Posted to commits@cloudstack.apache.org by se...@apache.org on 2014/03/20 09:08:19 UTC

[2/3] Closes #2: fixed images links, tables, toctree

http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/08b01f0d/source/networking2.rst
----------------------------------------------------------------------
diff --git a/source/networking2.rst b/source/networking2.rst
index 4072f3c..cfdab2b 100644
--- a/source/networking2.rst
+++ b/source/networking2.rst
@@ -23,7 +23,7 @@ have a private LAN. The CloudStack virtual router is the main component
 providing networking features for guest traffic.
 
 Guest Traffic
--------------------
+-------------
 
 A network can carry guest traffic only between VMs within one zone.
 Virtual machines in different zones cannot communicate with each other
@@ -32,7 +32,7 @@ routing through a public IP address.
 
 See a typical guest traffic setup given below:
 
-|guest-traffic-setup.png: Depicts a guest traffic setup|
+|guest-traffic-setup.png| 
 
 Typically, the Management Server automatically creates a virtual router
 for each network. A virtual router is a special virtual machine that
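Review bot: The replacement "|guest-traffic-setup.png| " drops the alt text "Depicts a guest traffic setup" from the reference, so that description now has to live in the substitution definition as an :alt: option; the definition is not part of the visible hunks, so please confirm it was carried over. The added line also ends in a trailing space, which git diff --check will flag.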
@@ -54,7 +54,7 @@ Source NAT is automatically configured in the virtual router to forward
 outbound traffic for all guest VMs
 
 Networking in a Pod
--------------------------
+-------------------
 
 The figure below illustrates network setup within a single pod. The
 hosts are connected to a pod-level switch. At a minimum, the hosts
@@ -62,7 +62,7 @@ should have one physical uplink to each switch. Bonded NICs are
 supported as well. The pod-level switch is a pair of redundant gigabit
 switches with 10 G uplinks.
 
-|networksinglepod.png: diagram showing logical view of network in a pod|
+|networksinglepod.png| 
 
 Servers are connected as follows:
 
@@ -86,11 +86,11 @@ each network interface as well as redundant switch fabric in order to
 maximize throughput and improve reliability.
 
 Networking in a Zone
---------------------------
+--------------------
 
 The following figure illustrates the network setup within a single zone.
 
-|networksetupzone.png: Depicts network setup in a single zone|
+|networksetupzone.png|
 
 A firewall for management traffic operates in the NAT mode. The network
 typically is assigned IP addresses in the 192.168.0.0/16 Class B private
@@ -101,7 +101,7 @@ Each zone has its own set of public IP addresses. Public IP addresses
 from different zones do not overlap.
 
 Basic Zone Physical Network Configuration
------------------------------------------------
+-----------------------------------------
 
 In a basic network, configuring the physical network is fairly
 straightforward. You only need to configure one guest network to carry
@@ -109,14 +109,14 @@ traffic that is generated by guest VMs. When you first add a zone to
 CloudStack, you set up the guest network through the Add Zone screens.
 
 Advanced Zone Physical Network Configuration
---------------------------------------------------
+--------------------------------------------
 
 Within a zone that uses advanced networking, you need to tell the
 Management Server how the physical network is set up to carry different
 kinds of traffic in isolation.
 
 Configure Guest Traffic in an Advanced Zone
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 These steps assume you have already logged in to the CloudStack UI. To
 configure the base guest network:
@@ -136,7 +136,7 @@ configure the base guest network:
 
    The Add guest network window is displayed:
 
-   |addguestnetwork.png: Add Guest network setup in a single zone|
+   |addguestnetwork.png|
 
 #. 
 
@@ -174,13 +174,13 @@ configure the base guest network:
    Click OK.
 
 Configure Public Traffic in an Advanced Zone
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 In a zone that uses advanced networking, you need to configure at least
 one range of IP addresses for Internet traffic.
 
 Configuring a Shared Guest Network
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 #. 
 
@@ -313,7 +313,7 @@ Configuring a Shared Guest Network
    Click OK to confirm.
 
 Using Multiple Guest Networks
------------------------------------
+-----------------------------
 
 In zones that use advanced networking, additional networks for guest
 traffic may be added at any time after the initial installation. You can
@@ -339,7 +339,7 @@ no isolation between guests.Networks that are assigned to a specific
 account provide strong isolation.
 
 Adding an Additional Guest Network
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 #. 
 
@@ -389,7 +389,7 @@ Adding an Additional Guest Network
    Click Create.
 
 Reconfiguring Networks in VMs
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 CloudStack provides you the ability to move VMs between networks and
 reconfigure a VM's network. You can remove a VM from a network and add
@@ -400,13 +400,13 @@ be accommodated with ease.
 This feature is supported on XenServer, VMware, and KVM hypervisors.
 
 Prerequisites
-^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^
 
 Ensure that vm-tools are running on guest VMs for adding or removing
 networks to work on VMware hypervisor.
 
 Adding a Network
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^
 
 #. 
 
@@ -471,7 +471,7 @@ Adding a Network
       CIDR (for IPv6)
 
 Removing a Network
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^
 
 #. 
 
@@ -495,14 +495,14 @@ Removing a Network
 
 #. 
 
-   Click Remove NIC button. |remove-nic.png: button to remove a NIC|
+   Click Remove NIC button. |remove-nic.png|
 
 #. 
 
    Click Yes to confirm.
 
 Selecting the Default Network
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 #. 
 
@@ -526,15 +526,14 @@ Selecting the Default Network
 
 #. 
 
-   Click the Set default NIC button. |set-default-nic.png: button to set
-   a NIC as default one.|
+   Click the Set default NIC button. |set-default-nic.png|.
 
 #. 
 
    Click Yes to confirm.
 
 Changing the Network Offering on a Guest Network
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 A user or administrator can change the network offering that is
 associated with an existing guest network.
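Review bot: The added line "Click the Set default NIC button. |set-default-nic.png|." keeps a period after the substitution, so the rendered step ends with the icon followed by a stray full stop. The matching Remove NIC step in the previous hunk ends at "|remove-nic.png|" with no trailing punctuation; drop the final "." here for consistency.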
@@ -559,8 +558,7 @@ associated with an existing guest network.
 
 #. 
 
-   In the Details tab, click Edit. |EditButton.png: button to edit a
-   network|
+   In the Details tab, click Edit. |edit-icon.png|
 
 #. 
 
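Review bot: Unlike the other image fixes, this one also renames the substitution, from "|EditButton.png: ...|" to "|edit-icon.png|". That matches the name used in the Reserving an IP Range step, but it only resolves if a definition for edit-icon.png exists, and any remaining EditButton.png definition becomes dead if nothing else references it; worth a grep for both names before merging.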
@@ -585,7 +583,7 @@ associated with an existing guest network.
    If you stopped any VMs, restart them.
 
 IP Reservation in Isolated Guest Networks
------------------------------------------------
+-----------------------------------------
 
 In isolated guest networks, a part of the guest IP address space can be
 reserved for non-CloudStack VMs or physical servers. To do so, you
@@ -609,7 +607,7 @@ addresses. CloudStack guest VMs cannot acquire IPs from the Reserved IP
 Range.
 
 IP Reservation Considerations
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Consider the following before you reserve an IP range for non-CloudStack
 machines:
@@ -692,7 +690,7 @@ machines:
    UI.
 
 Limitations
-~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~
 
 -  
 
@@ -707,7 +705,7 @@ Limitations
    Reservation in the new re-implemeted network.
 
 Best Practices
-~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~
 
 Apply IP Reservation to the guest network as soon as the network state
 changes to Implemented. If you apply reservation soon after the first
@@ -715,7 +713,7 @@ guest VM is deployed, lesser conflicts occurs while applying
 reservation.
 
 Reserving an IP Range
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~
 
 #. 
 
@@ -731,8 +729,7 @@ Reserving an IP Range
 
 #. 
 
-   In the Details tab, click Edit. |edit-icon.png: button to edit a
-   network|
+   In the Details tab, click Edit. |edit-icon.png|
 
    The CIDR field changes to editable one.
 
@@ -748,7 +745,7 @@ Reserving an IP Range
    Range are displayed on the Details page.
 
 Reserving Public IP Addresses and VLANs for Accounts
-----------------------------------------------------------
+----------------------------------------------------
 
 CloudStack provides you the ability to reserve a set of public IP
 addresses and VLANs exclusively for an account. During zone creation,
@@ -789,7 +786,7 @@ This feature provides you the following capabilities:
    The maximum IPs per account limit cannot be superseded.
 
 Dedicating IP Address Ranges to an Account
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 #. 
 
@@ -832,8 +829,7 @@ Dedicating IP Address Ranges to an Account
 
    #. 
 
-      Click Add Account |addAccount-icon.png: button to assign an IP
-      range to an account.| button.
+      Click Add Account |addAccount-icon.png| button.
 
       The Add Account dialog is displayed.
 
@@ -910,7 +906,7 @@ Dedicating IP Address Ranges to an Account
          Click Add.
 
 Dedicating VLAN Ranges to an Account
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 #. 
 
@@ -966,7 +962,7 @@ Dedicating VLAN Ranges to an Account
       ****Domain****: The domain associated with the account.
 
 Configuring Multiple IP Addresses on a Single NIC
--------------------------------------------------------
+-------------------------------------------------
 
 CloudStack provides you the ability to associate multiple private IP
 addresses per guest VM NIC. In addition to the primary IP, you can
@@ -986,7 +982,7 @@ This feature is supported on XenServer, KVM, and VMware hypervisors.
 Note that Basic zone security groups are not supported on VMware.
 
 Use Cases
-~~~~~~~~~~~~~~~~~
+~~~~~~~~~
 
 Some of the use cases are described below:
 
@@ -1009,13 +1005,13 @@ Some of the use cases are described below:
    a distinct IP address.
 
 Guidelines
-~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~
 
 To prevent IP conflict, configure different subnets when multiple
 networks are connected to the same VM.
 
 Assigning Additional IPs to a VM
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 #. 
 
@@ -1051,7 +1047,7 @@ Assigning Additional IPs to a VM
    StaticNAT rules.
 
 Port Forwarding and StaticNAT Services Changes
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Because multiple IPs can be associated per NIC, you are allowed to
 select a desired IP for the Port Forwarding and StaticNAT services. The
@@ -1063,7 +1059,7 @@ is configured on the specified private IP of the VM. if not passed, NAT
 is configured on the primary IP of the VM.
 
 About Multiple IP Ranges
--------------------------------
+------------------------
 
 .. note:: The feature can only be implemented on IPv4 addresses.
 
@@ -1091,7 +1087,7 @@ subnet, the remove operation fails.
 This feature is supported on KVM, xenServer, and VMware hypervisors.
 
 About Elastic IP
------------------------
+----------------
 
 Elastic IP (EIP) addresses are the IP addresses that are associated with
 an account, and act as static IP addresses. The account owner has the
@@ -1110,7 +1106,7 @@ DefaultSharedNetscalerEIPandELBNetworkOffering, provides your network
 with EIP and ELB network services if a NetScaler device is deployed in
 your zone. Consider the following illustration for more details.
 
-|eip-ns-basiczone.png: Elastic IP in a NetScaler-enabled Basic Zone.|
+|eip-ns-basiczone.png|
 
 In the illustration, a NetScaler appliance is the default entry or exit
 point for the CloudStack instances, and firewall is the default entry or
@@ -1136,12 +1132,13 @@ The EIP work flow is as follows:
    Network Address Translation (INAT) and Reverse NAT (RNAT) rules
    between the public IP and the private IP.
 
-   .. note:: Inbound NAT (INAT) is a type of NAT supported by NetScaler, in which
-   the destination IP address is replaced in the packets from the public
-   network, such as the Internet, with the private IP address of a VM in
-   the private network. Reverse NAT (RNAT) is a type of NAT supported by
-   NetScaler, in which the source IP address is replaced in the packets
-   generated by a VM in the private network with the public IP address.
+   .. note:: 
+      Inbound NAT (INAT) is a type of NAT supported by NetScaler, in which
+      the destination IP address is replaced in the packets from the public
+      network, such as the Internet, with the private IP address of a VM in
+      the private network. Reverse NAT (RNAT) is a type of NAT supported by
+      NetScaler, in which the source IP address is replaced in the packets
+      generated by a VM in the private network with the public IP address.
 
 -  
 
@@ -1176,19 +1173,20 @@ For more information on the Associate Public IP option, see
 `Section 9.4.1, “Creating a New Network
 Offering” <#creating-network-offerings>`__.
 
-.. note:: The Associate Public IP feature is designed only for use with user VMs.
-The System VMs continue to get both public IP and private by default,
-irrespective of the network offering configuration.
+.. note:: 
+   The Associate Public IP feature is designed only for use with user VMs.
+   The System VMs continue to get both public IP and private by default,
+   irrespective of the network offering configuration.
 
 New deployments which use the default shared network offering with EIP
 and ELB services to create a shared network in the Basic zone will
 continue allocating public IPs to each user VM.
 
 Portable IPs
--------------------
+------------
 
 About Portable IP
-~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~
 
 Portable IPs in CloudStack are region-level pool of IPs, which are
 elastic in nature, that can be transferred across geographically
@@ -1226,14 +1224,14 @@ The salient features of Portable IP are as follows:
    Portable IP transfer is available only for static NAT.
 
 Guidelines
-''''''''''
+^^^^^^^^^^
 
 Before transferring to another network, ensure that no network rules
 (Firewall, Static NAT, Port Forwarding, and so on) exist on that
 portable IP.
 
 Configuring Portable IPs
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~
 
 #. 
 
@@ -1286,7 +1284,7 @@ Configuring Portable IPs
    Click OK.
 
 Acquiring a Portable IP
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~
 
 #. 
 
@@ -1323,7 +1321,7 @@ Acquiring a Portable IP
    static NAT rules.
 
 Transferring Portable IP
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~
 
 An IP can be transferred from one network to another only if Static NAT
 is enabled. However, when a portable IP is associated with a network,
@@ -1345,7 +1343,7 @@ following:
     http://localhost:8096/client/api?command=enableStaticNat&response=json&ipaddressid=a4bc37b2-4b4e-461d-9a62-b66414618e36&virtualmachineid=Y&networkid=X
 
 Multiple Subnets in Shared Network
------------------------------------------
+----------------------------------
 
 CloudStack provides you with the flexibility to add guest IP ranges from
 different subnets in Basic zones and security groups-enabled Advanced
@@ -1358,7 +1356,7 @@ address management overhead. You can delete the IP ranges you have
 added.
 
 Prerequisites and Guidelines
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 -  
 
@@ -1387,7 +1385,7 @@ Prerequisites and Guidelines
    subnets are not currently supported
 
 Adding Multiple Subnets to a Shared Network
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 #. 
 
@@ -1428,7 +1426,7 @@ Adding Multiple Subnets to a Shared Network
 
    The Add IP Range dialog is displayed, as follows:
 
-   |add-ip-range.png: adding an IP range to a network.|
+   |add-ip-range.png|
 
 #. 
 
@@ -1463,7 +1461,7 @@ Adding Multiple Subnets to a Shared Network
    Click OK.
 
 Isolation in Advanced Zone Using Private VLAN
-----------------------------------------------------
+---------------------------------------------
 
 Isolation of guest traffic in shared networks can be achieved by using
 Private VLANs (PVLAN). PVLANs provide Layer 2 isolation between ports
@@ -1488,7 +1486,7 @@ VMs.
    guest VM.
 
 About Private VLAN
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~
 
 In an Ethernet switch, a VLAN is a broadcast domain where hosts can
 establish direct communication with each another at Layer 2. Private
@@ -1545,27 +1543,27 @@ For further reading:
 -  
 
    `Understanding Private
-   VLANs <http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swpvlan.html#wp1038379>`__
+   VLANs <http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swpvlan.html#wp1038379>`_
 
 -  
 
    `Cisco Systems' Private VLANs: Scalable Security in a Multi-Client
-   Environment <http://tools.ietf.org/html/rfc5517>`__
+   Environment <http://tools.ietf.org/html/rfc5517>`_
 
 -  
 
    `Private VLAN (PVLAN) on vNetwork Distributed Switch - Concept
-   Overview (1010691) <http://kb.vmware.com>`__
+   Overview (1010691) <http://kb.vmware.com>`_
 
 Prerequisites
-~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~
 
 -  
 
    Use a PVLAN supported switch.
 
    See `Private VLAN Catalyst Switch Support
-   Matrix <http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml>`__\ for
+   Matrix <http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml>`_ for
    more information.
 
 -  
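Review bot: Changing the link suffix from a double to a single trailing underscore on the three further-reading links and the support-matrix link turns anonymous hyperlinks into named ones, which registers each link text as a target name; two named links with the same text and different URLs make docutils report a duplicate explicit target name. Other references in this file still use the double underscore (for example the "Creating a New Network Offering" link), so either keep the anonymous form throughout or say why these were changed. Separately, "Overview (1010691) <http://kb.vmware.com>" points at the knowledge-base home page rather than the article it names.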
@@ -1591,12 +1589,13 @@ Prerequisites
 
    Before you use PVLAN on XenServer and KVM, enable Open vSwitch (OVS).
 
-   .. note:: OVS on XenServer and KVM does not support PVLAN natively. Therefore,
-   CloudStack managed to simulate PVLAN on OVS for XenServer and KVM by
-   modifying the flow table.
+   .. note:: 
+      OVS on XenServer and KVM does not support PVLAN natively. Therefore,
+      CloudStack managed to simulate PVLAN on OVS for XenServer and KVM by
+      modifying the flow table.
 
 Creating a PVLAN-Enabled Guest Network
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 #. 
 
@@ -1660,7 +1659,7 @@ Creating a PVLAN-Enabled Guest Network
       Isolated VLAN.
 
       For the description on Secondary Isolated VLAN, see
-      `Section 15.14.1, “About Private VLAN” <#about-pvlan>`__.
+      `Section 15.14.1, “About Private VLAN” <#about-pvlan>`_.
 
    -  
 
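Review bot: The line touched here, "Section 15.14.1, “About Private VLAN” <#about-pvlan>", still hard-codes a section number and a "#about-pvlan" fragment. Section anchors are generated from the heading text, so this fragment resolves only if an explicit about-pvlan label is defined, and none is visible in this diff. Since the line is being edited anyway, consider a :ref: cross-reference to a label placed above the About Private VLAN heading.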
@@ -1722,10 +1721,10 @@ Creating a PVLAN-Enabled Guest Network
    Click OK to confirm.
 
 Security Groups
-----------------------
+---------------
 
 About Security Groups
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~
 
 Security groups provide a way to isolate traffic to VMs. A security
 group is a group of VMs that filter their incoming and outgoing traffic
@@ -1736,8 +1735,8 @@ useful in zones that use basic networking, because there is a single
 guest network for all guest VMs. In advanced zones, security groups are
 supported only on the KVM hypervisor.
 
-.. note:: In a zone that uses advanced networking, you can instead define multiple
-guest networks to isolate traffic to VMs.
+.. note:: 
+   In a zone that uses advanced networking, you can instead define multiple guest networks to isolate traffic to VMs.
 
 Each CloudStack account comes with a default security group that denies
 all inbound traffic and allows all outbound traffic. The default
@@ -1760,7 +1759,7 @@ except for responses to any traffic that has been allowed out through an
 egress rule.
 
 Adding a Security Group
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~
 
 A user or administrator can define a new security group.
 
@@ -1796,7 +1795,7 @@ A user or administrator can define a new security group.
    Egress Rules to a Security Group.
 
 Security Groups in Advanced Zones (KVM Only)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 CloudStack provides the ability to use security groups to provide
 isolation between guests on a single shared, zone-wide network in an
@@ -1805,7 +1804,7 @@ advanced zones rather than multiple VLANs allows a greater range of
 options for setting up guest isolation in a cloud.
 
 Limitations
-'''''''''''
+^^^^^^^^^^^
 
 The following are not supported for this feature:
 
@@ -1831,7 +1830,7 @@ Security groups must be enabled in the zone in order for this feature to
 be used.
 
 Enabling Security Groups
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~
 
 In order for security groups to function in a zone, the security groups
 feature must first be enabled for the zone. The administrator can do
@@ -1842,7 +1841,7 @@ not enable security groups for an existing zone, only when creating a
 new zone.
 
 Adding Ingress and Egress Rules to a Security Group
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 #. 
 
@@ -1909,7 +1908,7 @@ Adding Ingress and Egress Rules to a Security Group
 
    The following example allows inbound HTTP access from anywhere:
 
-   |httpaccess.png: allows inbound HTTP access from anywhere|
+   |httpaccess.png|
 
 #. 
 
@@ -1969,7 +1968,7 @@ Adding Ingress and Egress Rules to a Security Group
    Click Add.
 
 External Firewalls and Load Balancers
---------------------------------------------
+-------------------------------------
 
 CloudStack is capable of replacing its Virtual Router with an external
 Juniper SRX device and an optional external NetScaler or F5 load
@@ -1977,15 +1976,15 @@ balancer for gateway and load balancing services. In this case, the VMs
 use the SRX as their gateway.
 
 About Using a NetScaler Load Balancer
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Citrix NetScaler is supported as an external network element for load
 balancing in zones that use isolated networking in advanced zones. Set
 up an external load balancer when you want to provide load balancing
 through means other than CloudStack’s provided virtual router.
 
-.. note:: In a Basic zone, load balancing service is supported only if Elastic IP
-or Elastic LB services are enabled.
+.. note:: 
+   In a Basic zone, load balancing service is supported only if Elastic IP or Elastic LB services are enabled.
 
 When NetScaler load balancer is used to provide EIP or ELB services in a
 Basic zone, ensure that all guest VM traffic must enter and exit through
@@ -1999,7 +1998,7 @@ policy-based route must be set up so that all traffic originated from
 the guest VM's are directed to NetScaler device. This is required to
 ensure that the outbound traffic from the guest VM's is routed to a
 public IP by using NAT.For more information on Elastic IP, see
-`Section 15.11, “About Elastic IP” <#elastic-ip>`__.
+`Section 15.11, “About Elastic IP” <#elastic-ip>`_.
 
 The NetScaler can be set up in direct (outside the firewall) mode. It
 must be added before any load balancing rules are deployed on guest VMs
@@ -2052,7 +2051,7 @@ is required. Once a VPX instance is added into CloudStack, it is treated
 the same as a VPX on an ESXi host.
 
 Configuring SNMP Community String on a RHEL Server
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The SNMP Community string is similar to a user id or password that
 provides access to a network device, such as router. This string is sent
@@ -2069,7 +2068,7 @@ communication between the NetScaler device and the RHEL machine.
    Ensure that you installed SNMP on RedHat. If not, run the following
    command:
 
-   .. code:: screen
+   .. code:: bash
 
        yum install net-snmp-utils
 
@@ -2083,10 +2082,11 @@ communication between the NetScaler device and the RHEL machine.
       Map the community name into a security name (local and mynetwork,
       depending on where the request is coming from):
 
-      .. note:: Use a strong password instead of public when you edit the
-      following table.
+      .. note:: 
+         Use a strong password instead of public when you edit the
+         following table.
 
-      .. code:: screen
+      .. code:: bash
 
           #         sec.name   source        community
           com2sec    local      localhost     public
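Review bot: The reindented note tells the reader to use a strong password instead of public, yet the table directly below it still reads "com2sec local localhost public". Readers copy the block, not the note; replace the community value in the sample with an obvious placeholder so the default string is not what ends up pasted into the configuration.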
@@ -2098,7 +2098,7 @@ communication between the NetScaler device and the RHEL machine.
 
       Map the security names into group names:
 
-      .. code:: screen
+      .. code:: bash
 
           #      group.name   sec.model  sec.name
           group   MyRWGroup     v1         local
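Review bot: The block retagged here with ".. code:: bash" is a "group.name sec.model sec.name" mapping table, which is SNMP daemon configuration rather than shell; the same applies to the com2sec, view and access blocks in the neighbouring hunks. Keep bash for the yum, iptables, service and chkconfig commands and use a neutral lexer such as text for the configuration tables, so they are not highlighted or read as commands.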
@@ -2110,7 +2110,7 @@ communication between the NetScaler device and the RHEL machine.
 
       Create a view to allow the groups to have the permission to:
 
-      .. code:: screen
+      .. code:: bash
 
           incl/excl subtree mask view all included .1
 
@@ -2119,7 +2119,7 @@ communication between the NetScaler device and the RHEL machine.
       Grant access with different write permissions to the two groups to
       the view you created.
 
-      .. code:: screen
+      .. code:: bash
 
           # context     sec.model     sec.level     prefix     read     write     notif
             access      MyROGroup ""  any noauth     exact      all      none     none
@@ -2129,7 +2129,7 @@ communication between the NetScaler device and the RHEL machine.
 
    Unblock SNMP in iptables.
 
-   .. code:: screen
+   .. code:: bash
 
        iptables -A INPUT -p udp --dport 161 -j ACCEPT
 
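Review bot: The command in this retagged block, "iptables -A INPUT -p udp --dport 161 -j ACCEPT", accepts SNMP from any source, while the section is about communication between the NetScaler device and the RHEL machine. Consider documenting the rule with a source match for the NetScaler address (the -s option). Because -A appends, the rule also has no effect if the INPUT chain already ends in a reject rule; inserting it ahead of that rule is the safer form to document.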
@@ -2137,7 +2137,7 @@ communication between the NetScaler device and the RHEL machine.
 
    Start the SNMP service:
 
-   .. code:: screen
+   .. code:: bash
 
        service snmpd start
 
@@ -2146,12 +2146,12 @@ communication between the NetScaler device and the RHEL machine.
    Ensure that the SNMP service is started automatically during the
    system startup:
 
-   .. code:: screen
+   .. code:: bash
 
        chkconfig snmpd on
 
 Initial Setup of External Firewalls and Load Balancers
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 When the first VM is created for a new account, CloudStack programs the
 external firewall and load balancer to work with the VM. The following
@@ -2186,7 +2186,7 @@ The following objects are created on the load balancer:
    private subnet (e.g. 10.1.1.2).
 
 Ongoing Configuration of External Firewalls and Load Balancers
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Additional user actions (e.g. setting a port forward) will cause further
 programming of the firewall and load balancer. A user may request
@@ -2218,22 +2218,23 @@ element. This data is collected on a regular basis and stored in the
 CloudStack database.
 
 Load Balancer Rules
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~
 
 A CloudStack user or administrator may create load balancing rules that
 balance traffic received at a public IP to one or more VMs. A user
 creates a rule, specifies an algorithm, and assigns the rule to a set of
 VMs.
 
-.. note:: If you create load balancing rules while using a network service
-offering that includes an external load balancer device such as
-NetScaler, and later change the network service offering to one that
-uses the CloudStack virtual router, you must create a firewall rule on
-the virtual router for each of your existing load balancing rules so
-that they continue to function.
+.. note:: 
+   If you create load balancing rules while using a network service
+   offering that includes an external load balancer device such as
+   NetScaler, and later change the network service offering to one that
+   uses the CloudStack virtual router, you must create a firewall rule on
+   the virtual router for each of your existing load balancing rules so
+   that they continue to function.
 
 Adding a Load Balancer Rule
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 #. 
 
@@ -2267,7 +2268,7 @@ Adding a Load Balancer Rule
    Addresses page when the rule is created.
 
    To do that, select the name of the network, then click Add Load
-   Balancer tab. Continue with `7 <#config-lb>`__.
+   Balancer tab. Continue with `7 <#config-lb>`_.
 
 #. 
 
@@ -2351,7 +2352,7 @@ Adding a Load Balancer Rule
    steps to add more load balancer rules for this IP address.
 
 Sticky Session Policies for Load Balancer Rules
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Sticky sessions are used in Web-based applications to ensure continued
 availability of information across the multiple requests in a user's
@@ -2378,7 +2379,7 @@ CloudStack UI or call listNetworks and check the
 SupportedStickinessMethods capability.
 
 Health Checks for Load Balancer Rules
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 (NetScaler load balancer only; requires NetScaler version 10.0)
 
@@ -2416,7 +2417,7 @@ For details on how to set a health check policy using the UI, see
 Rule” <#add-load-balancer-rule>`__.
 
 Configuring AutoScale
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~
 
 AutoScaling allows you to scale your back-end services or application
 VMs up or down seamlessly and automatically according to the conditions
@@ -2439,11 +2440,10 @@ CloudStack uses the NetScaler load balancer to monitor all aspects of a
 system's health and work in unison with CloudStack to initiate scale-up
 or scale-down actions.
 
-.. note:: AutoScale is supported on NetScaler Release 10 Build 74.4006.e and
-beyond.
+.. note:: AutoScale is supported on NetScaler Release 10 Build 74.4006.e and beyond.
 
 Prerequisites
-'''''''''''''
+^^^^^^^^^^^^^
 
 Before you configure an AutoScale rule, consider the following:
 
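Review bot: The AutoScale note is joined onto the directive line (".. note:: AutoScale is supported on NetScaler Release 10 Build 74.4006.e and beyond."), whereas the other notes fixed in this commit move the body to an indented block under a bare ".. note::". Both forms render, but pick one; the indented form used in the next hunk keeps lines within the file's wrap width.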
@@ -2453,9 +2453,10 @@ Before you configure an AutoScale rule, consider the following:
    AutoScale. When a VM is deployed by using a template and when it
    comes up, the application should be up and running.
 
-   .. note:: If the application is not running, the NetScaler device considers the
-   VM as ineffective and continues provisioning the VMs unconditionally
-   until the resource limit is exhausted.
+   .. note:: 
+      If the application is not running, the NetScaler device considers the 
+      VM as ineffective and continues provisioning the VMs unconditionally
+      until the resource limit is exhausted.
 
 -  
 
@@ -2506,11 +2507,11 @@ Before you configure an AutoScale rule, consider the following:
    configuring AutoScale.
 
 Configuration
-'''''''''''''
+^^^^^^^^^^^^^
 
 Specify the following:
 
-|autoscaleateconfig.png: Configuring AutoScale|
+|autoscaleateconfig.png|
 
 -  
 
@@ -2539,15 +2540,16 @@ Specify the following:
    rule has at least the configured number of active VM instances are
    available to serve the traffic.
 
-   .. note:: If an application, such as SAP, running on a VM instance is down for
-   some reason, the VM is then not counted as part of Min Instance
-   parameter, and the AutoScale feature initiates a scaleup action if
-   the number of active VM instances is below the configured value.
-   Similarly, when an application instance comes up from its earlier
-   down state, this application instance is counted as part of the
-   active instance count and the AutoScale process initiates a scaledown
-   action when the active instance count breaches the Max instance
-   value.
+   .. note:: 
+      If an application, such as SAP, running on a VM instance is down for
+      some reason, the VM is then not counted as part of Min Instance
+      parameter, and the AutoScale feature initiates a scaleup action if
+      the number of active VM instances is below the configured value.
+      Similarly, when an application instance comes up from its earlier
+      down state, this application instance is counted as part of the
+      active instance count and the AutoScale process initiates a scaledown
+      action when the active instance count breaches the Max instance
+      value.
 
 -  
 
@@ -2561,13 +2563,14 @@ Specify the following:
    leads to a single load balancing rule exhausting the VM instances
    limit specified at the account or domain level.
 
-   .. note:: If an application, such as SAP, running on a VM instance is down for
-   some reason, the VM is not counted as part of Max Instance parameter.
-   So there may be scenarios where the number of VMs provisioned for a
-   scaleup action might be more than the configured Max Instance value.
-   Once the application instances in the VMs are up from an earlier down
-   state, the AutoScale feature starts aligning to the configured Max
-   Instance value.
+   .. note:: 
+      If an application, such as SAP, running on a VM instance is down for
+      some reason, the VM is not counted as part of Max Instance parameter.
+      So there may be scenarios where the number of VMs provisioned for a
+      scaleup action might be more than the configured Max Instance value.
+      Once the application instances in the VMs are up from an earlier down
+      state, the AutoScale feature starts aligning to the configured Max
+      Instance value.
 
 Specify the following scale-up and scale-down policies:
 
@@ -2667,24 +2670,22 @@ advanced settings, and specify the following:
    **Apply**: Click Apply to create the AutoScale configuration.
 
 Disabling and Enabling an AutoScale Configuration
-'''''''''''''''''''''''''''''''''''''''''''''''''
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 If you want to perform any maintenance operation on the AutoScale VM
 instances, disable the AutoScale configuration. When the AutoScale
 configuration is disabled, no scaleup or scaledown action is performed.
 You can use this downtime for the maintenance activities. To disable the
-AutoScale configuration, click the Disable AutoScale |EnableDisable.png:
-button to enable or disable AutoScale.| button.
+AutoScale configuration, click the Disable AutoScale |EnableDisable.png| button.
 
 The button toggles between enable and disable, depending on whether
 AutoScale is currently enabled or not. After the maintenance operations
 are done, you can enable the AutoScale configuration back. To enable,
 open the AutoScale configuration page again, then click the Enable
-AutoScale |EnableDisable.png: button to enable or disable AutoScale.|
-button.
+AutoScale |EnableDisable.png| button.
 
 Updating an AutoScale Configuration
-'''''''''''''''''''''''''''''''''''
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 You can update the various parameters and add or delete the conditions
 in a scaleup or scaledown rule. Before you update an AutoScale
@@ -2696,7 +2697,7 @@ apply the new AutoScale policies, open the AutoScale configuration page
 again, then click the Enable AutoScale button.
 
 Runtime Considerations
-''''''''''''''''''''''
+^^^^^^^^^^^^^^^^^^^^^^
 
 -  
 
@@ -2721,7 +2722,7 @@ Runtime Considerations
    rule.
 
 Global Server Load Balancing Support
--------------------------------------------
+------------------------------------
 
 CloudStack supports Global Server Load Balancing (GSLB) functionalities
 to provide business continuity, and enable seamless resource movement
@@ -2739,7 +2740,7 @@ provider in CloudStack. GSLB functionality works in an Active-Active
 data center environment.
 
 About Global Server Load Balancing
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Global Server Load Balancing (GSLB) is an extension of load balancing
 functionality, which is highly efficient in avoiding downtime. Based on
@@ -2752,7 +2753,7 @@ accessing a resource in the event of a failure, or to provide a means of
 shifting traffic easily to simplify maintenance, or both.
 
 Components of GSLB
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^
 
 A typical GSLB environment is comprised of the following components:
 
@@ -2819,7 +2820,7 @@ A typical GSLB environment is comprised of the following components:
    ADNS service IP and port.
 
 How Does GSLB Works in CloudStack?
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Global server load balancing is used to manage the traffic flow to a web
 site hosted on two separate zones that ideally are in different
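Review bot: the heading "How Does GSLB Works in CloudStack?" keeps its grammatical error while its underline is being resized. Since the heading is touched anyway, change the title to "How Does GSLB Work in CloudStack?" and size the underline to the corrected title.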
@@ -2856,7 +2857,7 @@ the mechanism to monitor health of virtual servers both at local and
 remote sites. The cloud admin enables GSLB as a service to the tenants
 that use zones 1 and 2.
 
-|gslb.png: GSLB architecture|
+|gslb.png|
 
 Tenant-A wishes to leverage the GSLB service provided by the xyztelco
 cloud. Tenant-A configures a GSLB rule to load balance traffic across
@@ -2886,7 +2887,7 @@ will be resolved to the public IP associated with the selected virtual
 server.
 
 Configuring GSLB
-~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~
 
 To configure a GSLB deployment, you must first configure a standard load
 balancing setup for each zone. This enables you to balance load across
@@ -2912,7 +2913,7 @@ above, the administrator of xyztelco is the one who sets up GSLB:
 
    On the NetScaler side, configure GSLB as given in `Configuring Global
    Server Load Balancing
-   (GSLB) <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-con.html>`__:
+   (GSLB) <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-con.html>`_:
 
    #. 
 
@@ -2922,7 +2923,7 @@ above, the administrator of xyztelco is the one who sets up GSLB:
 
       Configure Authoritative DNS, as explained in `Configuring an
       Authoritative DNS
-      Service <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-adns-svc-tsk.html>`__.
+      Service <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-adns-svc-tsk.html>`_.
 
    #. 
 
@@ -2936,28 +2937,28 @@ above, the administrator of xyztelco is the one who sets up GSLB:
       and B.xyztelco.com.
 
       For more information, see `Configuring a Basic GSLB
-      Site <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-basic-site-tsk.html>`__.
+      Site <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-basic-site-tsk.html>`_.
 
    #. 
 
       Configure a GSLB virtual server.
 
       For more information, see `Configuring a GSLB Virtual
-      Server <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-vsvr-tsk.html>`__.
+      Server <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-vsvr-tsk.html>`_.
 
    #. 
 
       Configure a GSLB service for each virtual server.
 
       For more information, see `Configuring a GSLB
-      Service <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-svc-tsk.html>`__.
+      Service <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-svc-tsk.html>`_.
 
    #. 
 
       Bind the GSLB services to the GSLB virtual server.
 
       For more information, see `Binding GSLB Services to a GSLB Virtual
-      Server <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-bind-svc-vsvr-tsk.html>`__.
+      Server <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-bind-svc-vsvr-tsk.html>`_.
 
    #. 
 
@@ -2965,7 +2966,7 @@ above, the administrator of xyztelco is the one who sets up GSLB:
       from the domain details.
 
       For more information, see `Binding a Domain to a GSLB Virtual
-      Server <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-bind-dom-vsvr-tsk.html>`__.
+      Server <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-bind-dom-vsvr-tsk.html>`_.
 
 #. 
 
@@ -2973,7 +2974,7 @@ above, the administrator of xyztelco is the one who sets up GSLB:
    NetScaler device.
 
    For more information, see `Section 15.17.2.2, “Enabling GSLB in
-   NetScaler” <#enable-glsb-ns>`__.
+   NetScaler” <#enable-glsb-ns>`_.
 
 As a domain administrator/ user perform the following:
 
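Review bot: the target "#enable-glsb-ns" on the "Enabling GSLB in NetScaler" reference spells the feature "glsb", while the other targets in this section use "gslb" ("#gslb-add", "#assign-lb-gslb"). Only the trailing underscore changes here, so please confirm the anchor name matches the label it is meant to reach and correct the transposition if it does not.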
@@ -2981,17 +2982,17 @@ As a domain administrator/ user perform the following:
 
    Add a GSLB rule on both the sites.
 
-   See `Section 15.17.2.3, “Adding a GSLB Rule” <#gslb-add>`__.
+   See `Section 15.17.2.3, “Adding a GSLB Rule” <#gslb-add>`_.
 
 #. 
 
    Assign load balancer rules.
 
    See `Section 15.17.2.4, “Assigning Load Balancing Rules to
-   GSLB” <#assign-lb-gslb>`__.
+   GSLB” <#assign-lb-gslb>`_.
 
 Prerequisites and Guidelines
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 -  
 
@@ -3070,7 +3071,7 @@ Prerequisites and Guidelines
    Statistics is collected from each GSLB virtual server.
 
 Enabling GSLB in NetScaler
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 In each zone, add GSLB-enabled NetScaler device for load balancing.
 
@@ -3173,7 +3174,7 @@ In each zone, add GSLB-enabled NetScaler device for load balancing.
    Click OK.
 
 Adding a GSLB Rule
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^
 
 #. 
 
@@ -3197,7 +3198,7 @@ Adding a GSLB Rule
 
    The Add GSLB page is displayed as follows:
 
-   |gslb-add.png: adding a gslb rule|
+   |gslb-add.png|
 
 #. 
 
@@ -3242,7 +3243,7 @@ Adding a GSLB Rule
    Click OK to confirm.
 
 Assigning Load Balancing Rules to GSLB
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 #. 
 
@@ -3281,14 +3282,14 @@ Assigning Load Balancing Rules to GSLB
    Click OK to confirm.
 
 Known Limitation
-~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~
 
 Currently, CloudStack does not support orchestration of services across
 the zones. The notion of services and service providers in region are to
 be introduced.
 
 Guest IP Ranges
-----------------------
+---------------
 
 The IP ranges for guest network traffic are set on a per-account basis
 by the user. This allows the users to configure their network in a
@@ -3302,7 +3303,7 @@ For more information, see `Section 15.10, “About Multiple IP
 Ranges” <#multiple-ip-range>`__.
 
 Acquiring a New IP Address
----------------------------------
+--------------------------
 
 #. 
 
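Review bot: the reference ending in "Ranges” <#multiple-ip-range>`__." in the leading context keeps the double-underscore form, while the same commit converts the neighbouring section references to a single underscore (for example "IPs” <#portable-ip>`_." in the next hunk). Convert this one as well, or leave them all as they were, so the page ends up with one link style.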
@@ -3334,14 +3335,14 @@ Acquiring a New IP Address
    want a normal Public IP click No.
 
    For more information on Portable IP, see `Section 15.12, “Portable
-   IPs” <#portable-ip>`__.
+   IPs” <#portable-ip>`_.
 
    Within a few moments, the new IP address should appear with the state
    Allocated. You can now use the IP address in port forwarding or
    static NAT rules.
 
 Releasing an IP Address
-------------------------------
+-----------------------
 
 When the last rule for an IP address is removed, you can release that IP
 address. The IP address still belongs to the VPC; however, it can be
@@ -3369,8 +3370,8 @@ picked up for any guest network again.
 
 #. 
 
-   Click the Release IP button. |ReleaseIPButton.png: button to release
-   an IP|
+   Click the Release IP button. |ReleaseIPButton.png|
+
 
 Static NAT
 -----------------
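Review bot: the "Static NAT" heading in the trailing context still has an underline longer than its title, the very thing this commit trims for the other headings, so trim it to the title length here too. The Release IP change also adds an empty "+" line in front of an existing blank line, which leaves two blank lines before the heading; one is enough.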
@@ -3382,7 +3383,7 @@ This section tells how to enable or disable static NAT for a particular
 IP address.
 
 Enabling or Disabling Static NAT
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 If port forwarding rules are already in effect for an IP address, you
 cannot enable static NAT to that IP.
@@ -3412,7 +3413,7 @@ function only if they are defined on the default network.
 
 #. 
 
-   Click the Static NAT |enabledisablenat.png: button to enable/disable NAT|
+   Click the Static NAT |enabledisablenat.png|
    button.
 
    The button toggles between Enable and Disable, depending on whether
@@ -3424,7 +3425,7 @@ function only if they are defined on the default network.
    the destination VM and click Apply.
 
 IP Forwarding and Firewalling
-------------------------------------
+-----------------------------
 
 By default, all incoming traffic to the public IP address is rejected.
 All outgoing traffic from the guests is also blocked by default.
@@ -3441,7 +3442,7 @@ forwarding rule could route incoming traffic on the public IP's port 33
 to port 100 on one user VM's private IP.
 
 Firewall Rules
-~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~
 
 By default, all incoming traffic to the public IP address is rejected by
 the firewall. To allow external traffic, you can open firewall ports by
@@ -3452,11 +3453,11 @@ incoming requests from certain IP addresses.
 You cannot use firewall rules to open ports for an elastic IP address.
 When elastic IP is used, outside access is instead controlled through
 the use of security groups. See `Section 15.15.2, “Adding a Security
-Group” <#add-security-group>`__.
+Group” <#add-security-group>`_.
 
 In an advanced zone, you can also create egress firewall rules by using
 the virtual router. For more information, see `Section 15.22.2, “Egress
-Firewall Rules in an Advanced Zone” <#egress-firewall-rule>`__.
+Firewall Rules in an Advanced Zone” <#egress-firewall-rule>`_.
 
 Firewall rules can be created using the Firewall tab in the Management
 Server UI. This tab is not displayed by default when CloudStack is
@@ -3520,7 +3521,7 @@ To create a firewall rule:
    Click Add.
 
 Egress Firewall Rules in an Advanced Zone
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The egress traffic originates from a private network to a public
 network, such as the Internet. By default, the egress traffic is blocked
@@ -3532,7 +3533,7 @@ allowed and the remaining traffic is blocked. When all the firewall
 rules are removed the default policy, Block, is applied.
 
 Prerequisites and Guidelines
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Consider the following scenarios to apply egress firewall rules:
 
@@ -3566,7 +3567,7 @@ Consider the following scenarios to apply egress firewall rules:
    will have the default egress policy Deny.
 
 Configuring an Egress Firewall Rule
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 #. 
 
@@ -3587,7 +3588,7 @@ Configuring an Egress Firewall Rule
    following fields to specify what type of traffic is allowed to be
    sent out of VM instances in this guest network:
 
-   |egress-firewall-rule.png: adding an egress firewall rule|
+   |egress-firewall-rule.png|
 
    -  
 
@@ -3620,7 +3621,7 @@ Configuring an Egress Firewall Rule
    Click Add.
 
 Configuring the Default Egress Policy
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 The default egress policy for Isolated guest network is configured by
 using Network offering. Use the create network offering option to
@@ -3694,7 +3695,7 @@ This feature is supported only on virtual router and Juniper SRX.
    traffic blocked or allowed.
 
 Port Forwarding
-~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~
 
 A port forward service is a set of port forwarding rules that define a
 policy. A port forward service is then applied to one or more guest VMs.
@@ -3776,7 +3777,7 @@ To set up port forwarding:
    Click Add.
 
 IP Load Balancing
-------------------------
+-----------------
 
 The user may choose to associate the same public IP for multiple guests.
 CloudStack implements a TCP-level load balancer with the following
@@ -3798,14 +3799,14 @@ This is similar to port forwarding but the destination may be multiple
 IP addresses.
 
 DNS and DHCP
--------------------
+------------
 
 The Virtual Router provides DNS and DHCP services to the guests. It
 proxies DNS requests to the DNS server configured on the Availability
 Zone.
 
 Remote Access VPN
-------------------------
+-----------------
 
 CloudStack account owners can create virtual private networks (VPN) to
 access their virtual machines. If the guest network is instantiated from
@@ -3821,9 +3822,10 @@ The VPN user database is shared across all the VPNs created by the
 account owner. All VPN users get access to all VPNs created by the
 account owner.
 
-.. note:: Make sure that not all traffic goes through the VPN. That is, the route
-installed by the VPN should be only for the guest network and not for
-all traffic.
+.. note:: 
+   Make sure that not all traffic goes through the VPN. That is, the route
+   installed by the VPN should be only for the guest network and not for
+   all traffic.
 
 -  
 
@@ -3845,7 +3847,7 @@ all traffic.
    Connection” <#site-to-site-vpn>`__
 
 Configuring Remote Access VPN
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 To set up VPN for the cloud:
 
@@ -3900,12 +3902,12 @@ To enable VPN for a particular network:
 
 #. 
 
-   Click the Enable VPN button. |EnableVPNButton.png: button to enable a VPN|
+   Click the Enable VPN button. |vpn-icon.png|
 
    The IPsec key is displayed in a popup window.
 
 Configuring Remote Access VPN in VPC
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 On enabling Remote Access VPN on a VPC, any VPN client present outside
 the VPC can access VMs present in the VPC by using the Remote VPN
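Review bot: on the "Click the Enable VPN button." line the substitution is renamed, not just stripped of its description: |EnableVPNButton.png| becomes |vpn-icon.png|, so the step will render a different image. If that is intended, say so in the commit message and check that a |vpn-icon.png| substitution is defined; otherwise keep the original name and write |EnableVPNButton.png|.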
@@ -3985,7 +3987,7 @@ To enable VPN for a VPC:
 
 #. 
 
-   Click the Enable VPN button. |vpn-icon.png: button to enable VPN|
+   Click the Enable VPN button. |vpn-icon.png|
 
    Click OK to confirm. The IPsec key is displayed in a pop-up window.
 
@@ -4013,7 +4015,7 @@ Now, you need to add the VPN users.
    Repeat the same steps to add the VPN users.
 
 Using Remote Access VPN with Windows
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The procedure to use VPN varies by Windows version. Generally, the user
 must edit the VPN properties and make sure that the default route is not
@@ -4066,11 +4068,11 @@ Vista. The commands should be similar for other Windows versions.
    Right-click the new connection and select Properties. In the
    Properties dialog, select the Networking tab.
 
-#. 
+#.
 
    In Type of VPN, choose L2TP IPsec VPN, then click IPsec settings.
    Select Use preshared key. Enter the preshared key from step
-   `1 <#source-nat>`__.
+   `1 <#source-nat>`_.
 
 #. 
 
@@ -4079,10 +4081,10 @@ Vista. The commands should be similar for other Windows versions.
 
 #. 
 
-   Enter the user name and password from step `1 <#source-nat>`__.
+   Enter the user name and password from step `1 <#source-nat>`_.
 
 Using Remote Access VPN with Mac OS X
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 First, be sure you've configured the VPN settings in your CloudStack
 install. This section is only concerned with connecting via Mac OS X to
@@ -4138,7 +4140,7 @@ differ slightly in older or newer releases of Mac OS X.
    Now click "Connect" and you will be connected to the CloudStack VPN.
 
 Setting Up a Site-to-Site VPN Connection
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 A Site-to-Site VPN connection helps you establish a secure connection
 from an enterprise datacenter to the cloud infrastructure. This allows
@@ -4169,9 +4171,10 @@ The supported endpoints on the remote datacenters are:
 
    CloudStack virtual routers
 
-.. note:: In addition to the specific Cisco and Juniper devices listed above, the
-expectation is that any Cisco or Juniper device running on the supported
-operating systems are able to establish VPN connections.
+.. note:: 
+   In addition to the specific Cisco and Juniper devices listed above, the
+   expectation is that any Cisco or Juniper device running on the supported
+   operating systems are able to establish VPN connections.
 
 To set up a Site-to-Site VPN connection, perform the following:
 
@@ -4180,7 +4183,7 @@ To set up a Site-to-Site VPN connection, perform the following:
    Create a Virtual Private Cloud (VPC).
 
    See `Section 15.27, “Configuring a Virtual Private
-   Cloud” <#configure-vpc>`__.
+   Cloud” <#configure-vpc>`_.
 
 #. 
 
@@ -4196,10 +4199,10 @@ To set up a Site-to-Site VPN connection, perform the following:
    gateway.
 
 Creating and Updating a VPN Customer Gateway
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-.. note:: A VPN customer gateway can be connected to only one VPN gateway at a
-time.
+.. note:: 
+   A VPN customer gateway can be connected to only one VPN gateway at a time.
 
 To add a VPN Customer Gateway:
 
@@ -4219,7 +4222,7 @@ To add a VPN Customer Gateway:
 
    Click Add VPN Customer Gateway.
 
-   |addvpncustomergateway.png: adding a customer gateway.|
+   |addvpncustomergateway.png|
 
    Provide the following information:
 
@@ -4245,12 +4248,13 @@ To add a VPN Customer Gateway:
       authenticate the customer gateway and the VPC VPN gateway to each
       other.
 
-      .. note:: The IKE peers (VPN end points) authenticate each other by
-      computing and sending a keyed hash of data that includes the
-      Preshared key. If the receiving peer is able to create the same
-      hash independently by using its Preshared key, it knows that both
-      peers must share the same secret, thus authenticating the customer
-      gateway.
+      .. note:: 
+         The IKE peers (VPN end points) authenticate each other by
+         computing and sending a keyed hash of data that includes the
+         Preshared key. If the receiving peer is able to create the same
+         hash independently by using its Preshared key, it knows that both
+         peers must share the same secret, thus authenticating the customer
+         gateway.
 
    -  
 
@@ -4259,11 +4263,12 @@ To add a VPN Customer Gateway:
       AES256, and 3DES. Authentication is accomplished through the
       Preshared Keys.
 
-      .. note:: The phase-1 is the first phase in the IKE process. In this initial
-      negotiation phase, the two VPN endpoints agree on the methods to
-      be used to provide security for the underlying IP traffic. The
-      phase-1 authenticates the two VPN gateways to each other, by
-      confirming that the remote gateway has a matching Preshared Key.
+      .. note:: 
+         The phase-1 is the first phase in the IKE process. In this initial
+         negotiation phase, the two VPN endpoints agree on the methods to
+         be used to provide security for the underlying IP traffic. The
+         phase-1 authenticates the two VPN gateways to each other, by
+         confirming that the remote gateway has a matching Preshared Key.
 
    -  
 
@@ -4284,11 +4289,12 @@ To add a VPN Customer Gateway:
       within phase-2. The supported encryption algorithms are AES128,
       AES192, AES256, and 3DES.
 
-      .. note:: The phase-2 is the second phase in the IKE process. The purpose of
-      IKE phase-2 is to negotiate IPSec security associations (SA) to
-      set up the IPSec tunnel. In phase-2, new keying material is
-      extracted from the Diffie-Hellman key exchange in phase-1, to
-      provide session keys to use in protecting the VPN data flow.
+      .. note:: 
+         The phase-2 is the second phase in the IKE process. The purpose of
+         IKE phase-2 is to negotiate IPSec security associations (SA) to
+         set up the IPSec tunnel. In phase-2, new keying material is
+         extracted from the Diffie-Hellman key exchange in phase-1, to
+         provide session keys to use in protecting the VPN data flow.
 
    -  
 
@@ -4307,11 +4313,12 @@ To add a VPN Customer Gateway:
       of the key exchanges increase as the DH groups grow larger, as
       does the time of the exchanges.
 
-      .. note:: When PFS is turned on, for every negotiation of a new phase-2 SA
-      the two gateways must generate a new set of phase-1 keys. This
-      adds an extra layer of protection that PFS adds, which ensures if
-      the phase-2 SA’s have expired, the keys used for new phase-2 SA’s
-      have not been generated from the current phase-1 keying material.
+      .. note:: 
+         When PFS is turned on, for every negotiation of a new phase-2 SA
+         the two gateways must generate a new set of phase-1 keys. This
+         adds an extra layer of protection that PFS adds, which ensures if
+         the phase-2 SA’s have expired, the keys used for new phase-2 SA’s
+         have not been generated from the current phase-1 keying material.
 
    -  
 
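Review bot: the PFS note is only re-indented, so its wording problems survive: "This adds an extra layer of protection that PFS adds" is circular, "which ensures if" is missing "that", and "SA’s" uses an apostrophe for a plural. While the block is being rewritten, consider "This extra layer of protection ensures that, once the phase-2 SAs have expired, the keys used for new phase-2 SAs are not generated from the current phase-1 keying material."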
@@ -4363,19 +4370,19 @@ related VPN connection is in error state.
 #. 
 
    To modify the required parameters, click the Edit VPN Customer
-   Gateway button |edit.png: button to edit a VPN customer gateway|
+   Gateway button |edit-icon.png|
 
 #. 
 
    To remove the VPN customer gateway, click the Delete VPN Customer
-   Gateway button |delete.png: button to remove a VPN customer gateway|
+   Gateway button |delete.png|
 
 #. 
 
    Click OK.
 
 Creating a VPN gateway for the VPC
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 #. 
 
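Review bot: in the "Edit VPN Customer Gateway button" step the substitution changes name from |edit.png| to |edit-icon.png|, while the Delete step two lines below keeps |delete.png| and only loses its description. Confirm that the rename is deliberate and that |edit-icon.png| has a substitution definition; if it was accidental, restore |edit.png|.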
@@ -4470,7 +4477,7 @@ Creating a VPN gateway for the VPC
       Domain
 
 Creating a VPN Connection
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^
 
 .. note:: CloudStack supports creating up to 8 VPN connections.
 
@@ -4557,8 +4564,7 @@ Creating a VPN Connection
 
    The Create VPN Connection dialog is displayed:
 
-   |createvpnconnection.png: creating a VPN connection to the customer
-   gateway.|
+   |createvpnconnection.png|
 
 #. 
 
@@ -4608,7 +4614,7 @@ Creating a VPN Connection
       ESP Policy
 
 Site-to-Site VPN Connection Between VPC Networks
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 CloudStack provides you with the ability to establish a site-to-site VPN
 connection between CloudStack virtual routers. To achieve that, add a
@@ -4665,7 +4671,7 @@ This feature is supported on all the hypervisors.
    connections to show the Connected state.
 
 Restarting and Removing a VPN Connection
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 #. 
 
@@ -4756,11 +4762,10 @@ Restarting and Removing a VPN Connection
 #. 
 
    To remove a VPN connection, click the Delete VPN connection button
-   |remove-vpn.png: button to remove a VPN connection|
+   |remove-vpn.png|
 
    To restart a VPN connection, click the Reset VPN connection button
-   present in the Details tab. |reset-vpn.png: button to reset a VPN
-   connection|
+   present in the Details tab. |reset-vpn.png|
 
 About Inter-VLAN Routing (nTier Apps)
 --------------------------------------------
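Review bot: "About Inter-VLAN Routing (nTier Apps)" in the trailing context keeps an underline longer than its title, although the hunk already touches the lines directly above it. Trim the underline to the title length so this section heading matches the ones corrected elsewhere in the commit.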
@@ -4789,8 +4794,8 @@ The major advantages are:
    from a pre-specified set of guest VLANs. All the VMs of a certain
    tier of an account reside on the guest VLAN allotted to that account.
 
-   .. note:: A VLAN allocated for an account cannot be shared between multiple
-   accounts.
+   .. note:: 
+      A VLAN allocated for an account cannot be shared between multiple accounts.
 
 -  
 
@@ -4813,7 +4818,7 @@ The major advantages are:
 
       **VPN Gateway**: For more information, see `Section 15.25.5.2,
       “Creating a VPN gateway for the
-      VPC” <#create-vpn-gateway-for-vpc>`__.
+      VPC” <#create-vpn-gateway-for-vpc>`_.
 
    -  
 
@@ -4825,7 +4830,7 @@ The major advantages are:
    -  
 
       **Private Gateway**: For more information, see `Section 15.27.5,
-      “Adding a Private Gateway to a VPC” <#add-gateway-vpc>`__.
+      “Adding a Private Gateway to a VPC” <#add-gateway-vpc>`_.
 
 -  
 
@@ -4859,16 +4864,16 @@ The major advantages are:
 The following figure shows the possible deployment scenarios of a
 Inter-VLAN setup:
 
-|mutltier.png: a multi-tier setup.|
+|mutltier.png|
 
 To set up a multi-tier Inter-VLAN deployment, see `Section 15.27,
-“Configuring a Virtual Private Cloud” <#configure-vpc>`__.
+“Configuring a Virtual Private Cloud” <#configure-vpc>`_.
 
 Configuring a Virtual Private Cloud
-------------------------------------------
+-----------------------------------
 
 About Virtual Private Clouds
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 CloudStack Virtual Private Cloud is a private, isolated part of
 CloudStack. A VPC can have its own virtual network topology that
@@ -4883,7 +4888,7 @@ networks can have the network ranges 10.0.1.0/24, 10.0.2.0/24,
 10.0.3.0/24, and so on.
 
 Major Components of a VPC:
-''''''''''''''''''''''''''
+^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 A VPC is comprised of the following network components:
 
@@ -4920,7 +4925,7 @@ A VPC is comprised of the following network components:
    **Private Gateway**: All the traffic to and from a private network
    routed to the VPC through the private gateway. For more information,
    see `Section 15.27.5, “Adding a Private Gateway to a
-   VPC” <#add-gateway-vpc>`__.
+   VPC” <#add-gateway-vpc>`_.
 
 -  
 
@@ -4931,20 +4936,20 @@ A VPC is comprised of the following network components:
    **Site-to-Site VPN Connection**: A hardware-based VPN connection
    between your VPC and your datacenter, home network, or co-location
    facility. For more information, see `Section 15.25.5, “Setting Up a
-   Site-to-Site VPN Connection” <#site-to-site-vpn>`__.
+   Site-to-Site VPN Connection” <#site-to-site-vpn>`_.
 
 -  
 
    **Customer Gateway**: The customer side of a VPN Connection. For more
    information, see `Section 15.25.5.1, “Creating and Updating a VPN
-   Customer Gateway” <#create-vpn-customer-gateway>`__.
+   Customer Gateway” <#create-vpn-customer-gateway>`_.
 
 -  
 
    **NAT Instance**: An instance that provides Port Address Translation
    for instances to access the Internet via the public gateway. For more
    information, see `Section 15.27.10, “Enabling or Disabling Static NAT
-   on a VPC” <#enable-disable-static-nat-vpc>`__.
+   on a VPC” <#enable-disable-static-nat-vpc>`_.
 
 -  
 
@@ -4953,10 +4958,10 @@ A VPC is comprised of the following network components:
    starting with the lowest numbered rule. These rules determine whether
    traffic is allowed in or out of any tier associated with the network
    ACL. For more information, see `Section 15.27.4, “Configuring Network
-   Access Control List” <#configure-acl>`__.
+   Access Control List” <#configure-acl>`_.
 
 Network Architecture in a VPC
-'''''''''''''''''''''''''''''
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 In a VPC, the following four basic options of network architectures are
 present:
@@ -4978,7 +4983,7 @@ present:
    VPC with a private gateway only and site-to-site VPN access
 
 Connectivity Options for a VPC
-''''''''''''''''''''''''''''''
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 You can connect your VPC to:
 
@@ -4997,7 +5002,7 @@ You can connect your VPC to:
    public gateway and a VPN gateway.
 
 VPC Network Considerations
-''''''''''''''''''''''''''
+^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Consider the following before you create a VPC:
 
@@ -5083,7 +5088,7 @@ Consider the following before you create a VPC:
    Remote access VPN is not supported in VPC networks.
 
 Adding a Virtual Private Cloud
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 When creating the VPC, you simply provide the zone and a set of IP
 addresses for the VPC network address space. You specify this set of
@@ -5105,7 +5110,7 @@ addresses in the form of a Classless Inter-Domain Routing (CIDR) block.
 
    Click Add VPC. The Add VPC page is displayed as follows:
 
-   |add-vpc.png: adding a vpc.|
+   |add-vpc.png|
 
    Provide the following information:
 
@@ -5146,7 +5151,7 @@ addresses in the form of a Classless Inter-Domain Routing (CIDR) block.
    Click OK.
 
 Adding Tiers
-~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~
 
 Tiers are distinct locations within a VPC that act as isolated networks,
 which do not have access to other tiers by default. Tiers are set up on
@@ -5169,8 +5174,9 @@ other tiers within the VPC.
    All the VPC that you have created for the account is listed in the
    page.
 
-   .. note:: The end users can see their own VPCs, while root and domain admin can
-   see any VPC they are authorized to see.
+   .. note:: 
+      The end users can see their own VPCs, while root and domain admin can
+      see any VPC they are authorized to see.
 
 #. 
 
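Review bot: the added `.. note:: ` line ends with a trailing space, which should be dropped. The indented body under the directive is the right fix for the note content. Since the block is being touched anyway, the context sentence "All the VPC that you have created for the account is listed" could be corrected to plural in the same pass.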
@@ -5183,7 +5189,7 @@ other tiers within the VPC.
 
    The Add new tier dialog is displayed, as follows:
 
-   |add-tier.png: adding a tier to a vpc.|
+   |add-tier.png|
 
    If you have already created tiers, the VPC diagram is displayed.
    Click Create Tier to add a new tier.
@@ -5242,7 +5248,7 @@ other tiers within the VPC.
    Continue with configuring access control list for the tier.
 
 Configuring Network Access Control List
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Define Network Access Control List (ACL) on the VPC virtual router to
 control incoming (ingress) and outgoing (egress) traffic between the VPC
@@ -5255,7 +5261,7 @@ network ACLs can be created for the tiers only if the NetworkACL service
 is supported.
 
 About Network ACL Lists
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^
 
 In CloudStack terminology, Network ACL is a group of Network ACL items.
 Network ACL items are nothing but numbered rules that are evaluated in
@@ -5272,38 +5278,15 @@ behavior is all the incoming traffic is blocked and outgoing traffic is
 allowed from the tiers. Default network ACL cannot be removed or
 modified. Contents of the default Network ACL is:
 
-Rule
-
-Protocol
-
-Traffic type
-
-Action
-
-CIDR
-
-1
-
-All
-
-Ingress
-
-Deny
-
-0.0.0.0/0
-
-2
-
-All
-
-Egress
-
-Deny
-
-0.0.0.0/0
+===== ======== ============ ====== =========
+Rule  Protocol Traffic type Action CIDR
+===== ======== ============ ====== =========
+1     All      Ingress      Deny   0.0.0.0/0
+2     All      Egress       Deny   0.0.0.0/0
+===== ======== ============ ====== =========
 
 Creating ACL Lists
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^
 
 #. 
 
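Review bot: the rebuilt table carries rule 2 as "All / Egress / Deny / 0.0.0.0/0", but the paragraph directly above says outgoing traffic is allowed from the tiers by default. One of the two is wrong, and a simple table makes the mismatch much more visible than the old flattened list did. Please check the default ACL behaviour and make the Action column for the egress row agree with the prose.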
@@ -5385,7 +5368,7 @@ Creating ACL Lists
       displayed to users.
 
 Creating an ACL Rule
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^
 
 #. 
 
@@ -5481,7 +5464,7 @@ Creating an ACL Rule
    tab.
 
 Creating a Tier with Custom ACL List
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 #. 
 
@@ -5506,7 +5489,7 @@ Creating a Tier with Custom ACL List
    Click OK.
 
 Assigning a Custom ACL List to a Tier
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 #. 
 
@@ -5534,8 +5517,7 @@ Assigning a Custom ACL List to a Tier
 
 #. 
 
-   Click the Replace ACL List icon. |replace-acl-icon.png: button to
-   replace an ACL list|
+   Click the Replace ACL List icon. |replace-acl-icon.png|
 
    The Replace ACL List dialog is displayed.
 
@@ -5548,7 +5530,7 @@ Assigning a Custom ACL List to a Tier
    Click OK.
 
 Adding a Private Gateway to a VPC
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 A private gateway can be added by the root admin only. The VPC private
 network has 1:1 relationship with the NIC of the physical network. You
@@ -5632,7 +5614,7 @@ with duplicated VLAN and IP are allowed in the same data center.
 
    Click Add new gateway:
 
-   |add-new-gateway-vpc.png: adding a private gateway for the VPC.|
+   |add-new-gateway-vpc.png|
 
 #. 
 
@@ -5680,7 +5662,7 @@ with duplicated VLAN and IP are allowed in the same data center.
    add more gateway for this VPC.
 
 Source NAT on Private Gateway
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 You might want to deploy multiple VPCs with the same super CIDR and
 guest tier CIDR. Therefore, multiple guest VMs from different VPCs can
@@ -5698,7 +5680,7 @@ To enable source NAT on existing private gateways, delete them and
 create afresh with source NAT.
 
 ACL on Private Gateway
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^
 
 The traffic on the VPC private gateway is controlled by creating both
 ingress and egress network ACL rules. The ACLs contains both allow and
@@ -5719,11 +5701,11 @@ Alternatively, you can do the following:
 
    -  
 
-      Use the Quickview. See `3 <#quickview>`__.
+      Use the Quickview. See `3 <#quickview>`_.
 
    -  
 
-      Use the Details tab. See `4 <#details-tab>`__ through .
+      Use the Details tab. See `4 <#details-tab>`_ through .
 
 #. 
 
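Review bot: the added line "See `4 <#details-tab>`_ through ." still ends in a dangling "through ." with the upper bound of the step range missing. Either restore the final step reference or cut the sentence to "See `4 <#details-tab>`_.". The literal step numbers "3" and "4" used as link text will also drift if the auto-numbered `#.` list changes, so a descriptive link text would be safer.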
@@ -5737,7 +5719,7 @@ Alternatively, you can do the following:
 #. 
 
    In the Detail tab, click the Replace ACL button.
-   |replace-acl-icon.png: button to replace the default ACL behaviour.|
+   |replace-acl-icon.png|
 
    The Replace ACL dialog is displayed.
 
@@ -5749,7 +5731,7 @@ Alternatively, you can do the following:
    in the Details page.
 
 Creating a Static Route
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^
 
 CloudStack enables you to specify routing for the VPN connection you
 create. You can enter one or CIDR addresses to indicate which traffic is
@@ -5779,7 +5761,7 @@ to be routed back to the gateway.
    Wait for few seconds until the new route is created.
 
 Blacklisting Routes
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^
 
 CloudStack enables you to block a list of routes so that they are not
 assigned to any of the VPC private gateways. Specify the list of routes
@@ -5790,7 +5772,7 @@ continue functioning. You cannot add a static route if the route is
 blacklisted for the zone.
 
 Deploying VMs to the Tier
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~
 
 #. 
 
@@ -5819,7 +5801,7 @@ Deploying VMs to the Tier
 
    Click Virtual Machines tab of the tier to which you want to add a VM.
 
-   |add-vm-vpc.png: adding a VM to a vpc.|
+   |add-vm-vpc.png|
 
    The Add Instance page is displayed.
 
@@ -5827,7 +5809,7 @@ Deploying VMs to the Tier
    on adding an instance, see the Installation Guide.
 
 Deploying VMs to VPC Tier and Shared Networks
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 CloudStack allows you deploy VMs on a VPC tier and one or more shared
 networks. With this feature, VMs deployed in a multi-tier application
@@ -5866,8 +5848,7 @@ service provider.
 
    You can deploy a VM to a VPC tier and multiple shared networks.
 
-   |addvm-tier-sharednw.png: adding a VM to a VPC tier and shared
-   network.|
+   |addvm-tier-sharednw.png|
 
 #. 
 
@@ -5876,7 +5857,7 @@ service provider.
    Your VM will be deployed to the selected VPC tier and shared network.
 
 Acquiring a New IP Address for a VPC
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 When you acquire an IP address, all IP addresses are allocated to VPC,
 not to the guest networks within the VPC. The IPs are associated to the
@@ -5963,7 +5944,7 @@ associated to more than one network at a time.
    address in port forwarding, load balancing, and static NAT rules.
 
 Releasing an IP Address Alloted to a VPC
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The IP address is a limited resource. If you no longer need a particular
 IP, you can disassociate it from its VPC and return it to the pool of
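Review bot: the heading "Releasing an IP Address Alloted to a VPC" keeps the misspelling "Alloted" while its underline is re-cut to match. Fix the title to "Allotted" in this same change and lengthen the underline by one character, otherwise the underline will need to be touched again later.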
@@ -6046,11 +6027,10 @@ still belongs to the same VPC.
 
 #. 
 
-   In the Details tab, click the Release IP button |release-ip-icon.png:
-   button to release an IP.|
+   In the Details tab, click the Release IP button |release-ip-icon.png|
 
 Enabling or Disabling Static NAT on a VPC
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 A static NAT rule maps a public IP address to the private IP address of
 a VM in a VPC to allow Internet traffic to it. This section tells how to
@@ -6137,8 +6117,8 @@ function only if they are defined on the default network.
 
 #. 
 
-   In the Details tab,click the Static NAT button. |enable-disable.png:
-   button to enable Static NAT.| The button toggles between Enable and
+   In the Details tab,click the Static NAT button. |enable-disable.png| 
+   The button toggles between Enable and
    Disable, depending on whether static NAT is currently enabled for the
    IP address.
 
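Review bot: the rewritten step line keeps "tab,click" without a space after the comma and adds a trailing space after `|enable-disable.png|`. The following line, "The button toggles between Enable and", is now cut short relative to the rest of the paragraph. Please fix the spacing and rewrap the three lines as one paragraph.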
@@ -6146,14 +6126,14 @@ function only if they are defined on the default network.
 
    If you are enabling static NAT, a dialog appears as follows:
 
-   |select-vmstatic-nat.png: selecting a tier to apply staticNAT.|
+   |select-vmstatic-nat.png|
 
 #. 
 
    Select the tier and the destination VM, then click Apply.
 
 Adding Load Balancing Rules on a VPC
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 In a VPC, you can configure two types of load balancing—external LB and
 internal LB. External LB is nothing but a LB rule created to redirect
@@ -6167,7 +6147,7 @@ load balancing devices are not supported for internal LB. The service is
 provided by a internal LB VM configured on the target tier.
 
 Load Balancing Within a Tier (External LB)
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 A CloudStack user or administrator may create load balancing rules that
 balance traffic received at a public IP to one or more VMs that belong
@@ -6176,7 +6156,7 @@ creates a rule, specifies an algorithm, and assigns the rule to a set of
 VMs within a tier.
 
 Enabling NetScaler as the LB Provider on a VPC Tier
-'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+'''''''''''''''''''''''''''''''''''''''''''''''''''
 
 #. 
 
@@ -6208,7 +6188,7 @@ Enabling NetScaler as the LB Provider on a VPC Tier
    Rule” <#ext-lb-vpc>`__.
 
 Creating a Network Offering for External LB
-'''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+'''''''''''''''''''''''''''''''''''''''''''
 
 To have external LB support on VPC, create a network offering as
 follows:
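Review bot: the context line "Rule” <#ext-lb-vpc>`__." is left with the anonymous `__` form, while the other links in this patch are converted to `_`. Pick one form for the whole file. If `_` is the choice, check that no two links share the same link text with different targets, since named references with duplicate names produce docutils warnings.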
@@ -6265,7 +6245,7 @@ follows:
       isolated part of CloudStack. A VPC can have its own virtual
       network topology that resembles a traditional physical network.
       For more information on VPCs, see `Section 15.27.1, “About Virtual
-      Private Clouds” <#vpc>`__.
+      Private Clouds” <#vpc>`_.
 
    -  
 
@@ -6302,7 +6282,7 @@ follows:
    Click OK and the network offering is created.
 
 Creating an External LB Rule
-''''''''''''''''''''''''''''''''''''''''''
+''''''''''''''''''''''''''''
 
 #. 
 
@@ -6437,19 +6417,19 @@ The new load balancing rule appears in the list. You can repeat these
 steps to add more load balancing rules for this IP address.
 
 Load Balancing Across Tiers
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 CloudStack supports sharing workload across different tiers within your
 VPC. Assume that multiple tiers are set up in your environment, such as
 Web tier and Application tier. Traffic to each tier is balanced on the
 VPC virtual router on the public side, as explained in
 `Section 15.27.11, “Adding Load Balancing Rules on a
-VPC” <#add-loadbalancer-rule-vpc>`__. If you want the traffic coming
+VPC” <#add-loadbalancer-rule-vpc>`_. If you want the traffic coming
 from the Web tier to the Application tier to be balanced, use the
 internal load balancing feature offered by CloudStack.
 
 How Does Internal LB Work in VPC?
-'''''''''''''''''''''''''''''''''''''''''''''''
+'''''''''''''''''''''''''''''''''
 
 In this figure, a public LB rule is created for the public IP
 72.52.125.10 with public port 80 and private port 81. The LB rule,
@@ -6463,10 +6443,10 @@ configured on the VM, InternalLBVM1. Another internal LB rule for the
 guest IP 10.10.10.6, with load balancer port 23 and instance port 25 is
 configured on the VM, InternalLBVM2.
 
-|vpc-lb.png: Configuring internal LB for VPC|
+|vpc-lb.png|
 
 Guidelines
-''''''''''''''''''''''''
+''''''''''
 
 -  
 
@@ -6497,7 +6477,7 @@ Guidelines
    Only one tier can have Public LB support in a VPC.
 
 Enabling Internal LB on a VPC Tier
-''''''''''''''''''''''''''''''''''''''''''''''''
+''''''''''''''''''''''''''''''''''
 
 #. 
 
@@ -6511,7 +6491,7 @@ Enabling Internal LB on a VPC Tier
    Rule” <#int-lb-vpc>`__.
 
 Creating a Network Offering for Internal LB
-'''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+'''''''''''''''''''''''''''''''''''''''''''
 
 To have internal LB support on VPC, either use the default offering,
 DefaultIsolatedNetworkOfferingForVpcNetworksWithInternalLB, or create a
@@ -6601,7 +6581,7 @@ network offering as follows:
    Click OK and the network offering is created.
 
 Creating an Internal LB Rule
-''''''''''''''''''''''''''''''''''''''''''
+''''''''''''''''''''''''''''
 
 When you create the Internal LB rule and applies to a VM, an Internal LB
 VM, which is responsible for load balancing, is created.
@@ -6694,7 +6674,7 @@ the location.
          Source
 
 Adding a Port Forwarding Rule on a VPC
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 #. 
 
@@ -6813,7 +6793,7 @@ Adding a Port Forwarding Rule on a VPC
       You can test the rule by opening an SSH session to the instance.
 
 Removing Tiers
-~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~
 
 You can remove a tier from a VPC. A removed tier cannot be revoked. When
 a tier is removed, only the resources of the tier are expunged. All the
@@ -6851,12 +6831,12 @@ belonging to the same VPC.
 #. 
 
    In the Network Details tab, click the Delete Network button.
-   |del-tier.png: button to remove a tier|
+   |del-tier.png|
 
    Click Yes to confirm. Wait for some time for the tier to be removed.
 
 Editing, Restarting, and Removing a Virtual Private Cloud
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 .. note:: Ensure that all the tiers are removed before you remove a VPC.
 
@@ -6881,21 +6861,19 @@ Editing, Restarting, and Removing a Virtual Private Cloud
 
 #. 
 
-   In the Details tab, click the Remove VPC button |remove-vpc.png:
-   button to remove a VPC|
+   In the Details tab, click the Remove VPC button |remove-vpc.png|
 
    You can remove the VPC by also using the remove button in the Quick
    View.
 
    You can edit the name and description of a VPC. To do that, select
-   the VPC, then click the Edit button. |edit-icon.png: button to edit a
-   VPC|
+   the VPC, then click the Edit button. |edit-icon.png|
 
    To restart a VPC, select the VPC, then click the Restart button.
-   |restart-vpc.png: button to restart a VPC|
+   |restart-vpc.png|
 
 Persistent Networks
---------------------------
+-------------------
 
 The network that you can provision without having to deploy any VMs on
 it is called a persistent network. A persistent network can be part of a
@@ -6920,7 +6898,7 @@ therefore even if all its VMs are destroyed the services will not be
 discontinued.
 
 Persistent Network Considerations
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 -  
 
@@ -6964,7 +6942,7 @@ Persistent Network Considerations
    non-persistent.
 
 Creating a Persistent Guest Network
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 To create a persistent network, perform the following:
 
@@ -6973,7 +6951,7 @@ To create a persistent network, perform the following:
    Create a network offering with the Persistent option enabled.
 
    See `Section 9.4.1, “Creating a New Network
-   Offering” <#creating-network-offerings>`__.
+   Offering” <#creating-network-offerings>`_.
 
 #. 
 
@@ -6995,4 +6973,82 @@ To create a persistent network, perform the following:
 
 #. 
 
-   Click OK.
\ No newline at end of file
+   Click OK.
+
+.. |guest-traffic-setup.png| image:: _static/images/guest-traffic-setup.png
+   :alt: Depicts a guest traffic setup
+.. |networksinglepod.png| image:: _static/images/network-singlepod.png
+   :alt: diagram showing logical view of network in a pod.
+.. |networksetupzone.png| image:: _static/images/network-setup-zone.png
+   :alt: Depicts network setup in a single zone.
+.. |addguestnetwork.png| image:: _static/images/add-guest-network.png
+   :alt: Add Guest network setup in a single zone.
+.. |remove-nic.png| image:: _static/images/remove-nic.png
+   :alt: button to remove a NIC.
+.. |set-default-nic.png| image:: _static/images/set-default-nic.png
+   :alt: button to set a NIC as default one.
+.. |addAccount-icon.png| image:: _static/images/addAccount-icon.png
+   :alt: button to assign an IP range to an account.
+.. |eip-ns-basiczone.png| image:: _static/images/eip-ns-basiczone.png
+   :alt: Elastic IP in a NetScaler-enabled Basic Zone.
+.. |add-ip-range.png| image:: _static/images/add-ip-range.png
+   :alt: adding an IP range to a network.
+.. |httpaccess.png| image:: _static/images/http-access.png
+   :alt: allows inbound HTTP access from anywhere.
+.. |autoscaleateconfig.png| image:: _static/images/autoscale-config.png
+   :alt: Configuring AutoScale.
+.. |EnableDisable.png| image:: _static/images/enable-disable-autoscale.png
+   :alt: button to enable or disable AutoScale.
+.. |gslb.png| image:: _static/images/gslb.png
+   :alt: GSLB architecture
+.. |gslb-add.png| image:: _static/images/add-gslb.png
+   :alt: adding a gslb rule.
+.. |ReleaseIPButton.png| image:: _static/images/release-ip-icon.png
+   :alt: button to release an IP
+.. |enabledisablenat.png| image:: _static/images/enable-disable.png
+   :alt: button to enable/disable NAT.
+.. |egress-firewall-rule.png| image:: _static/images/egress-firewall-rule.png
+   :alt: adding an egress firewall rule.
+.. |vpn-icon.png| image:: _static/images/vpn-icon.png
+   :alt: button to enable VPN.
+.. |addvpncustomergateway.png| image:: _static/images/add-vpn-customer-gateway.png
+   :alt: adding a customer gateway.
+.. |delete.png| image:: _static/images/delete-button.png
+   :alt: button to remove a VPN customer gateway.
+.. |createvpnconnection.png| image:: _static/images/create-vpn-connection.png
+   :alt: creating a VPN connection to the customer gateway.
+.. |remove-vpn.png| image:: _static/images/remove-vpn.png
+   :alt: button to remove a VPN connection
+.. |reset-vpn.png| image:: _static/images/reset-vpn.png
+   :alt: button to reset a VPN connection
+.. |mutltier.png| image:: _static/images/multi-tier-app.png
+   :alt: a multi-tier setup.
+.. |add-vpc.png| image:: _static/images/add-vpc.png
+   :alt: adding a vpc.
+.. |add-tier.png| image:: _static/images/add-tier.png
+   :alt: adding a tier to a vpc.
+.. |replace-acl-icon.png| image:: _static/images/replace-acl-icon.png
+   :alt: button to replace an ACL list
+.. |add-new-gateway-vpc.png| image:: _static/images/add-new-gateway-vpc.png
+   :alt: adding a private gateway for the VPC.
+.. |add-vm-vpc.png| image:: _static/images/add-vm-vpc.png
+   :alt: adding a VM to a vpc.
+.. |addvm-tier-sharednw.png| image:: _static/images/addvm-tier-sharednw.png
+   :alt: adding a VM to a VPC tier and shared network.
+.. |release-ip-icon.png| image:: _static/images/release-ip-icon.png
+   :alt: button to release an IP.
+.. |enable-disable.png| image:: _static/images/enable-disable.png
+   :alt: button to enable Static NAT.
+.. |select-vmstatic-nat.png| image:: _static/images/select-vm-staticnat-vpc.png
+   :alt: selecting a tier to apply staticNAT.
+.. |vpc-lb.png| image:: _static/images/vpc-lb.png
+   :alt: Configuring internal LB for VPC
+.. |del-tier.png| image:: _static/images/del-tier.png
+   :alt: button to remove a tier
+.. |remove-vpc.png| image:: _static/images/remove-vpc.png
+   :alt: button to remove a VPC
+.. |edit-icon.png| image:: _static/images/edit-icon.png
+   :alt: button to edit.
+.. |restart-vpc.png| image:: _static/images/restart-vpc.png
+   :alt: button to restart a VPC
+
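Review bot: several substitution definitions in this block duplicate or misname each other. `|ReleaseIPButton.png|` and `|release-ip-icon.png|` both map to release-ip-icon.png, and `|enabledisablenat.png|` and `|enable-disable.png|` both map to enable-disable.png; keep one name per image. The names `|mutltier.png|` and `|autoscaleateconfig.png|` look like typos and do not match their file names (multi-tier-app.png, autoscale-config.png). Also note that `|replace-acl-icon.png|` now has a single alt text, "button to replace an ACL list", so the private gateway usage loses its earlier wording about replacing the default ACL behaviour.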