Posted to dev@cloudstack.apache.org by Ram Ganesh <Ra...@citrix.com> on 2012/07/09 17:58:46 UTC

Network element's access to CS mgmt server....?

Hi All,

I would like to know if network elements like load balancers deployed in different tenant networks in a CloudStack deployment will have access to cloudstack management server to make CS API calls or will there be a need to open up ports or set up NAT?

Thanks,
Ram

RE: Network element's access to CS mgmt server....?

Posted by Ram Ganesh <Ra...@citrix.com>.
Thanks Chiradeep.


> -----Original Message-----
> From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> Sent: 12 July 2012 00:12
> To: CloudStack DeveloperList
> Subject: Re: Network element's access to CS mgmt server....?
> 
> It should work as long as the connectivity is there. You can ensure that
> the docs specify that this connectivity exists and works, since it is
> beyond the control of CloudStack.
> 
> On 7/11/12 10:50 AM, "Ram Ganesh" <Ra...@citrix.com> wrote:
> 
> >Chiradeep,
> >
> >For autoscale in the current model the monitoring + trigger happens from
> >the load balancer device. It then issues CS API calls to deploy/destroy
> >vms. How can we make it work?
> >
> >Thanks,
> >Ram
> >
> >> -----Original Message-----
> >> From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >> Sent: 11 July 2012 23:14
> >> To: CloudStack DeveloperList
> >> Subject: Re: Network element's access to CS mgmt server....?
> >>
> >> Certainly user VMs cannot. But system vms can access the management
> >> server, typically on port 8250.
> >> One option might be to poll the VPX (depending on how many there are)
> >> for autoscaling triggers from the MS.
> >>
> >>
> >> On 7/11/12 6:18 AM, "Ram Ganesh" <Ra...@citrix.com> wrote:
> >>
> >> >Alex,
> >> >
> >> >> You need to start the vpx with a nic in the management network.  In
> >> >> CloudStack code, SSVM (Secondary Storage Virtual Machine) and CPVM
> >> >> (Console Proxy Virtual Machine) both have examples of this.  They both
> >> >> have agents that connect back to CS Management server over the
> >> >> management network.
> >> >
> >> >Yes we can add a nic(vif) to a vpx in the management network and ensure
> >> >reachability to the CS mgmt server. But how about the CS mgmt ports such
> >> >as 8080/443 - they may be blocked by intermediate firewall/VR? Also
> >> >please note unlike SSVM from vpx we may be able to issue a finite
> >> >(restricted) set of CS API calls so we may not be able to issue firewall
> >> >rule related API calls. Also the load balancer devices can be placed into
> >> >network from outside the context of CloudStack and later the device can
> >> >be added into CloudStack using addNetscalerLoadbalancer() API.
> >> >
> >> >So to put it another way - Can the VMs spread across various guest
> >> >networks reach out to the CS mgmt server using the same IP?
> >> >
> >> >
> >> >Thanks,
> >> >Ram
> >> >
> >


Re: Network element's access to CS mgmt server....?

Posted by Chiradeep Vittal <Ch...@citrix.com>.
It should work as long as the connectivity is there. You can ensure that
the docs specify that this connectivity exists and works, since it is
beyond the control of CloudStack.

On 7/11/12 10:50 AM, "Ram Ganesh" <Ra...@citrix.com> wrote:

>Chiradeep,
>
>For autoscale in the current model the monitoring + trigger happens from
>the load balancer device. It then issues CS API calls to deploy/destroy
>vms. How can we make it work?
>
>Thanks,
>Ram
>
>> -----Original Message-----
>> From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
>> Sent: 11 July 2012 23:14
>> To: CloudStack DeveloperList
>> Subject: Re: Network element's access to CS mgmt server....?
>> 
>> Certainly user VMs cannot. But system vms can access the management
>> server, typically on port 8250.
>> One option might be to poll the VPX (depending on how many there are)
>> for autoscaling triggers from the MS.
>> 
>> 
>> On 7/11/12 6:18 AM, "Ram Ganesh" <Ra...@citrix.com> wrote:
>> 
>> >Alex,
>> >
>> >> You need to start the vpx with a nic in the management network.  In
>> >> CloudStack code, SSVM (Secondary Storage Virtual Machine) and CPVM
>> >> (Console Proxy Virtual Machine) both have examples of this.  They both
>> >> have agents that connect back to CS Management server over the
>> >> management network.
>> >
>> >Yes we can add a nic(vif) to a vpx in the management network and ensure
>> >reachability to the CS mgmt server. But how about the CS mgmt ports such
>> >as 8080/443 - they may be blocked by intermediate firewall/VR? Also
>> >please note unlike SSVM from vpx we may be able to issue a finite
>> >(restricted) set of CS API calls so we may not be able to issue firewall
>> >rule related API calls. Also the load balancer devices can be placed into
>> >network from outside the context of CloudStack and later the device can
>> >be added into CloudStack using addNetscalerLoadbalancer() API.
>> >
>> >So to put it another way - Can the VMs spread across various guest
>> >networks reach out to the CS mgmt server using the same IP?
>> >
>> >
>> >Thanks,
>> >Ram
>> >
>
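
Added example (not part of the thread and not CloudStack code): a preflight check that could be run from the load balancer VM to confirm the connectivity discussed above, separating a port that is silently dropped by an intermediate firewall/VR from one that is refused. The ports are the ones named in the thread; the target address is supplied by the operator and the script name in the usage comment is hypothetical.

```python
import socket
import sys

# Ports named in the thread: 8250 (system VM agents), 8080 and 443 (CS API).
THREAD_PORTS = (8250, 8080, 443)

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt from this machine to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed end to end
    except ConnectionRefusedError:
        return "refused"           # an RST came back: nothing accepted the connection
    except socket.timeout:
        return "filtered"          # no answer at all, typical of a dropping firewall/VR
    except OSError:
        return "unreachable"       # no route, name resolution failure, or ICMP reject

def check_path(host, ports=THREAD_PORTS, timeout=3.0):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}

def usable(results):
    """Ports on which the element could actually reach the server."""
    return sorted(p for p, state in results.items() if state == "open")

def report(host, results):
    """Render the results as lines suitable for a deployment checklist."""
    hints = {
        "open": "reachable",
        "refused": "connection rejected; no service accepted it",
        "filtered": "dropped in transit; check firewall/VR rules",
        "unreachable": "no route or name resolution to the server",
    }
    return [f"{host}:{p} {s} ({hints[s]})" for p, s in sorted(results.items())]

if __name__ == "__main__":
    # Usage: python check_ms.py <management-server-address>
    # (script name is hypothetical; defaults to loopback when no address is given)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    outcome = check_path(target)
    print("\n".join(report(target, outcome)))
    sys.exit(0 if usable(outcome) else 1)
```
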


RE: Network element's access to CS mgmt server....?

Posted by Ram Ganesh <Ra...@citrix.com>.
Chiradeep,

For autoscale in the current model the monitoring + trigger happens from the load balancer device. It then issues CS API calls to deploy/destroy vms. How can we make it work?

Thanks,
Ram

> -----Original Message-----
> From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> Sent: 11 July 2012 23:14
> To: CloudStack DeveloperList
> Subject: Re: Network element's access to CS mgmt server....?
> 
> Certainly user VMs cannot. But system vms can access the management
> server, typically on port 8250.
> One option might be to poll the VPX (depending on how many there are)
> for autoscaling triggers from the MS.
> 
> 
> On 7/11/12 6:18 AM, "Ram Ganesh" <Ra...@citrix.com> wrote:
> 
> >Alex,
> >
> >> You need to start the vpx with a nic in the management network.  In
> >> CloudStack code, SSVM (Secondary Storage Virtual Machine) and CPVM
> >> (Console Proxy Virtual Machine) both have examples of this.  They both
> >> have agents that connect back to CS Management server over the
> >> management network.
> >
> >Yes we can add a nic(vif) to a vpx in the management network and ensure
> >reachability to the CS mgmt server. But how about the CS mgmt ports such
> >as 8080/443 - they may be blocked by intermediate firewall/VR? Also
> >please note unlike SSVM from vpx we may be able to issue a finite
> >(restricted) set of CS API calls so we may not be able to issue firewall
> >rule related API calls. Also the load balancer devices can be placed into
> >network from outside the context of CloudStack and later the device can
> >be added into CloudStack using addNetscalerLoadbalancer() API.
> >
> >So to put it another way - Can the VMs spread across various guest
> >networks reach out to the CS mgmt server using the same IP?
> >
> >
> >Thanks,
> >Ram
> >


Re: Network element's access to CS mgmt server....?

Posted by Chiradeep Vittal <Ch...@citrix.com>.
Certainly user VMs cannot. But system vms can access the management
server, typically on port 8250.
One option might be to poll the VPX (depending on how many there are) for
autoscaling triggers from the MS.


On 7/11/12 6:18 AM, "Ram Ganesh" <Ra...@citrix.com> wrote:

>Alex,
>
>> You need to start the vpx with a nic in the management network.  In
>> CloudStack code, SSVM (Secondary Storage Virtual Machine) and CPVM
>> (Console Proxy Virtual Machine) both have examples of this.  They both
>> have agents that connect back to CS Management server over the
>> management network.
>
>Yes we can add a nic(vif) to a vpx in the management network and ensure
>reachability to the CS mgmt server. But how about the CS mgmt ports such
>as 8080/443 - they may be blocked by intermediate firewall/VR? Also
>please note unlike SSVM from vpx we may be able to issue a finite
>(restricted) set of CS API calls so we may not be able to issue firewall
>rule related API calls. Also the load balancer devices can be placed into
>network from outside the context of CloudStack and later the device can
>be added into CloudStack using addNetscalerLoadbalancer() API.
>
>So to put it another way - Can the VMs spread across various guest
>networks reach out to the CS mgmt server using the same IP?
>
>
>Thanks,
>Ram
>


RE: Network element's access to CS mgmt server....?

Posted by Ram Ganesh <Ra...@citrix.com>.
Alex,

> You need to start the vpx with a nic in the management network.  In
> CloudStack code, SSVM (Secondary Storage Virtual Machine) and CPVM
> (Console Proxy Virtual Machine) both have examples of this.  They both
> have agents that connect back to CS Management server over the
> management network.

Yes we can add a nic(vif) to a vpx in the management network and ensure reachability to the CS mgmt server. But how about the CS mgmt ports such as 8080/443 - they may be blocked by intermediate firewall/VR? Also please note unlike SSVM from vpx we may be able to issue a finite (restricted) set of CS API calls so we may not be able to issue firewall rule related API calls. Also the load balancer devices can be placed into network from outside the context of CloudStack and later the device can be added into CloudStack using addNetscalerLoadbalancer() API.

So to put it another way - Can the VMs spread across various guest networks reach out to the CS mgmt server using the same IP?


Thanks,
Ram


RE: Network element's access to CS mgmt server....?

Posted by Alex Huang <Al...@citrix.com>.
> Network Element could be a NetScaler virtual appliance, which is a
> VM. The question is will this element always be able to make CS API calls
> without opening up ports/setting up NAT?
> 

I see.  I was thinking out-dated (hardware) and you're thinking cloud (vpx).  :)

You need to start the vpx with a nic in the management network.  In CloudStack code, SSVM (Secondary Storage Virtual Machine) and CPVM (Console Proxy Virtual Machine) both have examples of this.  They both have agents that connect back to CS Management server over the management network.

That code is in SecondaryStorageManagerImpl.java and ConsoleProxyManagerImpl.java.

--Alex

RE: Network element's access to CS mgmt server....?

Posted by Ram Ganesh <Ra...@citrix.com>.
Alex,


> -----Original Message-----
> From: Alex Huang [mailto:Alex.Huang@citrix.com]
> Sent: 09 July 2012 21:48
> To: cloudstack-dev@incubator.apache.org
> Subject: RE: Network element's access to CS mgmt server....?
> 
> > I would like to know if network elements like load balancers deployed in
> > different tenant networks in a CloudStack deployment will have access to
> > cloudstack management server to make CS API calls or will there be a need to
> > open up ports or set up NAT?
> >
> 
> Ram,
> 
> You're asking if the physical network element has access to the
> management server, correct?  If so, that's really up to the network
> element provider and the cloud operator.  CS does not place any
> requirements on this.

Network Element could be a NetScaler virtual appliance, which is a VM. The question is will this element always be able to make CS API calls without opening up ports/setting up NAT?

Thanks,
Ram


> 
> --Alex

RE: Network element's access to CS mgmt server....?

Posted by Alex Huang <Al...@citrix.com>.
> I would like to know if network elements like load balancers deployed in
> different tenant networks in a CloudStack deployment will have access to
> cloudstack management server to make CS API calls or will there be a need to
> open up ports or set up NAT?
> 

Ram,

You're asking if the physical network element has access to the management server, correct?  If so, that's really up to the network element provider and the cloud operator.  CS does not place any requirements on this.

--Alex