cloudstack-users mailing list archives

From Fariborz Navidan <mdvlinqu...@gmail.com>
Subject Re: Does traffic touch VR when gateway is not on the cloud network?
Date Mon, 04 Nov 2019 13:53:38 GMT
Any idea?

On Sat, Nov 2, 2019 at 5:22 PM Fariborz Navidan <mdvlinquest@gmail.com>
wrote:

> Thanks for the reply. How should we block an egress CIDR from a specific source
> CIDR when the default egress policy of the network offering is "Allow"? What
> will be the behavior of Egress rules in a SG on the network?
>
> On Sat, Nov 2, 2019 at 12:09 AM Andrija Panic <andrija.panic@gmail.com>
> wrote:
>
>> By the definition, with Shared Networks, VR is providing **ONLY**
>> DNS/DHCP/USER-DATA services to VMs in the shared network - i.e. traffic
>> NEVER passes through the VR (your VR and all your user VMs have an IP on
>> that shared network - they are just "peers" so to speak, VR is not a
>> router, it's just a dhcp/dns server).
>>
>> If you are using Security Groups on that shared network, then you can
>> achieve what you want via SG, otherwise, your VMs are using (as you
>> stated) external gateway, which you don't control.
>>
>> If you are NOT using SG, but are brave enough and have awesome automation
>> skills - you can try to do traffic limiting on the hypervisor hosts (which
>> is exactly what SG do - SG is just a collection of iptables/ebtables rules
>> on hypervisors)
>> Though I would not advise doing so...^^^
>>
>> Best,
>> Andrija
>>
>> On Fri, 1 Nov 2019 at 21:21, Fariborz Navidan <mdvlinquest@gmail.com>
>> wrote:
>>
>> > Yes, it is a shared network with external gateway. Indeed hosts are
>> > connected to a vRack on OVH network. Gateway address is externally
>> > addressed as last usable IP of the IP block. On CloudStack side, I
>> > have configured several IP address ranges on the same shared guest
>> > network in an advanced zone.
>> >
>> > What I want to do is to block some outgoing traffic from specific
>> > source IPs to specific destination IP ranges. I want to know whether I
>> > should place the firewall rule on the VR or on the host itself. The cloud
>> > is currently running with one host but I should be able to generalize
>> > these rules for further scaling when more hosts are added in future.
>> >
>> > Thanks
>> >
>> > On Fri, Nov 1, 2019 at 10:30 PM Andrija Panic <andrija.panic@gmail.com>
>> > wrote:
>> >
>> > > Can you explain your setup a bit more - I'm not clear with "gateway
>> > > address of my guest network is not inside the cloud and it is
>> > > not under my management" - is this a shared network, using some
>> > > external gateway (which is a normal setup for Shared network)?
>> > >
>> > > On Fri, 1 Nov 2019 at 16:21, Fariborz Navidan <mdvlinquest@gmail.com>
>> > > wrote:
>> > >
>> > > > Hello,
>> > > >
>> > > > The gateway address of my guest network is not inside the cloud and
>> > > > it is not under my management. My question is: does guest traffic
>> > > > still touch the virtual router, and can I place custom firewall rules
>> > > > between guests and the outside network on the VR?
>> > > >
>> > >
>> > >
>> > > --
>> > >
>> > > Andrija Panić
>> > >
>> >
>>
>>
>> --
>>
>> Andrija Panić
>>
>
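Andrija's point above, that a Security Group is nothing more than iptables/ebtables rules programmed on the hypervisor, is also where a source-to-destination egress block has to live on a shared network with an external gateway, since the VR is only a peer providing DHCP/DNS. The following is an added example, not code from this thread or from CloudStack: it generates idempotent iptables FORWARD rules for a KVM host and refuses any pair that would cut guests off from their own subnet or the VR. The bridge name `cloudbr0`, guest network `192.0.2.0/24`, VR address `192.0.2.2`, the policy pairs and the br_netfilter sysctl precondition are assumptions.

```python
#!/usr/bin/env python3
"""Build idempotent iptables FORWARD rules that drop egress from chosen
guest source CIDRs to chosen destination CIDRs on a KVM hypervisor bridge.

Constructed example: on a shared network with an external gateway the VR is
only a DHCP/DNS peer, so the hypervisor (where Security Groups also program
iptables/ebtables) is the enforcement point. Bridge name, guest network, VR
address and policy pairs are assumptions, not values from the thread.
"""
import ipaddress

# Constructed policy: (source CIDR inside the guest network, destination CIDR).
POLICY = [
    ("192.0.2.0/28", "203.0.113.0/24"),
    ("192.0.2.16/28", "198.51.100.0/25"),
]


def rule_spec(src, dst, bridge):
    """Match spec shared by the check (-C) and insert (-I) commands.

    Assumes br_netfilter is loaded with net.bridge.bridge-nf-call-iptables=1,
    so frames bridged between guests and the external gateway traverse the
    FORWARD chain (the same path CloudStack SG rules rely on).
    """
    return (f"FORWARD -i {bridge} -m physdev --physdev-is-bridged "
            f"-s {src} -d {dst} -j DROP")


def egress_block_rules(policy, bridge, guest_net, vr_ip):
    """Return shell commands that add each DROP rule exactly once.

    Refuses a pair whose source lies outside the guest network, or whose
    destination overlaps the guest network or the VR address: the VR is a
    peer on that subnet, so dropping traffic to it would break DHCP/DNS.
    """
    net = ipaddress.ip_network(guest_net)
    vr = ipaddress.ip_address(vr_ip)
    commands = []
    for src, dst in policy:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if not s.subnet_of(net):
            raise ValueError(f"source {s} is not inside guest network {net}")
        if d.overlaps(net) or vr in d:
            raise ValueError(f"destination {d} covers the guest network or VR")
        spec = rule_spec(s, d, bridge)
        # -C exits non-zero when the rule is absent; -I then puts it at the
        # top of the chain so it wins over any later ACCEPT rule.
        commands.append(f"iptables -C {spec} 2>/dev/null || iptables -I {spec}")
    return commands
```

Run the emitted commands as root on each hypervisor (for example from a configuration-management task) so the same policy applies on every host as the cloud scales.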
