Posted to commits@cloudstack.apache.org by ke...@apache.org on 2014/01/28 03:23:28 UTC
[07/11] networking2.rst
http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/4bbce96f/source/networking.rst
----------------------------------------------------------------------
diff --git a/source/networking.rst b/source/networking.rst
new file mode 100644
index 0000000..d310064
--- /dev/null
+++ b/source/networking.rst
@@ -0,0 +1,658 @@
+Setting Up Networking for Users
+===============================
+
+Overview of Setting Up Networking for Users
+------------------------------------------------
+
+People using cloud infrastructure have a variety of needs and
+preferences when it comes to the networking services provided by the
+cloud. As a CloudStack administrator, you can do the following things to
+set up networking for your users:
+
+-
+
+ Set up physical networks in zones
+
+-
+
+ Set up several different providers for the same service on a single
+ physical network (for example, both Cisco and Juniper firewalls)
+
+-
+
+ Bundle different types of network services into network offerings, so
+ users can choose the desired network services for any given virtual
+ machine
+
+-
+
+ Add new network offerings as time goes on so end users can upgrade to
+ a better class of service on their network
+
+-
+
+ Provide more ways for a network to be accessed by a user, such as
+ through a project of which the user is a member
+
+About Virtual Networks
+---------------------------
+
+A virtual network is a logical construct that enables multi-tenancy on a
+single physical network. In CloudStack a virtual network can be shared
+or isolated.
+
+Isolated Networks
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+An isolated network can be accessed only by virtual machines of a single
+account. Isolated networks have the following properties.
+
+-
+
+ Resources such as VLAN are allocated and garbage collected
+ dynamically
+
+-
+
+ There is one network offering for the entire network
+
+-
+
+ The network offering can be upgraded or downgraded but it is for the
+ entire network
+
+For more information, see `Section 15.5.1, “Configure Guest Traffic in
+an Advanced Zone” <#configure-guest-traffic-in-advanced-zone>`__.
+
+Shared Networks
+~~~~~~~~~~~~~~~~~~~~~~
+
+A shared network can be accessed by virtual machines that belong to many
+different accounts. Network Isolation on shared networks is accomplished
+by using techniques such as security groups, which is supported only in
+Basic zones in CloudStack 3.0.3 and later versions.
+
+-
+
+ Shared Networks are created by the administrator
+
+-
+
+ Shared Networks can be designated to a certain domain
+
+-
+
+ Shared Network resources such as VLAN and physical network that it
+ maps to are designated by the administrator
+
+-
+
+ Shared Networks can be isolated by security groups
+
+-
+
+ Public Network is a shared network that is not shown to the end users
+
+-
+
+ Source NAT per zone is not supported in Shared Network when the
+ service provider is virtual router. However, Source NAT per account
+ is supported.
+
+For information, see `Section 15.5.3, “Configuring a Shared Guest
+Network” <#creating-shared-network>`__.
+
+Runtime Allocation of Virtual Network Resources
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When you define a new virtual network, all your settings for that
+network are stored in CloudStack. The actual network resources are
+activated only when the first virtual machine starts in the network.
+When all virtual machines have left the virtual network, the network
+resources are garbage collected so they can be allocated again. This
+helps to conserve network resources.
+
+Network Service Providers
+------------------------------
+
+.. note:: For the most up-to-date list of supported network service providers, see
+the CloudStack UI or call listNetworkServiceProviders.
+
+A service provider (also called a network element) is hardware or
+virtual appliance that makes a network service possible; for example, a
+firewall appliance can be installed in the cloud to provide firewall
+service. On a single network, multiple providers can provide the same
+network service. For example, a firewall service may be provided by
+Cisco or Juniper devices in the same physical network.
+
+You can have multiple instances of the same service provider in a
+network (say, more than one Juniper SRX device).
+
+If different providers are set up to provide the same service on the
+network, the administrator can create network offerings so users can
+specify which network service provider they prefer (along with the other
+choices offered in network offerings). Otherwise, CloudStack will choose
+which provider to use whenever the service is called for.
+
+Supported Network Service Providers
+'''''''''''''''''''''''''''''''''''
+
+CloudStack ships with an internal list of the supported service
+providers, and you can choose from this list when creating a network
+offering.
+
+Virtual Router
+
+Citrix NetScaler
+
+Juniper SRX
+
+F5 BigIP
+
+Host based (KVM/Xen)
+
+Remote Access VPN
+
+Yes
+
+No
+
+No
+
+No
+
+No
+
+DNS/DHCP/User Data
+
+Yes
+
+No
+
+No
+
+No
+
+No
+
+Firewall
+
+Yes
+
+No
+
+Yes
+
+No
+
+No
+
+Load Balancing
+
+Yes
+
+Yes
+
+No
+
+Yes
+
+No
+
+Elastic IP
+
+No
+
+Yes
+
+No
+
+No
+
+No
+
+Elastic LB
+
+No
+
+Yes
+
+No
+
+No
+
+No
+
+Source NAT
+
+Yes
+
+No
+
+Yes
+
+No
+
+No
+
+Static NAT
+
+Yes
+
+Yes
+
+Yes
+
+No
+
+No
+
+Port Forwarding
+
+Yes
+
+No
+
+Yes
+
+No
+
+No
+
+Network Offerings
+----------------------
+
+.. note:: For the most up-to-date list of supported network services, see the
+CloudStack UI or call listNetworkServices.
+
+A network offering is a named set of network services, such as:
+
+-
+
+ DHCP
+
+-
+
+ DNS
+
+-
+
+ Source NAT
+
+-
+
+ Static NAT
+
+-
+
+ Port Forwarding
+
+-
+
+ Load Balancing
+
+-
+
+ Firewall
+
+-
+
+ VPN
+
+-
+
+ (Optional) Name one of several available providers to use for a given
+ service, such as Juniper for the firewall
+
+-
+
+ (Optional) Network tag to specify which physical network to use
+
+When creating a new VM, the user chooses one of the available network
+offerings, and that determines which network services the VM can use.
+
+The CloudStack administrator can create any number of custom network
+offerings, in addition to the default network offerings provided by
+CloudStack. By creating multiple custom network offerings, you can set
+up your cloud to offer different classes of service on a single
+multi-tenant physical network. For example, while the underlying
+physical wiring may be the same for two tenants, tenant A may only need
+simple firewall protection for their website, while tenant B may be
+running a web server farm and require a scalable firewall solution, load
+balancing solution, and alternate networks for accessing the database
+backend.
+
+.. note:: If you create load balancing rules while using a network service
+offering that includes an external load balancer device such as
+NetScaler, and later change the network service offering to one that
+uses the CloudStack virtual router, you must create a firewall rule on
+the virtual router for each of your existing load balancing rules so
+that they continue to function.
+
+When creating a new virtual network, the CloudStack administrator
+chooses which network offering to enable for that network. Each virtual
+network is associated with one network offering. A virtual network can
+be upgraded or downgraded by changing its associated network offering.
+If you do this, be sure to reprogram the physical network to match.
+
+CloudStack also has internal network offerings for use by CloudStack
+system VMs. These network offerings are not visible to users but can be
+modified by administrators.
+
+Creating a New Network Offering
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To create a network offering:
+
+#.
+
+ Log in with admin privileges to the CloudStack UI.
+
+#.
+
+ In the left navigation bar, click Service Offerings.
+
+#.
+
+ In Select Offering, choose Network Offering.
+
+#.
+
+ Click Add Network Offering.
+
+#.
+
+ In the dialog, make the following choices:
+
+ -
+
+ **Name**. Any desired name for the network offering.
+
+ -
+
+ **Description**. A short description of the offering that can be
+ displayed to users.
+
+ -
+
+ **Network Rate**. Allowed data transfer rate in MB per second.
+
+ -
+
+ **Guest Type**. Choose whether the guest network is isolated or
+ shared.
+
+ For a description of this term, see `Section 9.2, “About Virtual
+ Networks” <#about-virtual-networks>`__.
+
+ -
+
+ **Persistent**. Indicate whether the guest network is persistent
+ or not. The network that you can provision without having to
+ deploy a VM on it is termed persistent network. For more
+ information, see `Section 15.28, “Persistent
+ Networks” <#persistent-network>`__.
+
+ -
+
+ **Specify VLAN**. (Isolated guest networks only) Indicate whether
+ a VLAN could be specified when this offering is used. If you
+ select this option and later use this network offering while
+ creating a VPC tier or an isolated network, you will be able to
+ specify a VLAN ID for the network you create.
+
+ -
+
+ **VPC**. This option indicate whether the guest network is Virtual
+ Private Cloud-enabled. A Virtual Private Cloud (VPC) is a private,
+ isolated part of CloudStack. A VPC can have its own virtual
+ network topology that resembles a traditional physical network.
+ For more information on VPCs, see `Section 15.27.1, “About Virtual
+ Private Clouds” <#vpc>`__.
+
+ -
+
+ **Supported Services**. Select one or more of the possible network
+ services. For some services, you must also choose the service
+ provider; for example, if you select Load Balancer, you can choose
+ the CloudStack virtual router or any other load balancers that
+ have been configured in the cloud. Depending on which services you
+ choose, additional fields may appear in the rest of the dialog
+ box.
+
+ Based on the guest network type selected, you can see the
+ following supported services:
+
+ Supported Services
+
+ Description
+
+ Isolated
+
+ Shared
+
+ DHCP
+
+ For more information, see `Section 15.24, “DNS and
+ DHCP” <#dns-dhcp>`__.
+
+ Supported
+
+ Supported
+
+ DNS
+
+ For more information, see `Section 15.24, “DNS and
+ DHCP” <#dns-dhcp>`__.
+
+ Supported
+
+ Supported
+
+ Load Balancer
+
+ If you select Load Balancer, you can choose the CloudStack virtual
+ router or any other load balancers that have been configured in
+ the cloud.
+
+ Supported
+
+ Supported
+
+ Firewall
+
+ For more information, see the Administration Guide.
+
+ Supported
+
+ Supported
+
+ Source NAT
+
+ If you select Source NAT, you can choose the CloudStack virtual
+ router or any other Source NAT providers that have been configured
+ in the cloud.
+
+ Supported
+
+ Supported
+
+ Static NAT
+
+ If you select Static NAT, you can choose the CloudStack virtual
+ router or any other Static NAT providers that have been configured
+ in the cloud.
+
+ Supported
+
+ Supported
+
+ Port Forwarding
+
+ If you select Port Forwarding, you can choose the CloudStack
+ virtual router or any other Port Forwarding providers that have
+ been configured in the cloud.
+
+ Supported
+
+ Not Supported
+
+ VPN
+
+ For more information, see `Section 15.25, “Remote Access
+ VPN” <#vpn>`__.
+
+ Supported
+
+ Not Supported
+
+ User Data
+
+ For more information, see `Section 20.2, “User Data and Meta
+ Data” <#user-data-and-meta-data>`__.
+
+ Not Supported
+
+ Supported
+
+ Network ACL
+
+ For more information, see `Section 15.27.4, “Configuring Network
+ Access Control List” <#configure-acl>`__.
+
+ Supported
+
+ Not Supported
+
+ Security Groups
+
+ For more information, see `Section 15.15.2, “Adding a Security
+ Group” <#add-security-group>`__.
+
+ Not Supported
+
+ Supported
+
+ -
+
+ **System Offering**. If the service provider for any of the
+ services selected in Supported Services is a virtual router, the
+ System Offering field appears. Choose the system service offering
+ that you want virtual routers to use in this network. For example,
+ if you selected Load Balancer in Supported Services and selected a
+ virtual router to provide load balancing, the System Offering
+ field appears so you can choose between the CloudStack default
+ system service offering and any custom system service offerings
+ that have been defined by the CloudStack root administrator.
+
+ For more information, see `Section 8.2, “System Service
+ Offerings” <#system-service-offerings>`__.
+
+ -
+
+ **LB Isolation**: Specify what type of load balancer isolation you
+ want for the network: Shared or Dedicated.
+
+ **Dedicated**: If you select dedicated LB isolation, a dedicated
+ load balancer device is assigned for the network from the pool of
+ dedicated load balancer devices provisioned in the zone. If no
+ sufficient dedicated load balancer devices are available in the
+ zone, network creation fails. Dedicated device is a good choice
+ for the high-traffic networks that make full use of the device's
+ resources.
+
+ **Shared**: If you select shared LB isolation, a shared load
+ balancer device is assigned for the network from the pool of
+ shared load balancer devices provisioned in the zone. While
+ provisioning CloudStack picks the shared load balancer device that
+ is used by the least number of accounts. Once the device reaches
+ its maximum capacity, the device will not be allocated to a new
+ account.
+
+ -
+
+ **Mode**: You can select either Inline mode or Side by Side mode:
+
+ **Inline mode**: Supported only for Juniper SRX firewall and BigF5
+ load balancer devices. In inline mode, a firewall device is placed
+ in front of a load balancing device. The firewall acts as the
+ gateway for all the incoming traffic, then redirect the load
+ balancing traffic to the load balancer behind it. The load
+ balancer in this case will not have the direct access to the
+ public network.
+
+ **Side by Side**: In side by side mode, a firewall device is
+ deployed in parallel with the load balancer device. So the traffic
+ to the load balancer public IP is not routed through the firewall,
+ and therefore, is exposed to the public network.
+
+ -
+
+ **Associate Public IP**: Select this option if you want to assign
+ a public IP address to the VMs deployed in the guest network. This
+ option is available only if
+
+ -
+
+ Guest network is shared.
+
+ -
+
+ StaticNAT is enabled.
+
+ -
+
+ Elastic IP is enabled.
+
+ For information on Elastic IP, see `Section 15.11, “About Elastic
+ IP” <#elastic-ip>`__.
+
+ -
+
+ **Redundant router capability**: Available only when Virtual
+ Router is selected as the Source NAT provider. Select this option
+ if you want to use two virtual routers in the network for
+ uninterrupted connection: one operating as the master virtual
+ router and the other as the backup. The master virtual router
+ receives requests from and sends responses to the user’s VM. The
+ backup virtual router is activated only when the master is down.
+ After the failover, the backup becomes the master virtual router.
+ CloudStack deploys the routers on different hosts to ensure
+ reliability if one host is down.
+
+ -
+
+ **Conserve mode**: Indicate whether to use conserve mode. In this
+ mode, network resources are allocated only when the first virtual
+ machine starts in the network. When conservative mode is off, the
+ public IP can only be used for a single service. For example, a
+ public IP used for a port forwarding rule cannot be used for
+ defining other services, such as StaticNAT or load balancing. When
+ the conserve mode is on, you can define more than one service on
+ the same public IP.
+
+ .. note:: If StaticNAT is enabled, irrespective of the status of the
+ conserve mode, no port forwarding or load balancing rule can be
+ created for the IP. However, you can add the firewall rules by
+ using the createFirewallRule command.
+
+ -
+
+ **Tags**: Network tag to specify which physical network to use.
+
+ -
+
+ **Default egress policy**: Configure the default policy for
+ firewall egress rules. Options are Allow and Deny. Default is
+ Allow if no egress policy is specified, which indicates that all
+ the egress traffic is accepted when a guest network is created
+ from this offering.
+
+ To block the egress traffic for a guest network, select Deny. In
+ this case, when you configure an egress rules for an isolated
+ guest network, rules are added to allow the specified traffic.
+
+#.
+
+ Click Add.
+
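Review bot: the two tables in this hunk have lost their markup and will not render as tables. The "Supported Network Service Providers" matrix (from `+Virtual Router` down to the last `+No` under `+Port Forwarding`) and the "Supported Services" matrix under the **Supported Services** bullet (from `+ Supported Services` / `+ Description` / `+ Isolated` / `+ Shared` down to the `+ Security Groups` row) are emitted as one bare cell per line, so the reader cannot tell which Yes/No or Supported/Not Supported belongs to which provider or guest type; please rebuild them as RST grid or list-table directives with the column headers (Virtual Router, Citrix NetScaler, Juniper SRX, F5 BigIP, Host based (KVM/Xen); Isolated, Shared) restored. Second, every `.. note::` in the file continues on an unindented line, for example `+.. note:: For the most up-to-date list of supported network service providers, see` followed by `+the CloudStack UI or call listNetworkServiceProviders.`; directive content must be indented, otherwise docutils ends the directive after the first line and warns about the unexpected unindent, and the remainder renders as a stray paragraph (the StaticNAT note under **Conserve mode** has the same problem). Third, the cross references still carry Publican section numbers with plain anchors, e.g. `+For more information, see `Section 15.5.1, “Configure Guest Traffic in` with `<#configure-guest-traffic-in-advanced-zone>`; those numbers will not match the Sphinx build, so they should become `:ref:` targets. Smaller points: `BigF5` under **Inline mode** should read F5 BigIP to match the provider table, and "This option indicate whether" under **VPC** should be "indicates". The **Default egress policy** text is the security-relevant part of this page and is fine as written, but since the default of Allow means all egress is accepted when a network is created from the offering, it would help operators to state that alongside the Deny option in the first sentence rather than only after it.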