[
https://issues.apache.org/jira/browse/CLOUDSTACK-5535?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13867063#comment-13867063
]
Alena Prokharchyk commented on CLOUDSTACK-5535:
-----------------------------------------------
Marcus,
We do allow adding a nic from a Shared network to the VPC. Here are the scenarios
we support:
1) Vm is part of VPC network
2) Vm is part of VPC network + (1-n) number of Shared networks
All other scenarios are not supported, and the deployVm call always made this
check. Only addNic was an error-prone call. So your core feature was written based
on the buggy CS behavior.
Now, why don't we allow it? The entire purpose of vpc is to control traffic from
one tier to another (by NetworkACL rules on the VPCVR). If a vm is part of 2
vpc tiers, this control gets broken. Think about it like that:
1) VPC has tier1 and tier2
2) Vm1 belongs to tier1, VM2 belongs to tier2.
3) Network ACL restricts ingress traffic from tier1 to tier2, so vm1 can't
access vm2.
4) Introduce vm1 to tier2 by plugging in a nic of that tier. Now vm1 can access vm2
as they are part of another network now, and the networkACL is not respected.
The entire VPC concept gets broken right here.
Let me know if what I said needs more clarification.
> Do not allow addNetwork to create NIC across VPC tiers and Isolated Networks
> -----------------------------------------------------------------------------
>
> Key: CLOUDSTACK-5535
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5535
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: API, Management Server
> Affects Versions: 4.3.0
> Reporter: Saksham Srivastava
> Assignee: Saksham Srivastava
> Priority: Critical
> Fix For: 4.3.0
>
>
> addNetworkToVM allows adding any network to VM.
> Ideally a VM running in isolated Guest Network should not be able to add a
> VPC tier.
> A VM running in VPC tier should not be allowed to add another tier
> A VM running in VPC tier should not be allowed to add another isolated guest
> network.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
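The addNic validation the comment and the issue description call for, written out as an added Python model; this is not CloudStack's own Java code, and the `Network` fields (`guest_type`, `vpc_id`) and the `check_add_nic` helper are assumptions made for the illustration. It encodes the two supported scenarios (VM in a VPC tier, optionally plus Shared networks) and rejects the three cases the ticket lists.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Network:
    """Constructed model of a guest network (not CloudStack's NetworkVO)."""
    id: int
    guest_type: str            # "Isolated" or "Shared"
    vpc_id: Optional[int] = None  # set when an Isolated network is a VPC tier

    @property
    def is_vpc_tier(self) -> bool:
        return self.guest_type == "Isolated" and self.vpc_id is not None


def check_add_nic(vm_networks: Sequence[Network], new: Network) -> Tuple[bool, str]:
    """Return (allowed, reason) for plugging a nic of `new` into a VM that
    already has nics in `vm_networks`, following the rules in CLOUDSTACK-5535."""
    if new.id in {n.id for n in vm_networks}:
        return False, "VM already has a nic in this network"
    # Shared networks may sit beside a VPC tier or an isolated guest network.
    if new.guest_type == "Shared":
        return True, "Shared network can be added to any VM"
    in_vpc_tier = any(n.is_vpc_tier for n in vm_networks)
    in_isolated = any(n.guest_type == "Isolated" and not n.is_vpc_tier
                      for n in vm_networks)
    if new.is_vpc_tier:
        if in_isolated:
            return False, "VM in an isolated guest network cannot add a VPC tier"
        if in_vpc_tier:
            # Plugging a second tier would let the VM bypass the NetworkACL
            # enforced on the VPC router between tiers.
            return False, "VM in a VPC tier cannot add another VPC tier"
        return True, "first VPC tier for this VM"
    # `new` is a plain isolated guest network.
    if in_vpc_tier:
        return False, "VM in a VPC tier cannot add an isolated guest network"
    return True, "isolated guest network added"


# Constructed walk-through of the tier1/tier2 scenario from the comment.
tier1 = Network(id=1, guest_type="Isolated", vpc_id=10)
tier2 = Network(id=2, guest_type="Isolated", vpc_id=10)
shared = Network(id=3, guest_type="Shared")
isolated = Network(id=4, guest_type="Isolated")

if __name__ == "__main__":
    print(check_add_nic([tier1], tier2))   # denied: second tier of the VPC
    print(check_add_nic([tier1], shared))  # allowed: Shared beside a VPC tier
```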