cloudstack-users mailing list archives

From Alex Huang <Alex.Hu...@citrix.com>
Subject RE: mgmt VM access to VPC
Date Wed, 06 Feb 2013 17:23:35 GMT


> -----Original Message-----
> From: Chip Childers [mailto:chip.childers@sungard.com]
> Sent: Wednesday, February 06, 2013 7:43 AM
> To: cloudstack-users@incubator.apache.org
> Subject: Re: mgmt VM access to VPC
> 
> On Wed, Feb 06, 2013 at 02:23:08AM +0000, Alex Heneveld wrote:
> > Hi,
> >
> > We're trying to set up a VPC/nTier-App such that a single VM (call it a
> > management node) outside the VPC has ssh access to the VMs inside the
> > VPC.  (And to do this for multiple VPCs, same mgmt node.)  What's the
> > best way to implement this?
> >
> > It seems like #754 [1] would be the right way to go about this when
> > available (is that right?) but already there are a few things we could
> > do now:
> >
> > - set up an extra public IP on each tier with careful port forwarding
> > and ACL restricted to the mgmt node
> > - use an s2s vpn where the other "site" is just the mgmt node
> > - use a shared network, seems supported based on #748 [2] (but this
> > would break isolation?)
> >
> > Any thoughts on these or others?
> >
> > TIA,
> > Alex
> >
> >
> > [1]  https://issues.apache.org/jira/browse/CLOUDSTACK-754
> > [2]  https://issues.apache.org/jira/browse/CLOUDSTACK-748
> >
> >
> 
> Is this "other VM" going to be in a different zone?
> 
> This seems like you would have to consider it as being a completely
> different entity from the VPC that it will be connecting into.  With
> that being the case, you're best off setting up an IPsec tunnel
> into the VPC from that VM.  I don't think you'll want to manage a bunch
> of port forwarding rules for each VM in the VPC.

+1  I don't think shared network is supported by VPC at this point, so s2s VPN should be the
best way to go.

--Alex
