From: Sheng Yang
To: dev@cloudstack.apache.org
Date: Wed, 22 Jan 2014 11:55:44 -0800
Subject: Re: Adding Redundant Routers to VPCs

Again, Karl, please keep the relevant things in ONE mail thread. Please don't start one thread every time you post in the community. You can simply reply to the thread you posted before, address people's comments, and that would also keep the people involved aware of what's going on.

On Wed, Jan 22, 2014 at 10:02 AM, Karl Harris wrote:
> Comments/Critiques/Additions to this list as well as implementation
> suggestions are requested.
>
> After looking at the differences between Public cloud routing and Virtual
> Private Cloud Routing it appears the main differences are:
>
>   Public Cloud                                     VPC
>   One private network connection                   Multiple (1…n) private networks (tiers?)
>   Single router / 1 NIC public / 1 NIC private     Single router / 1 NIC public / (1…n) NIC private (tiers?)
>
> Additional/Needed functionality for redundant VPC routers:
>
> Router pairs must be initialized (master/backup) with the same
> functionality (NAT, DNS, etc).

Yes. And the backup's services would be disabled temporarily.

> Router pairs must be initialized with the same number of NICs, both public
> and private, on each router.

Yes.

> Unique IPs must be available for each NIC on both master and backup
> routers using CIDR(s) configured in the VPC private network.

You meant, same IP? Except the control (link local) IP.

> It appears most of the functional changes will be inside the Java class:
> VpcVirtualNetworkApplianceManagerImpl

Lots of work would be in the VR script as well, since eth2 is no longer assumed to be the public NIC.

--Sheng

> Have I missed any critical differences?
>
> Karl Harris
> Cloud Software Engineer
> Sungard Availability Systems
>
> Listed below, lifted from the CloudStack Documentation, are the
> characteristics of a VPC as a reference:
>
> *Major Components of a VPC:*
>
> A VPC is comprised of the following network components:
>
> - *VPC*: A VPC acts as a container for multiple isolated networks that
>   can communicate with each other via its virtual router.
> - *Network Tiers*: Each tier acts as an isolated network with its own
>   VLANs and CIDR list, where you can place groups of resources, such as
>   VMs. The tiers are segmented by means of VLANs. The NIC of each tier
>   acts as its gateway.
> - *Virtual Router*: A virtual router is automatically created and
>   started when you create a VPC. The virtual router connects the tiers and
>   directs traffic among the public gateway, the VPN gateways, and the NAT
>   instances. For each tier, a corresponding NIC and IP exist in the
>   virtual router. The virtual router provides DNS and DHCP services
>   through its IP.
> - *Public Gateway*: The traffic to and from the Internet is routed to the
>   VPC through the public gateway. In a VPC, the public gateway is not
>   exposed to the end user; therefore, static routes are not supported for
>   the public gateway.
> - *Private Gateway*: All the traffic to and from a private network is
>   routed to the VPC through the private gateway. For more information, see
>   Section 11.19.5, "Adding a Private Gateway to a VPC"
>   <http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.2/html/Installation_Guide/configure-vpc.html#add-gateway-vpc>.
> - *VPN Gateway*: The VPC side of a VPN connection.
> - *Site-to-Site VPN Connection*: A hardware-based VPN connection between
>   your VPC and your datacenter, home network, or co-location facility. For
>   more information, see Section 11.17.4, "Setting Up a Site-to-Site VPN
>   Connection"
>   <http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.2/html/Installation_Guide/vpn.html#site-to-site-vpn>.
> - *Customer Gateway*: The customer side of a VPN Connection. For more
>   information, see Section 11.17.4.1, "Creating and Updating a VPN Customer
>   Gateway"
>   <http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.2/html/Installation_Guide/vpn.html#create-vpn-customer-gateway>.
> - *NAT Instance*: An instance that provides Port Address Translation for
>   instances to access the Internet via the public gateway. For more
>   information, see Section 11.19.9, "Enabling or Disabling Static NAT on a
>   VPC"
>   <http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.2/html/Installation_Guide/configure-vpc.html#enable-disable-static-nat-vpc>.
>
> *Network Architecture in a VPC*
>
> In a VPC, the following four basic options of network architectures are
> present:
>
> - VPC with a public gateway only
> - VPC with public and private gateways
> - VPC with public and private gateways and site-to-site VPN access
> - VPC with a private gateway only and site-to-site VPN access
>
> *Connectivity Options for a VPC*
>
> You can connect your VPC to:
>
> - The Internet through the public gateway.
> - The corporate datacenter by using a site-to-site VPN connection
>   through the VPN gateway.
> - Both the Internet and your corporate datacenter by using both the
>   public gateway and a VPN gateway.
>
> *VPC Network Considerations*
>
> Consider the following before you create a VPC:
>
> - A VPC, by default, is created in the enabled state.
> - A VPC can be created in an Advanced zone only, and can't belong to more
>   than one zone at a time.
> - The default number of VPCs an account can create is 20. However, you
>   can change it by using the max.account.vpcs global parameter, which
>   controls the maximum number of VPCs an account is allowed to create.
> - The default number of tiers an account can create within a VPC is 3.
>   You can configure this number by using the vpc.max.networks parameter.
> - Each tier should have a unique CIDR in the VPC. Ensure that the
>   tier's CIDR is within the VPC CIDR range.
> - A tier belongs to only one VPC.
> - All network tiers inside the VPC should belong to the same account.
> - When a VPC is created, by default, a SourceNAT IP is allocated to it.
>   The Source NAT IP is released only when the VPC is removed.
> - A public IP can be used for only one purpose at a time. If the IP is a
>   sourceNAT, it cannot be used for StaticNAT or port forwarding.
> - The instances only have a private IP address that you provision. To
>   communicate with the Internet, enable NAT to an instance that you
>   launch in your VPC.
> - Only new networks can be added to a VPC. The maximum number of
>   networks per VPC is limited by the value you specify in the
>   vpc.max.networks parameter. The default value is three.
> - The load balancing service can be supported by only one tier inside
>   the VPC.
> - If an IP address is assigned to a tier:
>   - That IP can't be used by more than one tier at a time in the VPC.
>     For example, if you have tiers A and B, and a public IP1, you can
>     create a port forwarding rule by using the IP either for A or B, but
>     not for both.
>   - That IP can't be used for StaticNAT, load balancing, or port
>     forwarding rules for another guest network inside the VPC.
> - Remote access VPN is not supported in VPC networks.
>
> --
> Karl O. Harris
> Cloud Software Engineer
> Sungard Availability Services
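As an added example, not code from this thread or from CloudStack itself: a small Python checker, over a hypothetical data layout, for the VPC rules quoted from the documentation above (tier CIDR inside the VPC CIDR, unique tier CIDRs, one load-balancing tier, one purpose per public IP) and for the redundant-router pair requirements as Sheng corrected them (same services and NICs, shared IP on each NIC, unique control IP).

```python
import ipaddress

# Constructed sample data in a hypothetical layout (not CloudStack's own objects):
# one VPC with two tiers, and a master/backup router pair serving it.
VPC = {
    "cidr": "10.1.0.0/16",
    "tiers": [{"name": "web", "cidr": "10.1.1.0/24", "lb": True},
              {"name": "db", "cidr": "10.1.2.0/24", "lb": False}],
    # public IP -> purposes it is used for (sourcenat / staticnat / portforward / lb)
    "public_ips": {"203.0.113.10": ["sourcenat"], "203.0.113.11": ["staticnat"]},
}
MASTER = {"services": {"nat", "dns", "dhcp"}, "control_ip": "169.254.1.10",
          "nics": {"eth0": "10.1.1.1", "eth1": "203.0.113.10", "eth2": "10.1.2.1"}}
BACKUP = {"services": {"nat", "dns", "dhcp"}, "control_ip": "169.254.1.11",
          "nics": {"eth0": "10.1.1.1", "eth1": "203.0.113.10", "eth2": "10.1.2.1"}}


def check_vpc(vpc):
    """Return violations of the VPC rules quoted from the documentation."""
    problems = []
    vpc_net = ipaddress.ip_network(vpc["cidr"])
    nets = [(t["name"], ipaddress.ip_network(t["cidr"])) for t in vpc["tiers"]]
    for name, net in nets:
        if not net.subnet_of(vpc_net):  # tier CIDR must lie within the VPC CIDR
            problems.append(f"tier {name}: {net} is outside VPC CIDR {vpc_net}")
    for i, (a_name, a) in enumerate(nets):  # tier CIDRs must be unique; overlap
        for b_name, b in nets[i + 1:]:      # is the stricter practical test
            if a.overlaps(b):
                problems.append(f"tiers {a_name} and {b_name} overlap: {a} vs {b}")
    if sum(t["lb"] for t in vpc["tiers"]) > 1:
        problems.append("load balancing is supported on only one tier per VPC")
    for ip, uses in vpc["public_ips"].items():  # one purpose per public IP
        if len(uses) > 1:
            problems.append(f"public IP {ip} used for several purposes: {uses}")
    return problems


def check_router_pair(master, backup):
    """Return violations of the redundant-router requirements from the thread."""
    problems = []
    if master["services"] != backup["services"]:
        problems.append("master and backup must offer the same services")
    if master["nics"].keys() != backup["nics"].keys():
        problems.append("master and backup must have the same set of NICs")
    else:  # per Sheng's correction: shared IPs on every NIC, not unique ones
        for nic, ip in master["nics"].items():
            if backup["nics"][nic] != ip:
                problems.append(f"{nic}: master {ip} vs backup {backup['nics'][nic]}")
    if master["control_ip"] == backup["control_ip"]:  # only the control IP differs
        problems.append("control (link-local) IP must be unique per router")
    return problems
```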