cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Clayton Weise <>
Subject RE: domr iptables rules
Date Tue, 15 May 2012 16:36:57 GMT
But how would the app servers reach the db servers on a private network?  In your example,
what is limiting the communication between app and db?  Do app and db share the same virtual
router?  Do they have separate ones?  If they share the same virtual router than they're on
the same subnet/vlan internally and have unrestricted access to one-another.  If they have
separate virtual routers how can they connect with their associated private networks?

-----Original Message-----
From: Abhinandan Prateek [] 
Sent: Monday, May 14, 2012 8:24 PM
Subject: RE: domr iptables rules

One way to do is to have iptables do filtering on db-servers, but the easiest is ...
Have a advance zone, create two accounts, put db VMs in one account (guest network) and webserver
VM in another. Now in general you have several options to control the traffic to these accounts
via the VR.
For example you can have unrestricted external access to your web VMs on certain ports. On
the other hand you can have restricted access to certain subnets,ports to the db.

>-----Original Message-----
>From: Clayton Weise []
>Sent: Tuesday, May 15, 2012 1:22 AM
>Subject: RE: domr iptables rules
>Thanks for the response.  So then my next question is how would this be
>achieved?  I can see creating a network for the db servers and set all db
>instances to use it as their default network, and attach the app servers _to_
>the db network but then there would be no filtering occurring.  The app
>servers would have unrestricted access to the db servers.  How can I
>filter/control the traffic between app and db?
>From: Abhinandan Prateek []
>Sent: Thursday, May 10, 2012 7:58 PM
>Subject: RE: domr iptables rules
>The app server VMs will reach the db VM via private address.
>If you want external access to db too but with restrictions to certain
>subnets/ips that too can be achieved using port-forwarding and source cidrs
>I believe that the advanced networking model is very flexible to support
>variations of deployments.
>>-----Original Message-----
>>From: Clayton Weise []
>>Sent: Friday, May 11, 2012 3:58 AM
>>To: ''
>>Subject: RE: domr iptables rules
>>So in this case are your app servers reaching the database servers via
>>their public or private addresses?
>>-----Original Message-----
>>From: Abhinandan Prateek []
>>Sent: Thursday, May 10, 2012 9:05 AM
>>Subject: RE: domr iptables rules
>>Why not a set of VMs running app server load balanced using VR.
>>A VM running db (or probably  a set of VM running db in master-slave
>>conf) with no external access but only via the app server VMs.
>>I guess this is what you want ?
>>>-----Original Message-----
>>>From: Clayton Weise []
>>>Sent: Thursday, May 10, 2012 9:00 PM
>>>To: ''
>>>Subject: RE: domr iptables rules
>>>It's something I have been toying with.  Basically it's a standard
>>>app/db setup where the app servers would reside in a dmz and the db
>>>servers would sit in a trusted network.  We need to limit the traffic
>>>going between the app and the db servers in advanced networking.  So
>>>currently the db and app servers have their own separate networks
>>>(vlans) and their own virtual routers.  I was thinking of different
>>>ways to limit the traffic from app to db to be permitted on specific ports.
>>>-----Original Message-----
>>>From: Anthony Xu []
>>>Sent: Wednesday, May 09, 2012 4:33 PM
>>>Subject: RE: domr iptables rules
>>>It is better to do it through API. CloudStack already provides several
>>>APIs for customer to add ACL for customer network, what kind of rules
>>>do you want to add? Can you do it through current API? Or what kind
>>>API you would like to add?
>>>> -----Original Message-----
>>>> From: Clayton Weise []
>>>> Sent: Wednesday, May 09, 2012 4:26 PM
>>>> To: ''
>>>> Subject: RE: domr iptables rules
>>>> As a dirty hack would it be possible to create an init script which
>>>> added these custom rules when the domr boots?
>>>> -----Original Message-----
>>>> From: Anthony Xu []
>>>> Sent: Wednesday, May 09, 2012 12:21 PM
>>>> To:
>>>> Subject: RE: domr iptables rules
>>>> Iptables rules is not persistent inside domr, CloudStack send
>>>> command to domr to generate rules on demand.
>>>> So if you reboot domr, some rules may not come back. But if you
>>>> reboot domr through Cloudstack UI, all rules should come back,
>>>> Cloudstack will send commands to program rules again.
>>>> Anthony
>>>> > -----Original Message-----
>>>> > From: Clayton Weise []
>>>> > Sent: Wednesday, May 09, 2012 10:09 AM
>>>> > To: ''
>>>> > Subject: domr iptables rules
>>>> >
>>>> > Where are these kept?  After rebooting a virtual router not all of
>>>> the
>>>> > firewall rules came back.  Also, I wanted to manually add a few
>>>> things
>>>> > and I was curious where I could do it and have those rules
>>>> > retained when the domr reboots.
>>>> >
>>>> > Thanks

View raw message