Hi Murali,

Please see the answers inline.

-Alena.

On 11/14/12 10:54 PM, "Murali Reddy" <murali.re...@citrix.com> wrote:

>Alena,
>
>I have a couple of queries on the requirements listed in the spec.
>
>- "Shared Zone Wide SG Enabled Guest network is required in Advance SG
>enabled zone as CPVM/SSVM are using it."
> 
>I am not clear why CPVM/SSVM will use the shared guest network with SG.


Because this is the only one Shared network with the Public ip addresses
in the zone. As the SSVM/CPVM will need access to the internet (Public
interface), and there is no public traffic type in the zone, they'll get
the IPs from the Guest Shared network. It's very similar to the Basic zone
scenario where system VMs also get public IPs from the Shared zone wide
Guest network.

>
>- "No Isolated networks can be added to the Advance SG enabled zone. No
>Shared Domain wide networks are allowed either."
>
>
>Does this mean, there will be only one shared network in the entire SG
>enabled zone? 

Only one Shared SG enabled Zone wide network + any number of Shared
account specific networks. No Isolated, no Domain level Shared networks
and no additional zone wide Shared networks.


>You mentioned relaxing some of these restriction as future
>release plans, but was wondering why such stringent restriction.

Because the initial goal for this release - re-enable 2.2.x feature so
existing 2.2.x customers can upgrade. So the feature will work just the
way it used to work in 2.2.x, including all the restrictions. As we
already have a regression test plan for it, it would be easier for QA to
test it. Introducing new functionality/re-writing the logic can cause
regressions and would definitely require more time for QA.

>Will
>overlapping CIDRs of multiple isolated networks conflict with the
>security groups functionality at hypervisor level?


Not sure about that, Anthony would be the right person to answer this
question.

>
>Thanks,
>Murali
>
>On 14/11/12 12:17 AM, "Alena Prokharchyk" <alena.prokharc...@citrix.com>
>wrote:
>
>>In 2.2.x version of the CloudStack we provided support for Security
>>Groups
>>in Advance zone. The feature was temporarily disabled in released versions
>>of 3.0.x branch due to lack of dev and test resources needed to
>>accommodate the feature to the new NaaS framework.
>>
>>
>>Disabling the feature made an upgrade for existing 2.2.x customers using
>>this network model impossible. We are going to re-enable the feature in
>>the next CS release with all the limitations accompanying it in 2.2.x
>>branch.
>>
>>Here is the functional specification:
>>
>>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone
>>
>>
>>
>>It reflects:
>>
>>* current behavior model
>>* feature limitations
>>* upgrade path
>>* feature enhancements plan
>>
>>
>>Please review and point out if there are any inconsistencies/unclearness
>>in the spec.
>>
>>Anthony Xu will be the key developer for Java + Scripting part; UI
>>developers haven't been assigned to the feature yet.
>>
>>-Alena.
>>
>>
>>
>
>
>

