage the client-VPNs throughout the school year.

All is automated on Mikrotik, and from what I read, it should also be simple to automate on ACS.

My top improvement request would be on the Implicit Dedication. I will follow up on a separate message.

Regards,
Antoine

Antoine Boucher
AntoineB@haltondc.com
[o] +1-226-505-9734
www.haltondc.com

“Data security made simple and affordable”
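As an added example (not part of this thread or of CloudStack's own tooling), the per-student loop of steps C and E expressed as CloudStack API requests, signed with the API's HMAC-SHA1 request signature so the secret key never goes on the wire. The endpoint, API key and domain/offering/zone IDs are placeholders, and the VLAN and subnet numbering is constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse


def canonical_string(params):
    """CloudStack signing input: keys sorted, values URL-encoded, whole string lowercased."""
    items = sorted((k, urllib.parse.quote(str(v), safe="")) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in items).lower()


def sign(params, secret_key):
    """HMAC-SHA1 over the canonical string, base64-encoded; only the signature is sent."""
    digest = hmac.new(secret_key.encode(), canonical_string(params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_url(endpoint, params, api_key, secret_key):
    """Full GET URL using the same encoded values that were signed, plus the encoded signature."""
    p = {**params, "apikey": api_key, "response": "json"}
    query = "&".join(f"{k}={urllib.parse.quote(str(v), safe='')}" for k, v in sorted(p.items()))
    return f"{endpoint}?{query}&signature={urllib.parse.quote(sign(p, secret_key), safe='')}"


def student_requests(prefix, count, domain_id, offering_id, zone_id, vlan_base=100, net_base="10.100"):
    """Steps C and E: one account and one VLAN-backed shared network per student.

    IDs are placeholders (from listDomains/listNetworkOfferings/listZones); VLAN and subnet
    numbering is constructed here: student i -> VLAN vlan_base+i, subnet net_base.i.0/24.
    """
    for i in range(1, count + 1):
        acct = f"{prefix}-account{i:02d}"
        # Step C: a user account (type 0) in the school's domain. The initial user gets a random
        # password; the message describes removing these users afterwards.
        yield {"command": "createAccount", "accounttype": 0, "domainid": domain_id, "account": acct,
               "username": acct, "password": secrets.token_urlsafe(16), "email": f"{acct}@school.example",
               "firstname": acct, "lastname": "student"}
        # Step E: shared network on the student's VLAN with the ACL scoped to that one account,
        # so other accounts in the domain cannot deploy into it.
        yield {"command": "createNetwork", "name": f"{prefix}-network{i:02d}",
               "displaytext": f"{prefix} student network {i:02d}", "networkofferingid": offering_id,
               "zoneid": zone_id, "acltype": "Account", "account": acct, "domainid": domain_id,
               "vlan": vlan_base + i, "gateway": f"{net_base}.{i}.1", "netmask": "255.255.255.0",
               "startip": f"{net_base}.{i}.10", "endip": f"{net_base}.{i}.250"}


if __name__ == "__main__":
    for req in student_requests("abc", 3, "DOMAIN-ID", "OFFERING-ID", "ZONE-ID"):
        print(signed_url("https://acs.example/client/api", req, "API-KEY", "SECRET-KEY"))
```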


> On Jan 26, 2022, at 8:53 AM, Daan Hoogland <da...@gmail.com> wrote:
> 
> Antoine, I hope you get your design right. I'm sure I would not help a lot
> except for confusing things, but let me try:
> 
> You could install a dedicated set of resources (zone/pods/clusters/hosts)
> per department/institution and assign resource admin role to a local guru
> to instantiate networks.
> You could create VPCs for lower level organisational units and let people
> organise themselves in tiers/guestnetworks.
> Installing an IPv6 environment will be your way forward, but this is not
> yet supported by all parts of CloudStack.
> 
> please let us know if you succeed in designing something acceptable and let
> us know if there are any features you need/miss.
> 
> On Wed, Jan 19, 2022 at 7:09 PM Antoine Boucher <an...@haltondc.com>
> wrote:
> 
>> Hello,
>> 
>> We have been slowly migrating our various customer VMs to ACS configured
>> with Advanced Networking (without Security Group enabled) configured with
>> multiple KVM and XCP-NG clusters with great success.  After experimenting
>> with Open Nebula and Open Stack for most of last year we are impressed with
>> ACS.
>> 
>> In addition to our traditional enterprise customers, we also have
>> education institutions using our infrastructure for classes and training.
>> What would be the best way to support a Domain with 200+ accounts with
>> their respective isolated network and some shared networks in ACS?
>> 
>> We can assign new hosts, external gateways, vlan, vxlan, etc., but one
>> public ipv4 per account would be undesirable.
>> 
>> With our current knowledge, the out-of-the-box networking scalability seems
>> to be a limiting factor for us. We have been experimenting with different
>> permutations for a few weeks.
>> 
>> We've also tried using hardware routers for gateway and VPN termination.
>> As such, we dedicated a router for VPNs with 200 predefined VLANs and
>> subnets. 200 L2 networks are then defined with each VLAN-id and assigned to
>> an account as their "isolated" network (with Source NAT). A domain shared
>> network is also defined for intra-account communication. However, the root
>> admin can only do the network definition and association to the account.
>> Ideally, the use case would be for the domain admin to define and assign or
>> the account to create the "isolated" network.
>> 
>> We could always deploy a new zone with different networking configuration
>> if it would help.
>> 
>> Any suggestion would be appreciated.
>> 
>> Regards,
>> Antoine
>> 
>> 
> 
> -- 
> Daan