cloudstack-users mailing list archives

From Alessandro Caviglione <c.alessan...@gmail.com>
Subject Re: Replace VR
Date Tue, 03 Dec 2019 18:32:05 GMT
Yes, I thought about your idea, but I would not introduce too many hops...
in addition I cannot manage Public IPs directly from Barracuda VA.
Is there a kind of parameter I can configure to deploy all of the customer's
instances on the same host as the VR?

On Tue, Dec 3, 2019 at 6:57 PM Andrija Panic <andrija.panic@gmail.com>
wrote:

> Hi,
>
> it's not possible to completely replace (i.e. not without complete ACS code
> base change....), but you might want to see if the following helps:
> - Assign one or more (as required, one at minimum) additional Public IPs on
> the VR, and then configure Static NAT from that Public IP to the internal
> IP of the Barracuda appliance (which you would deploy from template - ACS
> 4.13 supports appliances for VMware, so you should be able to answer all
> the questions that are input to the appliance, so to speak...)
> - Then attach this Barracuda to all the networks whose VMs you want to
> "protect"
>
> Effectively traffic goes as follows: internet ---> VR (Public IP, Static
> NAT to...) ---> Barracuda/internal appliance - and the VMs would use
> Barracuda as the default gateway.
> This does imply not being able to manage IPs via DHCP, since for any
> DHCPDISCOVER, the dnsmasq inside VR will also offer an IP, besides Barracuda
> doing that...
> (configure ACLs to forbid ANY outgoing traffic from networks where you have
> your user VMs - Barracuda appliance is on the dedicated private network
> (which you can consider as "public" or "north-side" to the Barracuda
> appliance) so here you allow all outgoing traffic from this network to
> Internet)
>
> Then you would be able to use Barracuda as the endpoint for the VPN tunnels.
> Far from perfect, but might work for you, if you can live with the
> limitations.
>
> Best,
> Andrija
>
> On Tue, 3 Dec 2019 at 17:20, Alessandro Caviglione <c.alessandro@gmail.com>
> wrote:
>
> > Hi guys,
> > I'm trying to understand if it's possible to replace a VR for a single
> > customer.
> > I've ACS 4.13 with vSphere 6.7 and Advanced Networking, one of my clients
> > wants to use Barracuda Virtual Firewall because he wants to connect Cloud
> > network to office networks using TINA VPN (proprietary protocol) instead
> > of IPSec.
> > So, is it possible to replace VR with the Barracuda Virtual Appliance?
> >
> > Thank you
> >
>
>
> --
>
> Andrija Panić
>
