Thanks for the response. So then my next question is how would this be achieved? I can see creating a network for the db servers and set all db instances to use it as their default network, and attach the app servers _to_ the db network but then there would be no filtering occurring. The app servers would have unrestricted access to the db servers. How can I filter/control the traffic between app and db?
________________________________________
From: Abhinandan Prateek [abhinandan.prat...@citrix.com]
Sent: Thursday, May 10, 2012 7:58 PM
To: cloudstack-dev@incubator.apache.org
Subject: RE: domr iptables rules

The app server VMs will reach the db VM via private addresses. If you want external access to the db too, but restricted to certain subnets/IPs, that can also be achieved using port-forwarding and the source CIDRs option. I believe that the advanced networking model is flexible enough to support variations of deployments.

-Abhi

>-----Original Message-----
>From: Clayton Weise [mailto:cwe...@iswest.net]
>Sent: Friday, May 11, 2012 3:58 AM
>To: 'cloudstack-dev@incubator.apache.org'
>Subject: RE: domr iptables rules
>
>So in this case are your app servers reaching the database servers via their
>public or private addresses?
>
>-----Original Message-----
>From: Abhinandan Prateek [mailto:abhinandan.prat...@citrix.com]
>Sent: Thursday, May 10, 2012 9:05 AM
>To: cloudstack-dev@incubator.apache.org
>Subject: RE: domr iptables rules
>
>Why not a set of VMs running the app server, load balanced using the VR,
>and a VM running the db (or probably a set of VMs running the db in a master-slave conf)
>with no external access, reachable only via the app server VMs?
>I guess this is what you want?
>
>-Abhi
>
>>-----Original Message-----
>>From: Clayton Weise [mailto:cwe...@iswest.net]
>>Sent: Thursday, May 10, 2012 9:00 PM
>>To: 'cloudstack-dev@incubator.apache.org'
>>Subject: RE: domr iptables rules
>>
>>It's something I have been toying with. Basically it's a standard
>>app/db setup where the app servers would reside in a DMZ and the db
>>servers would sit in a trusted network. We need to limit the traffic
>>going between the app and the db servers in advanced networking. So
>>currently the db and app servers have their own separate networks
>>(VLANs) and their own virtual routers. I was thinking of different
>>ways to limit the traffic from app to db so that it is permitted only on specific ports.
>>
>>-----Original Message-----
>>From: Anthony Xu [mailto:xuefei...@citrix.com]
>>Sent: Wednesday, May 09, 2012 4:33 PM
>>To: cloudstack-dev@incubator.apache.org
>>Subject: RE: domr iptables rules
>>
>>It is better to do it through the API. CloudStack already provides several
>>APIs for customers to add ACLs for customer networks. What kind of rules
>>do you want to add? Can you do it through the current API? Or what kind of API
>>would you like to add?
>>
>>Anthony
>>
>>> -----Original Message-----
>>> From: Clayton Weise [mailto:cwe...@iswest.net]
>>> Sent: Wednesday, May 09, 2012 4:26 PM
>>> To: 'cloudstack-dev@incubator.apache.org'
>>> Subject: RE: domr iptables rules
>>>
>>> As a dirty hack, would it be possible to create an init script which
>>> added these custom rules when the domr boots?
>>>
>>> -----Original Message-----
>>> From: Anthony Xu [mailto:xuefei...@citrix.com]
>>> Sent: Wednesday, May 09, 2012 12:21 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Subject: RE: domr iptables rules
>>>
>>> iptables rules are not persistent inside domr; CloudStack sends commands
>>> to domr to generate rules on demand.
>>> So if you reboot domr, some rules may not come back. But if you
>>> reboot domr through the CloudStack UI, all rules should come back, as
>>> CloudStack will send commands to program the rules again.
>>>
>>>
>>> Anthony
>>>
>>>
>>> > -----Original Message-----
>>> > From: Clayton Weise [mailto:cwe...@iswest.net]
>>> > Sent: Wednesday, May 09, 2012 10:09 AM
>>> > To: 'cloudstack-dev@incubator.apache.org'
>>> > Subject: domr iptables rules
>>> >
>>> > Where are these kept? After rebooting a virtual router, not all of the
>>> > firewall rules came back. Also, I wanted to manually add a few things
>>> > and I was curious where I could do it and have those rules retained
>>> > when the domr reboots.
>>> >
>>> > Thanks
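The rule loss after a domr reboot that started this thread is something an operator can detect rather than discover by accident. As an added example (not part of the list thread or of CloudStack's own code), the script below compares an `iptables-save` dump from the virtual router against the intended app-to-db policy and reports rules that did not come back or are out of order. The subnets, the port list and the sample dump are constructed values.

```python
import re

# Intended tier policy (constructed sample values, not from the thread):
# only the app subnet may reach the db subnet, and only on these TCP ports.
APP_NET = "10.1.1.0/24"
DB_NET = "10.1.2.0/24"
DB_PORTS = (3306,)

def expected_rules(app_net=APP_NET, db_net=DB_NET, ports=DB_PORTS):
    """FORWARD-chain rules the policy requires, in iptables-save syntax;
    the per-port ACCEPTs must precede the catch-all DROP toward the db net."""
    rules = [f"-A FORWARD -s {app_net} -d {db_net} -p tcp -m tcp --dport {p} -j ACCEPT"
             for p in ports]
    rules.append(f"-A FORWARD -d {db_net} -j DROP")
    return rules

def parse_iptables_save(dump):
    """Return the '-A' rule lines of the *filter table, whitespace-normalised."""
    rules, in_filter = [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")
        elif in_filter and line.startswith("-A "):
            rules.append(re.sub(r"\s+", " ", line))
    return rules

def audit(dump, expected=None):
    """Compare a live dump with the policy. Returns (missing, misordered):
    expected rules absent from the dump, and whether the catch-all DROP
    sits in front of one of its ACCEPT exceptions (which would block it)."""
    expected = expected or expected_rules()
    live = parse_iptables_save(dump)
    missing = [r for r in expected if r not in live]
    idx = {r: live.index(r) for r in expected if r in live}
    drop = expected[-1]
    misordered = drop in idx and any(idx[r] > idx[drop] for r in expected[:-1] if r in idx)
    return missing, misordered

# Constructed dump as it might look after a domr reboot: the per-port
# ACCEPT survived but the catch-all DROP did not come back, so the db
# tier is reachable from anything the router forwards. audit() flags it.
SAMPLE_AFTER_REBOOT = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 10.1.1.0/24 -d 10.1.2.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""
```

Run `audit()` over the output of `iptables-save` taken from the router after each reboot; a non-empty `missing` list is the signal that the rules should be re-programmed through CloudStack rather than patched by hand.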