cloudstack-users mailing list archives

From Vadim Kimlaychuk <>
Subject RE: Best practice for public cloud isolation method ?
Date Thu, 30 Oct 2014 10:36:54 GMT

I would also like to hear more about best practices for network architecture, but so far
have found only VLAN isolation described more or less thoroughly.
1. We have recently set up VLANs and haven't filled the limit yet. :)  GRE is one of the options,
but can't say how it works. Haven't even tried yet. Would be interesting indeed.
2. We use VPCs only. To enable a guest VM to be on a public IP we just do SNAT for those who
need it. If the guest is under a "soft LB network offer" then you may need port forwarding, but
not sure for 100%. It is probably better to add another network offer to the guest VM to enable


-----Original Message-----
From: Andrija Panic [] 
Sent: Tuesday, October 28, 2014 10:40 AM
Subject: Best practice for public cloud isolation method ?

Hi guys,

I'm asking a somewhat dumb and generic question, since I'm designing new public cloud infrastructure:

We are about to go with KVM, Advanced  zone vlan/vxlan/other isolation method, ACS 4.4.1 or
possibly revert back to 4.3. We plan on using VPC extensively and still provide let's call
it "VPS" style VMs if possible.


1.  Per your experience, what is the best isolation method to be used for Guest traffic -
I'm talking here about usability of the solution, a production one:
-- vlans - works fine, limited to theoretical maximum of 4095
-- vxlan - doesn't really work fine for public cloud, since the default MTU of
1500 bytes is lowered on the vxlan bridge/interface to 1450 bytes, so the MTU inside the VM must
also be lowered... 1450 bytes MTU is default/hardcoded into iproute/cloudstack, with no option
to choose a larger MTU on the vxlan interface/bridge (and ask the ADMIN to adjust the MTU to a larger one
on the physical network) - also this does not allow us to use jumbo frames, but that would be a really good thing
to do.
-- GRE - I'm just evaluating/researching this

2. Another question - since we want to go heavily with VPC, but still want to be able to provide
let's call it "VPS" style VMs - what is the best approach to do so?
We already have a Shared/Guest network with access to the Internet - so this is the way we accomplished
a single VM being on a public IP network.
Or is it better to really dump the VPS style, and just go with a normal VPC with port forwarding
to the internal VM - I'm just not so clear if/how much CloudStack was designed to support this
kind of "VPS" style VMs - my understanding is that the focus is really cloud-like/VPC functionality,
and not VPS style, at least not on an Advanced zone together with VPCs - so any advice is really

My experience with vlans is that it works like a charm, but has its limitations. Vxlan experience
is fine if you can control the MTU inside VMs - not good for public cloud...

Again, generic questions, but I'm looking for some hints if possible and your experience
that you are willing to share



Andrija Panić
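The 1450-byte figure in the thread comes straight from the VXLAN encapsulation overhead: the guest's Ethernet frame (14 bytes of header) is carried inside IPv4 (20) + UDP (8) + VXLAN (8), so 50 bytes of the underlay's 1500-byte IP MTU are gone before the guest's own IP packet starts. The script below is an added example written for this archive page, not code from CloudStack, iproute2 or either poster. It builds an RFC 7348 VXLAN frame around a constructed guest frame, decodes it back, and checks whether the outer packet fits the underlay MTU; the MACs, the 192.0.2.x addresses, the VNI and the UDP source port are made-up sample values. The overhead table also covers VXLAN over IPv6 and Ethernet-over-GRE (gretap), which the thread only mentions in passing, so the same check can be applied to the GRE option.

```python
"""Why a VXLAN underlay with a 1500-byte MTU forces the guest MTU down to 1450.

Added example for the cloudstack-users thread above; not CloudStack code.
Builds a VXLAN (RFC 7348) frame around a constructed inner Ethernet/IPv4
packet and compares the outer IP packet size with the underlay MTU.
"""
import struct

ETH_HDR = 14       # dst MAC + src MAC + EtherType; no 802.1Q tag, no FCS
IPV4_HDR = 20      # IPv4 header without options
IPV6_HDR = 40
UDP_HDR = 8
GRE_HDR = 4        # base GRE header; a key field (tunnel id) adds 4 more
VXLAN_HDR = 8      # RFC 7348: flags, reserved, 24-bit VNI, reserved
VXLAN_PORT = 4789  # IANA-assigned VXLAN UDP port

# Bytes the underlay IP MTU must carry on top of the guest's own IP packet:
# the inner Ethernet header plus the tunnel headers. An 802.1Q VLAN tag lives
# in the L2 header, which the IP MTU does not count, so a VLAN guest keeps 1500.
OVERHEAD = {
    "vlan":       0,
    "vxlan-ipv4": ETH_HDR + IPV4_HDR + UDP_HDR + VXLAN_HDR,  # 50 -> 1450
    "vxlan-ipv6": ETH_HDR + IPV6_HDR + UDP_HDR + VXLAN_HDR,  # 70 -> 1430
    "gretap":     ETH_HDR + IPV4_HDR + GRE_HDR,              # 38 -> 1462
}

# Constructed sample values (RFC 5737 documentation addresses, made-up MACs).
SRC_IP = bytes([192, 0, 2, 1])
DST_IP = bytes([192, 0, 2, 2])
SRC_MAC = bytes.fromhex("525400aa0001")
DST_MAC = bytes.fromhex("525400aa0002")


def max_guest_mtu(underlay_mtu: int, isolation: str) -> int:
    """Largest guest IP MTU whose frames still fit the underlay MTU."""
    return underlay_mtu - OVERHEAD[isolation]


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones' complement sum; returns 0 for a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_inner_frame(ip_total_len: int) -> bytes:
    """Constructed guest Ethernet frame carrying an IPv4 packet of ip_total_len bytes."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0x4000,
                               64, 17, 0, bytes([10, 1, 1, 10]), bytes([10, 1, 1, 20])))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    eth = bytes.fromhex("525400000002") + bytes.fromhex("525400000001") + b"\x08\x00"
    return eth + bytes(ip) + bytes(ip_total_len - IPV4_HDR)


def vxlan_encapsulate(inner_frame: bytes, vni: int, src_ip: bytes, dst_ip: bytes,
                      src_mac: bytes, dst_mac: bytes) -> bytes:
    """Wrap an inner Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN headers."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # Flags byte 0x08 = "VNI valid", 24 reserved bits, 24-bit VNI, 8 reserved bits.
    vxlan = struct.pack("!II", 0x08000000, vni << 8)
    udp_len = UDP_HDR + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)  # zero UDP checksum is legal over IPv4
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + udp_len, 0, 0x4000,
                               64, 17, 0, src_ip, dst_ip))  # DF set: tunnels must not fragment
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    return dst_mac + src_mac + b"\x08\x00" + bytes(ip) + udp + vxlan + inner_frame


def vxlan_decapsulate(outer_frame: bytes):
    """Validate the outer headers and return (vni, inner_frame)."""
    if outer_frame[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ihl = (outer_frame[ETH_HDR] & 0x0F) * 4
    ip_hdr = outer_frame[ETH_HDR:ETH_HDR + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if ip_hdr[9] != 17:
        raise ValueError("outer packet is not UDP")
    udp_off = ETH_HDR + ihl
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", outer_frame[udp_off:udp_off + UDP_HDR])
    if dport != VXLAN_PORT:
        raise ValueError("not addressed to the VXLAN port")
    vx_off = udp_off + UDP_HDR
    flags, vni_field = struct.unpack("!II", outer_frame[vx_off:vx_off + VXLAN_HDR])
    if not flags & 0x08000000:
        raise ValueError("VXLAN I flag not set")
    inner_len = udp_len - UDP_HDR - VXLAN_HDR
    return vni_field >> 8, outer_frame[vx_off + VXLAN_HDR:vx_off + VXLAN_HDR + inner_len]


def fits_underlay(outer_frame: bytes, underlay_mtu: int) -> bool:
    """The underlay MTU bounds the outer IP packet, i.e. everything after the outer Ethernet header."""
    return len(outer_frame) - ETH_HDR <= underlay_mtu


def demo(underlay_mtu: int = 1500) -> dict:
    """Map guest MTU -> (outer IP packet size, fits underlay) for a guest left at 1500
    and one lowered to the VXLAN-safe value for this underlay."""
    results = {}
    for guest_mtu in (1500, max_guest_mtu(underlay_mtu, "vxlan-ipv4")):
        outer = vxlan_encapsulate(make_inner_frame(guest_mtu), 100, SRC_IP, DST_IP, SRC_MAC, DST_MAC)
        results[guest_mtu] = (len(outer) - ETH_HDR, fits_underlay(outer, underlay_mtu))
    return results


if __name__ == "__main__":
    for mtu in (1500, 9000):
        print(f"underlay MTU {mtu}: {demo(mtu)}")
```

With a 1500-byte underlay, a guest still at MTU 1500 produces a 1550-byte outer packet that the DF bit forbids fragmenting, so full-size guest packets are silently dropped; at 1450 the outer packet is exactly 1500 and passes. Running the same check with a 9000-byte jumbo underlay shows the guest could keep 8950, which is the gain the original poster is after and which a hard-wired 1450 gives up.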