Correct, there are several types of guest shared network:

Zone-wide guest shared network
Domain-wide guest shared network
Account-specific guest shared network

One VM can be on multiple networks. SG is on VM level, which means SG will be applied to all NICs of this VM.

Cheers,
Anthony

> -----Original Message-----
> From: Kelcey Damage (BT) [mailto:kel...@backbonetechnology.com] On Behalf Of kdam...@apache.org
> Sent: Wednesday, January 16, 2013 5:17 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>
> Got it,
>
> So we are still only talking about SG on advanced shared networks.
>
> Thanks.
>
> -kd
>
> >-----Original Message-----
> >From: Anthony Xu [mailto:xuefei...@citrix.com]
> >Sent: Wednesday, January 16, 2013 5:11 PM
> >To: cloudstack-dev@incubator.apache.org
> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >
> >In this spec, security group is only supported in shared guest network; we
> >might add isolated guest network support later. I have a concern about this:
> >normally there is a firewall for an isolated network. If security group is
> >added to an isolated network, that means if a user wants to allow some kind
> >of ingress traffic, he might need to program both security group and
> >firewall, which might be inconvenient for the user.
> >
> >As for ACL, are you referring to ACL in VPC? In this spec, VPC is not
> >supported for a similar reason to isolated guest network: the user might
> >need to handle ACL and security group at the same time.
> >
> >Anthony
> >
> >> -----Original Message-----
> >> From: Kelcey Damage (BT) [mailto:kel...@backbonetechnology.com]
> >> Sent: Wednesday, January 16, 2013 4:55 PM
> >> To: cloudstack-dev@incubator.apache.org
> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >>
> >> So to catch myself up, this will allow functional security group
> >> isolation/ACLs on both 'shared' and 'isolated' networks?
> >>
> >> -kd
> >>
> >> >-----Original Message-----
> >> >From: Animesh Chaturvedi [mailto:animesh.chaturv...@citrix.com]
> >> >Sent: Wednesday, January 16, 2013 1:36 PM
> >> >To: cloudstack-dev@incubator.apache.org
> >> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >
> >> >Folks, please pass on comments if any, otherwise it is assumed that
> >> >the spec is approved by the community.
> >> >
> >> >> -----Original Message-----
> >> >> From: Anthony Xu [mailto:xuefei...@citrix.com]
> >> >> Sent: Friday, January 11, 2013 3:53 PM
> >> >> To: cloudstack-dev@incubator.apache.org
> >> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>
> >> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone
> >> >>
> >> >> This is the upgraded spec.
> >> >> Compared to the original one, the following are the major changes:
> >> >>
> >> >> 1. SG enabled is a zone-wide parameter; if this zone is SG enabled,
> >> >>    all guest networks in this zone must be SG enabled.
> >> >> 2. Support all shared network types, including zone-wide shared
> >> >>    networks, domain-wide shared networks and account-specific shared
> >> >>    networks.
> >> >> 3. Support multiple SG enabled networks in one SG enabled zone.
> >> >> 4. VM can be on multiple SG enabled networks.
> >> >> 5. SG rules apply to all NICs for a VM.
> >> >> 6. Support both KVM and XenServer.
> >> >>
> >> >> Comments, questions, suggestions and flames are welcome!
> >> >>
> >> >> Thanks,
> >> >> Anthony
> >> >>
> >> >> > -----Original Message-----
> >> >> > From: Dave Cahill [mailto:dcah...@midokura.jp]
> >> >> > Sent: Thursday, January 10, 2013 5:29 PM
> >> >> > To: cloudstack-dev@incubator.apache.org
> >> >> > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >> >
> >> >> > Hi Anthony,
> >> >> >
> >> >> > Understood - thanks for the update.
> >> >> >
> >> >> > Dave.
> >> >> >
> >> >> > On Fri, Jan 11, 2013 at 2:54 AM, Anthony Xu <xuefei...@citrix.com> wrote:
> >> >> >
> >> >> > > Hi Dave,
> >> >> > >
> >> >> > > For 4.1, this feature is only for shared networks on advanced
> >> >> > > zones; both XenServer and KVM are supported.
> >> >> > > Will upgrade FS soon.
> >> >> > >
> >> >> > > Anthony
> >> >> > >
> >> >> > > > -----Original Message-----
> >> >> > > > From: Dave Cahill [mailto:dcah...@midokura.jp]
> >> >> > > > Sent: Thursday, January 10, 2013 12:33 AM
> >> >> > > > To: cloudstack-dev@incubator.apache.org
> >> >> > > > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >> > > >
> >> >> > > > Hi Manan,
> >> >> > > >
> >> >> > > > I'm interested in this feature - when (roughly) are you planning
> >> >> > > > to commit this to master?
> >> >> > > >
> >> >> > > > Are you planning the full list of features from your requirements
> >> >> > > > doc (including support for Advanced, Isolated networks) in 4.1?
> >> >> > > >
> >> >> > > > Thanks in advance,
> >> >> > > > Dave.
> >> >> > > >
> >> >> > > > On Sat, Jan 5, 2013 at 7:01 AM, Manan Shah <manan.s...@citrix.com> wrote:
> >> >> > > >
> >> >> > > > > Yes, FS definitely needs updating. Please also look at the
> >> >> > > > > "Future" section of Alena's FS.
> >> >> > > > >
> >> >> > > > > Regards,
> >> >> > > > > Manan Shah
> >> >> > > > >
> >> >> > > > > On 1/4/13 1:57 PM, "Prasanna Santhanam" <prasanna.santha...@citrix.com> wrote:
> >> >> > > > >
> >> >> > > > > >On Sat, Jan 05, 2013 at 12:16:44AM +0530, Manan Shah wrote:
> >> >> > > > > >> Hi Chip,
> >> >> > > > > >>
> >> >> > > > > >> As Alena had mentioned in her FS, her focus was to initially
> >> >> > > > > >> support only the functionality that was enabled in CS 2.2.
> >> >> > > > > >> She had created a section in her FS that talked about Future
> >> >> > > > > >> release plans.
> >> >> > > > > >>
> >> >> > > > > >> My requirements page covers requirements for both the CS 2.2
> >> >> > > > > >> use case as well as the broader use case.
> >> >> > > > > >>
> >> >> > > > > >> Let me know if you have additional questions.
> >> >> > > > > >>
> >> >> > > > > >Thanks - Alena's FS lists only support for KVM while you have
> >> >> > > > > >listed support for XenServer and KVM. Guess the FS needs
> >> >> > > > > >updating?
> >> >> > > > > >
> >> >> > > > > >--
> >> >> > > > > >Prasanna.,
> >> >> > > >
> >> >> > > > --
> >> >> > > > Thanks,
> >> >> > > > Dave.
> >> >> >
> >> >> > --
> >> >> > Thanks,
> >> >> > Dave.