Yeah, so that means it needs to be controlled by the VMs individually. I was trying to do it where it's governed by another device in the middle with a universal set of rules.

-----Original Message-----
From: Abhinandan Prateek [mailto:abhinandan.prat...@citrix.com]
Sent: Tuesday, May 15, 2012 10:14 PM
To: cloudstack-dev@incubator.apache.org
Subject: RE: domr iptables rules

Separate accounts will each have a dedicated VR. If they are to be on the same guest VLAN then traffic to db VMs can be controlled by iptables on those VMs.

>-----Original Message-----
>From: Clayton Weise [mailto:cwe...@iswest.net]
>Sent: Tuesday, May 15, 2012 10:07 PM
>To: 'cloudstack-dev@incubator.apache.org'
>Subject: RE: domr iptables rules
>
>But how would the app servers reach the db servers on a private network? In your example, what is limiting the communication between app and db? Do app and db share the same virtual router? Do they have separate ones? If they share the same virtual router then they're on the same subnet/vlan internally and have unrestricted access to one another. If they have separate virtual routers how can they connect with their associated private networks?
>
>-----Original Message-----
>From: Abhinandan Prateek [mailto:abhinandan.prat...@citrix.com]
>Sent: Monday, May 14, 2012 8:24 PM
>To: cloudstack-dev@incubator.apache.org
>Subject: RE: domr iptables rules
>
>One way to do it is to have iptables do filtering on db-servers, but the easiest is
>...
>Have an advanced zone, create two accounts, put db VMs in one account (guest network) and webserver VMs in another. Now in general you have several options to control the traffic to these accounts via the VR.
>For example you can have unrestricted external access to your web VMs on certain ports. On the other hand you can have restricted access to certain subnets, ports to the db.
>
>>-----Original Message-----
>>From: Clayton Weise [mailto:cwe...@iswest.net]
>>Sent: Tuesday, May 15, 2012 1:22 AM
>>To: cloudstack-dev@incubator.apache.org
>>Subject: RE: domr iptables rules
>>
>>Thanks for the response. So then my next question is how would this be achieved? I can see creating a network for the db servers and setting all db instances to use it as their default network, and attaching the app servers _to_ the db network, but then there would be no filtering occurring. The app servers would have unrestricted access to the db servers. How can I filter/control the traffic between app and db?
>>
>>________________________________________
>>From: Abhinandan Prateek [abhinandan.prat...@citrix.com]
>>Sent: Thursday, May 10, 2012 7:58 PM
>>To: cloudstack-dev@incubator.apache.org
>>Subject: RE: domr iptables rules
>>
>>The app server VMs will reach the db VM via private address.
>>
>>If you want external access to db too but with restrictions to certain subnets/ips, that too can be achieved using port-forwarding and the source cidrs option.
>>
>>I believe that the advanced networking model is very flexible to support variations of deployments.
>>
>>-Abhi
>>
>>
>>>-----Original Message-----
>>>From: Clayton Weise [mailto:cwe...@iswest.net]
>>>Sent: Friday, May 11, 2012 3:58 AM
>>>To: 'cloudstack-dev@incubator.apache.org'
>>>Subject: RE: domr iptables rules
>>>
>>>So in this case are your app servers reaching the database servers via their public or private addresses?
>>>
>>>-----Original Message-----
>>>From: Abhinandan Prateek [mailto:abhinandan.prat...@citrix.com]
>>>Sent: Thursday, May 10, 2012 9:05 AM
>>>To: cloudstack-dev@incubator.apache.org
>>>Subject: RE: domr iptables rules
>>>
>>>Why not a set of VMs running app server load balanced using VR.
>>>A VM running db (or probably a set of VMs running db in master-slave conf) with no external access but only via the app server VMs.
>>>I guess this is what you want?
>>>
>>>-Abhi
>>>
>>>>-----Original Message-----
>>>>From: Clayton Weise [mailto:cwe...@iswest.net]
>>>>Sent: Thursday, May 10, 2012 9:00 PM
>>>>To: 'cloudstack-dev@incubator.apache.org'
>>>>Subject: RE: domr iptables rules
>>>>
>>>>It's something I have been toying with. Basically it's a standard app/db setup where the app servers would reside in a DMZ and the db servers would sit in a trusted network. We need to limit the traffic going between the app and the db servers in advanced networking. So currently the db and app servers have their own separate networks (vlans) and their own virtual routers. I was thinking of different ways to limit the traffic from app to db to be permitted on specific ports.
>>>>
>>>>-----Original Message-----
>>>>From: Anthony Xu [mailto:xuefei...@citrix.com]
>>>>Sent: Wednesday, May 09, 2012 4:33 PM
>>>>To: cloudstack-dev@incubator.apache.org
>>>>Subject: RE: domr iptables rules
>>>>
>>>>It is better to do it through the API. CloudStack already provides several APIs for customers to add ACLs for customer networks; what kind of rules do you want to add? Can you do it through the current API? Or what kind of API would you like to add?
>>>>
>>>>Anthony
>>>>
>>>>> -----Original Message-----
>>>>> From: Clayton Weise [mailto:cwe...@iswest.net]
>>>>> Sent: Wednesday, May 09, 2012 4:26 PM
>>>>> To: 'cloudstack-dev@incubator.apache.org'
>>>>> Subject: RE: domr iptables rules
>>>>>
>>>>> As a dirty hack would it be possible to create an init script which added these custom rules when the domr boots?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Anthony Xu [mailto:xuefei...@citrix.com]
>>>>> Sent: Wednesday, May 09, 2012 12:21 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Subject: RE: domr iptables rules
>>>>>
>>>>> Iptables rules are not persistent inside domr; CloudStack sends commands to domr to generate rules on demand.
>>>>> So if you reboot domr, some rules may not come back. But if you reboot domr through the CloudStack UI, all rules should come back; CloudStack will send commands to program the rules again.
>>>>>
>>>>>
>>>>> Anthony
>>>>>
>>>>>
>>>>> > -----Original Message-----
>>>>> > From: Clayton Weise [mailto:cwe...@iswest.net]
>>>>> > Sent: Wednesday, May 09, 2012 10:09 AM
>>>>> > To: 'cloudstack-dev@incubator.apache.org'
>>>>> > Subject: domr iptables rules
>>>>> >
>>>>> > Where are these kept? After rebooting a virtual router not all of the firewall rules came back. Also, I wanted to manually add a few things and I was curious where I could do it and have those rules retained when the domr reboots.
>>>>> >
>>>>> > Thanks
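As an added example, not code from this thread or from CloudStack, here is the approach Abhinandan points to when both tiers share a guest VLAN: filter on the db VMs themselves instead of hand-editing domr, whose rules CloudStack regenerates. The script emits an iptables-restore ruleset that admits only the app network to the database port, logs every other attempt on that port, and drops the rest; the app CIDR 10.1.1.0/24, port 3306 and the /etc/iptables/rules.v4 path are assumed, constructed values.

```shell
#!/bin/sh
# Constructed defaults: app-tier guest network and the db listening port.
APP_CIDR="${APP_CIDR:-10.1.1.0/24}"
DB_PORT="${DB_PORT:-3306}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# Print an iptables-restore ruleset for the db VM: default-deny inbound,
# one ACCEPT for new connections from the app network to the db port,
# and a LOG rule so denied attempts on that port show up in syslog.
db_ruleset() {
  app="$1"; port="$2"
  printf '%s\n' \
    '*filter' \
    ':INPUT DROP [0:0]' \
    ':FORWARD DROP [0:0]' \
    ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -p icmp -j ACCEPT' \
    "-A INPUT -p tcp -s $app --dport $port -m conntrack --ctstate NEW -j ACCEPT" \
    "-A INPUT -p tcp --dport $port -j LOG --log-prefix \"db-denied: \" --log-level 4" \
    '-A INPUT -j DROP' \
    'COMMIT'
}

# Sanity check before applying: exactly one ACCEPT may open the db port.
# Anything else means the policy has drifted from "app tier only".
count_port_accepts() {
  db_ruleset "$1" "$2" | grep -c -- "--dport $2 .*-j ACCEPT"
}

# Write the ruleset where the distro's persistence hook (e.g. iptables-persistent)
# reloads it at boot, then load it now. Add a management/SSH ACCEPT for your
# admin network to db_ruleset first, or this locks you out of the VM.
apply_ruleset() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: run as root" >&2; return 1; }
  [ "$(count_port_accepts "$APP_CIDR" "$DB_PORT")" = "1" ] || return 1
  mkdir -p "$(dirname "$RULES_FILE")"
  db_ruleset "$APP_CIDR" "$DB_PORT" > "$RULES_FILE" && iptables-restore < "$RULES_FILE"
}
```

Run `db_ruleset 10.1.1.0/24 3306` to inspect the generated policy before calling `apply_ruleset`; denied connections appear in the kernel log with the `db-denied:` prefix.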