Hi,
Use-case: I have an SG-enabled shared network where a VM establishes a
BGP session with the upstream router.
Over this BGP session the VM announces a /32 (IPv4) and/or /128 (IPv6)
address and the router now installs this route.
I do the same (with the same IPs) on a few different VMs and this way I
can have an Anycast/Floating IP which is being routed to those VMs.
Problem: Security Group filtering prohibits this as the 'ipset' on the
hypervisor checks all the packets originating from the VM and drops all
packets not matching the ipset.
Name: i-79-1328-VM
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 248
References: 5
Number of entries: 1
Members:
62.221.XXX.11
I want to add /32 and /128 addresses to this subnet so that the SG does
not filter away this traffic.
They could be added as a secondary IP to the VM, but this is not allowed
by the API as the secondary IPs you want to add should always come from
the subnet configured for that network.
I do not want to turn off security grouping as this poses other
potential issues.
Solutions I see:
- Add global/account/domain setting which allows arbitrary secondary IPs
- Add per-network setting which allows arbitrary secondary IPs
- Pre-define subnets which Anycast/Floating IPs can be picked from per
network
Any ideas or suggestions?
Wido
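An added example, not from the original post or from CloudStack's own code, that models the two checks described above in Python: the API rule that a secondary IP must come from the network's subnet (and how each of the three proposed settings would relax it), and the hypervisor's per-VM hash:ip match that drops VM-originated packets whose source is not a set member. All addresses, the pool list and the separate inet6 set are assumptions of this model.

```python
import ipaddress

# Constructed example values (RFC 5737 / RFC 3849 documentation ranges), not from the post.
NETWORK_CIDR = "192.0.2.0/24"      # subnet configured on the SG-enabled shared network
VM_PRIMARY_IP = "192.0.2.11"       # the VM's NIC address: today the only ipset member
ANYCAST_POOLS = ["198.51.100.0/24", "2001:db8:100::/48"]  # proposal 3: per-network pools


def secondary_ip_accepted(ip, network_cidr=NETWORK_CIDR,
                          allow_arbitrary=False, anycast_pools=()):
    """Model of the API rule for adding a secondary IP to a NIC.
    Current rule: the address must fall inside the network's subnet.
    Proposals 1/2: a global/account/domain or per-network setting lifts that rule.
    Proposal 3: the address may also come from pre-defined per-network pools."""
    addr = ipaddress.ip_address(ip)
    if allow_arbitrary:
        return True
    if addr in ipaddress.ip_network(network_cidr):   # mixed IP versions never match
        return True
    return any(addr in ipaddress.ip_network(pool) for pool in anycast_pools)


def build_ipsets(primary_ip, secondary_ips):
    """Mimic the per-VM hash:ip sets on the hypervisor. The set shown in the post is
    'family inet'; a second 'family inet6' set for /128 addresses is an assumption."""
    sets = {"inet": set(), "inet6": set()}
    for ip in (primary_ip, *secondary_ips):
        addr = ipaddress.ip_address(ip)
        sets["inet" if addr.version == 4 else "inet6"].add(addr)
    return sets


def egress_allowed(src_ip, ipsets):
    """SG anti-spoofing check: a VM-originated packet passes only if its source is a member."""
    addr = ipaddress.ip_address(src_ip)
    return addr in ipsets["inet" if addr.version == 4 else "inet6"]


def simulate(anycast_ips, **policy):
    """Return {ip: (api_accepts_as_secondary, packet_passes_sg)} under the given policy."""
    accepted = [ip for ip in anycast_ips if secondary_ip_accepted(ip, **policy)]
    ipsets = build_ipsets(VM_PRIMARY_IP, accepted)
    return {ip: (ip in accepted, egress_allowed(ip, ipsets)) for ip in anycast_ips}
```

Under the current rule both anycast addresses are rejected by the API and therefore dropped by the ipset; with pools, an address outside the pools is still rejected and dropped, so the spoofing protection is kept for everything not explicitly allowed.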