cloudstack-users mailing list archives

From Sonali Jadhav <>
Subject RE: Networking in Advance zone with security groups enabled
Date Fri, 06 Feb 2015 11:13:55 GMT
Ok I get it.

But again, does that mean there would be no "shared guest" network and "isolated guest" network
offerings in "Advance zone with security groups"? 

Coz, I understood that, in case of "isolated guest" network, VR is responsible for NAT, firewall
and load balancing functions, which doesn’t happen in case of "shared guest" network. So
I want to know if this exists in case of "Advance zone with security groups" as well.


-----Original Message-----
From: Nux! [] 
Sent: Friday, February 6, 2015 4:10 PM
Subject: Re: Networking in Advance zone with security groups enabled

Hello Sonali,

In an advanced zone with security groups the guest and public network are combined in one.
It's very similar to the Basic zone.
So you will end up with a network and all your VMs will be connected to it. You will want
to use "public" IPs and there will be no NAT involved.

Although you can add more than one network, a VM cannot be connected to more than 1 at a time.

You will have a VR which is there to provide DHCP, user data, passwords; it will not route.
You will not be able to use the "firewall" feature though obviously you will be able to use
Security Groups. There is no load balancer or VPN feature available, as well.

The main advantage is that the traffic of your VMs bypasses the VR and goes out through the
host directly, the security groups (iptables rules) are also applied on the host; this gives
it significantly more performance than an Advanced zone.

So look at what your needs are and choose the appropriate type of zone.


Sent from the Delta quadrant using Borg technology!


----- Original Message -----
> From: "Sonali Jadhav" <>
> To:
> Sent: Friday, 6 February, 2015 09:26:15
> Subject: RE: Networking in Advance zone with security groups enabled

> So basically in "Advance zone with security groups" on guest network 
> we'll be creating both logical networks? i.e. Shared network and Isolated networks?
> So, if we use only Advance zone, then there will be guest and public 
> networks, and we can create isolated network on Public traffic 
> interface and shared network on Guest traffic interface.
> Whereas in case of Advance zone with Security groups, there will be 
> only Guest interface, and we can create both types of logical networks 
> on same guest traffic interface.
> So I want to understand that, why there is this difference, what 
> advantage we get in it?
> (actually I am planning production ready CloudStack deployment 
> architecture, so want to understand what's better)
