cloudstack-dev mailing list archives

From Will Stevens <>
Subject Re: [DISCUSS] Palo Alto Integration
Date Thu, 28 Mar 2013 17:29:41 GMT
I am trying to implement the non-overlapping CIDRs right now and I have
some questions.  Does the ExternalGuestNetworkGuru create networks with
non-overlapping CIDRs by default?  Or do I need to override its 'design'
and 'implement' methods to implement non-overlapping CIDRs?

If I have to write my own methods, I think I understand how to
override ExternalGuestNetworkGuru and then get it to run by adding it to
the components.xml (or nonoss-components.xml) as well as the

If I do not have to actually write the logic for the non-overlapping CIDRs
(which I am hoping is the case), and the ExternalGuestNetworkGuru actually
implements that logic, how would I get the ExternalGuestNetworkGuru into my
flow without actually overriding the class?  I understand that the
components are loaded through the components.xml stuff, but it's not clear
how you specify which NetworkGuru should be used in my specific flow.

I am basically working from this
the code.  Are there any other resources I should be aware of for
extending the CloudStack networking functionality?

I have a good start on a Resource, ExternalFirewallElement and an
ExternalFirewallService.  I can currently set the Palo Alto as the provider
of Firewall, SourceNat, StaticNat and Port Forwarding services.  I can
currently Add, List, Configure and Delete my Palo Alto provider.

I am getting there, but I still feel like there are gaps in my knowledge
when using the CS networking plugin functionality.



On Mon, Mar 18, 2013 at 2:46 AM, Murali Reddy <> wrote:

> On 16/03/13 1:46 AM, "Will Stevens" <> wrote:
> >
> >1. Restrict the available subnets for each account so two accounts can't
> >create overlapping subnets.
> >To me, this breaks the whole concept of cloud, but for enterprise
> >customers
> >this is not a huge limitation because they usually solve this problem this
> >way.
> >
> >2. Run multiple Palo Alto VM firewalls and associate one VM firewall per
> >account.
> >The management overhead of this is crazy, so this type of implementation
> >would be very hard to work with.
> >
> >Since I do not like either of these approaches, I wanted to see if I could
> >get some feedback on this.  Are there other alternatives that would solve
> >the problem more elegantly that I have not mentioned?  What would be the
> >best way to solve this problem in a 'CloudStack way'?
> Unfortunately, the vendor appliances CloudStack supports do not have
> multi-tenancy yet. The 'CloudStack way' has been both #1 and #2 to work
> around this.
> Please see [1]; the 'external guest network' guru designs the network such
> that no two guest networks in a zone using an external network device have
> overlapping CIDRs. You may use the 'external guest network' guru or extend
> it to ensure automatically generated non-overlapping CIDRs for the guest
> network.
> Also, CloudStack already supports the notion of multiple provider instances
> per physical network. Using this, for load balancer devices there is a
> generic management piece of code to allocate a dedicated (per tenant) or
> shared load balancer from a pool of admin-provisioned load balancers [2].
> See if this helps if you intend to support a pool of firewall VMs.
> [1] server/src/com/cloud/network/guru/
> [2] server/src/com/cloud/network/
> -Murali
> >
> >Any feedback on this would be appreciated.
> >
> >Cheers,
> >
> >Will
> >
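
The zone-wide non-overlap rule discussed in this thread, as an added example that is not part of the original messages and is not CloudStack code: a per-zone pool that auto-generates guest CIDRs and rejects any caller-chosen CIDR that would overlap another tenant's network behind the shared firewall. The class name, method names and the 10.1.0.0/22 pool are hypothetical; it calls no CloudStack API.

```python
import ipaddress

class ZoneCidrAllocator:
    """Hypothetical per-zone pool for guest networks behind one shared firewall."""

    def __init__(self, supernet, prefixlen):
        self.supernet = ipaddress.ip_network(supernet)
        self.prefixlen = prefixlen
        self.allocated = {}  # ip_network -> owning account

    def _clashes(self, candidate):
        return [n for n in self.allocated if n.overlaps(candidate)]

    def allocate(self, account):
        """Auto-generate: hand out the first free subnet of the configured size."""
        for candidate in self.supernet.subnets(new_prefix=self.prefixlen):
            if not self._clashes(candidate):
                self.allocated[candidate] = account
                return candidate
        raise RuntimeError("zone guest CIDR pool exhausted")

    def reserve(self, account, cidr):
        """Accept a caller-chosen CIDR only if it is in the pool and overlaps nothing."""
        candidate = ipaddress.ip_network(cidr)  # strict: rejects host bits set
        if (candidate.version != self.supernet.version
                or not candidate.subnet_of(self.supernet)):
            raise ValueError(f"{candidate} is outside zone pool {self.supernet}")
        clashes = self._clashes(candidate)
        if clashes:
            raise ValueError(f"{candidate} overlaps {clashes[0]}")
        self.allocated[candidate] = account
        return candidate

    def release(self, cidr):
        self.allocated.pop(ipaddress.ip_network(cidr), None)

if __name__ == "__main__":
    zone = ZoneCidrAllocator("10.1.0.0/22", 24)   # constructed sample pool
    print(zone.allocate("account-a"))              # 10.1.0.0/24
    print(zone.reserve("account-b", "10.1.2.0/23"))
    print(zone.allocate("account-c"))              # 10.1.1.0/24
    try:
        zone.reserve("account-d", "10.1.1.128/25")
    except ValueError as err:
        print("rejected:", err)
```

Checking overlap rather than equality is what catches the /25 request that sits inside another account's /24.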
