cloudstack-users mailing list archives

From David Nalley <da...@gnsa.us>
Subject Re: dedicated public IP ranges for system vms
Date Wed, 20 Jun 2012 17:13:57 GMT
But we'd welcome patches :)

--David

On Wed, Jun 20, 2012 at 12:33 PM, Kevin Kluge <Kevin.Kluge@citrix.com> wrote:
> FWIW I'm not aware of anyone working on this or planning to.
>
> -kevin
>
>> -----Original Message-----
>> From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
>> Sent: Wednesday, June 20, 2012 7:14 AM
>> To: cloudstack-users@incubator.apache.org
>> Cc: cloudstack-users@incubator.apache.org; int-cloud
>> Subject: Re: dedicated public IP ranges for system vms
>>
>> I've heard this request from other users as well with different justifications
>>
>> --
>> Chiradeep
>>
>> On Jun 20, 2012, at 12:36, "Roeland Kuipers" <RKuipers@schubergphilis.com> wrote:
>>
>> > Hi,
>> >
>> > We have the same desire, for the following reasons.
>> >
>> > Given the type of customers we host we would like to be able to put the Portal, SSVM, CPVM, API behind a (2-factor) secured SSL VPN solution and/or also implement IDS/IPS in front of these services.
>> > On the same hand we would like to be able to selectively whitelist access to the API, for example for customers to allow hosted services like Rightscale and others.
>> > This is currently hard to implement given the dynamic IP assignments of the SSVM and CPVM. A dedicated VLAN for these services would be ideal to add additional security.
>> >
>> > We feel the SSVM and CPVM are currently an Achilles heel since they have a foot on the private and public network in order to serve images and VNC sessions. If these VMs would get compromised, this means a potential hacker has r/w access to our secondary storage but also access to the management network (Xapi SSH etc) and is also able to sniff this network, not desired. I understand this is a hardened machine, but not sure if this argument will convince auditors of our customers.
>> >
>> > Basically we want to be able to implement additional controls in front of all public services which are part of the cloud infrastructure, SSVM, CPVM, Portal and API.
>> >
>> > Cheers,
>> > Roeland
>> >
>> > -----Original Message-----
>> > From: Paul Angus [mailto:paul.angus@shapeblue.com]
>> > Sent: 20 June 2012 09:36
>> > To: cloudstack-users@incubator.apache.org
>> > Subject: RE: dedicated public IP ranges for system vms
>> >
>> > Thanks Alena,
>> >
>> > They want to make the allocation global so that system vms come from certain public IP pools and all user public IPs come from different pools.
>> >
>> > -----Original Message-----
>> > From: Alena Prokharchyk [mailto:Alena.Prokharchyk@citrix.com]
>> > Sent: 19 June 2012 16:21
>> > To: cloudstack-users@incubator.apache.org
>> > Subject: Re: dedicated public IP ranges for system vms
>> >
>> > On 6/19/12 4:13 AM, "Paul Angus" <paulangus@betterbydesign.uk.com> wrote:
>> >
>> >> Is it possible to dedicate public IP address ranges to either system
>> >> vms or account virtual routers?
>> >>
>> >> It's a client request.
>> >>
>> >> thanks
>> >>
>> >>
>> >> Paul Angus
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> > You can dedicate public IP ranges to a user account, but there are some limitations for this feature. Here is the article on that:
>> >
>> > http://wiki.cloudstack.org/display/RelOps/Adding+public+Vlan+per+account
>> >
>> >
>> > -Alena.
