It's been quite a while since I worked on CloudStack but I think you may be able to achieve your goal with a shared network. You'll lose much of the built-in network flexibility in CloudStack, but that is most likely also the point.
-- Erik

On Tue, Dec 3, 2019 at 8:12 PM Andrija Panic <andrija.pa...@gmail.com> wrote:

> That's true.
>
> You can experiment with Dedicating a host to the customer. I can't advise (from top of my head) if also the customer's VR will be created there (but you can do one-time live migrate if needed to that host) - all customer VMs will be created on this host while there are free resources there.
>
> Andrija
>
> On Tue, 3 Dec 2019 at 19:32, Alessandro Caviglione <c.alessan...@gmail.com> wrote:
>
> > Yes, I thought about your idea, but I would not introduce too many hops... in addition I cannot manage Public IPs directly from Barracuda VA.
> > Is there a kind of parameter I can configure to deploy all customer's instances on the same VR's host?
> >
> > On Tue, Dec 3, 2019 at 6:57 PM Andrija Panic <andrija.pa...@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > it's not possible to completely replace (i.e. not without complete ACS code base change....), but you might want to see if the following helps:
> > > - Assign one or more (as required, one at minimum) additional Public IPs on the VR, and then configure Static NAT from that Public IP to the internal IP of the Barracuda appliance (which you would deploy from template - ACS 4.13 supports appliances for VMware, so you should be able to answer all the questions that are input to the appliance, so to speak...)
> > > - Then attach this Barracuda to all the networks whose VMs you want to "protect"
> > >
> > > Effectively traffic goes as follows: internet ---> VR (Public IP, Static NAT to...) ---> Barracuda/internal appliance - and the VMs would use Barracuda as the default gateway.
> > > This does imply not being able to manage IPs via DHCP, since for any DHCPDISCOVER, the dnsmasq inside VR will also offer an IP, beside Barracuda doing that...
> > > (configure ACLs to forbid ANY outgoing traffic from networks where you have your user VMs - Barracuda appliance is on the dedicated private network (which you can consider as "public" or "north-side" to the Barracuda appliance) so here you allow all outgoing traffic from this network to Internet)
> > >
> > > Then you would be able to use Barracuda as the endpoint for the VPN tunnels.
> > > Far from perfect, but might work for you, if you can live with the limitations.
> > >
> > > Best,
> > > Andrija
> > >
> > > On Tue, 3 Dec 2019 at 17:20, Alessandro Caviglione <c.alessan...@gmail.com> wrote:
> > >
> > > > Hi guys,
> > > > I'm trying to understand if it's possible to replace a VR for a single customer.
> > > > I've ACS 4.13 with vSphere 6.7 and Advanced Networking, one of my clients wants to use Barracuda Virtual Firewall because he wants to connect Cloud network to offices networks using TINA VPN (proprietary protocol) instead of IPSec.
> > > > So, is it possible to replace VR with the Barracuda Virtual Appliance?
> > > >
> > > > Thank you
> > >
> > > --
> > >
> > > Andrija Panić
> >
> > --
> > Andrija Panić