GitHub user bradh352 created a discussion: Port forwarding to VIP in guest 
network

My network setup is such that all Instances are isolated within a VPC with 
micro-segments (network tiers) per service offering.  

My setup is pretty basic in the fact that I'm not using any external hardware 
integration (e.g. firewalls or load balancers), and strictly relying on the 
services provided by the virtual router.

Each segment will have multiple Instances of a given service for high 
availability, but there are cases where the load balancer provided by 
cloudstack's virtual router isn't sufficient.  Examples include instances where 
services need to be accessed internally (tier2tier) as well as from public.  Or 
when a service isn't supported by the virtual router load balancer (e.g. DNS 
via UDP).

So the use case is I assign another private ip address as a virtual IP in the 
same subnet as the instances providing the HA service.  This may be something 
as simple as a floating virtual ip across those machines using something like 
keepalived, or it could be something more complex like a load balancer doing 
LVS Direct Routing (DR).

My question is, how do I forward ports to an ip address not directly assigned 
to an instance?

As far as I can tell, the UI can't do anything like that.  The best I've found 
is in the API documentation [addIpToNic](https://cloudstack.apache.org/api/apidocs-4.21/apis/addIpToNic.html) 
to add a secondary ip address to one of my VMs.  Then call 
[createPortForwardingRule](https://cloudstack.apache.org/api/apidocs-4.21/apis/createPortForwardingRule.html) 
and specify the secondary ip address as the `vmguestip`.

I found where in the UI it says the secondary ip isn't automatically associated 
with the VM (but interestingly it doesn't say that in the API docs):
<img width="501" height="309" alt="image" src="https://github.com/user-attachments/assets/c76a0637-0ba4-4659-a239-d0c01ed1c2e4" />

So this in theory *could* work for my use case if there aren't restrictions on 
other Instances also using this IP.  But even so, this creates an issue with 
this secondary ip being associated with just one instance, such as what happens 
if this instance needs to be rebuilt?  Wouldn't that effectively disable the 
port forward since the secondary ip address is no longer assigned anywhere even 
though there are other active instances that are providing this?

What do other people do here?  This doesn't sound like that unusual of a 
thing that people would normally do.  Maybe I'm just missing something.

I'm using the terraform cloudstack provider, but can handle using the API or 
extending the provider if needed.

GitHub link: https://github.com/apache/cloudstack/discussions/11695
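As an added example (not code from the discussion or from the CloudStack project), here is how the two-call approach described in the post, `addIpToNic` followed by `createPortForwardingRule` with `vmguestip`, can be turned into signed CloudStack API requests. The endpoint, API/secret keys, NIC and VM ids, and the VIP are constructed placeholders; the signing scheme (sorted params, lowercased, HMAC-SHA1, base64) is CloudStack's documented one.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders: replace with real values, never hard-code real secrets.
ENDPOINT = "https://cloudstack.example.com/client/api"
API_KEY = "EXAMPLE-API-KEY"
SECRET_KEY = "EXAMPLE-SECRET-KEY"


def encode_query(params: dict) -> str:
    """Sort by key (case-insensitively) and URL-encode values, keeping the
    same encoding the server uses when it re-derives the signature."""
    items = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={quote(str(v), safe='*-._')}" for k, v in items)


def sign(params: dict, secret: str) -> str:
    """CloudStack request signature: base64(HMAC-SHA1(secret, lowercased query))."""
    canonical = encode_query(params).lower()
    digest = hmac.new(secret.encode(), canonical.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_url(command: str, secret: str = SECRET_KEY, **args) -> str:
    """Full request URL for one API command, including apikey and signature."""
    params = {"command": command, "apikey": API_KEY, "response": "json", **args}
    return f"{ENDPOINT}?{encode_query(params)}&signature={quote(sign(params, secret), safe='')}"


def add_vip_to_nic(nic_id: str, vip: str) -> str:
    """Step 1: attach the VIP as a secondary IP on one instance's NIC."""
    return signed_url("addIpToNic", nicid=nic_id, ipaddress=vip)


def forward_to_vip(public_ip_id: str, vm_id: str, vip: str, port: int, proto: str = "tcp") -> str:
    """Step 2: forward public port -> VIP:port; vmguestip selects the secondary IP.
    Caveat from the post: the rule is tied to vm_id's NIC, so if that instance is
    rebuilt the VIP is no longer assigned anywhere and the forward goes dead until
    step 1 is repeated on a surviving instance."""
    return signed_url("createPortForwardingRule", ipaddressid=public_ip_id,
                      virtualmachineid=vm_id, vmguestip=vip, protocol=proto,
                      publicport=port, privateport=port)


if __name__ == "__main__":
    print(add_vip_to_nic("nic-0001", "10.1.2.100"))          # constructed ids
    print(forward_to_vip("pubip-0001", "vm-0001", "10.1.2.100", 53, "udp"))
```

The URLs are only built here, not sent; an HTTP GET of each URL (in order) performs the two steps.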
