Imvedansh commented on issue #10445:
URL: https://github.com/apache/cloudstack/issues/10445#issuecomment-2770056502
Hey @btzq ,
Yes, I agree — the best approach would be to deploy Suricata as a dedicated
VM, rather than embedding it in the VR, especially since IPS/IDS workloads are
resource-intensive and could negatively impact VR performance.
Here’s how I envision the high-level setup:
1)Provision a VM within CloudStack with sufficient CPU and memory resources.
2)Install a Linux OS on the VM and set up Suricata.
3)Update Suricata rules to match the tenant's security requirements.
4)Deploy Suricata in inline (transparent bridge) mode — effectively bridging
traffic between the VR and the instance network.
5)Configure two NICs on the Suricata VM:
->One connected to the upstream (northbound) side (VR/public/internet).
->One connected to the downstream (southbound) side (tenant VM subnet).
6)Enable IP forwarding and bridging on the Suricata VM to allow seamless
traffic flow.
For logging and alerting, tenants can integrate Suricata with their own SIEM
solutions using Suricata's EVE JSON output or socket API.
..
However, as far as I understand, CloudStack does not currently support
native, persistent, tenant-defined static routes inside VPCs. This presents a
key challenge:
->If the VR is rebooted or re-deployed (due to scaling, upgrade, or failure
recovery), any manually configured static routes
(used to steer traffic through the Suricata VM) will be lost.
->This means that while Suricata as a middlebox VM works in principle, the
setup is fragile and depends on:
-Manually re-adding static routes after every VR recreation, or
-Automating the process using cloud-init, userdata, or an external
automation script.
Now,
To make this more robust, we could explore a solution to implement
persistent, user-defined static routing inside a VPC, possibly by extending the
VR’s functionality.
This could either:
- Be scoped as a separate feature (or project) to enable route persistence
per tenant, or
- Be considered as an extension of this project, making
Suricata-as-a-Service inside CloudStack VPCs more reliable and easier
to adopt.
- That said, designing and implementing a persistent static routing
mechanism inside CloudStack would likely involve
significant development effort and may need deeper discussion with the
community regarding scope, feasibility, and design.
Please let me know your thoughts and any question about this.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
