[ https://issues.apache.org/jira/browse/CLOUDSTACK-10126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16312647#comment-16312647 ]

ASF subversion and git services commented on CLOUDSTACK-10126:
--------------------------------------------------------------

Commit bf4f1bbb90a7ac05c7d40b1e5667186a646a25f7 in cloudstack's branch 
refs/heads/master from [~nicolas.vazquez]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=bf4f1bb ]

CLOUDSTACK-10126: Separate Subnet for SSVM and CPVM (#2368)

This extends the work presented in #2048, which provides the ability to extend the 
management range.

Aim
This PR allows separating the management network subnet on which SSVM and CPVM 
are from the virtual routers management subnet.

Detailed use case
PCI compliance requires that network elements are defined as 'in scope' or 'out 
of scope' for compliance purposes. The SSVM and CPVM are both in scope as they 
allow public HTTP or HTTPS connections. The virtual routers have been defined 
as out of scope as they have been placed entirely in a firewalled network 
segment. However, all of the system VM types share the management network. As 
SSVM and CPVM are both in scope, this would bring the virtual routers into scope 
as well, requiring individual audits of every virtual router. As this is not 
practical, the 'management network' which the SSVM and CPVM are on, and the 
management network which the virtual routers are on, must be separated by a 
firewall.

Description
With this feature it is possible to dedicate a created range to SSVM and CPVM 
(system VMs) and provide a VLAN ID for that range.

A new boolean global configuration is added: 
system.vm.management.ip.reservation.mode.strictness. If enabled, System VM 
management IP reservation is strict; otherwise it is preferred. The default 
value is false (preferred).

Strict reservation: System VMs try to get a private IP from a range marked for 
system VMs. If none is available, deployment fails.
Preferred reservation: System VMs try to get a private IP from a range marked 
for system VMs. If none is available, an IP from a range not marked for system 
VMs is taken.


> Separate Subnet for CPVM and SSVM
> ---------------------------------
>
>                 Key: CLOUDSTACK-10126
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10126
>             Project: CloudStack
>          Issue Type: Improvement
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>    Affects Versions: 4.11.0.0
>            Reporter: Nicolas Vazquez
>            Assignee: Nicolas Vazquez
>
> Separate Management Subnet for CPVM and SSVM
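The strict and preferred reservation modes described in the commit message, modelled as an added example (not CloudStack's own allocator code). The range class, the VM type names and the assumption that virtual routers never draw from a range dedicated to system VMs are constructed here for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed stand-in for a pod management IP range; for_system_vms marks
# it as dedicated to SSVM/CPVM, with its own VLAN ID (hypothetical model).
@dataclass
class ManagementRange:
    start: str
    end: str
    vlan: Optional[str] = None
    for_system_vms: bool = False
    allocated: Set[str] = field(default_factory=set)

    def free_ips(self):
        lo = int(ipaddress.IPv4Address(self.start))
        hi = int(ipaddress.IPv4Address(self.end))
        for n in range(lo, hi + 1):
            ip = str(ipaddress.IPv4Address(n))
            if ip not in self.allocated:
                yield ip

SYSTEM_VM_TYPES = ("SecondaryStorageVm", "ConsoleProxy")  # SSVM and CPVM

def allocate_private_ip(ranges: List[ManagementRange], vm_type: str,
                        strict_reservation: bool = False) -> Optional[Tuple[str, Optional[str]]]:
    """Pick (ip, vlan) for a system VM; strict_reservation mirrors the global
    setting system.vm.management.ip.reservation.mode.strictness."""
    dedicated = [r for r in ranges if r.for_system_vms]
    shared = [r for r in ranges if not r.for_system_vms]
    if vm_type in SYSTEM_VM_TYPES:
        # Strict: dedicated ranges only, otherwise fail (caller treats None as
        # deployment failure). Preferred: fall back to the shared ranges.
        candidates = dedicated if strict_reservation else dedicated + shared
    else:
        # Assumption: routers and other VMs never consume the dedicated range,
        # which keeps them off the in-scope SSVM/CPVM subnet.
        candidates = shared
    for r in candidates:
        for ip in r.free_ips():
            r.allocated.add(ip)
            return ip, r.vlan
    return None
```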



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)