With security groups enabled, I need to set ingress rules to allow external traffic to my virtual hosts.
With security groups disabled, I can't allow any external traffic to my virtual hosts. Before creating the zone, I performed this:

UPDATE `cloud`.`network_offerings` SET `egress_default_policy`=1

Even though the default policy is changed from reject to allow, I'm still only able to get external traffic to my virtual hosts by adding ingress rules. Seems like I have no other option than using security groups, and adding ingress rules for every user. It doesn't seem like there are any global ingress rules which I could apply to all users. Maybe this is the way it was designed? I'm looking for an alternative, as I don't want to specify the ingress rules for each account.

Hopefully this makes my issue a bit easier to understand.

/Magnus

2013/11/29 Magnus Janson <[email protected]>

> Hi Geoff,
>
> Thank you for your reply.
>
> I am using a guest gateway, and the gateway IP maps to a physical
> router/firewall.
>
> Initially I was using DefaultSharedNetworkOfferingWithSGService. But that
> required me to set egress rules for each user to allow all traffic for that
> user's VM instances. However, after setting the egress rules the traffic to
> the VM instances worked great.
>
> As I have plenty of users, I would want to skip this step. So I recreated
> the zone with DefaultSharedNetworkOffering instead.
>
> My understanding was that if I disabled security groups, they wouldn't
> block the incoming traffic to my virtual hosts anymore. However, it seems
> that I'm now stuck with a default policy to block all incoming connections,
> and I don't have any possibility to allow incoming connections as I
> disabled (removed) the security groups feature.
>
> The issue here seems to be that CloudStack by default rejects all incoming
> traffic, and I can't figure out how to change that behaviour.
>
> /Magnus
>
>
> 2013/11/28 Geoff Higginbottom <[email protected]>
>
>> Magnus,
>>
>> A Shared Network does not provide Source NAT, so therefore does not act
>> as the Gateway. When you created the network, you would have specified a
>> 'Guest Gateway' IP; this IP needs to map to a physical router/firewall
>> which will provide the routing/firewall functionality.
>>
>> As the 'Default Shared Network' offering only provides DHCP, DNS & User
>> Data, none of the Firewall, Egress Rules, VPN, LB features etc. will be
>> available to you.
>>
>> Regards
>>
>> Geoff Higginbottom
>>
>> D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581
>>
>> [email protected]
>>
>> -----Original Message-----
>> From: Magnus Janson [mailto:[email protected]]
>> Sent: 28 November 2013 16:57
>> To: [email protected]
>> Subject: Re: Allow all external traffic (any tcp/udp/icmp) to virtual hosts
>>
>> I'm not using a firewall provider, so my initial question remains.
>>
>> /Magnus
>>
>>
>> 2013/11/28 Magnus Janson <[email protected]>
>>
>> > Oh, seems like the answer is found here:
>> > https://support.getcloudservices.com/entries/21993512-CloudStack-Enable-External-Access
>> >
>> > I'll try this and get back here in case I run into any trouble I can't
>> > solve.
>> >
>> > /Magnus
>> >
>> >
>> > 2013/11/28 Magnus Janson <[email protected]>
>> >
>> >> Hi,
>> >>
>> >> How do I allow all external traffic (any tcp/udp/icmp) to my virtual
>> >> hosts?
>> >>
>> >> I'm using DefaultSharedNetworkOffering in a BASIC network.
>> >>
>> >> Security group and provider are not being used.
>> >>
>> >> So far, I've tried to change the egress_default_policy. I couldn't
>> >> find any way to perform this through the UI so I did it manually in
>> >> the database and restarted the network:
>> >>
>> >> UPDATE `cloud`.`network_offerings` SET `egress_default_policy`=1
>> >> WHERE `name`='DefaultSharedNetworkOffering';
>> >>
>> >> Still, it seems that all incoming traffic is rejected.
>> >>
>> >> Any pointers on how to achieve this would be highly appreciated.
>> >>
>> >> Sincerely,
>> >> Magnus
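Added example (an editor's addition, not code from the thread or from the CloudStack project): the per-account step Magnus ends up doing by hand, scripted against the CloudStack query API. It assumes a basic zone with security groups enabled (DefaultSharedNetworkOfferingWithSGService, the setup Magnus first had), that every account has the usual security group named `default`, and an admin API key/secret pair. The endpoint and credentials are read from the environment variables CS_ENDPOINT, CS_API_KEY and CS_SECRET_KEY, names chosen here for the example. Requests are signed with the standard CloudStack scheme (lowercase and sort the query string, HMAC-SHA1 with the secret key, base64), so no session cookie is needed.

```python
#!/usr/bin/env python3
"""Grant an allow-all ingress rule set to every account's default security
group through the CloudStack API.

Added example, not from the mailing-list thread. Assumes a basic zone with
security groups enabled, an admin API key/secret, and the query API at
CS_ENDPOINT (for example http://mgmt:8080/client/api).
"""
import base64
import hashlib
import hmac
import json
import os
import urllib.parse
import urllib.request


def encode_value(value):
    # CloudStack signs URL-encoded values, but with spaces as %20, not '+'.
    return urllib.parse.quote_plus(str(value)).replace("+", "%20")


def sign_query(params):
    """Canonical string the CloudStack API signs: every field and value
    lowercased, pairs sorted by field name, joined with '&'."""
    pairs = sorted((k.lower(), encode_value(v).lower()) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature(params, secret_key):
    """Base64 of HMAC-SHA1 over the canonical query string."""
    mac = hmac.new(secret_key.encode(), sign_query(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_url(endpoint, api_key, secret_key, **params):
    """Full request URL: the case-preserved params plus the signature."""
    params = {"response": "json", "apiKey": api_key, **params}
    query = "&".join(f"{k}={encode_value(v)}" for k, v in params.items())
    sig = urllib.parse.quote(signature(params, secret_key), safe="")
    return f"{endpoint}?{query}&signature={sig}"


def allow_all_rules(cidr="0.0.0.0/0"):
    """The three authorizeSecurityGroupIngress parameter sets that together
    admit any TCP, UDP or ICMP traffic from `cidr` (what the thread asks for;
    narrow the CIDR in production)."""
    return [
        {"protocol": "TCP", "startport": 1, "endport": 65535, "cidrlist": cidr},
        {"protocol": "UDP", "startport": 1, "endport": 65535, "cidrlist": cidr},
        {"protocol": "ICMP", "icmptype": -1, "icmpcode": -1, "cidrlist": cidr},
    ]


def call(endpoint, api_key, secret_key, **params):
    """Issue one signed GET and return the decoded JSON body."""
    with urllib.request.urlopen(signed_url(endpoint, api_key, secret_key, **params)) as r:
        return json.load(r)


def main():
    endpoint = os.environ["CS_ENDPOINT"]      # example variable names, see lead-in
    api_key = os.environ["CS_API_KEY"]
    secret_key = os.environ["CS_SECRET_KEY"]
    # listall=true returns every account visible to the (admin) caller.
    resp = call(endpoint, api_key, secret_key, command="listAccounts", listall="true")
    accounts = resp["listaccountsresponse"].get("account", [])
    for acct in accounts:
        for rule in allow_all_rules():
            # Async command: the response carries a jobid, not the rule itself.
            result = call(endpoint, api_key, secret_key,
                          command="authorizeSecurityGroupIngress",
                          securitygroupname="default",
                          account=acct["name"], domainid=acct["domainid"], **rule)
            print(acct["name"], rule["protocol"], result)


if __name__ == "__main__":
    main()
```

Run it once per zone with the three variables set. authorizeSecurityGroupIngress is asynchronous, so each response is a job id that can be followed up with queryAsyncJobResult. A 0.0.0.0/0 rule set is exactly what the thread asks for, but it amounts to no host firewall at all; substitute the CIDRs of the networks that actually need access. Accounts created later still need the same treatment, since, as Magnus observed, there is no global default ingress rule.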
