cloudstack-users mailing list archives

From Alex Heneveld <alex.henev...@cloudsoftcorp.com>
Subject Re: mgmt VM access to VPC
Date Thu, 07 Feb 2013 21:53:03 GMT

An update on this.  It seems there are currently 4 viable options for 
solving this VPC mgmt access problem, summarised below. Thanks Chip and 
Alex (minor questions in-line).

 > We're trying to set up a VPC/nTier-App such that a single VM (call it a
 > management node) outside the VPC has ssh access to the VM's inside the
 > VPC.  (And to do this for multiple VPC's, same mgmt node.) What's the
 > best way to implement this?

1) Shared-network solution -- this is what we've done and I'm pleased to 
say it works!  (Alex, although this isn't exposed in the GUI, the API 
call to attach an additional network to VPC nodes works fine -- in 
cloudplatform 3.0.5 at least)

2) "DIY" remote access VPN [Chip's suggestion] -- Chip, if I understand 
your suggestion correctly it's basically that we roll-our-own VPN on a 
VM in the VPC w/ ip-sec gateway to enable remote-access ("road warrior") 
VPN'ing, since this isn't available out of the box for VPC's (as per [1])

3) Port-forwarding on extra VPC public IP -- managing these assignments 
is tedious (as Chip notes) but it is not as bad as it sounds; we've had 
to do this before, in LXC-land where containers are isolated.  It has a 
benefit over #2 of not needing a dedicated VPN endpoint VM in the VPC, 
and over #1 of not attaching a free-for-all mgmt network; but it isn't 
elegant or fun.

4) s2s VPN [Alex Huang's suggestion] -- I think this is a nice option if 
you already have the beefy hardware (Cisco / Juniper) that this 
requires, based on the wiki [2] at least -- is that right?  although it 
would be inefficient if that hardware isn't local (b/c all traffic is 
routed through the remote gateway) and also note there is a question in 
the wiki whether it will work between zones (but I see no reason why it 
wouldn't?)

The mgmt VM can be in the same zone here (re Chip's question).  If the 
mgmt VM is in a different zone then #1 doesn't work (not unless you use 
it to set up a proxy then use one of the other techniques to connect in 
to it).

It will be nice when #754 is implemented [1] as that seems better than 
any of these.  :)

I hope this is useful to anyone else needing to do this.  Any comments 
or corrections welcome.  And happy to share the code if that's of interest.

Alex

[1]  https://issues.apache.org/jira/browse/CLOUDSTACK-754
[2]  https://cwiki.apache.org/CLOUDSTACK/site-to-site-vpn.html


On 06/02/2013 17:23, Alex Huang wrote:
>> -----Original Message-----
>> From: Chip Childers [mailto:chip.childers@sungard.com]
>> Sent: Wednesday, February 06, 2013 7:43 AM
>> To: cloudstack-users@incubator.apache.org
>> Subject: Re: mgmt VM access to VPC
>>
>> On Wed, Feb 06, 2013 at 02:23:08AM +0000, Alex Heneveld wrote:
>>> Hi,
>>>
>>> We're trying to set up a VPC/nTier-App such that a single VM (call it a
>>> management node) outside the VPC has ssh access to the VM's inside the
>>> VPC.  (And to do this for multiple VPC's, same mgmt node.)  What's the
>>> best way to implement this?
>>>
>>> It seems like #754 [1] would be the right way to go about this when
>>> available (is that right?) but already there are a few things we could
>>> do now:
>>>
>>> - set up an extra public IP on each tier with careful port forwarding
>>> and ACL restricted to the mgmt node
>>> - use an s2s vpn where the other "site" is just the mgmt node
>>> - use a shared network, seems supported based on #748 [2] (but this
>>> would break isolation?)
>>>
>>> Any thoughts on these or others?
>>>
>>> TIA,
>>> Alex
>>>
>>>
>>> [1]  https://issues.apache.org/jira/browse/CLOUDSTACK-754
>>> [2]  https://issues.apache.org/jira/browse/CLOUDSTACK-748
>>>
>>>
>> Is this "other VM" going to be in a different zone?
>>
>> This seems like you would have to consider it as being a completely
>> different entity from the VPC that it will be connecting into.  With
>> that being the case, you're best off setting up an IP sec tunnel
>> into the VPC from that VM.  I don't think you'll want to manage a bunch
>> of port forwarding rules for each VM in the VPC.
> +1  I don't think shared network is supported by VPC at this point so s2s vpn should
> be the best way to go.
>
> --Alex

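Option 3 above (an extra VPC public IP, a port-forwarding rule per VM, and a 
tier ACL restricted to the mgmt node) is the one most easily scripted, and 
the signing step is where scripts usually go wrong. The block below is an 
added example, not code from this thread or from the CloudStack project: it 
builds the two API requests per VM and signs them the way the CloudStack API 
expects (URL-encode values, sort by key, lowercase the whole query string, 
HMAC-SHA1 under the secret key, base64). The endpoint, API keys, UUIDs and 
the mgmt node address are made-up placeholders, and the createNetworkACL 
parameters are the 4.0-era form keyed by networkid; check them against the 
API reference of the release you run.

```python
"""Signed CloudStack API requests for the port-forwarding-plus-ACL option.

Added example, not the list author's code or a CloudStack client.  Endpoint,
API keys, UUIDs and the management node address are constructed placeholders.
"""
import base64
import hashlib
import hmac
import urllib.parse

# Placeholder credentials and identifiers (constructed, not from the thread).
ENDPOINT = "https://cloud.example.invalid/client/api"
API_KEY = "example-api-key"
SECRET_KEY = "example-secret-key"
MGMT_NODE_CIDR = "10.0.0.5/32"  # only this host may reach the forwarded port


def canonical_query(params, api_key):
    """Build the query string CloudStack signs: apikey added, values
    URL-encoded (spaces as %20, '/' encoded), pairs sorted by lowercased key."""
    p = dict(params)
    p["apikey"] = api_key
    p.setdefault("response", "json")
    pairs = [(k, urllib.parse.quote(str(v), safe="*")) for k, v in p.items()]
    pairs.sort(key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={v}" for k, v in pairs)


def sign(query, secret_key):
    """HMAC-SHA1 over the lowercased canonical query, base64-encoded."""
    mac = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def verify(query, signature, secret_key):
    """What the management server does on receipt: recompute and compare
    in constant time, so a tampered query or wrong secret is rejected."""
    return hmac.compare_digest(sign(query, secret_key), signature)


def signed_url(params, api_key=API_KEY, secret_key=SECRET_KEY, endpoint=ENDPOINT):
    """Full GET URL: canonical query plus the URL-encoded signature."""
    query = canonical_query(params, api_key)
    sig = urllib.parse.quote(sign(query, secret_key), safe="")
    return f"{endpoint}?{query}&signature={sig}"


def mgmt_access_requests(vm_id, public_ip_id, tier_network_id,
                         mgmt_cidr=MGMT_NODE_CIDR, public_port=2222, ssh_port=22):
    """The two API calls needed per VPC VM: forward public_port on the extra
    public IP to the VM's SSH port, and a tier ACL (4.0-era form keyed by
    networkid; assumed for this example) allowing that port in from the mgmt
    node only.  openfirewall=false so no companion firewall rule opening the
    port to everyone is created; in a VPC the tier ACL governs access."""
    port_forward = {
        "command": "createPortForwardingRule",
        "ipaddressid": public_ip_id,
        "virtualmachineid": vm_id,
        "networkid": tier_network_id,
        "protocol": "TCP",
        "publicport": public_port, "publicendport": public_port,
        "privateport": ssh_port, "privateendport": ssh_port,
        "openfirewall": "false",
    }
    acl = {
        "command": "createNetworkACL",
        "networkid": tier_network_id,
        "protocol": "TCP",
        "startport": ssh_port, "endport": ssh_port,
        "traffictype": "Ingress",
        "cidrlist": mgmt_cidr,
    }
    return [port_forward, acl]


if __name__ == "__main__":
    # Placeholder UUIDs; real ones come from listVirtualMachines,
    # listPublicIpAddresses and listNetworks.
    for req in mgmt_access_requests("vm-uuid-1", "ip-uuid-1", "net-uuid-1"):
        print(signed_url(req))
```

Two things worth keeping from this when scripting it for real: lowercase 
only the string you sign, never the query you send (the server lowercases 
its own copy before checking), and give each VM its own distinct public 
port so a single mgmt node can reach every VM behind one VPC public IP.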
