Thanks for the comments. It is nice to have security groups at the NIC level; I checked AWS, which implements this with Elastic Network Interfaces (ENI), but when a VM is deployed, all NICs of the VM are associated with the same security groups, which is the same as what we did in the FS.

Maybe we can implement NIC-level security groups after we have the VM NIC hot plug feature (something like ENI) in 4.2.

Anthony

> -----Original Message-----
> From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
> Sent: Thursday, January 17, 2013 5:29 PM
> To: CloudStack DeveloperList
> Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
>
> I don't think that's what Anthony is saying. I think he is saying that if a VM is in security groups X, Y, Z, then ALL NICs of the VM are in security groups X, Y, Z.
>
> The AWS-compatible way is that NICs are associated with the security group. So, a VM's eth0 can be in security group Z and eth1 can be in security group X. I think we should do it this way.
>
> On 1/16/13 5:35 PM, "kdam...@apache.org" <kdam...@apache.org> wrote:
>
>> So the VM will determine its own participation level. A VM can have networks with SG and without at the same time. If that's the case, this feature proposal just got more awesome!
>>
>> -kd
>>
>>> -----Original Message-----
>>> From: Anthony Xu [mailto:xuefei...@citrix.com]
>>> Sent: Wednesday, January 16, 2013 5:21 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>>
>>> Correct, there are several types of guest shared network: zone-wide guest shared network, domain-wide guest shared network, and account-specific guest shared network.
>>>
>>> One VM can be on multiple networks. SG is on the VM level, which means the SG will be applied to all NICs of this VM.
>>>
>>> Cheers,
>>> Anthony
>>>
>>>> -----Original Message-----
>>>> From: Kelcey Damage (BT) [mailto:kel...@backbonetechnology.com] On Behalf Of kdam...@apache.org
>>>> Sent: Wednesday, January 16, 2013 5:17 PM
>>>> To: cloudstack-dev@incubator.apache.org
>>>> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>>>
>>>> Got it,
>>>>
>>>> So we are still only talking about SG on advanced shared networks.
>>>>
>>>> Thanks.
>>>>
>>>> -kd
>>>>
>>>>> -----Original Message-----
>>>>> From: Anthony Xu [mailto:xuefei...@citrix.com]
>>>>> Sent: Wednesday, January 16, 2013 5:11 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>>>>
>>>>> In this spec, security groups are only supported in shared guest networks; we might add isolated guest network support later. I have a concern about this: normally there is a firewall for an isolated network, so if security groups are added to isolated networks, that means if a user wants to allow some kind of ingress traffic, he might need to program both the security group and the firewall, which might be inconvenient for the user.
>>>>>
>>>>> As for ACL, are you referring to ACL in VPC? In this spec, VPC is not supported, for a similar reason to isolated guest networks: the user might need to handle ACL and security groups at the same time.
>>>>>
>>>>> Anthony
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Kelcey Damage (BT) [mailto:kel...@backbonetechnology.com]
>>>>>> Sent: Wednesday, January 16, 2013 4:55 PM
>>>>>> To: cloudstack-dev@incubator.apache.org
>>>>>> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>>>>>
>>>>>> So to catch myself up, this will allow functional security group isolation/ACLs on both 'shared' and 'isolated' networks?
>>>>>>
>>>>>> -kd
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Animesh Chaturvedi [mailto:animesh.chaturv...@citrix.com]
>>>>>>> Sent: Wednesday, January 16, 2013 1:36 PM
>>>>>>> To: cloudstack-dev@incubator.apache.org
>>>>>>> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>>>>>>
>>>>>>> Folks, please pass on comments if any; otherwise it is assumed that the spec is approved by the community.
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Anthony Xu [mailto:xuefei...@citrix.com]
>>>>>>>> Sent: Friday, January 11, 2013 3:53 PM
>>>>>>>> To: cloudstack-dev@incubator.apache.org
>>>>>>>> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>>>>>>>
>>>>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone
>>>>>>>>
>>>>>>>> This is the upgraded spec. Compared to the original one, the following are the major changes:
>>>>>>>>
>>>>>>>> 1. SG enabled is a zone-wide parameter; if a zone is SG enabled, all guest networks in this zone must be SG enabled.
>>>>>>>> 2. Support all shared network types, including zone-wide shared networks, domain-wide shared networks and account-specific shared networks.
>>>>>>>> 3. Support multiple SG enabled networks in one SG enabled zone.
>>>>>>>> 4. A VM can be on multiple SG enabled networks.
>>>>>>>> 5. SG rules apply to all NICs of a VM.
>>>>>>>> 6. Support both KVM and XenServer.
>>>>>>>>
>>>>>>>> Comments, questions, suggestions and flames are welcome!
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Anthony
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Dave Cahill [mailto:dcah...@midokura.jp]
>>>>>>>>> Sent: Thursday, January 10, 2013 5:29 PM
>>>>>>>>> To: cloudstack-dev@incubator.apache.org
>>>>>>>>> Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
>>>>>>>>>
>>>>>>>>> Hi Anthony,
>>>>>>>>>
>>>>>>>>> Understood - thanks for the update.
>>>>>>>>>
>>>>>>>>> Dave.
>>>>>>>>>
>>>>>>>>> On Fri, Jan 11, 2013 at 2:54 AM, Anthony Xu <xuefei...@citrix.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Dave,
>>>>>>>>>>
>>>>>>>>>> For 4.1, this feature is only for shared networks on advanced zones; both XenServer and KVM are supported.
>>>>>>>>>> Will upgrade the FS soon.
>>>>>>>>>>
>>>>>>>>>> Anthony
>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: Dave Cahill [mailto:dcah...@midokura.jp]
>>>>>>>>>>> Sent: Thursday, January 10, 2013 12:33 AM
>>>>>>>>>>> To: cloudstack-dev@incubator.apache.org
>>>>>>>>>>> Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
>>>>>>>>>>>
>>>>>>>>>>> Hi Manan,
>>>>>>>>>>>
>>>>>>>>>>> I'm interested in this feature - when (roughly) are you planning to commit this to master?
>>>>>>>>>>>
>>>>>>>>>>> Are you planning the full list of features from your requirements doc (including support for Advanced, Isolated networks) in 4.1?
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>> Dave.
>>>>>>>>>>>
>>>>>>>>>>> On Sat, Jan 5, 2013 at 7:01 AM, Manan Shah <manan.s...@citrix.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Yes, the FS definitely needs updating. Please also look at the "Future" section of Alena's FS.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Manan Shah
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/4/13 1:57 PM, "Prasanna Santhanam" <prasanna.santha...@citrix.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> On Sat, Jan 05, 2013 at 12:16:44AM +0530, Manan Shah wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Chip,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As Alena had mentioned in her FS, her focus was to initially support only the functionality that was enabled in CS 2.2. She had created a section in her FS that talked about future release plans.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> My requirements page covers requirements for both the CS 2.2 use case as well as the broader use case.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Let me know if you have additional questions.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks - Alena's FS lists only support for KVM, while you have listed support for XenServer and KVM. Guess the FS needs updating?
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Prasanna.,
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Dave.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thanks,
>>>>>>>>> Dave.
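The two scoping models the thread compares, VM-level SG membership as in the spec (rules apply to all NICs) versus NIC-level membership as in AWS ENI, modelled as an added example; this is not code from the thread or from CloudStack, and the group names, NIC names, rules and addresses are constructed.

```python
"""VM-level vs NIC-level security-group scoping, modelled in Python.

Added example, not CloudStack code. Ingress rules are (proto, port, source
CIDR); the group names, NIC names and addresses below are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed sample: the VM sits on a public shared network (eth0) and a
# management shared network (eth1), as spec items 2 and 4 allow.
GROUPS = {
    "web":  [("tcp", 443, "0.0.0.0/0")],
    "mgmt": [("tcp", 22, "10.0.0.0/8")],
}
VM = {
    "name": "app01",
    "groups": ["web", "mgmt"],                    # VM-level (spec item 5)
    "nics": {"eth0": ["web"], "eth1": ["mgmt"]},  # NIC-level (AWS ENI style)
}


def effective_groups(vm, nic, nic_level):
    """Spec model: every NIC inherits the VM's groups; ENI model: per NIC."""
    return vm["nics"][nic] if nic_level else vm["groups"]


def rule_matches(rule, proto, port, src_ip):
    r_proto, r_port, r_cidr = rule
    return (r_proto == proto and r_port == port
            and ip_address(src_ip) in ip_network(r_cidr))


def ingress_allowed(vm, nic, proto, port, src_ip, nic_level=False):
    """Default deny: allow only if a rule in some effective group matches."""
    return any(rule_matches(rule, proto, port, src_ip)
               for group in effective_groups(vm, nic, nic_level)
               for rule in GROUPS[group])


def exposure(vm, nic_level=False):
    """Per-NIC sorted list of (proto, port, cidr) reachable on that NIC."""
    return {nic: sorted(rule for g in effective_groups(vm, nic, nic_level)
                        for rule in GROUPS[g])
            for nic in vm["nics"]}
```

Under the VM-level model the mgmt SSH rule is also reachable on the public NIC, which is the over-exposure that NIC-level scoping avoids; `exposure()` is the per-NIC view a reviewer would check before enabling SG on a multi-NIC VM.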