Hi Nick,

Being a fan of SDN, I gave this proposal a thorough read.

I do have only one comment, which you can perhaps use to reconsider:

"Each appliance will have 2 NICs, one for management, and one in the guest network."

In general, 2 NICs, one going to management and one going to guest, is looked upon very negatively by the internal InfoSec team. This implementation will make an LB non-compliant from a SOX or PCI perspective.

Proposed alternate solution: Deploy a VM with 2 NICs but put them both on the same guest network (I believe support for 2 NICs on the *same* guest network has already been submitted upstream). 1 NIC for MGMT and 1 NIC for GUEST. Using SDN's ability to restrict communication flow (openvswitch or what not), only allow specific connections from the CloudStack MS to the Inline LB on the MGMT NIC. You will need to block all external GUEST communication to the MGMT NIC and only make it talk to the CloudStack MS on specific ports. This approach should preserve internal compliance and won't raise any red flags.

Perhaps reach out to a client who requested this feature and ask what they think; maybe they have not thought this through.

Regards,
ilya

PS: If we were to entertain the idea of an InLine LB, we would most likely ask for the approach mentioned above.

On 3/24/16 1:18 AM, Nick LIVENS wrote:
> Hi all,
>
> I'd like to propose a new plugin called the "VPC Inline LB" plugin.
> The design document can be found at:
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61340894
>
> Looking forward to hearing your reviews / thoughts.
>
> Thanks!
>
> Kind regards,
> Nick Livens