On 16/03/13 1:46 AM, "Will Stevens" <wstev...@cloudops.com> wrote:

>
>1. Restrict the available subnets for each account so two accounts can't
>create overlapping subnets.
>To me, this breaks the whole concept of cloud, but for enterprise
>customers this is not a huge limitation because they usually solve this
>problem this way.
>
>2. Run multiple Palo Alto VM firewalls and associate one VM firewall per
>account.
>The management overhead of this is crazy, so this type of implementation
>would be very hard to work with.
>
>Since I do not like either of these approaches, I wanted to see if I could
>get some feedback on this. Are there other alternatives that would solve
>the problem more elegantly that I have not mentioned? What would be the
>best way to solve this problem in a 'CloudStack way'?

Unfortunately, the vendor appliances CloudStack supports do not have
multi-tenancy yet. The 'CloudStack way' has been both #1 and #2 to work
around this. Please see [1]: the 'external guest network' guru designs the
network such that no two guest networks in a zone using an external network
device have overlapping CIDRs. You may use the 'external guest network' guru
or extend it to ensure automatically generated non-overlapping CIDRs for
guest networks.

Also, CloudStack already supports the notion of multiple provider instances
per physical network. Using this, for load balancer devices there is a
generic management piece of code to allocate a dedicated (per tenant) or
shared load balancer from a pool of admin-provisioned load balancers [2].
See if this helps if you intend to support a pool of firewall VMs.

[1] server/src/com/cloud/network/guru/ExternalGuestNetworkGuru.java
[2] server/src/com/cloud/network/ExternalLoadBalancerDeviceManagerImpl.java

-Murali

>
>Any feedback on this would be appreciated.
>
>Cheers,
>
>Will
>
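
The non-overlap rule discussed in this thread (option #1, and the "automatically generated non-overlapping CIDRs" suggested in the reply), as an added Python example. It is not CloudStack's ExternalGuestNetworkGuru code; the class name, the zone supernet 10.1.0.0/16 and the account names are assumptions made for illustration.

```python
import ipaddress

class GuestCidrAllocator:
    """Hypothetical allocator: one zone-wide supernet shared by all accounts,
    no two guest networks behind the shared firewall may overlap."""

    def __init__(self, zone_supernet, prefixlen=24):
        self.supernet = ipaddress.ip_network(zone_supernet)
        self.prefixlen = prefixlen
        self.allocated = {}  # ip_network -> owning account

    def _conflict(self, candidate):
        # Return the (network, account) that overlaps candidate, or None.
        for net, account in self.allocated.items():
            if candidate.overlaps(net):
                return net, account
        return None

    def reserve(self, account, cidr):
        """Accept a tenant-requested CIDR only if it overlaps nothing."""
        candidate = ipaddress.ip_network(cidr)  # strict: rejects host bits
        if (candidate.version != self.supernet.version
                or not candidate.subnet_of(self.supernet)):
            raise ValueError(f"{candidate} is outside zone range {self.supernet}")
        hit = self._conflict(candidate)
        if hit:
            raise ValueError(f"{candidate} overlaps {hit[0]} owned by {hit[1]}")
        self.allocated[candidate] = account
        return candidate

    def allocate(self, account):
        """Auto-generate the next free guest CIDR of the default size."""
        for candidate in self.supernet.subnets(new_prefix=self.prefixlen):
            if self._conflict(candidate) is None:
                self.allocated[candidate] = account
                return candidate
        raise RuntimeError(f"zone range {self.supernet} exhausted")

def demo():
    # Constructed sample data: three accounts sharing one zone.
    alloc = GuestCidrAllocator("10.1.0.0/16")
    a = alloc.allocate("acct-a")
    alloc.reserve("acct-b", "10.1.1.0/25")    # smaller, tenant-chosen range
    c = alloc.allocate("acct-c")              # must skip 10.1.1.0/24
    try:
        alloc.reserve("acct-d", "10.1.1.64/26")  # sits inside acct-b's /25
        rejected = False
    except ValueError:
        rejected = True
    return str(a), str(c), rejected
```

Checking overlap rather than equality is what keeps a differently sized request (the /26 inside another account's /25) from sharing address space on the single firewall.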