cloudstack-users mailing list archives

From Andrija Panic <andrija.pa...@gmail.com>
Subject Re: Replace VR
Date Tue, 03 Dec 2019 19:12:21 GMT
That's true.

You can experiment with Dedicating a host to the customer. I can't advise
(off the top of my head) if the customer's VR will also be created there (but
you can do a one-time live migration to that host if needed) - all customer VMs
will be created on this host while there are free resources there.

Andrija

On Tue, 3 Dec 2019 at 19:32, Alessandro Caviglione <c.alessandro@gmail.com>
wrote:

> Yes, I thought about your idea, but I would not introduce too many hops...
> in addition I cannot manage Public IPs directly from Barracuda VA.
> Is there a kind of parameter I can configure to deploy all the customer's
> instances on the same VR's host?
>
> On Tue, Dec 3, 2019 at 6:57 PM Andrija Panic <andrija.panic@gmail.com>
> wrote:
>
> > Hi,
> >
> > it's not possible to completely replace (i.e. not without complete ACS
> > code base change....), but you might want to see if the following helps:
> > - Assign one or more (as required, one at minimum) additional Public IPs
> > on the VR, and then configure Static NAT from that Public IP to the
> > internal IP of the Barracuda appliance (which you would deploy from
> > template - ACS 4.13 supports appliances for VMware, so you should be able
> > to answer all the questions that are input to the appliance, so to speak...)
> > - Then attach this Barracuda to all the networks whose VMs you want to
> > "protect"
> >
> > Effectively traffic goes as follows:  internet ---> VR (Public IP, Static
> > NAT to...) ---> Barracuda/internal appliance - and the VMs would use
> > Barracuda as the default gateway.
> > This does imply not being able to manage IPs via DHCP, since for any
> > DHCPDISCOVER, the dnsmasq inside VR will also offer an IP, besides
> > Barracuda doing that...
> > (configure ACLs to forbid ANY outgoing traffic from networks where you
> > have your user VMs - Barracuda appliance is on the dedicated private
> > network (which you can consider as "public" or "north-side" to the
> > Barracuda appliance) so here you allow all outgoing traffic from this
> > network to Internet)
> >
> > Then you would be able to use Barracuda as the endpoint for the VPN
> > tunnels.
> > Far from perfect, but might work for you, if you can live with the
> > limitations.
> >
> > Best,
> > Andrija
> >
> > On Tue, 3 Dec 2019 at 17:20, Alessandro Caviglione <c.alessandro@gmail.com>
> > wrote:
> >
> > > Hi guys,
> > > I'm trying to understand if it's possible to replace a VR for a single
> > > customer.
> > > I've ACS 4.13 with vSphere 6.7 and Advanced Networking, one of my
> > > clients wants to use Barracuda Virtual Firewall because he wants to
> > > connect Cloud network to offices networks using TINA VPN (proprietary
> > > protocol) instead of IPSec.
> > > So, is it possible to replace VR with the Barracuda Virtual Appliance?
> > >
> > > Thank you
> > >
> >
> >
> > --
> >
> > Andrija Panić
> >
>


-- 

Andrija Panić
