cloudstack-dev mailing list archives

From Will Stevens <wstev...@cloudops.com>
Subject Re: [DISCUSS] Palo Alto Integration
Date Thu, 28 Mar 2013 17:29:41 GMT
I am trying to implement the non-overlapping cidrs right now and I have
some questions.  Does the ExternalGuestNetworkGuru create networks with
non-overlapping cidrs by default?  Or do I need to override its 'design'
and 'implement' methods to implement non-overlapping cidrs?

If I have to write my own methods, I think I understand how to
override ExternalGuestNetworkGuru and then get it to run by adding it to
the components.xml (or nonoss-components.xml) as well as the
componentContext.xml.in.

If I do not have to actually write the logic for the non-overlapping cidrs
(which I am hoping is the case), and the ExternalGuestNetworkGuru actually
implements that logic, how would I get the ExternalGuestNetworkGuru into my
flow without actually overriding the class?  I understand that the
components are loaded through the components.xml stuff, but it's not clear
how you specify which NetworkGuru should be used in my specific flow.

I am basically working from this document
<https://cwiki.apache.org/CLOUDSTACK/extending-cloudstack-networking.html>
and the code.  Are there any other resources I should be aware of for
extending the CloudStack networking functionality?

I have a good start on a Resource, ExternalFirewallElement and an
ExternalFirewallService.  I can currently set the Palo Alto as the provider
of Firewall, SourceNat, StaticNat and Port Forwarding services.  I can
currently Add, List, Configure and Delete my Palo Alto provider.

I am getting there, but I still feel like there are gaps in my knowledge
when using the CS networking plugin functionality.

Thanks,

Will


On Mon, Mar 18, 2013 at 2:46 AM, Murali Reddy <Murali.Reddy@citrix.com> wrote:

> On 16/03/13 1:46 AM, "Will Stevens" <wstevens@cloudops.com> wrote:
> >
> >1. Restrict the available subnets for each account so two accounts can't
> >create overlapping subnets.
> >To me, this breaks the whole concept of cloud, but for enterprise
> >customers
> >this is not a huge limitation because they usually solve this problem this
> >way.
> >
> >2. Run multiple Palo Alto VM firewalls and associate one VM firewall per
> >account.
> >The management overhead of this is crazy, so this type of implementation
> >would be very hard to work with.
> >
> >Since I do not like either of these approaches, I wanted to see if I could
> >get some feedback on this.  Are there other alternatives that would solve
> >the problem more elegantly that I have not mentioned?  What would be the
> >best way to solve this problem in a 'CloudStack way'?
>
> Unfortunately, the vendor appliances CloudStack supports do not have
> multi-tenancy yet. The 'CloudStack way' has been both #1 and #2 to work around
> this.
>
> Please see [1], so the 'external guest network' Guru designs the network such
> that no two guest networks in a zone using an external network device have
> overlapping CIDRs. You may use the 'external guest network' guru or extend it
> to ensure automatically generated non-overlapping CIDRs for guest networks.
>
> Also, CloudStack already supports the notion of multiple provider instances per
> physical network. Using this, for load balancer devices there is a generic
> piece of management code to allocate a dedicated (per tenant) or shared
> load balancer from a pool of admin-provisioned load balancers [2]. See if
> this helps if you intend to support a pool of firewall VMs.
>
> [1] server/src/com/cloud/network/guru/ExternalGuestNetworkGuru.java
> [2] server/src/com/cloud/network/ExternalLoadBalancerDeviceManagerImpl.java
>
> -Murali
>
>
> >
> >Any feedback on this would be appreciated.
> >
> >Cheers,
> >
> >Will
> >
>
>
>
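The rule Murali points to in [1], that the guru designs each guest network so that no two guest networks in a zone behind an external device share overlapping CIDRs, is modelled below as a stand-alone allocator. This is an added illustration, not CloudStack code: the pool range, the /24 block size, the network names and the function names are assumptions, and the existing-network table is constructed sample data.

```python
"""Model of the 'no overlapping guest CIDRs per zone' rule discussed in the
thread. Added example, not CloudStack code: pool, prefix length, names and
API shape are assumptions chosen for illustration."""
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample: guest networks already designed in one zone.
EXISTING_GUEST_CIDRS = {
    "acct-a-net1": "10.1.1.0/24",
    "acct-b-net1": "10.1.2.0/24",
    "acct-b-net2": "10.1.3.0/25",  # half a /24, but it still blocks that /24
}

def overlapping(cidr: str, existing: Iterable[str]) -> List[str]:
    """Return the existing CIDRs that overlap the candidate (empty if none)."""
    cand = ipaddress.ip_network(cidr, strict=False)
    return [e for e in existing
            if ipaddress.ip_network(e, strict=False).overlaps(cand)]

def design_guest_cidr(existing: Iterable[str], pool: str = "10.1.0.0/16",
                      prefixlen: int = 24, requested: Optional[str] = None) -> str:
    """Pick a guest CIDR for a new network in the zone.

    A caller-requested CIDR (as an admin might supply) is accepted only when it
    overlaps nothing already in the zone. Otherwise the first free /prefixlen
    block of the pool is handed out, so every automatically generated guest
    network is disjoint from the others that share the external device.
    """
    existing = list(existing)
    if requested is not None:
        clash = overlapping(requested, existing)
        if clash:
            raise ValueError(f"{requested} overlaps existing guest network(s) {clash}")
        return str(ipaddress.ip_network(requested, strict=False))
    for block in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not overlapping(str(block), existing):
            return str(block)
    raise RuntimeError(f"no free /{prefixlen} left in pool {pool} for this zone")

if __name__ == "__main__":
    used = EXISTING_GUEST_CIDRS.values()
    print(design_guest_cidr(used))                          # 10.1.0.0/24
    print(design_guest_cidr(used, requested="10.1.9.0/24"))  # accepted as-is
    try:
        design_guest_cidr(used, requested="10.1.3.64/26")    # inside acct-b-net2
    except ValueError as err:
        print("rejected:", err)
```

The same check, applied before a tenant-chosen CIDR reaches the device, is what stops two accounts from silently landing on the same address space behind one shared firewall.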
