cloudstack-users mailing list archives

From Andrija Panic <andrija.pa...@gmail.com>
Subject Re: Does traffic touch the VR when the gateway is not on the cloud network?
Date Fri, 01 Nov 2019 20:38:49 GMT
By definition, with Shared Networks, the VR is providing **ONLY**
DNS/DHCP/USER-DATA services to VMs in the shared network - i.e. traffic
NEVER passes through the VR (your VR and all your user VMs have an IP on
that shared network - they are just "peers" so to speak; the VR is not a
router, it's just a dhcp/dns server).

If you are using Security Groups on that shared network, then you can
achieve what you want via SG; otherwise, your VMs are using (as you stated)
an external gateway, which you don't control.

If you are NOT using SG, but are brave enough and have awesome automation
skills - you can try to do traffic limiting on the hypervisor hosts (which
is exactly what SGs do - an SG is just a collection of iptables/ebtables rules
on the hypervisors).
Though I would not advise doing so...^^^

Best,
Andrija

On Fri, 1 Nov 2019 at 21:21, Fariborz Navidan <mdvlinquest@gmail.com> wrote:

> Yes, it is a shared network with an external gateway. Indeed, hosts are
> connected to a vRack on the OVH network. The gateway address is externally
> addressed as the last usable IP of the IP block. On the CloudStack side, I
> have configured several IP address ranges on the same shared guest network
> in an advanced zone.
>
> What I want to do is to block some outgoing traffic from specific source
> IPs to specific destination IP ranges. I want to know whether I should place
> the firewall rule on the VR or on the host itself. The cloud is currently
> running with one host, but I should be able to generalize these rules for
> further scaling when more hosts are added in future.
>
> Thanks
>
> On Fri, Nov 1, 2019 at 10:30 PM Andrija Panic <andrija.panic@gmail.com>
> wrote:
>
> > Can you explain your setup a bit more - I'm not clear with "gateway
> > address of my guest network is not inside the cloud and it is
> > not under my management" - is this a shared network, using some external
> > gateway (which is a normal setup for Shared network)?
> >
> > On Fri, 1 Nov 2019 at 16:21, Fariborz Navidan <mdvlinquest@gmail.com>
> > wrote:
> >
> > > Hello,
> > >
> > > The gateway address of my guest network is not inside the cloud and it
> > > is not under my management. My question is: does guest traffic still
> > > touch the virtual router, and can I place custom firewall rules between
> > > guests and the outside network on the VR?
> > >
> >
> >
> > --
> >
> > Andrija Panić
> >
>


-- 

Andrija Panić
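To make concrete Andrija's point that a Security Group is nothing more than a set of iptables/ebtables rules on the hypervisor (and that the VR never sees the traffic), here is an added example of what an egress rule for one VM amounts to on a KVM host. This is not code from the thread and not CloudStack's own Security Group script; it assumes a Linux bridge, the VM's tap/vnet interface name as its bridge port, and a per-VM chain named `egress-<nic>` (all my own naming). It prints the rules instead of applying them, so the output can be reviewed and pushed by whatever automation configures each host as more hosts are added.

```shell
#!/bin/sh
# Added example, not from this thread and not CloudStack's own Security Group
# script. It shows what an egress Security Group rule amounts to on a KVM host:
# a per-VM iptables chain hooked into the bridge FORWARD path with -m physdev,
# an anti-spoof rule (iptables and ebtables) so the VM can only send as the IP
# CloudStack assigned it, and a DROP for the destination range to be blocked.
# Rules are printed, not applied, so the output can be reviewed and fed to the
# automation that configures every hypervisor host.
# Assumptions (mine): tap/vnet name is the VM's bridge port; chain is "egress-<nic>".

# crude dotted-quad (optionally /prefix) check; catches empty or mistyped arguments
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# usage: sg_egress_rules <vm_nic> <vm_ip> <dest_cidr>
sg_egress_rules() {
    vnic=$1; vip=$2; dst=$3
    if [ -z "$vnic" ] || ! valid_ipv4 "$vip" || ! valid_ipv4 "$dst"; then
        echo "usage: sg_egress_rules <vm_nic> <vm_ip> <dest_cidr>" >&2
        return 1
    fi
    chain="egress-${vnic}"
    # one chain per VM so its rules can be flushed when the VM stops or migrates
    printf 'iptables -N %s\n' "$chain"
    # frames entering the bridge from this VM's port are sent through the chain
    printf 'iptables -I FORWARD -m physdev --physdev-is-bridged --physdev-in %s -j %s\n' "$vnic" "$chain"
    # anti-spoof: only the assigned address may leave this port (L3 and L2 checks)
    printf 'iptables -A %s ! -s %s -j DROP\n' "$chain" "$vip"
    printf 'ebtables -A FORWARD -i %s -p IPv4 --ip-src ! %s -j DROP\n' "$vnic" "$vip"
    # the egress restriction itself, then hand back to FORWARD for everything else
    printf 'iptables -A %s -s %s -d %s -j DROP\n' "$chain" "$vip" "$dst"
    printf 'iptables -A %s -j RETURN\n' "$chain"
}

# example invocation with constructed values (VM port vnet0, VM IP, blocked range)
sg_egress_rules vnet0 10.10.0.25 203.0.113.0/24
```

Because the VM and the external gateway are peers on the same shared network, this is the only place such a filter can sit; the chain has to be created on whichever host the VM currently runs on and torn down when it migrates, which is exactly the bookkeeping Security Groups do for you and the reason Andrija steers people toward SG rather than hand-rolled host rules.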
