Posted to users@cloudstack.apache.org by jordan j <yo...@gmail.com> on 2022/10/17 10:26:16 UTC

security within same network?

Hey everyone,

Do you have any proposals for securing VMs within the same network?
I know the security groups feature is only available in KVM, but we are
using XCP-NG for our ACS environment.

Best regards,
Jordan

Re: security within same network?

Posted by Wei ZHOU <us...@gmail.com>.
Hi Jordan,

You probably need to enable VirtualRouter (and VpcVirtualRouter if needed)
in the "network service providers" tab for the physical network.

-Wei



On Wed, 19 Oct 2022 at 10:02, jordan j <yo...@gmail.com> wrote:

> Thank you Nux,
>
> That is fine as long as I can configure Advanced Zone + Security Groups,
> have one flat network and have a VR providing DNS, DHCP and USERDATA.
> And that is built on top of XCP-NG.
>
> btw, is there any example CLI code on how to create an advanced zone with
> security groups enabled?
> I created a script that deploys such a zone + mgm and guest network + pod +
> cluster and joins a host, but as soon as I go to networks and try to deploy
> one I don't see the network offering for Shared Network with Security
> groups.
>
> When I deploy the same config from the GUI I can see that offering.
> I wonder what enables/disables ACS showing network offerings in the network
> pane.
>
> Regards,
> Jordan

Re: security within same network?

Posted by jordan j <yo...@gmail.com>.
Thank you!

On Wed, Oct 19, 2022 at 12:02 PM Nux <nu...@li.nux.ro> wrote:

> Can't tell you right now off the top of my head, but try to do it from the
> UI to your liking, then see in management-server.log and api.log what calls
> are being done and try to do the same from a cloudmonkey/api script later
> for your automation.
> ---
> Nux
> www.nux.ro

Re: security within same network?

Posted by Nux <nu...@li.nux.ro>.

Can't tell you right now off the top of my head, but try to do it from 
the UI to your liking, then see in management-server.log and api.log 
what calls are being done and try to do the same from a cloudmonkey/api 
script later for your automation.

---
Nux
www.nux.ro [1]

On 2022-10-19 09:02, jordan j wrote:

> Thank you Nux,
> 
> That is fine as long as I can configure Advanced Zone + Security 
> Groups, have one flat network and have a VR providing DNS, DHCP and 
> USERDATA.
> And that is built on top of XCP-NG.
> 
> btw, is there any example CLI code on how to create an advanced zone
> with security groups enabled?
> I created a script that deploys such a zone + mgm and guest network +
> pod + cluster and joins a host, but as soon as I go to networks and try
> to deploy one I don't see the network offering for Shared Network with
> Security groups.
> 
> When I deploy the same config from the GUI I can see that offering.
> I wonder what enables/disables ACS showing network offerings in the 
> network pane.
> 
> Regards,
> Jordan

Links:
------
[1] http://www.nux.ro
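
Nux's suggestion above (do the setup in the UI, then compare the logged API calls with what the automation sends), as an added example that is not code from this thread or from CloudStack. The log lines are constructed, their layout is an assumption, and the ids are placeholders; only the `command=...` query string is parsed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Session noise that differs on every request and says nothing about the setup.
VOLATILE = {"response", "sessionkey", "signature", "apikey", "expires", "_"}
CALL_RE = re.compile(r"\b(?:GET|POST)\s+(command=\S+)")

def parse_calls(log_text):
    """Return [(command, params)] for every state-changing API call in the log."""
    calls = []
    for line in log_text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        params = {k.lower(): v for k, v in parse_qsl(m.group(1))}
        command = params.pop("command")
        if command.startswith(("list", "query")):  # read-only calls and job polling
            continue
        # Object ids are generated per deployment, so they never match across runs.
        params = {k: v for k, v in params.items()
                  if k not in VOLATILE and not k.endswith("id")}
        calls.append((command, params))
    return calls

def diff_runs(ui_log, script_log):
    """Report calls the UI made that the script did not, and parameter gaps."""
    ui, script = parse_calls(ui_log), parse_calls(script_log)
    missing = Counter(c for c, _ in ui) - Counter(c for c, _ in script)
    by_cmd = {}
    for cmd, params in script:
        by_cmd.setdefault(cmd, []).append(params)
    gaps = []
    for cmd, params in ui:
        candidates = by_cmd.get(cmd)
        if not candidates:
            continue  # already counted in `missing`
        theirs = candidates.pop(0)  # pair calls of the same command in order
        for key in sorted(params):
            if theirs.get(key) != params[key]:
                gaps.append((cmd, key, params[key], theirs.get(key)))
    return dict(missing), gaps

def _log(*queries):
    # Constructed log layout (assumption); real logs carry more fields.
    return "\n".join(f"2022-10-19 09:00:00 INFO (constructed) 10.0.0.5 -- GET {q} 200"
                     for q in queries)

ZONE = "command=createZone&name=zone1&networktype=Advanced&dns1=8.8.8.8&internaldns1=10.0.0.1"
COMMON = ("command=createPhysicalNetwork&name=phys1&zoneid=ZONE-ID",
          "command=addTrafficType&traffictype=Guest&physicalnetworkid=PHYSNET-ID",
          "command=updatePhysicalNetwork&id=PHYSNET-ID&state=Enabled")

UI_LOG = _log(ZONE + "&securitygroupenabled=true&response=json&sessionkey=REDACTED&_=1",
              *COMMON,
              "command=listNetworkServiceProviders&name=VirtualRouter&physicalnetworkid=PHYSNET-ID",
              "command=updateNetworkServiceProvider&id=VR-PROVIDER-ID&state=Enabled",
              "command=listNetworkServiceProviders&name=SecurityGroupProvider&physicalnetworkid=PHYSNET-ID",
              "command=updateNetworkServiceProvider&id=SG-PROVIDER-ID&state=Enabled")
SCRIPT_LOG = _log(ZONE + "&response=json&apikey=REDACTED&signature=REDACTED", *COMMON)

if __name__ == "__main__":
    missing, gaps = diff_runs(UI_LOG, SCRIPT_LOG)
    print("calls only the UI made:", missing)
    print("parameters the script sent differently:", gaps)
```

Because ids are stripped before comparison, the two `updateNetworkServiceProvider` calls are reported by count only; look at the preceding `listNetworkServiceProviders` lines in the raw log to see which provider each id belongs to.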

Re: security within same network?

Posted by jordan j <yo...@gmail.com>.
Thank you Nux,

That is fine as long as I can configure Advanced Zone + Security Groups,
have one flat network and have a VR providing DNS, DHCP and USERDATA.
And that is built on top of XCP-NG.

btw, is there any example CLI code on how to create an advanced zone with
security groups enabled?
I created a script that deploys such a zone + mgm and guest network + pod +
cluster and joins a host, but as soon as I go to networks and try to deploy
one I don't see the network offering for Shared Network with Security
groups.

When I deploy the same config from the GUI I can see that offering.
I wonder what enables/disables ACS showing network offerings in the network
pane.

Regards,
Jordan


On Tue, Oct 18, 2022 at 3:29 PM Nux <nu...@li.nux.ro> wrote:

> Jordan,
>
> If you want Security Groups, then what you want is either a Basic zone
> (better avoided) or an Advanced Zone with Security Groups.
>
> Please note, an advanced zone with SG will use flat networks and the VR
> does not do any routing or other advanced services - like load balanced,
> firewall etc.
> ---
> Nux
> www.nux.ro

Re: security within same network?

Posted by Nux <nu...@li.nux.ro>.

Jordan,

If you want Security Groups, then what you want is either a Basic zone 
(better avoided) or an Advanced Zone with Security Groups.

Please note, an advanced zone with SG will use flat networks and the VR 
does not do any routing or other advanced services - like load balanced, 
firewall etc.

---
Nux
www.nux.ro [1]

On 2022-10-18 13:26, jordan j wrote:

> Thanks Wei,
> 
> That has already been increased to 20. The question is the hypervisor
> interfaces per VM, as each network uses 1.
> 
> @Nux in regards to the security groups for XCP-NG is this only for 
> Basic Zone or Advanced zoning too?
> Documentation says KVM only for advanced zoning.
> 
> regards,
> Jordan

Links:
------
[1] http://www.nux.ro

Re: security within same network?

Posted by jordan j <yo...@gmail.com>.
Thanks Wei,

That has already been increased to 20. The question is the hypervisor
interfaces per VM, as each network uses 1.

@Nux <nu...@li.nux.ro> in regards to the security groups for XCP-NG is this
only for Basic Zone or Advanced zoning too?
Documentation says KVM only for advanced zoning.

regards,
Jordan

On Tue, Oct 18, 2022 at 3:21 PM Wei ZHOU <us...@gmail.com> wrote:

> Hi jordan,
>
> There is a global configuration `vpc.max.networks` to manage it.
>
>
> Kind regards,
> Wei

Re: security within same network?

Posted by Wei ZHOU <us...@gmail.com>.
Hi jordan,

There is a global configuration `vpc.max.networks` to manage it.


Kind regards,
Wei

On Tue, 18 Oct 2022 at 14:15, jordan j <yo...@gmail.com> wrote:

> Thanks Nux,
> Great thing, I will play with that :)
>
> I am experimenting with VPC designs and as I was making some test networks
> I stumbled on the fact that a VPC cannot have more than 5 networks (VM has
> 7 interfaces max - 2 for mgm and public, 5 for guest)?
> As far as I know KVM supports the most per VM - 28 where VMware does 10 (as
> far as I remember), so it seems pretty possible for one to exceed that
> amount of networks.
>
> What if I want to have 20 or 100 networks inside a vpc? Is there a
> technical setup that allows that?
>
> Regards,
> Jordan

Re: security within same network?

Posted by jordan j <yo...@gmail.com>.
Thanks Nux,
Great thing, I will play with that :)

I am experimenting with VPC designs and as I was making some test networks
I stumbled on the fact that a VPC cannot have more than 5 networks (VM has
7 interfaces max - 2 for mgm and public, 5 for guest)?
As far as I know KVM supports the most per VM - 28 where VMware does 10 (as
far as I remember), so it seems pretty possible for one to exceed that
amount of networks.

What if I want to have 20 or 100 networks inside a vpc? Is there a
technical setup that allows that?

Regards,
Jordan

On Tue, Oct 18, 2022 at 3:01 PM Nux <nu...@li.nux.ro> wrote:

> Hello,
>
> AFAIK you can have a security group zone with XCP, though you must make
> sure you use bridges for your network, not openvswitch.
>
> ---
> Nux
> www.nux.ro

Re: security within same network?

Posted by Nux <nu...@li.nux.ro>.
Hello,

AFAIK you can have a security group zone with XCP, though you must make 
sure you use bridges for your network, not openvswitch.

---
Nux
www.nux.ro

On 2022-10-17 11:26, jordan j wrote:
> Hey everyone,
> 
> Do you have any proposals for securing VMs within the same network?
> I know the security groups feature is only available in KVM, but we are
> using XCP-NG for our ACS environment.
> 
> Best regards,
> Jordan