Hi Yiping, I agree that Advanced Networking with Security Groups is a great option based on your requirements, but if you really want to avoid using security groups you have a few other options.
1. Create two zones using 'Basic without security groups', using one for Production and one for Non-Production; this will be the simplest possible configuration.

2. Create one Zone using standard Advanced networking, create a Domain for Production and a Domain for Non-Production and dedicate a set of Hosts to each Domain. Create a shared network for each Domain. You can then create multiple Accounts in each Domain which use the shared network for that domain. Networks created using the default shared network offering do not require a public IP address and rely on there being an external router / firewall on the network.

3. Similar to 2 but with a unique zone for production and non-production etc.

For 2 & 3, even though you will only be using shared networks, you will still need a public IP range for the system VMs; however, if you don't need external access to these for things like console proxy etc, you can allocate a private IP range as long as it has outbound internet access, which can be via a proxy if required.

You are correct in your assumption that when using multiple zones within the same DC you can easily use the same VLANs for storage and management etc.

Regards

Geoff Higginbottom
CTO / Cloud Architect
D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581
[email protected] | www.shapeblue.com | Twitter: @cloudstackguru
ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS

On 2 Aug 2014, at 01:34, "Yiping Zhang" <[email protected]> wrote:

Hi, Soeren:

Thanks a lot for the detailed explanations, really appreciated. I now have enough initial info to ask for extra VLANs from our networking group. Hopefully I'll have a setup to get my hands on for some real tests.

Have a good weekend.

Yiping

On 8/1/14, 4:14 PM, "Soeren Malchow" <[email protected]> wrote:

Hi

Security groups can be iptables or ebtables respectively, but you can also basically open everything in and out. The thing is, as soon as you use security groups, the guest network becomes the public network, which makes things much easier for an internal deployment, and I would not worry about the iptables (you will see if you have a setup).

Regarding the separation of production and non-production machines, you can use "Affinity Groups" to avoid having machines on the same hypervisor. Alternatively, how about putting 2 Clusters in one Pod?

We do not use tags at all.

I would strongly suggest that you do a test setup (prepare them in a way where you can wipe and start over); once you have seen and tested the frontend it gets a bit clearer.

Also, your setup really sounds as if you would want to use "Advanced Networking" with security groups, since you avoid the extra "Public" network, but you should put some work into preparing and planning the network; a clean network setup really helps.

We have
- one completely separate management network (VLAN) with redundant management servers
- one network (VLAN) for the pod
- one network (VLAN) for storage
- several networks (VLANs) for guests

The hypervisor hosts have
- 8 bonded (802.3ad) 1Gbit interfaces in the storage network with a bridge on top of the bond (untagged) - the bridge has an IP
- 2 bonded (802.3ad) interfaces with a bridge on top in the POD network (untagged) - the bridge has an IP
- 4 bonded (802.3ad) interfaces with a bridge (actually there will be several bridges) on top for the guest network, but create one bridge (e.g. guestbr0) without an IP before you configure CloudStack on top of the bond and use it during the configuration to assign to the "Guest"
- The guest network's gateway is a high performance firewall to guarantee sufficient throughput
- the other networks have their gateways on a separate firewall
- the secondary storage is inside the storage network

Hope that helps

Regards
Soeren

-----Original Message-----
From: Yiping Zhang [mailto:[email protected]]
Sent: Friday, 1 August 2014 21:59
To: [email protected]
Subject: Re: questions on configuring advanced networking

Hi, Soeren:

Thanks for the quick reply.

I have not tried any setup of advanced networking yet in my lab, due to lack of an available VLAN setup in this environment. So I have lots of questions on the actual steps and choices to be made during the various steps.

First, using "security group" implies using iptables to manage access to VMs, correct? I was trying to make things simpler by not using "security groups" and avoiding dealing with iptables rules, because this is an internal deployment.

Also, I plan to dedicate zones to production and non-production domains, so that hypervisors for production zones will only host VMs for production and hypervisors for non-production zones will only host non-production VMs. Is this a reasonable approach?

Coming back to your answer, using advanced networking with security group: in this setup, I only need one zone to support all guest VLANs. Then how do I best make sure that certain hypervisors dedicated for production will only host VMs for production, and vice versa for non-production hypervisors? I assumed that one can use tags on various components for this purpose? Again, without actual hands-on experience with tags, I find the concept and use of "tags" in CS very confusing and poorly documented. I sort of understand that there are tags for host, network, and storage, but they are all simply referred to as tags in the documents, and which type of tags are consumed where is not very clear at all from simply reading the docs.

Thanks again,
Yiping

On 8/1/14, 12:21 PM, "Soeren Malchow" <[email protected]> wrote:

Dear Yiping,

If you choose "Advanced" with security groups, then you have only the "guest network". We do this guest network on a bond and then on a bridge, and the uplinks to the bond are tagged (do not forget to assign a VLAN tag during setup); then you are able to create more tagged networks. This guest network can use a CloudStack-external Router or Firewall as gateway and the network can be any IP range. During setup you only create one guest VLAN, but you can create additional VLANs later on.

I hope that answers your question

Cheers
soeren

-----Original Message-----
From: Yiping Zhang [mailto:[email protected]]
Sent: Friday, 1 August 2014 21:16
To: [email protected]
Subject: questions on configuring advanced networking

Hi, all:

I am planning a CloudStack deployment using advanced networking. I have a few questions about the configuration:

1. Since this is an internal deployment, most of the zones won't really need public IPs, so how can I tell CS that I don't need a VLAN for public traffic? Do I still need to give it something, say 192.168.1.0/24, without actually configuring such a network?

2. I have multiple guest VLANs to support. I assume I have to create one zone for each of the supported guest VLANs; IOW, I assumed that there can be only one guest CIDR for each zone. I have not found a definitive answer to this question in the docs; is this assumption correct?

3. I also assumed that different zones can use the same management and storage VLANs, just reserving different IP ranges for system VMs in the different zones. Is this correct?

Appreciate all help.
Best regards,
Yiping
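Question 3 above (several zones sharing the same management and storage VLANs, each with its own reserved IP range for system VMs), which Geoff confirms at the top of the thread, is easy to get wrong on paper once more than two zones are planned: two zones reserving overlapping slices of one VLAN will fight over addresses. The following script is an added example, not code from this thread or from CloudStack itself; it takes a planned set of per-zone reservations and reports any pair on the same VLAN whose ranges intersect, and rejects a range that falls outside the VLAN's subnet or a VLAN that is listed with two different subnets. Zone names, VLAN IDs and addresses are constructed sample values.

```python
"""Overlap check for per-zone system-VM IP reservations on shared VLANs.

Added example (not code from the mailing-list thread or from CloudStack).
Zone names, VLAN IDs, subnets and addresses are constructed samples.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Tuple


class Reservation(NamedTuple):
    zone: str      # CloudStack zone name (constructed)
    traffic: str   # "management" or "storage"
    vlan: int      # VLAN ID shared between zones
    cidr: str      # subnet carried on that VLAN
    start: str     # first address reserved for this zone's system VMs
    end: str       # last address reserved for this zone's system VMs


def range_bounds(r: Reservation) -> Tuple[int, int]:
    """Validate one reservation and return its (first, last) as integers."""
    net = ip_network(r.cidr, strict=True)
    first, last = ip_address(r.start), ip_address(r.end)
    if first.version != net.version or last.version != net.version:
        raise ValueError(f"{r.zone}/{r.traffic}: address family mismatch")
    if first not in net or last not in net:
        raise ValueError(
            f"{r.zone}/{r.traffic}: range {r.start}-{r.end} is outside {r.cidr}")
    if first > last:
        raise ValueError(
            f"{r.zone}/{r.traffic}: start {r.start} is after end {r.end}")
    return int(first), int(last)


def find_overlaps(plan: List[Reservation]) -> List[Tuple[str, str, int]]:
    """Return (zone_a, zone_b, vlan) for every pair of reservations on the
    same VLAN whose address ranges intersect.  Raises ValueError when one
    VLAN is listed with two different subnets, which is a planning error."""
    overlaps = []
    for i, a in enumerate(plan):
        a_first, a_last = range_bounds(a)
        for b in plan[i + 1:]:
            if a.vlan != b.vlan:
                continue   # different VLANs never collide
            if a.cidr != b.cidr:
                raise ValueError(
                    f"VLAN {a.vlan} listed with both {a.cidr} and {b.cidr}")
            b_first, b_last = range_bounds(b)
            # Two closed integer intervals intersect iff each starts before
            # the other ends.
            if a_first <= b_last and b_first <= a_last:
                overlaps.append((a.zone, b.zone, a.vlan))
    return overlaps


# Constructed sample: two zones in one DC sharing management VLAN 100 and
# storage VLAN 200, each reserving its own slice for system VMs.
GOOD_PLAN = [
    Reservation("prod-zone",    "management", 100, "10.10.0.0/24", "10.10.0.10", "10.10.0.49"),
    Reservation("nonprod-zone", "management", 100, "10.10.0.0/24", "10.10.0.50", "10.10.0.89"),
    Reservation("prod-zone",    "storage",    200, "10.20.0.0/24", "10.20.0.10", "10.20.0.49"),
    Reservation("nonprod-zone", "storage",    200, "10.20.0.0/24", "10.20.0.50", "10.20.0.89"),
]

# Constructed sample with a mistake: the non-production management range
# starts inside the production one.
BAD_PLAN = [
    Reservation("prod-zone",    "management", 100, "10.10.0.0/24", "10.10.0.10", "10.10.0.49"),
    Reservation("nonprod-zone", "management", 100, "10.10.0.0/24", "10.10.0.40", "10.10.0.89"),
]

if __name__ == "__main__":
    print("good plan overlaps:", find_overlaps(GOOD_PLAN))
    print("bad plan overlaps: ", find_overlaps(BAD_PLAN))
```

Run it as-is to see the good plan pass and the bad plan report the prod/nonprod collision on VLAN 100; in practice the reservations would be filled in from the ranges you intend to enter for each zone's pod and storage traffic before the zone wizard is run.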
