From: Andrija Panic
To: users@cloudstack.apache.org
Date: Thu, 30 Oct 2014 11:49:42 +0100
Subject: Re: Best practice for public cloud isolation method?

Hi Vadim,

how do you do SNAT - on hardware firewall I guess? Manually for each VM
that wants to be on public IP?

On 30 October 2014 11:36, Vadim Kimlaychuk wrote:
> Hi,
>
> I would also like to hear more about best practices for network
> architecture, but so far have found only VLAN isolation described more or
> less thoroughly.
>
> 1. We have recently set up VLANs and didn't fill the limit yet. :)
> GRE is one of the options, but can't say how it works. Haven't even
> tried yet. Would be interesting indeed.
>
> 2. We use VPC-s only. To enable guest VM to be on public IP we just do
> SNAT for those who need it. If guest is under "soft LB network offer"
> then you may need port forwarding, but not sure for 100%. It is better
> probably to add another network offer to guest VM to enable SNAT.
>
> Vadim.
>
> -----Original Message-----
> From: Andrija Panic [mailto:andrija.panic@gmail.com]
> Sent: Tuesday, October 28, 2014 10:40 AM
> To: users@cloudstack.apache.org
> Subject: Best practice for public cloud isolation method?
>
> Hi guys,
>
> I'm asking a somewhat dumb and generic question, since I'm designing a
> new public cloud infrastructure:
>
> We are about to go with KVM, Advanced zone vlan/vxlan/other isolation
> method, ACS 4.4.1 or possibly revert back to 4.3. We plan on using VPC
> extensively and still provide, let's call it, "VPS" style VMs if possible.
>
> So:
>
> 1. Per your experience, what is the best isolation method to be used for
> Guest traffic - I'm talking here about usability of the solution in
> production:
> -- vlans - works fine, limited to theoretical maximum of 4095
> -- vxlan - doesn't really work fine for public cloud, since the default
> MTU of 1500 bytes is lowered on the vxlan bridge/interface to 1450 bytes,
> so the MTU inside the VM must also be lowered... 1450 bytes MTU is the
> default/hardcoded into iproute/cloudstack, with no option to choose a
> larger MTU on the vxlan interface/bridge (and ask the ADMIN to adjust the
> MTU to a larger one on the physical network) - also this does not allow
> us to use jumbo frames, which would be a really good thing to do.
> -- GRE - I'm just evaluating/researching this
>
> 2. Another question - since we want to go heavily with VPC, but still
> want to be able to provide, let's call it, "VPS" style VMs - what is the
> best approach to do so?
> We already have a Shared/Guest network with access to the Internet - so
> this is the way we accomplished a single VM being on a public IP network.
> Or is it better to really dump the VPS style, and just go with a normal
> VPC with port forwarding to the internal VM - I'm just not so clear
> if/how much CloudStack was designed to support this kind of "VPS" style
> VMs - my understanding is that the focus is really cloud-like/VPC
> functionality, and not VPS style, at least not on an Advanced zone
> together with VPCs - so any advice is really welcome.
>
> My experience with vlans is that it works like a charm, but has its
> limitations. Vxlan experience is fine if you can control the MTU inside
> VMs - not good for public cloud...
>
> Again, generic questions, but I'm looking for some hints if possible and
> your experience that you are willing to share.
>
> Thanks,
>
> --
> Andrija Panić

--
Andrija Panić
--------------------------------------
http://admintweets.com
--------------------------------------
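As an added example, not part of this thread and not CloudStack's own code, here is the MTU arithmetic behind the 1450-byte figure discussed above, generalised to the other isolation methods the thread mentions. The 50-byte VXLAN overhead (inner Ethernet 14 + VXLAN 8 + UDP 8 + outer IPv4 20) is what turns a 1500-byte underlay into a 1450-byte guest MTU; the `vxlan6`, `gretap` and `gre` entries are my additions using the standard header sizes, and the function names are hypothetical. It answers the two questions a public-cloud operator actually has: what guest MTU a given physical MTU can carry, and what physical MTU the admin must configure to give guests a full 1500 (or jumbo 9000) without touching the VM.

```python
"""Guest-MTU budget for overlay isolation methods (constructed example)."""
from dataclasses import dataclass

# Bytes each encapsulation adds on top of the guest's IP packet, counted
# relative to the underlay interface's IP MTU as Linux reports it.
# Assumption: IPv4 underlay unless the name says otherwise, no GRE key option
# (a GRE key would add 4 more bytes).
ENCAP_OVERHEAD = {
    "vlan": 0,      # 802.1Q tag lives in the Ethernet header; IP MTU unchanged
    "vxlan": 50,    # inner Ethernet 14 + VXLAN 8 + UDP 8 + outer IPv4 20
    "vxlan6": 70,   # same over an IPv6 underlay (40-byte outer IP header)
    "gretap": 38,   # L2 GRE: inner Ethernet 14 + GRE 4 + outer IPv4 20
    "gre": 24,      # L3 GRE: GRE 4 + outer IPv4 20
}


@dataclass(frozen=True)
class MtuCheck:
    method: str
    underlay_mtu: int
    guest_mtu: int
    max_guest_mtu: int          # largest guest MTU this underlay can carry
    fits: bool                  # True if guest_mtu needs no fragmentation
    required_underlay_mtu: int  # underlay MTU that would carry guest_mtu


def _overhead(method: str) -> int:
    try:
        return ENCAP_OVERHEAD[method]
    except KeyError:
        raise ValueError(f"unknown isolation method: {method!r}") from None


def max_guest_mtu(underlay_mtu: int, method: str) -> int:
    """Largest MTU a guest can use without the overlay fragmenting it."""
    return underlay_mtu - _overhead(method)


def required_underlay_mtu(guest_mtu: int, method: str) -> int:
    """Physical MTU the admin must set so guests keep guest_mtu untouched."""
    return guest_mtu + _overhead(method)


def check_guest_mtu(underlay_mtu: int, method: str,
                    guest_mtu: int = 1500) -> MtuCheck:
    """Check one guest MTU against one underlay; guest_mtu defaults to the
    1500 a tenant VM will assume unless the operator changes it."""
    limit = max_guest_mtu(underlay_mtu, method)
    return MtuCheck(
        method=method,
        underlay_mtu=underlay_mtu,
        guest_mtu=guest_mtu,
        max_guest_mtu=limit,
        fits=guest_mtu <= limit,
        required_underlay_mtu=required_underlay_mtu(guest_mtu, method),
    )


def mtu_report(underlay_mtu: int, guest_mtu: int = 1500) -> list:
    """Run the check for every known method, sorted worst-fit first."""
    rows = [check_guest_mtu(underlay_mtu, m, guest_mtu) for m in ENCAP_OVERHEAD]
    return sorted(rows, key=lambda r: (r.fits, r.max_guest_mtu))


if __name__ == "__main__":
    # Constructed scenario: stock 1500-byte physical network, tenant VMs
    # left at their default MTU of 1500.
    for row in mtu_report(1500):
        verdict = "ok" if row.fits else f"needs underlay MTU {row.required_underlay_mtu}"
        print(f"{row.method:7s} max guest MTU {row.max_guest_mtu:5d}  {verdict}")
    # Jumbo frames for guests over VXLAN: what the physical side must support.
    print("vxlan, 9000-byte guests ->", required_underlay_mtu(9000, "vxlan"))
```

The sorted report puts the methods that silently break a default-MTU guest at the top; on a 1500-byte underlay that is every tunnelled method, and only VLAN carries 1500 untouched. Raising the physical MTU to the `required_underlay_mtu` value (1550 for VXLAN over IPv4) is the alternative to lowering every tenant's MTU, which is the operational problem the thread raises.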