Shameless bump from the user list. Does anyone know if this functionality has been requested before (maybe already exists?), if somebody is working on this and/or if there are plans for such functionality? Otherwise we might be interested in making this happen.

Thanks & Cheers,
Roeland

-----Original Message-----
From: Roeland Kuipers
Sent: 20 June 2012 12:36
To: cloudstack-us...@incubator.apache.org
Cc: int-cloud
Subject: RE: dedicated public IP ranges for system vms

Hi,

We have the same desire, for the following reasons.

Given the type of customers we host, we would like to be able to put the Portal, SSVM, CPVM, API behind a (2-factor) secured SSL VPN solution and/or also implement IDS/IPS in front of these services. On the same hand we would like to be able to selectively whitelist access to the API, for example for customers to allow hosted services like Rightscale and others. This is currently hard to implement given the dynamic IP assignments of the SSVM and CPVM. A dedicated VLAN for these services would be ideal to add additional security.

We feel the SSVM and CPVM are currently an Achilles heel since they have a foot on the private and public network in order to serve images and VNC sessions. If these VMs would get compromised, this means a potential hacker has r/w access to our secondary storage but also access to the management network (Xapi, SSH etc.) and is also able to sniff this network, not desired. I understand this is a hardened machine, but not sure if this argument will convince auditors of our customers.

Basically we want to be able to implement additional controls in front of all public services which are part of the cloud infrastructure: SSVM, CPVM, Portal and API.

Cheers,
Roeland

-----Original Message-----
From: Paul Angus [mailto:paul.an...@shapeblue.com]
Sent: 20 June 2012 09:36
To: cloudstack-us...@incubator.apache.org
Subject: RE: dedicated public IP ranges for system vms

Thanks Alena,

They want to make the allocation global so that system vms come from certain public IP pools and all user public IPs come from different pools.

-----Original Message-----
From: Alena Prokharchyk [mailto:alena.prokharc...@citrix.com]
Sent: 19 June 2012 16:21
To: cloudstack-us...@incubator.apache.org
Subject: Re: dedicated public IP ranges for system vms

On 6/19/12 4:13 AM, "Paul Angus" <paulan...@betterbydesign.uk.com> wrote:

>Is it possible to dedicate public IP address ranges to either system
>vms or account virtual routers?
>
>It's a client request.
>
>thanks
>
>
>Paul Angus
>

You can dedicate public IP ranges to a user account, but there are some limitations for this feature. Here is the article on that:
http://wiki.cloudstack.org/display/RelOps/Adding+public+Vlan+per+account

-Alena.