cloudstack-users mailing list archives

From Erik Weber <terbol...@gmail.com>
Subject Re: Replace VR
Date Wed, 04 Dec 2019 08:37:47 GMT
It's been quite a while since I worked on CloudStack but I think you
may be able to achieve your goal with a shared network.
You'll lose much of the built-in network flexibility in CloudStack,
but that is most likely also the point.

-- 
Erik

On Tue, Dec 3, 2019 at 8:12 PM Andrija Panic <andrija.panic@gmail.com> wrote:
>
> That's true.
>
> You can experiment with Dedicating a host to the customer. I can't advise
> (from top of my head) if also the customer's VR will be created there (but
> you can do one-time live migrate if needed to that host) - all customer VMs
> will be created on this host while there are free resources there.
>
> Andrija
>
> On Tue, 3 Dec 2019 at 19:32, Alessandro Caviglione <c.alessandro@gmail.com>
> wrote:
>
> > Yes, I thought about your idea, but I would not introduce too many hops...
> > in addition I cannot manage Public IPs directly from Barracuda VA.
> > Is there a kind of parameter I can configure to deploy all customer's
> > instances on the same VR's host?
> >
> > On Tue, Dec 3, 2019 at 6:57 PM Andrija Panic <andrija.panic@gmail.com>
> > wrote:
> >
> > > Hi,
> > >
> > > it's not possible to completely replace (i.e. not without complete ACS code
> > > base change....), but you might want to see if the following helps:
> > > - Assign one or more (as required, one at minimum) additional Public IPs on
> > > the VR, and then configure Static NAT from that Public IP to the internal
> > > IP of the Barracuda appliance (which you would deploy from template - ACS
> > > 4.13 supports appliances for VMware, so you should be able to answer all
> > > the questions that are input to the appliance, so to speak...)
> > > - Then attach this Barracuda to all the networks whose VMs you want to
> > > "protect"
> > >
> > > Effectively traffic goes as follows:  internet ---> VR (Public IP, Static
> > > NAT to...) ---> Barracuda/internal appliance - and the VMs would use
> > > Barracuda as the default gateway.
> > > This does imply not being able to manage IPs via DHCP, since for any
> > > DHCPDISCOVER, the dnsmasq inside VR will also offer an IP, beside Barracuda
> > > doing that...
> > > (configure ACLs to forbid ANY outgoing traffic from networks where you have
> > > your user VMs - Barracuda appliance is on the dedicated private network
> > > (which you can consider as "public" or "north-side" to the Barracuda
> > > appliance) so here you allow all outgoing traffic from this network to
> > > Internet)
> > >
> > > Then you would be able to use Barracuda as the endpoint for the VPN tunnels.
> > > Far from perfect, but might work for you, if you can live with the
> > > limitations.
> > >
> > > Best,
> > > Andrija
> > >
> > > On Tue, 3 Dec 2019 at 17:20, Alessandro Caviglione <c.alessandro@gmail.com>
> > > wrote:
> > >
> > > > Hi guys,
> > > > I'm trying to understand if it's possible to replace a VR for a single
> > > > customer.
> > > > I've ACS 4.13 with vSphere 6.7 and Advanced Networking, one of my clients
> > > > wants to use Barracuda Virtual Firewall because he wants to connect Cloud
> > > > network to offices networks using TINA VPN (proprietary protocol) instead
> > > > of IPSec.
> > > > So, is it possible to replace VR with the Barracuda Virtual Appliance?
> > > >
> > > > Thank you
> > > >
> > >
> > >
> > > --
> > >
> > > Andrija Panić
> > >
> >
>
>
> --
>
> Andrija Panić
