cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roeland Kuipers <>
Subject RE: dedicated public IP ranges for system vms
Date Wed, 20 Jun 2012 10:36:01 GMT

We have the same desire, for the following reasons. 

Given the type of customers we host we would like to be able to put the Portal, SSVM, CPVM,
API behind a (2-factor) secured SSL VPN solution and/or also implement IDS/IPS in front of
these services.
On the same hand we would like being able to selectively whitelist access to the API, for
example for customers to allow hosted services like Rightscale and others.
This is currently hard to implement given the dynamic IP assignments of the SSVM and CPVM.
A dedicated VLAN for these services would be ideal to add additional security.

We feel the SSVM and CPVM are currently an Achilles heel since they have a foot on the private
and public network in order to serve images and VNC sessions. If these VMs would get compromised,
this means a potential hacker has r/w access to our secondary storage but also access to the
management network (Xapi SSH etc) and is also able to sniff this network, not desired. I understand
this is a hardened machine, but not sure if this argument will convince auditors of our customers.

Basicly we want to be able to implement additional controls in front of all public services
which are part of the cloud infrastructure, SSVM,CPVM,Portal and API.


-----Original Message-----
From: Paul Angus [] 
Sent: 20 June 2012 09:36
Subject: RE: dedicated public IP ranges for system vms

Thanks Alena,

They want to make the allocation global so that system vms come from certain public IP pools
and all user public IPs come from different pools.

-----Original Message-----
From: Alena Prokharchyk []
Sent: 19 June 2012 16:21
Subject: Re: dedicated public IP ranges for system vms

On 6/19/12 4:13 AM, "Paul Angus" <> wrote:

>Is it possible to dedicate public IP address ranges to either system 
>vms or account virtual routers?
>It's a client request.
>Paul Angus

You can dedicate pubic ip ranges to user account, but there are some limitations for this
feature. Here is the article on that:


ShapeBlue provides a range of strategic and technical consulting and implementation services
to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue’s
expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises
to deliver true, utility based, IaaS to the customer or end-user.


This email and any attachments to it may be confidential and are intended solely for the use
of the individual to whom it is addressed. Any views or opinions expressed are solely those
of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the
intended recipient of this email, you must neither take any action based upon its contents,
nor copy or show it to anyone. Please contact the sender if you believe you have received
this email in error. Shape Blue Ltd is a company incorporated in England & Wales.
View raw message