incubator-cloudstack-dev mailing list archives

From Kelven Yang <kelven.y...@citrix.com>
Subject RE: dedicated public IP ranges for system vms
Date Wed, 20 Jun 2012 21:21:26 GMT
> -----Original Message-----
> From: Roeland Kuipers [mailto:RKuipers@schubergphilis.com]
> Sent: Wednesday, June 20, 2012 5:58 AM
> To: 'cloudstack-dev@incubator.apache.org'
> Subject: FW: dedicated public IP ranges for system vms
> 
> Shameless bump from the user list.
> 
> Does anyone know if this functionality has been requested before (maybe
> already exists?), if somebody is working on this and/or if there are
> plans for such functionality.
> Otherwise we might be interested to make this happen.
> 
> Thanks & Cheers,
> Roeland
> 
> -----Original Message-----
> From: Roeland Kuipers
> Sent: 20 June 2012 12:36
> To: cloudstack-users@incubator.apache.org
> Cc: int-cloud
> Subject: RE: dedicated public IP ranges for system vms
> 
> Hi,
> 
> We have the same desire, for the following reasons.
> 
> Given the type of customers we host we would like to be able to put the
> Portal, SSVM, CPVM, API behind a (2-factor) secured SSL VPN solution
> and/or also implement IDS/IPS in front of these services.
> On the same hand we would like to be able to selectively whitelist access
> to the API, for example for customers to allow hosted services like
> Rightscale and others.
> This is currently hard to implement given the dynamic IP assignments of
> the SSVM and CPVM. A dedicated VLAN for these services would be ideal to
> add additional security.
> 
> We feel the SSVM and CPVM are currently an Achilles heel since they have
> a foot on the private and public network in order to serve images and VNC
> sessions. If these VMs would get compromised, this means a potential
> hacker has r/w access to our secondary storage but also access to the
> management network (Xapi SSH etc) and is also able to sniff this network,
> not desired. I understand this is a hardened machine, but not sure if
> this argument will convince auditors of our customers.
> 
> Basically we want to be able to implement additional controls in front of
> all public services which are part of the cloud infrastructure:
> SSVM, CPVM, Portal and API.


I think it is a very reasonable requirement. To reduce the complexity of CloudStack having to orchestrate
too many security-related layers towards the public internet, the most applicable approach would
be to create a mapping table. CloudStack operating administrators would need to populate this table
to associate the outermost addresses with the addresses that are managed by CloudStack. CloudStack
will only give out these outermost addresses for SSVM, CPVM etc.; it will be up to the CloudStack
operating administrators to make sure these addresses can be tunneled through to the addresses
that are managed by CloudStack.


> 
> Cheers,
> Roeland
> 
> -----Original Message-----
> From: Paul Angus [mailto:paul.angus@shapeblue.com]
> Sent: 20 June 2012 09:36
> To: cloudstack-users@incubator.apache.org
> Subject: RE: dedicated public IP ranges for system vms
> 
> Thanks Alena,
> 
> They want to make the allocation global so that system vms come from
> certain public IP pools and all user public IPs come from different pools.
> 
> -----Original Message-----
> From: Alena Prokharchyk [mailto:Alena.Prokharchyk@citrix.com]
> Sent: 19 June 2012 16:21
> To: cloudstack-users@incubator.apache.org
> Subject: Re: dedicated public IP ranges for system vms
> 
> On 6/19/12 4:13 AM, "Paul Angus" <paulangus@betterbydesign.uk.com> wrote:
> 
> >Is it possible to dedicate public IP address ranges to either system
> >vms or account virtual routers?
> >
> >It's a client request.
> >
> >thanks
> >
> >
> >Paul Angus
> >
> >
> >
> 
> 
> 
> You can dedicate public IP ranges to a user account, but there are some
> limitations to this feature. Here is the article on that:
> 
> http://wiki.cloudstack.org/display/RelOps/Adding+public+Vlan+per+account
> 
> 
> -Alena.
> 

Kelven
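The mapping-table idea sketched in this reply, and the two-pool split Paul's client asked for (system VMs from one public range, user public IPs from another), as an added illustration. This is not CloudStack code and not anything the participants posted; the role labels, class and method names, and the RFC 5737 sample addresses are all assumptions. The point it makes that the prose does not is the failure mode: when the dedicated system VM pool runs dry the allocator must refuse rather than borrow a user address, because a borrowed address would fall outside whatever edge ACL, VPN or IDS policy the operator wrote against the dedicated range.

```python
"""Model of an operator-populated mapping table for system VM public addresses.

Added illustration, not CloudStack code. Role labels, class and method
names, and the sample addresses (RFC 5737 documentation ranges) are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed labels for the system VM roles discussed in the thread.
SYSTEM_VM_ROLES = {"SSVM", "CPVM"}


class PoolExhausted(Exception):
    """A pool is empty; the allocator never borrows from the other pool."""


@dataclass
class Mapping:
    outer: ipaddress.IPv4Address  # outermost address, the only one CloudStack hands out
    inner: ipaddress.IPv4Address  # CloudStack-managed address the operator tunnels it to
    holder: Optional[str] = None  # VM currently holding the entry, None when free


class MappingTable:
    """Two disjoint pools: a mapped system VM pool and a plain user pool."""

    def __init__(self) -> None:
        self._system: List[Mapping] = []
        self._user: Dict[ipaddress.IPv4Address, Optional[str]] = {}

    def add_system_mapping(self, outer: str, inner: str) -> None:
        outer_ip = ipaddress.IPv4Address(outer)
        if outer_ip in self._user or outer_ip in self.system_addresses():
            raise ValueError(f"{outer} is already in a pool")
        self._system.append(Mapping(outer_ip, ipaddress.IPv4Address(inner)))

    def add_user_range(self, cidr: str) -> None:
        system = self.system_addresses()
        for ip in ipaddress.IPv4Network(cidr).hosts():
            if ip in system:
                raise ValueError(f"{ip} overlaps the system VM pool")
            self._user.setdefault(ip, None)

    def system_addresses(self) -> Set[ipaddress.IPv4Address]:
        """The stable set an edge ACL or IDS policy can be written against."""
        return {m.outer for m in self._system}

    def allocate(self, role: str, holder: str) -> ipaddress.IPv4Address:
        if role in SYSTEM_VM_ROLES:
            for m in self._system:
                if m.holder is None:
                    m.holder = holder
                    return m.outer
            raise PoolExhausted("system VM pool exhausted; not borrowing a user address")
        for ip, current in self._user.items():
            if current is None:
                self._user[ip] = holder
                return ip
        raise PoolExhausted("user pool exhausted")

    def release(self, ip: ipaddress.IPv4Address) -> None:
        for m in self._system:
            if m.outer == ip:
                m.holder = None
                return
        if ip in self._user:
            self._user[ip] = None
            return
        raise KeyError(f"{ip} is not in any pool")

    def inner_for(self, outer: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        """What the operator's tunnel or NAT must forward the outermost address to."""
        for m in self._system:
            if m.outer == outer:
                return m.inner
        raise KeyError(f"{outer} is not a mapped system VM address")


def run_scenario() -> Dict[str, str]:
    """Constructed walk-through: two mapped system addresses, a small user range."""
    table = MappingTable()
    table.add_system_mapping("198.51.100.10", "10.1.1.10")
    table.add_system_mapping("198.51.100.11", "10.1.1.11")
    table.add_user_range("203.0.113.0/29")

    out: Dict[str, str] = {}
    out["ssvm"] = str(table.allocate("SSVM", "s-1-VM"))
    out["cpvm"] = str(table.allocate("CPVM", "v-2-VM"))
    out["router"] = str(table.allocate("ROUTER", "r-3-VM"))
    try:
        table.allocate("SSVM", "s-4-VM")
        out["third_system_vm"] = "allocated"
    except PoolExhausted:
        out["third_system_vm"] = "refused"
    out["ssvm_inner"] = str(table.inner_for(ipaddress.IPv4Address(out["ssvm"])))
    table.release(ipaddress.IPv4Address(out["ssvm"]))
    out["ssvm_reused"] = str(table.allocate("SSVM", "s-5-VM"))
    out["acl_targets"] = ",".join(sorted(str(a) for a in table.system_addresses()))
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The `inner_for` lookup is the operator's half of the contract described in the reply: CloudStack only ever advertises the outer address, and the tunnel or NAT in front of it is what the operator configures from this table, so the mapping is also the natural input for generating the edge device's forwarding and allow-list rules.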
