That's why VPC support is not in this FS for 4.1.

After introducing NIC-based SG, instance-based SG will be removed; each NIC of the VM will be associated with the same instance-based SG through upgrade.
Anthony

> -----Original Message-----
> From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
> Sent: Friday, January 18, 2013 5:52 PM
> To: CloudStack DeveloperList
> Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
>
> That is just so confusing. So if we do ENI-style in 4.2, the rules for accessing a VM within a VPC will be the union of
> * ACL accept
> * ACL deny
> * instance-based SG
> * nic based SG
>
> On 1/18/13 9:50 AM, "Anthony Xu" <xuefei...@citrix.com> wrote:
>
> >Thanks for comments,
> >It is nice to have security group at NIC level.
> >I checked AWS, which is implemented with Elastic Network Interfaces (ENI), but when deploying a VM, all NICs of the VM are associated with the same security groups, which is the same as what we did in the FS.
> >
> >Maybe we can implement NIC-level security group after we have the VM NIC hot plug feature (something like ENI) in 4.2.
> >
> >Anthony
> >
> >> -----Original Message-----
> >> From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
> >> Sent: Thursday, January 17, 2013 5:29 PM
> >> To: CloudStack DeveloperList
> >> Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
> >>
> >> I don't think that's what Anthony is saying.
> >> I think he is saying that if a VM is in security groups X,Y,Z, then ALL nics of the VM are in security groups X,Y,Z.
> >>
> >> The AWS-compatible way is that nics are associated with the security group.
> >> So, VM's eth0 can be in security group Z and eth1 can be in security group X.
> >> I think we should do it this way.
> >>
> >> On 1/16/13 5:35 PM, "kdam...@apache.org" <kdam...@apache.org> wrote:
> >>
> >> >So the VM will determine its own participation level. A VM can have networks with SG and without at the same time. If that's the case this feature proposal just got more awesome!
> >> >
> >> >-kd
> >> >
> >> >>-----Original Message-----
> >> >>From: Anthony Xu [mailto:xuefei...@citrix.com]
> >> >>Sent: Wednesday, January 16, 2013 5:21 PM
> >> >>To: cloudstack-dev@incubator.apache.org
> >> >>Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>
> >> >>Correct,
> >> >>there are several types of guest shared network:
> >> >>Zone-wide guest shared network
> >> >>Domain-wide guest shared network
> >> >>Account-specific guest shared network
> >> >>
> >> >>One VM can be on multiple networks.
> >> >>SG is on VM level, which means SG will be applied to all NICs of this VM.
> >> >>
> >> >>Cheers,
> >> >>Anthony
> >> >>
> >> >>> -----Original Message-----
> >> >>> From: Kelcey Damage (BT) [mailto:kel...@backbonetechnology.com] On Behalf Of kdam...@apache.org
> >> >>> Sent: Wednesday, January 16, 2013 5:17 PM
> >> >>> To: cloudstack-dev@incubator.apache.org
> >> >>> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>>
> >> >>> Got it,
> >> >>>
> >> >>> So we are still only talking about SG on advanced shared networks.
> >> >>>
> >> >>> Thanks.
> >> >>>
> >> >>> -kd
> >> >>>
> >> >>> >-----Original Message-----
> >> >>> >From: Anthony Xu [mailto:xuefei...@citrix.com]
> >> >>> >Sent: Wednesday, January 16, 2013 5:11 PM
> >> >>> >To: cloudstack-dev@incubator.apache.org
> >> >>> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>> >
> >> >>> >In this spec, security group is only supported in shared guest network; we might add isolated guest network support later. I have a concern about this: normally there is a firewall for an isolated network, so if security group is added to an isolated network, that means if a user wants to allow some kind of ingress traffic, he might need to program both security group and firewall, which might be inconvenient for the user.
> >> >>> >
> >> >>> >As for ACL, are you referring to ACL in VPC? In this spec, VPC is not supported due to a similar reason as isolated guest network: the user might need to handle ACL and security group at the same time.
> >> >>> >
> >> >>> >Anthony
> >> >>> >
> >> >>> >> -----Original Message-----
> >> >>> >> From: Kelcey Damage (BT) [mailto:kel...@backbonetechnology.com]
> >> >>> >> Sent: Wednesday, January 16, 2013 4:55 PM
> >> >>> >> To: cloudstack-dev@incubator.apache.org
> >> >>> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>> >>
> >> >>> >> So to catch myself up, this will allow functional security group isolation/ACLs on both 'shared' and 'isolated' networks?
> >> >>> >>
> >> >>> >> -kd
> >> >>> >>
> >> >>> >> >-----Original Message-----
> >> >>> >> >From: Animesh Chaturvedi [mailto:animesh.chaturv...@citrix.com]
> >> >>> >> >Sent: Wednesday, January 16, 2013 1:36 PM
> >> >>> >> >To: cloudstack-dev@incubator.apache.org
> >> >>> >> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>> >> >
> >> >>> >> >Folks, please pass on comments if any; otherwise it is assumed that the spec is approved by the community.
> >> >>> >> >
> >> >>> >> >> -----Original Message-----
> >> >>> >> >> From: Anthony Xu [mailto:xuefei...@citrix.com]
> >> >>> >> >> Sent: Friday, January 11, 2013 3:53 PM
> >> >>> >> >> To: cloudstack-dev@incubator.apache.org
> >> >>> >> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>> >> >>
> >> >>> >> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone
> >> >>> >> >>
> >> >>> >> >> This is the upgraded spec.
> >> >>> >> >> Compared to the original one, the following are the major changes:
> >> >>> >> >>
> >> >>> >> >> 1. SG enabled is a zone-wide parameter; if this zone is SG enabled, all guest networks in this zone must be SG enabled.
> >> >>> >> >> 2. Support all shared network types, including zone-wide shared network, domain-wide shared networks and account-specific shared networks.
> >> >>> >> >> 3. Support multiple SG enabled networks in one SG enabled zone.
> >> >>> >> >> 4. VM can be on multiple SG enabled networks.
> >> >>> >> >> 5. SG rules apply to all NICs of a VM.
> >> >>> >> >> 6. Support both KVM and XenServer.
> >> >>> >> >>
> >> >>> >> >> Comments, questions, suggestions and flames are welcome!
> >> >>> >> >>
> >> >>> >> >> Thanks,
> >> >>> >> >> Anthony
> >> >>> >> >>
> >> >>> >> >> > -----Original Message-----
> >> >>> >> >> > From: Dave Cahill [mailto:dcah...@midokura.jp]
> >> >>> >> >> > Sent: Thursday, January 10, 2013 5:29 PM
> >> >>> >> >> > To: cloudstack-dev@incubator.apache.org
> >> >>> >> >> > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>> >> >> >
> >> >>> >> >> > Hi Anthony,
> >> >>> >> >> >
> >> >>> >> >> > Understood - thanks for the update.
> >> >>> >> >> >
> >> >>> >> >> > Dave.
> >> >>> >> >> >
> >> >>> >> >> > On Fri, Jan 11, 2013 at 2:54 AM, Anthony Xu <xuefei...@citrix.com> wrote:
> >> >>> >> >> >
> >> >>> >> >> > > Hi Dave,
> >> >>> >> >> > >
> >> >>> >> >> > > For 4.1, this feature is only for shared network on advanced zone; both XenServer and KVM are supported.
> >> >>> >> >> > > Will upgrade FS soon.
> >> >>> >> >> > >
> >> >>> >> >> > > Anthony
> >> >>> >> >> > >
> >> >>> >> >> > > > -----Original Message-----
> >> >>> >> >> > > > From: Dave Cahill [mailto:dcah...@midokura.jp]
> >> >>> >> >> > > > Sent: Thursday, January 10, 2013 12:33 AM
> >> >>> >> >> > > > To: cloudstack-dev@incubator.apache.org
> >> >>> >> >> > > > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>> >> >> > > >
> >> >>> >> >> > > > Hi Manan,
> >> >>> >> >> > > >
> >> >>> >> >> > > > I'm interested in this feature - when (roughly) are you planning to commit this to master?
> >> >>> >> >> > > >
> >> >>> >> >> > > > Are you planning the full list of features from your requirements doc (including support for Advanced, Isolated networks) in 4.1?
> >> >>> >> >> > > >
> >> >>> >> >> > > > Thanks in advance,
> >> >>> >> >> > > > Dave.
> >> >>> >> >> > > >
> >> >>> >> >> > > > On Sat, Jan 5, 2013 at 7:01 AM, Manan Shah <manan.s...@citrix.com> wrote:
> >> >>> >> >> > > >
> >> >>> >> >> > > > > Yes, FS definitely needs updating. Please also look at the "Future" section of Alena's FS.
> >> >>> >> >> > > > >
> >> >>> >> >> > > > > Regards,
> >> >>> >> >> > > > > Manan Shah
> >> >>> >> >> > > > >
> >> >>> >> >> > > > > On 1/4/13 1:57 PM, "Prasanna Santhanam" <prasanna.santha...@citrix.com> wrote:
> >> >>> >> >> > > > >
> >> >>> >> >> > > > > >On Sat, Jan 05, 2013 at 12:16:44AM +0530, Manan Shah wrote:
> >> >>> >> >> > > > > >> Hi Chip,
> >> >>> >> >> > > > > >>
> >> >>> >> >> > > > > >> As Alena had mentioned in her FS, her focus was to initially support only the functionality that was enabled in CS 2.2. She had created a section in her FS that talked about future release plans.
> >> >>> >> >> > > > > >>
> >> >>> >> >> > > > > >> My requirements page covers requirements for both the CS 2.2 use case as well as the broader use case.
> >> >>> >> >> > > > > >>
> >> >>> >> >> > > > > >> Let me know if you have additional questions.
> >> >>> >> >> > > > > >>
> >> >>> >> >> > > > > >Thanks - Alena's FS lists only support for KVM while you have listed support for XenServer and KVM. Guess the FS needs updating?
> >> >>> >> >> > > > > >
> >> >>> >> >> > > > > >--
> >> >>> >> >> > > > > >Prasanna.,
> >> >>> >> >> > > > >
> >> >>> >> >> > > >
> >> >>> >> >> > > > --
> >> >>> >> >> > > > Thanks,
> >> >>> >> >> > > > Dave.
> >> >>> >> >> > >
> >> >>> >> >> >
> >> >>> >> >> > --
> >> >>> >> >> > Thanks,
> >> >>> >> >> > Dave.
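The thread contrasts two ways of attaching security groups: the 4.1 FS model, where a VM's groups apply to every one of its NICs, and the ENI-style model, where each NIC carries its own groups, with the upgrade step of giving every NIC the instance's existing groups so that nothing changes at migration time. The following Python model is an added example and not CloudStack code; the rule shape (protocol, port range, source CIDR), the group names, network names and addresses are all constructed for illustration, and CloudStack's real data model and API are not used.

```python
"""Model of security-group membership at VM level versus NIC level.

Added example, not CloudStack code. Rule shape, group names, network
names and addresses are constructed for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IngressRule:
    protocol: str        # "tcp", "udp" or "icmp"
    start_port: int
    end_port: int
    source_cidr: str

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        return (self.protocol == protocol
                and self.start_port <= port <= self.end_port
                and ip_address(src_ip) in ip_network(self.source_cidr))


@dataclass
class Nic:
    device: str                                  # e.g. "eth0"
    network: str                                 # shared network the NIC is on
    groups: set = field(default_factory=set)     # NIC-level membership (ENI style)


@dataclass
class Vm:
    name: str
    nics: list
    groups: set = field(default_factory=set)     # instance-level membership (4.1 FS)


def effective_groups(vm: Vm, nic: Nic, nic_based: bool) -> set:
    """Instance-based: every NIC inherits the VM's groups.
    NIC-based: each NIC carries its own set."""
    return nic.groups if nic_based else vm.groups


def ingress_allowed(vm, nic, catalog, protocol, port, src_ip, nic_based=False):
    """Security groups are default-deny for ingress and only carry allow
    rules, so membership in several groups is the union of their rules."""
    return any(rule.matches(protocol, port, src_ip)
               for g in effective_groups(vm, nic, nic_based)
               for rule in catalog[g])


def migrate_to_nic_based(vm: Vm) -> Vm:
    """Upgrade step from the thread: every NIC is associated with the same
    groups the instance had, so reachability is unchanged after migration."""
    for nic in vm.nics:
        nic.groups = set(vm.groups)
    vm.groups = set()
    return vm


def demo():
    # Constructed catalog: group name -> allow rules
    catalog = {
        "web":  [IngressRule("tcp", 80, 80, "0.0.0.0/0")],
        "mgmt": [IngressRule("tcp", 22, 22, "10.1.0.0/16")],
    }
    vm = Vm("app01",
            [Nic("eth0", "zone-shared"), Nic("eth1", "mgmt-shared")],
            {"web", "mgmt"})
    probes = {"ssh_from_mgmt": ("tcp", 22, "10.1.2.3"),
              "http_from_internet": ("tcp", 80, "198.51.100.7")}

    def table(nic_based):
        return {n.device: {k: ingress_allowed(vm, n, catalog, *p, nic_based=nic_based)
                           for k, p in probes.items()}
                for n in vm.nics}

    instance_based = table(nic_based=False)   # every NIC gets both ports
    migrate_to_nic_based(vm)
    after_upgrade = table(nic_based=True)     # identical to instance_based
    # Per-NIC narrowing that the VM-level model cannot express:
    # only the management NIC accepts SSH, only the public NIC accepts HTTP.
    vm.nics[0].groups = {"web"}
    vm.nics[1].groups = {"mgmt"}
    narrowed = table(nic_based=True)
    return instance_based, after_upgrade, narrowed


if __name__ == "__main__":
    for label, t in zip(("instance-based", "after upgrade", "narrowed per NIC"), demo()):
        print(label, t)
```

Running the module prints three reachability tables: the instance-based one, the one immediately after migration (identical, which is the property the upgrade path relies on), and the narrowed one, where SSH from the management range is only accepted on eth1 and HTTP only on eth0. The model deliberately stops at security groups; a VM inside a VPC would additionally be subject to network ACLs, which is the layering the thread flags as confusing.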