incubator-cloudstack-dev mailing list archives

From Abhinandan Prateek <Abhinandan.Prat...@citrix.com>
Subject RE: domr iptables rules
Date Wed, 16 May 2012 05:14:23 GMT
Separate accounts: each will have a dedicated VR.
If they are to be on the same guest VLAN, then traffic to db VMs can be controlled by iptables
on those VMs.

>-----Original Message-----
>From: Clayton Weise [mailto:cweise@iswest.net]
>Sent: Tuesday, May 15, 2012 10:07 PM
>To: 'cloudstack-dev@incubator.apache.org'
>Subject: RE: domr iptables rules
>
>But how would the app servers reach the db servers on a private network?  In
>your example, what is limiting the communication between app and db?  Do
>app and db share the same virtual router?  Do they have separate ones?  If
>they share the same virtual router then they're on the same subnet/vlan
>internally and have unrestricted access to one-another.  If they have separate
>virtual routers how can they connect with their associated private networks?
>
>-----Original Message-----
>From: Abhinandan Prateek [mailto:Abhinandan.Prateek@citrix.com]
>Sent: Monday, May 14, 2012 8:24 PM
>To: cloudstack-dev@incubator.apache.org
>Subject: RE: domr iptables rules
>
>One way to do it is to have iptables do filtering on db-servers, but the easiest is
>...
>Have an advanced zone, create two accounts, put db VMs in one account (guest
>network) and webserver VM in another. Now in general you have several
>options to control the traffic to these accounts via the VR.
>For example you can have unrestricted external access to your web VMs on
>certain ports. On the other hand you can have restricted access to certain
>subnets, ports to the db.
>
>>-----Original Message-----
>>From: Clayton Weise [mailto:cweise@iswest.net]
>>Sent: Tuesday, May 15, 2012 1:22 AM
>>To: cloudstack-dev@incubator.apache.org
>>Subject: RE: domr iptables rules
>>
>>Thanks for the response.  So then my next question is how would this be
>>achieved?  I can see creating a network for the db servers and set all
>>db instances to use it as their default network, and attach the app
>>servers _to_ the db network but then there would be no filtering
>>occurring.  The app servers would have unrestricted access to the db
>>servers.  How can I filter/control the traffic between app and db?
>>
>>________________________________________
>>From: Abhinandan Prateek [Abhinandan.Prateek@citrix.com]
>>Sent: Thursday, May 10, 2012 7:58 PM
>>To: cloudstack-dev@incubator.apache.org
>>Subject: RE: domr iptables rules
>>
>>The app server VMs will reach the db VM via private address.
>>
>>If you want external access to db too but with restrictions to certain
>>subnets/ips that too can be achieved using port-forwarding and source
>>cidrs option.
>>
>>I believe that the advanced networking model is very flexible to
>>support variations of deployments.
>>
>>-Abhi
>>
>>
>>>-----Original Message-----
>>>From: Clayton Weise [mailto:cweise@iswest.net]
>>>Sent: Friday, May 11, 2012 3:58 AM
>>>To: 'cloudstack-dev@incubator.apache.org'
>>>Subject: RE: domr iptables rules
>>>
>>>So in this case are your app servers reaching the database servers via
>>>their public or private addresses?
>>>
>>>-----Original Message-----
>>>From: Abhinandan Prateek [mailto:Abhinandan.Prateek@citrix.com]
>>>Sent: Thursday, May 10, 2012 9:05 AM
>>>To: cloudstack-dev@incubator.apache.org
>>>Subject: RE: domr iptables rules
>>>
>>>Why not a set of VMs running app server load balanced using VR.
>>>A VM running db (or probably a set of VMs running db in master-slave
>>>conf) with no external access but only via the app server VMs.
>>>I guess this is what you want?
>>>
>>>-Abhi
>>>
>>>>-----Original Message-----
>>>>From: Clayton Weise [mailto:cweise@iswest.net]
>>>>Sent: Thursday, May 10, 2012 9:00 PM
>>>>To: 'cloudstack-dev@incubator.apache.org'
>>>>Subject: RE: domr iptables rules
>>>>
>>>>It's something I have been toying with.  Basically it's a standard
>>>>app/db setup where the app servers would reside in a dmz and the db
>>>>servers would sit in a trusted network.  We need to limit the traffic
>>>>going between the app and the db servers in advanced networking.  So
>>>>currently the db and app servers have their own separate networks
>>>>(vlans) and their own virtual routers.  I was thinking of different
>>>>ways to limit the traffic from app to db to be permitted on specific ports.
>>>>
>>>>-----Original Message-----
>>>>From: Anthony Xu [mailto:Xuefei.Xu@citrix.com]
>>>>Sent: Wednesday, May 09, 2012 4:33 PM
>>>>To: cloudstack-dev@incubator.apache.org
>>>>Subject: RE: domr iptables rules
>>>>
>>>>It is better to do it through the API. CloudStack already provides
>>>>several APIs for customers to add ACLs for the customer network. What kind
>>>>of rules do you want to add? Can you do it through the current API? Or
>>>>what kind of API would you like to add?
>>>>
>>>>Anthony
>>>>
>>>>> -----Original Message-----
>>>>> From: Clayton Weise [mailto:cweise@iswest.net]
>>>>> Sent: Wednesday, May 09, 2012 4:26 PM
>>>>> To: 'cloudstack-dev@incubator.apache.org'
>>>>> Subject: RE: domr iptables rules
>>>>>
>>>>> As a dirty hack would it be possible to create an init script which
>>>>> added these custom rules when the domr boots?
>>>>>
>>>>> -----Original Message-----
>>>>> From: Anthony Xu [mailto:Xuefei.Xu@citrix.com]
>>>>> Sent: Wednesday, May 09, 2012 12:21 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Subject: RE: domr iptables rules
>>>>>
>>>>> Iptables rules are not persistent inside domr; CloudStack sends
>>>>> commands to domr to generate rules on demand.
>>>>> So if you reboot domr, some rules may not come back. But if you
>>>>> reboot domr through the CloudStack UI, all rules should come back, as
>>>>> CloudStack will send commands to program the rules again.
>>>>>
>>>>>
>>>>> Anthony
>>>>>
>>>>>
>>>>> > -----Original Message-----
>>>>> > From: Clayton Weise [mailto:cweise@iswest.net]
>>>>> > Sent: Wednesday, May 09, 2012 10:09 AM
>>>>> > To: 'cloudstack-dev@incubator.apache.org'
>>>>> > Subject: domr iptables rules
>>>>> >
>>>>> > Where are these kept?  After rebooting a virtual router not all
>>>>> > of the firewall rules came back.  Also, I wanted to manually add a
>>>>> > few things and I was curious where I could do it and have those
>>>>> > rules retained when the domr reboots.
>>>>> >
>>>>> > Thanks
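Host-based filtering on the db VMs, as the top post suggests, written out as an added example (not code from the thread or from CloudStack). The ruleset is emitted in iptables-restore format so that, unlike the on-demand domr rules discussed in the thread, it can be reloaded by the VM's own init script after a reboot. The app-server network 10.1.1.0/24 and database port 3306 are constructed placeholder values.

```shell
#!/bin/sh
# Added example: default-deny inbound filter for a database VM that admits the
# db port only from the app-server guest network. Placeholder values
# (10.1.1.0/24, 3306) are constructed, not taken from the thread.

# Validate a TCP port number; returns 1 for anything outside 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit an iptables-restore ruleset: drop INPUT by default, keep loopback and
# established flows, accept new db connections from the app subnet only, and
# log everything else aimed at the db port so denied attempts are visible.
db_filter_ruleset() {
    app_cidr="$1"
    db_port="$2"
    valid_port "$db_port" || { echo "bad port: $db_port" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $app_cidr --dport $db_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $db_port -j LOG --log-prefix "db-deny: "
COMMIT
EOF
}

# Write the ruleset to the file the distro's iptables init script restores on
# boot (for example /etc/sysconfig/iptables or /etc/iptables/rules.v4, which
# one depends on the guest OS) and load it immediately. Requires root.
install_db_filter() {
    db_filter_ruleset "$1" "$2" > "$3" && iptables-restore < "$3"
}
```

Review the output of `db_filter_ruleset 10.1.1.0/24 3306` before calling `install_db_filter`, since a typo in the CIDR locks the app tier out of the database.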
