cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nux! <>
Subject Re: Networking in Advance zone with security groups enabled
Date Fri, 06 Feb 2015 10:39:34 GMT
Hello Sonali,

In an advanced zone with security groups the guest and public network are combined in one.
It's very similar to the Basic zone.
So you will end up with a network and all your VMs will be connected to it. You will want
to use "public" IPs and there will be no NAT involved.

Although you can add more than one network, a VM cannot be connected to more than 1 at a time.

You will have a VR which is there to provide DHCP, user data, passwords; it will not route
You will not be able to use the "firewall" feature though obviously you will be able to use
Security Groups. There is no load balancer or VPN feature available, as well.

The main advantage is that the traffic of your VMs bypasses the VR and goes out through the
host directly, the security groups (iptables rules) are also applied on the host; this gives
it significantly more performance than an Advanced zone.

So look at what your needs are and choose the appropriate type of zone.


Sent from the Delta quadrant using Borg technology!


----- Original Message -----
> From: "Sonali Jadhav" <>
> To:
> Sent: Friday, 6 February, 2015 09:26:15
> Subject: RE: Networking in Advance zone with security groups enabled

> So basically in "Advance zone with security groups" on guest network we'll be
> creating both logical networks? i.e. Shared network and Isolated networks?
> So, if we use only Advance zone, then there will be guest and public networks,
> and we can create isolated network on Public traffic interface and shared
> network on Guest traffic interface.
> Where as in case of Advance zone with Security groups, there will be only Guest
> interface, and we can create both types of logical networks on same guest
> traffic interface.
> So I want to understand that, why there is this difference, what advantage we
> get in it?
> (actually I am planning production ready CloudStack deployment architecture, so
> want to understand what's better)

View raw message