On 11/05/12 3:56 AM, "Clayton Weise" <cwe...@iswest.net> wrote:

>It looks like 19 would fit my needs but I have some concerns/questions.
>In that slide, the App VMs and DB VMs have a network that they both live
>on (10.1.3.0/24).  That to me means that there is a trusted relationship,
>or no ability to limit what traffic can pass between the App and DB VMs
>short of building an ACL on the DB VM itself.  Am I mistaken?
>
>I've looked at doing #21 as well, which would also work but it gets us
>back to the same issue of doing something _outside_ of CloudStack's
>knowledge which could be clobbered by CS.

I guess in the model of #21, one could have a 2-tier model, where app servers
run in one guest VLAN and DB servers in another guest VLAN, and then you
can have a VM which is in both VLANs that is tuned to do the inter-VLAN
routing. The tenant will be in full control of what traffic enters into
the VLAN that has the DB servers running. I think there is nothing that
conflicts with CloudStack's knowledge in this model.

This may not be very automated/optimal, but it might work. CloudStack will
have tiered app support in a future release [1], which will be efficient.

[1] http://confluence.cloudstack.org/display/PM/Burbank
>
>-----Original Message-----
>From: Murali Reddy [mailto:murali.re...@citrix.com]
>Sent: Thursday, May 10, 2012 9:25 AM
>To: cloudstack-dev@incubator.apache.org
>Subject: Re: domr iptables rules
>
>On 10/05/12 9:00 PM, "Clayton Weise" <cwe...@iswest.net> wrote:
>
>>It's something I have been toying with.  Basically it's a standard app/db
>>setup where the app servers would reside in a dmz and the db servers
>>would sit in a trusted network.  We need to limit the traffic going
>>between the app and the db servers in advanced networking.  So currently
>>the db and app servers have their own separate networks (vlans) and their
>>own virtual routers.  I was thinking of different ways to limit the
>>traffic from app to db to be permitted on specific ports.
>
>Can any of the models depicted in slides 19-21 of [1] work?
>
>[1] http://www.slideshare.net/cloudstack/cloudstack-networking
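The "VM in both VLANs" router from Murali's reply, as an added example that is not code from the thread or from CloudStack: a tenant-managed iptables policy that lets the app tier reach the DB tier only on a whitelisted TCP port and logs everything else. The interface names (eth1/eth2), the two subnets and port 3306 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): forwarding policy for a router VM with
# one NIC in the app-tier VLAN and one in the DB-tier VLAN. Assumed layout:
# eth1 -> app VLAN 10.1.3.0/24, eth2 -> DB VLAN 10.1.4.0/24, DB listens on 3306.
APP_IF=eth1; APP_NET=10.1.3.0/24
DB_IF=eth2;  DB_NET=10.1.4.0/24
DB_PORTS="3306"          # space-separated list of TCP ports the app tier may reach

# Emit the rules as text so they can be reviewed (and tested) before applying.
gen_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "iptables -P FORWARD DROP"          # nothing crosses tiers unless allowed
  echo "iptables -F FORWARD"
  # Replies to already-permitted connections may flow back to the app tier.
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # New connections app -> DB, only on the whitelisted ports.
  for p in $DB_PORTS; do
    echo "iptables -A FORWARD -i $APP_IF -o $DB_IF -s $APP_NET -d $DB_NET -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Log what gets dropped so the tenant can see attempted cross-tier traffic.
  echo "iptables -A FORWARD -i $APP_IF -o $DB_IF -j LOG --log-prefix 'app2db-drop: '"
  # The DB tier cannot initiate anything toward the app tier: the FORWARD
  # policy of DROP covers that direction with no further rules.
}

# Number of rules that open a new app -> DB port; used as a sanity check.
count_allowed_ports() {
  gen_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Apply for real only when explicitly asked (needs root on the router VM);
# otherwise just print the rule set for review.
if [ "$1" = "--apply" ]; then
  gen_rules | sh
else
  gen_rules
fi
```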