Hi Nick,

Being a fan of SDN, I gave this proposal a thorough read.

I do have only one comment, which you can perhaps use to reconsider:

"Each appliance will have 2 nics, one for management, and one in the
guest network. "

In general, 2 NICs - one going to management and one going to guest - are
looked upon very negatively by the internal InfoSec team. This
implementation will make an LB non-compliant from a SOX or PCI perspective.

Proposed alternate solution:
Deploy a VM with 2 NICs but put them both on the same guest network (I
believe support for 2 NICs on the *same* guest network has already been
submitted upstream). One NIC for MGMT and one NIC for GUEST.

Using SDN's ability to restrict communication flow (Open vSwitch or
whatnot), only allow specific connections from the CloudStack MS to the
Inline LB on the MGMT NIC. You will need to block all external GUEST
communication to the MGMT NIC and only let it talk to the CloudStack MS
on specific ports.

This approach should preserve the internal compliance and won't raise any
red flags.

Perhaps reach out to the client who requested this feature and ask what
they think; maybe they have not thought this through.

Regards
ilya

PS: If we were to entertain the idea of an Inline LB, we would most likely
ask for the approach mentioned above.
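
The flow restriction described in the message above (MS-only access to the MGMT NIC on a fixed set of ports, everything else from the guest network dropped), as an added example that is not part of this thread or of the CloudStack proposal. It builds an OpenFlow rule set for Open vSwitch, renders it as ovs-ofctl commands, and simulates the table against constructed packets so the policy can be checked before it is pushed to a bridge. The MS address (10.1.1.10), the LB MGMT NIC address (192.168.10.5), the bridge name (br-guest) and the TCP ports (8250, 3922) are assumptions for illustration, not values from the proposal.

```python
# Added example (not code from the CloudStack proposal or from this thread).
# Models the flow policy described in the message: only the CloudStack
# management server (MS) may reach the inline LB's MGMT NIC, on a fixed set
# of TCP ports; every other guest-network host is dropped before it reaches
# that NIC. IPs, bridge name and port numbers are assumptions for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    """Minimal L3/L4 view of a frame on the guest bridge (constructed input)."""
    proto: str          # "tcp", "udp", "icmp" or "arp"
    src: str            # IPv4 source (ARP sender address for "arp")
    dst: str            # IPv4 destination (ARP target address for "arp")
    dport: int = 0      # TCP/UDP destination port, 0 when not applicable


@dataclass
class Flow:
    """One OpenFlow rule; fields left as None are wildcards, as in ovs-ofctl."""
    priority: int
    proto: Optional[str]      # "tcp", "ip" (any IPv4 payload), "arp" or None
    nw_src: Optional[str]
    nw_dst: Optional[str]
    tp_dst: Optional[int]
    action: str               # "normal" (ordinary L2 forwarding) or "drop"

    def matches(self, p: Packet) -> bool:
        if self.proto == "ip":
            if p.proto not in ("tcp", "udp", "icmp"):
                return False
        elif self.proto is not None and p.proto != self.proto:
            return False
        if self.nw_src is not None and p.src != self.nw_src:
            return False
        if self.nw_dst is not None and p.dst != self.nw_dst:
            return False
        if self.tp_dst is not None and p.dport != self.tp_dst:
            return False
        return True

    def ofctl(self, bridge: str) -> str:
        """Render the rule as an ovs-ofctl add-flow command."""
        parts = [f"priority={self.priority}"]
        if self.proto:
            parts.append(self.proto)
        if self.nw_src:
            parts.append(f"nw_src={self.nw_src}")
        if self.nw_dst:
            # ARP rules match the target address with arp_tpa, IP rules with nw_dst.
            key = "arp_tpa" if self.proto == "arp" else "nw_dst"
            parts.append(f"{key}={self.nw_dst}")
        if self.tp_dst is not None:
            parts.append(f"tp_dst={self.tp_dst}")
        parts.append(f"actions={self.action}")
        return f'ovs-ofctl add-flow {bridge} "{",".join(parts)}"'


def build_mgmt_nic_flows(ms_ip: str, mgmt_nic_ip: str,
                         allowed_tcp_ports: List[int]) -> List[Flow]:
    """Policy for the LB's MGMT NIC: ARP so the NIC is resolvable at all,
    MS -> MGMT NIC on the listed TCP ports, then drop any other IP traffic
    destined to the MGMT NIC. Everything else on the bridge is forwarded
    normally, so traffic to the GUEST NIC is untouched."""
    flows = [Flow(300, "arp", None, mgmt_nic_ip, None, "normal")]
    for port in allowed_tcp_ports:
        flows.append(Flow(200, "tcp", ms_ip, mgmt_nic_ip, port, "normal"))
    flows.append(Flow(100, "ip", None, mgmt_nic_ip, None, "drop"))
    flows.append(Flow(0, None, None, None, None, "normal"))
    return flows


def evaluate(flows: List[Flow], p: Packet) -> str:
    """Return the action of the highest-priority matching flow (OVS semantics)."""
    for fl in sorted(flows, key=lambda x: x.priority, reverse=True):
        if fl.matches(p):
            return fl.action
    return "drop"   # an empty table drops by default


def to_ofctl(flows: List[Flow], bridge: str) -> List[str]:
    return [fl.ofctl(bridge) for fl in flows]


if __name__ == "__main__":
    # Assumed addresses and ports, chosen for illustration only.
    flows = build_mgmt_nic_flows("10.1.1.10", "192.168.10.5", [8250, 3922])
    for cmd in to_ofctl(flows, "br-guest"):
        print(cmd)
    guest_host = Packet("tcp", "192.168.10.77", "192.168.10.5", 8250)
    print(evaluate(flows, guest_host))  # a guest-network host is dropped
```

The model matches on L3/L4 fields only. On a real bridge the MS rules should additionally be pinned to the OVS port the MS traffic actually enters from (in_port), otherwise a guest-network VM that spoofs the MS address as nw_src would pass the priority-200 rules; and the ARP allow is still needed for the gateway or MS to resolve the MGMT NIC, so it cannot be dropped wholesale.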
On 3/24/16 1:18 AM, Nick LIVENS wrote:
> Hi all,
> 
> I'd like to propose a new plugin called the "VPC Inline LB" plugin.
> The design document can be found at :
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61340894
> 
> Looking forward to hearing your reviews / thoughts.
> 
> Thanks!
> 
> Kind regards,
> Nick Livens
> 
