Hi Wido,

CloudStack allows users to add multiple IP ranges to a shared network. All
these IPs share the same vlan. I hope it helps you.

The problem is, a secondary IP can only be assigned to a VM. I think we can
add a flag like `floating` to secondary IP. If the flag is true, it can be
assigned to multiple VMs (belonging to the same owner) as secondary IP.

-Wei

On Mon, 17 Jan 2022 at 14:37, Wido den Hollander <w...@widodh.nl> wrote:

> Hi,
>
> Use-case: I have a SG enabled shared network where a VM establishes a
> BGP session with the upstream router.
>
> Over this BGP session the VM announces a /32 (IPv4) and/or /128 (IPv6)
> address and the router now installs this route.
>
> I do the same (with the same IPs) on a few different VMs and this way I
> can have an Anycast/Floating IP which is being routed to those VMs.
>
> Problem: Security Group filtering prohibits this as the 'ipset' on the
> hypervisor checks all the packets originating from the VM and drops all
> packets not matching the ipset.
>
> Name: i-79-1328-VM
> Type: hash:ip
> Revision: 4
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 248
> References: 5
> Number of entries: 1
> Members:
> 62.221.XXX.11
>
> I want to add /32 and /128 addresses to this subnet so that the SG does
> not filter away this traffic.
>
> They could be added as a secondary IP to the VM, but this is not allowed
> by the API as the secondary IPs you want to add should always come from
> the subnet configured for that network.
>
> I do not want to turn off security grouping as this poses other
> potential issues.
>
> Solutions I see:
>
> - Add global/account/domain setting which allows arbitrary secondary IPs
> - Add per-network setting which allows arbitrary secondary IPs
> - Pre-define subnets which Anycast/Floating IPs can be picked from per
> network
>
> Any ideas or suggestions?
>
> Wido
>
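As an added illustration (not code from CloudStack or from either poster), a small Python model of the two rules discussed in this thread: the per-VM ipset that makes the security group drop egress packets whose source is not in the set, and the proposed `floating` flag that would let one secondary IP outside the network's ranges be attached to several VMs of the same owner. The function names, the `ranges`/`vms` arguments and the sample addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class VM:
    name: str
    owner: str
    primary_ip: str
    secondary_ips: set = field(default_factory=set)

def ipset_members(vm):
    # the per-VM hash:ip set the hypervisor's SG rules match egress traffic against
    return {vm.primary_ip} | vm.secondary_ips

def egress_allowed(vm, src_ip):
    # SG egress check from the thread: dropped unless the source is in the VM's set
    return src_ip in ipset_members(vm)

def add_secondary_ip(ranges, vms, vm_name, ip, floating=False):
    # ranges: CIDRs of the shared network; vms: name -> VM (both constructed inputs)
    vm = vms[vm_name]
    if not floating and not any(ip_address(ip) in ip_network(r) for r in ranges):
        # current API rule: a secondary IP must come from the network's own ranges
        raise ValueError(f"{ip} is outside the network's IP ranges")
    # hypothetical `floating` flag: the IP may be shared, but only by one owner's VMs
    if floating and any(ip in v.secondary_ips and v.owner != vm.owner for v in vms.values()):
        raise ValueError(f"{ip} is already held by another account")
    vm.secondary_ips.add(ip)
    return sorted(ipset_members(vm))

def demo():
    # constructed sample: two VMs of one account and one of another on one shared network
    ranges = ["192.0.2.0/24"]
    vms = {n: VM(n, o, p) for n, o, p in [("vm-a1", "acct-a", "192.0.2.11"),
           ("vm-a2", "acct-a", "192.0.2.12"), ("vm-b1", "acct-b", "192.0.2.13")]}
    anycast = "198.51.100.1"  # constructed /32 announced over BGP from several VMs
    out = {"before": egress_allowed(vms["vm-a1"], anycast)}
    try:
        add_secondary_ip(ranges, vms, "vm-a1", anycast)
        out["plain_add"] = "accepted"
    except ValueError:
        out["plain_add"] = "rejected"
    for name in ("vm-a1", "vm-a2"):
        add_secondary_ip(ranges, vms, name, anycast, floating=True)
    out["after"] = all(egress_allowed(vms[n], anycast) for n in ("vm-a1", "vm-a2"))
    try:
        add_secondary_ip(ranges, vms, "vm-b1", anycast, floating=True)
        out["other_owner"] = "accepted"
    except ValueError:
        out["other_owner"] = "rejected"
    return out
```

Running `demo()` shows the anycast source being dropped before the addition, the plain (non-floating) add rejected as out-of-subnet, both same-owner VMs passing the check afterwards, and the other account's VM refused.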
