incubator-cloudstack-dev mailing list archives

From Murali Reddy <Murali.Re...@citrix.com>
Subject Re: [DISCUSS] Palo Alto Integration
Date Mon, 18 Mar 2013 06:46:19 GMT
On 16/03/13 1:46 AM, "Will Stevens" <wstevens@cloudops.com> wrote:
>
>1. Restrict the available subnets for each account so two accounts can't
>create overlapping subnets.
>To me, this breaks the whole concept of cloud, but for enterprise
>customers this is not a huge limitation because they usually solve this
>problem this way.
>
>2. Run multiple Palo Alto VM firewalls and associate one VM firewall per
>account.
>The management overhead of this is crazy, so this type of implementation
>would be very hard to work with.
>
>Since I do not like either of these approaches, I wanted to see if I could
>get some feedback on this.  Are there other alternatives that would solve
>the problem more elegantly that I have not mentioned?  What would be the
>best way to solve this problem in a 'CloudStack way'?

Unfortunately, the vendor appliances CloudStack supports do not have
multi-tenancy yet. The 'CloudStack way' has been both #1 and #2 to work
around this.

Please see [1]: the 'external guest network' guru designs the network such
that no two guest networks in a zone using an external network device have
overlapping CIDRs. You may use the 'external guest network' guru or extend it
to ensure automatically generated non-overlapping CIDRs for guest networks.

Also, CloudStack already supports the notion of multiple provider instances
per physical network. Using this, for load balancer devices there is a generic
management piece of code to allocate a dedicated (per-tenant) or shared
load balancer from a pool of admin-provisioned load balancers [2]. See if
this helps if you intend to support a pool of firewall VMs.

[1] server/src/com/cloud/network/guru/ExternalGuestNetworkGuru.java
[2] server/src/com/cloud/network/ExternalLoadBalancerDeviceManagerImpl.java

-Murali


>
>Any feedback on this would be appreciated.
>
>Cheers,
>
>Will
>
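
Added example (not part of the thread, and not CloudStack's ExternalGuestNetworkGuru code): a sketch of approach #1, where a zone-level allocator hands out guest CIDRs so that no two accounts behind one shared, non-multi-tenant firewall overlap, and refuses a requested CIDR that would. The class and method names, the account labels and the 10.1.0.0/16 zone range are assumptions made for illustration.

```python
import ipaddress


class GuestCidrAllocator:
    """Hypothetical per-zone allocator of non-overlapping guest CIDRs."""

    def __init__(self, zone_supernet, guest_prefixlen):
        self.supernet = ipaddress.ip_network(zone_supernet)
        self.prefixlen = guest_prefixlen
        self.allocated = {}  # ip_network -> owning account

    def _conflict(self, candidate):
        # Return (network, account) of the first allocation that overlaps.
        for net, account in self.allocated.items():
            if candidate.overlaps(net):
                return net, account
        return None

    def request(self, account, cidr):
        """An account asks for a specific CIDR; refuse it on any overlap."""
        candidate = ipaddress.ip_network(cidr, strict=True)
        if not candidate.subnet_of(self.supernet):
            raise ValueError(f"{candidate} is outside zone range {self.supernet}")
        hit = self._conflict(candidate)
        if hit is not None:
            # Do not reveal the other tenant's identity in the error.
            raise ValueError(f"{candidate} overlaps an existing guest network")
        self.allocated[candidate] = account
        return candidate

    def allocate(self, account):
        """Automatically pick the first free subnet of the configured size."""
        for candidate in self.supernet.subnets(new_prefix=self.prefixlen):
            if self._conflict(candidate) is None:
                self.allocated[candidate] = account
                return candidate
        raise RuntimeError("zone guest address space exhausted")

    def release(self, network):
        """Return a guest network's CIDR to the pool when it is destroyed."""
        self.allocated.pop(ipaddress.ip_network(network), None)


if __name__ == "__main__":
    zone = GuestCidrAllocator("10.1.0.0/16", 24)  # constructed sample zone
    print(zone.allocate("account-a"), zone.allocate("account-b"))
    try:
        zone.request("account-c", "10.1.1.128/25")
    except ValueError as err:
        print("refused:", err)
```
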


