It looks like 19 would fit my needs but I have some concerns/questions. In that slide, the App VMs and DB VMs have a network that they both live on (10.1.3.0/24). That to me means that there is a trusted relationship, or no ability to limit what traffic can pass between the App and DB VMs short of building an ACL on the DB VM itself. Am I mistaken?
I've looked at doing #21 as well, which would also work but it gets us back to the same issue of doing something _outside_ of CloudStack's knowledge which could be clobbered by CS.

-----Original Message-----
From: Murali Reddy [mailto:murali.re...@citrix.com]
Sent: Thursday, May 10, 2012 9:25 AM
To: cloudstack-dev@incubator.apache.org
Subject: Re: domr iptables rules

On 10/05/12 9:00 PM, "Clayton Weise" <cwe...@iswest.net> wrote:

>It's something I have been toying with. Basically it's a standard app/db
>setup where the app servers would reside in a dmz and the db servers
>would sit in a trusted network. We need to limit the traffic going
>between the app and the db servers in advanced networking. So currently
>the db and app servers have their own separate networks (vlans) and their
>own virtual routers. I was thinking of different ways to limit the
>traffic from app to db to be permitted on specific ports.

Can any of the models depicted in slides 19-21 of [1] work?

[1] http://www.slideshare.net/cloudstack/cloudstack-networking
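For reference, here is what the "ACL on the DB VM itself" alternative mentioned above looks like when app and DB VMs share 10.1.3.0/24. This is an added example, not code from the thread or from CloudStack's virtual router; the app VM address range (10.1.3.10-10.1.3.19), the DB port (3306/tcp) and the interface name (eth0) are assumptions, since the thread does not state them. The rules live in a dedicated chain so re-running the script replaces them instead of appending duplicates, and everything goes through $IPT so that IPT=echo gives a dry run without root.

```shell
#!/bin/sh
# Added example, not from the thread or from CloudStack: a host-based ACL on a
# DB VM that sits on the shared 10.1.3.0/24 network, admitting the DB port only
# from the app VMs and dropping everything else that arrives on that interface.
# Assumed values (the thread does not give them): app VMs are 10.1.3.10-10.1.3.19,
# the DB listens on 3306/tcp, and the shared network is on eth0.
IPT="${IPT:-iptables}"                    # set IPT=echo for a dry run
APP_VMS="${APP_VMS:-10.1.3.10-10.1.3.19}" # iprange of the app VMs
DB_PORT="${DB_PORT:-3306}"
DB_IF="${DB_IF:-eth0}"

db_vm_acl() {
    # Dedicated chain: create if missing, then flush, so the script is idempotent.
    "$IPT" -N DB_IN 2>/dev/null || true
    "$IPT" -F DB_IN
    # Replies to connections the DB VM opened itself (and related packets) pass.
    "$IPT" -A DB_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the app VMs may open new connections, and only to the DB port.
    "$IPT" -A DB_IN -p tcp --dport "$DB_PORT" -m iprange --src-range "$APP_VMS" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Rate-limited log of what gets dropped, then the default deny for this NIC.
    "$IPT" -A DB_IN -m limit --limit 5/min -j LOG --log-prefix "db-acl-drop: "
    "$IPT" -A DB_IN -j DROP
    # Hook the chain on the shared-network interface; remove any old hook first
    # so repeated runs do not stack identical jump rules in INPUT.
    "$IPT" -D INPUT -i "$DB_IF" -j DB_IN 2>/dev/null || true
    "$IPT" -I INPUT -i "$DB_IF" -j DB_IN
}

# Apply only when asked for explicitly (needs root): ./db_acl.sh apply
if [ "${1:-}" = "apply" ]; then
    db_vm_acl
fi
```

Because the jump is bound to the shared-network interface, traffic on the DB VM's other NICs (management, for example) is untouched; SSH or monitoring that must come in over 10.1.3.0/24 needs its own ACCEPT line in DB_IN before the DROP. This is still configuration on the guest rather than in CloudStack, so it answers the "how" but not the concern about doing it outside CloudStack's knowledge.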