cloudstack-users mailing list archives

From Chiradeep Vittal <Chiradeep.Vit...@citrix.com>
Subject Re: dedicated public IP ranges for system vms
Date Wed, 20 Jun 2012 14:14:26 GMT
I've heard this request from other users as well with different justifications

--
Chiradeep

On Jun 20, 2012, at 12:36, "Roeland Kuipers" <RKuipers@schubergphilis.com> wrote:

> Hi,
> 
> We have the same desire, for the following reasons. 
> 
> Given the type of customers we host we would like to be able to put the Portal, SSVM, CPVM, API behind a (2-factor) secured SSL VPN solution and/or also implement IDS/IPS in front of these services.
> On the same hand we would like to be able to selectively whitelist access to the API, for example for customers to allow hosted services like Rightscale and others.
> This is currently hard to implement given the dynamic IP assignments of the SSVM and CPVM. A dedicated VLAN for these services would be ideal to add additional security.
> 
> We feel the SSVM and CPVM are currently an Achilles heel since they have a foot on the private and public network in order to serve images and VNC sessions. If these VMs would get compromised, this means a potential hacker has r/w access to our secondary storage but also access to the management network (Xapi SSH etc) and is also able to sniff this network, not desired. I understand this is a hardened machine, but not sure if this argument will convince auditors of our customers.
> 
> Basically we want to be able to implement additional controls in front of all public services which are part of the cloud infrastructure, SSVM, CPVM, Portal and API.
> 
> Cheers,
> Roeland
> 
> -----Original Message-----
> From: Paul Angus [mailto:paul.angus@shapeblue.com] 
> Sent: 20 June 2012 09:36
> To: cloudstack-users@incubator.apache.org
> Subject: RE: dedicated public IP ranges for system vms
> 
> Thanks Alena,
> 
> They want to make the allocation global so that system vms come from certain public IP pools and all user public IPs come from different pools.
> 
> -----Original Message-----
> From: Alena Prokharchyk [mailto:Alena.Prokharchyk@citrix.com]
> Sent: 19 June 2012 16:21
> To: cloudstack-users@incubator.apache.org
> Subject: Re: dedicated public IP ranges for system vms
> 
> On 6/19/12 4:13 AM, "Paul Angus" <paulangus@betterbydesign.uk.com> wrote:
> 
>> Is it possible to dedicate public IP address ranges to either system 
>> vms or account virtual routers?
>> 
>> It's a client request.
>> 
>> thanks
>> 
>> 
>> Paul Angus
>> 
>> 
>> 
> 
> 
> 
> You can dedicate public IP ranges to a user account, but there are some limitations for this feature. Here is the article on that:
> 
> http://wiki.cloudstack.org/display/RelOps/Adding+public+Vlan+per+account
> 
> 
> -Alena.