Return-Path: X-Original-To: apmail-incubator-cloudstack-dev-archive@minotaur.apache.org Delivered-To: apmail-incubator-cloudstack-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4E5409549 for ; Mon, 18 Mar 2013 13:30:08 +0000 (UTC) Received: (qmail 57402 invoked by uid 500); 18 Mar 2013 13:30:07 -0000 Delivered-To: apmail-incubator-cloudstack-dev-archive@incubator.apache.org Received: (qmail 57361 invoked by uid 500); 18 Mar 2013 13:30:07 -0000 Mailing-List: contact cloudstack-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: cloudstack-dev@incubator.apache.org Delivered-To: mailing list cloudstack-dev@incubator.apache.org Received: (qmail 57352 invoked by uid 99); 18 Mar 2013 13:30:07 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 18 Mar 2013 13:30:07 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of williamstevens@gmail.com designates 209.85.219.46 as permitted sender) Received: from [209.85.219.46] (HELO mail-oa0-f46.google.com) (209.85.219.46) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 18 Mar 2013 13:30:02 +0000 Received: by mail-oa0-f46.google.com with SMTP id k1so5550977oag.19 for ; Mon, 18 Mar 2013 06:29:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; bh=OUlQcYFcQdiBw/p6PYfMvtsYP0I/30a6h8BOvAuLASg=; b=olmvawE8U8yMwC7eX+PvjSzdAN3N5gVP3t56V57T6VrD/lwyM9jElSonKWM/Rs4R5Y IoNjipVw4xpBKsK6cIyaWo8E05v+HdcV/GYT6bODp9Q30LRl1rdf3qOuJUMY2PU/FDym KxCDHvHRBFWbfMM9KZnYwsxNhw/OTeXnElEOMsVWiHKtM9lRD8acEQO6F6ZMKtTUxFdR WI8lJMKSaKKZ2dajYOOcOmZ51fkgUBMNrQQzMko5R5BecBPzZbqH/k4eP9wfSuL81fdh 0RRCdo2IIJ09uQvWrEepOAZ/jIl/P50Oiiy4yQjgTIr6zT+WUOMA2x0Gmvh4fEJ6TsY2 ZxHA== MIME-Version: 1.0 X-Received: by 10.60.170.20 with SMTP id ai20mr6980275oec.33.1363613381186; Mon, 18 Mar 2013 06:29:41 -0700 (PDT) Sender: williamstevens@gmail.com Received: by 10.60.164.38 with HTTP; Mon, 18 Mar 2013 06:29:41 -0700 (PDT) In-Reply-To: References: Date: Mon, 18 Mar 2013 09:29:41 -0400 X-Google-Sender-Auth: PcPf75nrlX_Lm3bxr75Dm6ZoGHk Message-ID: Subject: Re: [DISCUSS] Palo Alto Integration From: Will Stevens To: "cloudstack-dev@incubator.apache.org" Content-Type: multipart/alternative; boundary=bcaec554098032a97204d832fb0d X-Virus-Checked: Checked by ClamAV on apache.org --bcaec554098032a97204d832fb0d Content-Type: text/plain; charset=ISO-8859-1 Thank you both very much for your answers. I think the ExternalGuestNetworkGuru will be best received on my side, so I will do some more research on that. Thanks... On Mon, Mar 18, 2013 at 2:46 AM, Murali Reddy wrote: > On 16/03/13 1:46 AM, "Will Stevens" wrote: > > > >1. Restrict the available subnets for each account so two accounts can't > >create overlapping subnets. > >To me, this breaks the whole concept of cloud, but for enterprise > >customers > >this is not a huge limitation because they usually solve this problem this > >way. > > > >2. Run multiple Palo Alto VM firewalls and associate one VM firewall per > >account. > >The management overhead of this is crazy, so this type of implementation > >would be very hard to work with. > > > >Since I do not like either of these approaches, I wanted to see if I could > >get some feedback on this. Are there other alternatives that would solve > >the problem more elegantly that I have not mentioned? What would be the > >best way to solve this problem in a 'CloudStack way'? > > Unfortunately vendor appliacnces CloudStack support, does not have > multi-tenancy yet. 'CloudStack way' has been both #1 and #2 to work around > this. > > Please see [1], so 'external guest network' Guru designs the network such > that no two guest networks in a zone using external network device has > overlapping Cidr's. You may use 'external guest network' guru or extend it > ensure automatically generated non-overlapping CIDR's for guest network. > > Also CloudStack already supports notion of multiple provider instances per > physical network. Using which for load balancer devices there is generic > management piece of code to allocate a dedicated (per tenant) or shared > load balancer from a pool of admin provisioned load balancers [2]. See if > this helps if you intend to support pool of firewall VM's. > > [1] server/src/com/cloud/network/guru/ExternalGuestNetworkGuru.java > [2] server/src/com/cloud/network/ExternalLoadBalancerDeviceManagerImpl.java > > -Murali > > > > > >Any feedback on this would be appreciated. > > > >Cheers, > > > >Will > > > > > --bcaec554098032a97204d832fb0d--