On 17-01-2022 at 15:07, Daan Hoogland wrote:
Wido,
As an operator, would I sell a floating IP with a number of instances it
can be applied to?

For example you would sell a /32 and /128 address (or a larger subnet) which a client can announce from their VMs.

It does require that the upstream routers (outside CloudStack) have BGP peers configured on their side which allows the VM to announce that they have a route for that address.

Regardless of how many CloudStack environments you have each one of them could announce that /32 or /128 which would then route traffic to the closest VM in the network.

Let's say you would announce 8.8.8.8/32 or 2001:4860:4860::8888/128 from multiple VPS to create a highly available DNS server as an example.

Wido

just checking on your envisioned business case, not implying an answer
here/yet.

On Mon, Jan 17, 2022 at 2:37 PM Wido den Hollander <w...@widodh.nl> wrote:

Hi,

Use-case: I have a SG enabled shared network where a VM establishes a
BGP session with the upstream router.

Over this BGP session the VM announces a /32 (IPv4) and/or /128 (IPv6)
address and the router now installs this route.

I do the same (with the same IPs) on a few different VMs and this way I
can have an Anycast/Floating IP which is being routed to those VMs.

Problem: Security Group filtering prohibits this as the 'ipset' on the
hypervisor checks all the packets originating from the VM and drops all
packets not matching the ipset.

Name: i-79-1328-VM
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 248
References: 5
Number of entries: 1
Members:
62.221.XXX.11

I want to add /32 and /128 addresses to this subnet so that the SG does
not filter away this traffic.

They could be added as a secondary IP to the VM, but this is not allowed
by the API as the secondary IPs you want to add should always come from
the subnet configured for that network.

I do not want to turn off security grouping as this poses other
potential issues.

Solutions I see:

- Add global/account/domain setting which allows arbitrary secondary IPs
- Add per-network setting which allows arbitrary secondary IPs
- Pre-define subnets which Anycast/Floating IPs can be picked from per
network

Any ideas or suggestions?

Wido
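The two mechanisms Wido describes, the per-VM ipset egress check that drops packets whose source is not a member, and the third proposed solution (per-network pre-defined anycast pools that secondary IPs may be picked from), modelled in a small added example. This is illustration code written for this thread, not code from the thread or from CloudStack; the set name and layout follow the `ipset list` output quoted above, while the member address (the real one is redacted above), the network subnet, the anycast pools and the announced addresses are constructed documentation values.

```python
"""
Added example (not from the thread or from CloudStack's code base).

Models two things discussed in the thread:
  1. The security-group egress check on the hypervisor: a packet leaving a VM
     is only allowed when its source address is a member of the per-VM
     hash:ip set, so a BGP-announced anycast /32 or /128 that is absent from
     the set is dropped.
  2. A validation rule for the third proposed solution: a secondary IP is
     accepted if it lies in the network's own subnet or in a pre-defined
     per-network anycast pool, and rejected otherwise.

All addresses, subnets and pools below are constructed sample values.
"""
import ipaddress
import re

# Constructed sample shaped like the `ipset list` output quoted in the thread;
# the member address is a documentation address, not the redacted original.
SAMPLE_IPSET_LIST = """\
Name: i-79-1328-VM
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 248
References: 5
Number of entries: 1
Members:
192.0.2.11
"""


def parse_ipset_list(text):
    """Return (set_name, family, members) parsed from `ipset list <name>` output."""
    name = family = None
    members = set()
    in_members = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if in_members:
            # Everything after the "Members:" line is one address per line.
            members.add(ipaddress.ip_address(line))
            continue
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Header:"):
            m = re.search(r"family\s+(inet6?)", line)
            family = m.group(1) if m else None
        elif line == "Members:":
            in_members = True
    return name, family, members


def egress_allowed(src, members):
    """Anti-spoofing check: a hash:ip set only matches exact member addresses."""
    return ipaddress.ip_address(src) in members


def dropped_sources(announced, members):
    """Addresses a VM announces over BGP whose outgoing traffic the SG filter drops."""
    return [ipaddress.ip_address(a) for a in announced
            if not egress_allowed(a, members)]


def validate_secondary_ip(candidate, network_cidr, anycast_pools=()):
    """
    Proposed rule (third option in the thread): accept a secondary IP when it is
    inside the network's subnet or inside one of the network's pre-defined
    anycast pools; reject anything else. Returns (accepted, reason).
    """
    addr = ipaddress.ip_address(candidate)
    if addr in ipaddress.ip_network(network_cidr):
        return True, "in network subnet"
    for pool in anycast_pools:
        net = ipaddress.ip_network(pool)
        # `in` is False across address families; the explicit check documents it.
        if addr.version == net.version and addr in net:
            return True, f"in anycast pool {net}"
    return False, "outside network subnet and all anycast pools"


if __name__ == "__main__":
    name, family, members = parse_ipset_list(SAMPLE_IPSET_LIST)
    print(f"set {name} ({family}) allows sources: {sorted(map(str, members))}")
    # Constructed anycast addresses the VM would announce over BGP.
    announced = ["192.0.2.11", "198.51.100.53", "2001:db8::53"]
    print("dropped by SG filter:", [str(a) for a in dropped_sources(announced, members)])
    pools = ["198.51.100.0/24", "2001:db8::/64"]
    for cand in ["192.0.2.44", "198.51.100.53", "2001:db8::53", "203.0.113.9"]:
        print(cand, "->", validate_secondary_ip(cand, "192.0.2.0/24", pools))
```

Running the module prints which announced addresses the current set would drop and which candidate secondary IPs the pool rule would accept; the validation function is what an API-side check for the "pre-defined subnets per network" option would need to do before adding the address to the VM's ipset.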


