cloudstack-users mailing list archives

From Fariborz Navidan <mdvlinqu...@gmail.com>
Subject Re: Does traffic touch VR when gateway is not on the cloud network?
Date Sat, 02 Nov 2019 13:52:35 GMT
Thanks for reply. How should we block an egress CIDR from a specific source
CIDR when the default egress policy of the network offering is "Allow"? What
will be the behavior of Egress rules in a SG on the network?

On Sat, Nov 2, 2019 at 12:09 AM Andrija Panic <andrija.panic@gmail.com>
wrote:

> By the definition, with Shared Networks, VR is providing **ONLY**
> DNS/DHCP/USER-DATA services to VMs in the shared network - i.e. traffic
> NEVER passes through the VR (your VR and all your user VMs have an IP on
> that shared network - they are just "peers" so to speak, VR is not a
> router, it's just a dhcp/dns server).
>
> If you are using Security Groups on that shared network, then you can
> achieve what you want via SG, otherwise, your VMs are using (as you stated)
> external gateway, which you don't control.
>
> If you are NOT using SG, but are brave enough and have awesome automation
> skills - you can try to do traffic limiting on the hypervisor hosts (which
> is exactly what SG do - SG is just a collection of iptables/ebtables rules
> on hypervisors)
> Though I would not advise doing so...^^^
>
> Best,
> Andrija
>
> On Fri, 1 Nov 2019 at 21:21, Fariborz Navidan <mdvlinquest@gmail.com>
> wrote:
>
> > Yes, it is a shared network with external gateway. Indeed hosts are
> > connected to a vRack on OVH network. Gateway address is externally
> > addressed as last usable IP of the IP block. On CloudStack side, I have
> > configured several IP address ranges on the same shared guest network
> > in an advanced zone.
> >
> > What I want to do is, to block some outgoing traffic from specific source
> > IPs to specific destination IP ranges. I want to know whether I should
> > place firewall rule on the VR or on the host itself. The cloud is currently
> > running with one host but I should be able to generalize these rules for
> > further scaling when more hosts are added in future.
> >
> > Thanks
> >
> > On Fri, Nov 1, 2019 at 10:30 PM Andrija Panic <andrija.panic@gmail.com>
> > wrote:
> >
> > > Can you explain your setup a bit more - I'm not clear with "gateway
> > > address of my guest network is not inside the cloud and it is
> > > not under my management" - is this a shared network, using some
> > > external gateway (which is a normal setup for Shared network)?
> > >
> > > On Fri, 1 Nov 2019 at 16:21, Fariborz Navidan <mdvlinquest@gmail.com>
> > > wrote:
> > >
> > > > Hello,
> > > >
> > > > The gateway address of my guest network is not inside the cloud and
> > > > it is not under my management. My question is: does guest traffic still
> > > > touch the virtual router, and can I place custom firewall rules between
> > > > guests and outside network on VR?
> > > >
> > >
> > >
> > > --
> > >
> > > Andrija Panić
> > >
> >
>
>
> --
>
> Andrija Panić
>
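As an added example (not from the thread or from CloudStack itself), this is the hypervisor-side form of what Andrija describes, SG being iptables rules on the hosts: a POSIX sh snippet that idempotently inserts a bridge-level rule on a KVM host dropping guest egress from one source CIDR to one destination CIDR. The CIDR values are constructed, and it assumes br_netfilter is active (bridge-nf-call-iptables=1), which CloudStack's SG setup normally enables.

```shell
#!/bin/sh
# Added example: drop shared-network guest egress from SRC_CIDR to DST_CIDR
# on the hypervisor, where the traffic actually passes (it never hits the VR).
# Must be applied on every host, since each host only sees its own guests.
set -eu

# Loose shape check for an IPv4 CIDR so a bad argument cannot be spliced into
# the iptables command line. Accepts only digits, dots and exactly one slash.
is_cidr() {
    case "$1" in
        ''|/*|*/|*/*/*|*[!0-9./]*) return 1 ;;
        */*) return 0 ;;
        *) return 1 ;;
    esac
}

# Render the chain and rule spec. -m physdev --physdev-is-bridged restricts
# the match to frames forwarded by the Linux bridge (guest traffic), leaving
# traffic routed by the host itself untouched.
egress_block_rule() {
    if ! is_cidr "$1" || ! is_cidr "$2"; then
        return 1
    fi
    printf 'FORWARD -m physdev --physdev-is-bridged -s %s -d %s -j DROP' "$1" "$2"
}

# Idempotent apply: -C checks whether an identical rule is already present,
# -I inserts at the top of FORWARD so it wins over the permissive SG rules.
apply_egress_block() {
    rule=$(egress_block_rule "$1" "$2") || { echo "bad CIDR" >&2; return 1; }
    # word splitting of $rule into separate arguments is intended here
    if iptables -C $rule 2>/dev/null; then
        echo "already present: $rule"
    else
        iptables -I $rule
        echo "inserted: $rule"
    fi
}

# Usage: ./egress_block.sh apply 10.0.0.5/32 203.0.113.0/24  (constructed values)
if [ "$#" -ge 3 ] && [ "$1" = "apply" ]; then
    apply_egress_block "$2" "$3"
fi
```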
