Posted to dev@cloudstack.apache.org by Murali Reddy <Mu...@citrix.com> on 2012/05/17 16:58:53 UTC

basic zone for public clouds

I was working on bug CS-14862 [1], which made me wonder if a basic zone
with/without security groups can be used to build a public cloud.
Obviously, if a basic zone is deployed with true public IPs for guest IP
addresses, then an account gets access to the guest VMs, snapshots etc. from
anywhere. It seems to me that one cannot build a public cloud with zones
using a private IP address range for guest IPs (SSVM and CPVM getting a
private address being the reason). Is this a correct argument?

Clearly, having EIP/ELB support in CloudStack enables public clouds
with basic zones using private addresses. While EIP does the NATing for
inbound traffic into the cloud instances, as there is source NAT service
what happens to the outbound traffic from cloud instances when there is no
EIP assigned to them?

[1] http://bugs.cloudstack.org/browse/CS-14862 EIP/ELB - SSVM and CPVM
should be given an IP address from the public IP address range.


RE: basic zone for public clouds

Posted by Kelven Yang <ke...@citrix.com>.

> -----Original Message-----
> From: Murali Reddy [mailto:Murali.Reddy@citrix.com]
> Sent: Thursday, May 17, 2012 7:59 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: basic zone for public clouds
> 
> I was working on bug CS-14862 [1], which made me wonder if a basic zone
> with/without security groups can be used to build a public cloud.
> Obviously, if a basic zone is deployed with true public IPs for guest IP
> addresses, then an account gets access to the guest VMs, snapshots etc. from
> anywhere. It seems to me that one cannot build a public cloud with zones
> using a private IP address range for guest IPs (SSVM and CPVM getting a
> private address being the reason). Is this a correct argument?
> 

It is a correct argument with the current basic zone configuration. To solve the problem described in CS-14862, a simple approach would be to give SSVM and CPVM EIPs and let them hand over their EIPs to their clients.


> Clearly, having EIP/ELB support in CloudStack enables public clouds
> with basic zones using private addresses. While EIP does the NATing for
> inbound traffic into the cloud instances, as there is source NAT service
> what happens to the outbound traffic from cloud instances when there is
> no EIP assigned to them?
> 
> [1] http://bugs.cloudstack.org/browse/CS-14862 EIP/ELB - SSVM and CPVM
> should be given an IP address from the public IP address range.


RE: basic zone for public clouds

Posted by Kelven Yang <ke...@citrix.com>.

> -----Original Message-----
> From: Murali Reddy [mailto:Murali.Reddy@citrix.com]
> Sent: Friday, May 18, 2012 10:16 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: basic zone for public clouds
> 
> >> When the EIP feature is enabled, all tenant instances automatically get a
> >> public IP that is 1:1 NAT to their RFC1918 IP.
> >
> >Is it true for SSVM and CPVM as well? If so, it will be a minor change
> >for SSVM and CPVM to hand out the public IP backed by EIP to support the
> >feature Murali asks for. Otherwise, the public IP/VLAN has to be provided
> >inside SSVM/CPVM, while currently SSVM and CPVM do not do that by
> >default.
> >
> 
> I think SSVM and CPVM will have to use the public IP backed by EIP model.
> Directly assigning a public IP to SSVM and CPVM may result in them being
> non-routable. For example, the NetScaler that provides the EIP/ELB service
> can be the only data entry/exit point in a zone and may be set up in
> two-arm mode [1], where only the NetScaler is in the public network. So
> SSVM/CPVM on the pod's subnet may not be reachable even if they have a
> public IP.
> 

This is what I preferred and suggested. When EIP is enabled, SSVM/CPVM just need to hand out EIP-backed public IPs to their clients; no other changes will be needed within the existing infrastructure.


> [1]: http://support.citrix.com/proddocs/topic/netscaler-getting-started-map-91/ns-nw-twoarm-mul-sbnt-con.html


Re: basic zone for public clouds

Posted by Murali Reddy <Mu...@citrix.com>.
That makes sense. So both assigning a public IP directly to the SSVM/CPVM
and a public IP backed by EIP are possible.

I could be wrong, but I still think that this will be against the notion of
a basic networking zone. Unlike advanced mode, where all zone VLANs need to
be trunked, in this case just ensuring the system VMs have a public IP would
need the public VLAN to be trunked on to all TOR switches.

>In Advanced mode, the public VLAN is trunked down to the hypervisors as
>well as to external devices such as SRX and F5. This is exactly the same
>configuration. The public VLAN is trunked down to the hypervisors so that
>the system VMs can get public IPs.
>
>--
>Chiradeep



Re: basic zone for public clouds

Posted by Chiradeep Vittal <Ch...@citrix.com>.

On 5/18/12 10:16 AM, "Murali Reddy" <Mu...@citrix.com> wrote:

>>> When the EIP feature is enabled, all tenant instances automatically get a
>>> public IP that is 1:1 NAT to their RFC1918 IP.
>>
>>Is it true for SSVM and CPVM as well? If so, it will be a minor change
>>for SSVM and CPVM to hand out the public IP backed by EIP to support the
>>feature Murali asks for. Otherwise, the public IP/VLAN has to be provided
>>inside SSVM/CPVM, while currently SSVM and CPVM do not do that by
>>default.
>>
>
>I think SSVM and CPVM will have to use the public IP backed by EIP model.
>Directly assigning a public IP to SSVM and CPVM may result in them being
>non-routable. For example, the NetScaler that provides the EIP/ELB service
>can be the only data entry/exit point in a zone and may be set up in
>two-arm mode [1], where only the NetScaler is in the public network. So
>SSVM/CPVM on the pod's subnet may not be reachable even if they have a
>public IP.
>
>[1]: http://support.citrix.com/proddocs/topic/netscaler-getting-started-map-91/ns-nw-twoarm-mul-sbnt-con.html


In Advanced mode, the public VLAN is trunked down to the hypervisors as
well as to external devices such as SRX and F5. This is exactly the same
configuration. The public VLAN is trunked down to the hypervisors so that
the system VMs can get public IPs.

--
Chiradeep


Re: basic zone for public clouds

Posted by Murali Reddy <Mu...@citrix.com>.
>> When the EIP feature is enabled, all tenant instances automatically get a
>> public IP that is 1:1 NAT to their RFC1918 IP.
>
>Is it true for SSVM and CPVM as well? If so, it will be a minor change
>for SSVM and CPVM to hand out the public IP backed by EIP to support the
>feature Murali asks for. Otherwise, the public IP/VLAN has to be provided
>inside SSVM/CPVM, while currently SSVM and CPVM do not do that by default.
>

I think SSVM and CPVM will have to use the public IP backed by EIP model.
Directly assigning a public IP to SSVM and CPVM may result in them being
non-routable. For example, the NetScaler that provides the EIP/ELB service
can be the only data entry/exit point in a zone and may be set up in
two-arm mode [1], where only the NetScaler is in the public network. So
SSVM/CPVM on the pod's subnet may not be reachable even if they have a
public IP.

[1]: http://support.citrix.com/proddocs/topic/netscaler-getting-started-map-91/ns-nw-twoarm-mul-sbnt-con.html


RE: basic zone for public clouds

Posted by Kelven Yang <ke...@citrix.com>.
> -----Original Message-----
> From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> Sent: Thursday, May 17, 2012 10:02 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: basic zone for public clouds
> 
> 
> 
> On 5/17/12 7:58 AM, "Murali Reddy" <Mu...@citrix.com> wrote:
> 
> >I was working on bug CS-14862 [1], which made me wonder if a basic zone
> >with/without security groups can be used to build a public cloud.
> [snip]
> "Basic zone" or L3 isolation is the most scalable way to build public
> clouds.
> 
> >
> >Clearly, having EIP/ELB support in CloudStack enables public clouds
> >with basic zones using private addresses. While EIP does the NATing for
> >inbound traffic into the cloud instances, as there is source NAT service
> >what happens to the outbound traffic from cloud instances when there is
> >no EIP assigned to them?
> >
> >[1] http://bugs.cloudstack.org/browse/CS-14862 EIP/ELB - SSVM and CPVM
> >should be given an IP address from the public IP address range.
> 



> When the EIP feature is enabled, all tenant instances automatically get a
> public IP that is 1:1 NAT to their RFC1918 IP.

Is it true for SSVM and CPVM as well? If so, it will be a minor change for SSVM and CPVM to hand out the public IP backed by EIP to support the feature Murali asks for. Otherwise, the public IP/VLAN has to be provided inside SSVM/CPVM, while currently SSVM and CPVM do not do that by default.



> For the service VMs that provide edge services (CPVM and SSVM), we have
> to choose a couple of IPs from the public IP pool when starting these VMs.
> The tricky part is if the public IP range is added after the first
> hypervisor is added to the zone. The latter triggers auto-creation of
> system VMs. At that point the public VLAN may not be provisioned.
> 
> 
> --
> Chiradeep


Re: basic zone for public clouds

Posted by Chiradeep Vittal <Ch...@citrix.com>.

On 5/17/12 7:58 AM, "Murali Reddy" <Mu...@citrix.com> wrote:

>I was working on bug CS-14862 [1], which made me wonder if a basic zone
>with/without security groups can be used to build a public cloud.
[snip]
"Basic zone" or L3 isolation is the most scalable way to build public
clouds.

>
>Clearly, having EIP/ELB support in CloudStack enables public clouds
>with basic zones using private addresses. While EIP does the NATing for
>inbound traffic into the cloud instances, as there is source NAT service
>what happens to the outbound traffic from cloud instances when there is no
>EIP assigned to them?
>
>[1] http://bugs.cloudstack.org/browse/CS-14862 EIP/ELB - SSVM and CPVM
>should be given an IP address from the public IP address range.

When the EIP feature is enabled, all tenant instances automatically get a
public IP that is 1:1 NAT to their RFC1918 IP.
For the service VMs that provide edge services (CPVM and SSVM), we have to
choose a couple of IPs from the public IP pool when starting these VMs.
The tricky part is if the public IP range is added after the first
hypervisor is added to the zone. The latter triggers auto-creation of
system VMs. At that point the public VLAN may not be provisioned.


--
Chiradeep
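The EIP model Chiradeep describes (every instance gets a public IP that is 1:1 NAT to its RFC1918 address) and Kelven's proposal that the SSVM/CPVM hand out their EIP-backed public IP to clients, modelled as an added Python example. This is not code from the thread or from CloudStack itself: the public pool 192.0.2.0/29 and the 10.1.1.x guest addresses are constructed, and the optional zone-wide source-NAT address used for outbound traffic from an instance without an EIP is an assumption of the example, not something the thread settles. It also shows the failure case Murali raises: a system VM that only has its pod address has nothing reachable to hand out.

```python
import ipaddress

# Constructed for this example: the RFC1918 ranges a basic zone hands to
# guests and to the SSVM/CPVM on the pod subnet.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr lies in one of the RFC1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


class EipNat:
    """Zone-wide 1:1 NAT table of the kind an EIP provider in two-arm mode
    would hold: one public address per private address, in both directions.
    snat_address is an assumption of this example: an optional zone-wide
    source-NAT address used for outbound traffic from instances without an EIP.
    """

    def __init__(self, public_pool, snat_address=None):
        self.snat = snat_address
        # Reserve the SNAT address so it is never handed out as an EIP.
        self.pool = [str(h) for h in ipaddress.ip_network(public_pool).hosts()
                     if str(h) != snat_address]
        self.private_to_public = {}
        self.public_to_private = {}

    def assign(self, private_ip):
        """Allocate (or return the existing) EIP for a private address."""
        if not is_rfc1918(private_ip):
            raise ValueError(f"{private_ip} is not an RFC1918 address")
        if private_ip in self.private_to_public:
            return self.private_to_public[private_ip]
        if not self.pool:
            raise RuntimeError("public IP pool exhausted")
        public_ip = self.pool.pop(0)
        self.private_to_public[private_ip] = public_ip
        self.public_to_private[public_ip] = private_ip
        return public_ip

    def translate_inbound(self, dst_public_ip):
        """Inbound DNAT: the private address behind an EIP, or None when no
        instance owns that public address (the packet has nowhere to go)."""
        return self.public_to_private.get(dst_public_ip)

    def translate_outbound(self, src_private_ip):
        """Outbound SNAT: an instance's own EIP when it has one, otherwise the
        zone-wide SNAT address; None means the RFC1918 source cannot leave."""
        return self.private_to_public.get(src_private_ip, self.snat)


def address_to_hand_out(nat, system_vm_private_ip):
    """The address a SSVM/CPVM should put in the URLs it gives clients. Under
    the EIP model that is the system VM's own EIP; its pod address would be
    unreachable from outside the zone."""
    eip = nat.private_to_public.get(system_vm_private_ip)
    if eip is None:
        raise LookupError(
            f"system VM {system_vm_private_ip} has no EIP; clients outside the "
            "zone could not reach it")
    return eip


if __name__ == "__main__":
    # Constructed addresses: 192.0.2.0/29 (TEST-NET-1) stands in for the
    # zone's public range; 192.0.2.6 is the assumed zone-wide SNAT address.
    nat = EipNat("192.0.2.0/29", snat_address="192.0.2.6")
    ssvm_ip, cpvm_ip, guest_ip = "10.1.1.10", "10.1.1.11", "10.1.1.50"
    for ip in (ssvm_ip, cpvm_ip, guest_ip):
        print(f"{ip} -> EIP {nat.assign(ip)}")
    print("SSVM hands out:", address_to_hand_out(nat, ssvm_ip))
    print("outbound from guest with EIP:", nat.translate_outbound(guest_ip))
    print("outbound from 10.1.1.99 (no EIP):", nat.translate_outbound("10.1.1.99"))
    print("inbound to unassigned 192.0.2.5:", nat.translate_inbound("192.0.2.5"))
```

The two dictionaries are the whole point of the 1:1 model: inbound lookups key on the public address and outbound on the private one, so a public address nobody owns translates to nothing and is dropped rather than forwarded onto the pod subnet, and a system VM that was started before the public range existed (Chiradeep's ordering problem) shows up as a `LookupError` from `address_to_hand_out` instead of a pod address leaking into a client URL.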