Cloudstack advanced network Modes

Source: Internet
Author: User
Tags cloudstack

If you have studied or used CloudStack, you will probably have found that its Advanced network mode is difficult to understand and implement. Many users' testing gets stuck here, and even after a long period of exploration they cannot grasp the essentials. At present, Chinese technical documentation for CloudStack is not very rich, and the official documentation is in English and not clearly written in places, which is inconvenient for users in China who want to learn and research it. Here I will focus on the advanced network mode of CloudStack, hoping to help those who study, learn, and use CloudStack.

The Network-as-a-Service (NaaS) features of CloudStack come in two modes: Basic and Advanced. The main difference is how the user network (Guest Network) is isolated: Basic mode uses Security Groups (L3 isolation), while Advanced mode uses VLANs (L2 isolation). In Advanced network mode there are four types of network traffic:
Public Network: the public network, which generally refers to the Internet;
Guest Network: the private virtual network belonging to each tenant;
Management Network: the network over which the management server communicates with the physical hosts and with the management addresses of the System Virtual Machines;
Storage Network: the network over which the Secondary Storage VM (SSVM) communicates with secondary storage.

In addition, the Virtual Router (a system virtual machine) is also very important in advanced network mode. It acts as the interface between the tenant's private network and the public network, and provides the network services for the tenant's private network, including NAT, static NAT, DHCP, DNS, Load Balancing, Port Forwarding, firewall, Site-to-Site VPN, etc.

When an advanced network Zone is created, the system creates by default a Virtual Router and a private virtual network (Guest Network) for each tenant (account). The IP range of the Guest Network is normally the CIDR specified when the Zone is created (10.1.1.0/24), and a VLAN id is assigned to the Guest Network (the available range of VLAN ids is also specified when the Zone is created). Of course, tenants can create more private virtual networks according to their own needs, and each new private virtual network is also configured with its own Virtual Router. So how do the advanced network mode and the Virtual Router work? Let's look at the following advanced network mode:



After the advanced network is created, the Virtual Router becomes the gateway of the tenant's private network: its internal virtual network interface is configured with the IP address 10.1.1.1, and one or more public IP addresses (65.37.141.*) are configured on its public interface. Different tenants get their own private Guest Networks, which are isolated from each other and cannot access each other. Virtual machines in a tenant's private network automatically obtain an IP address (from 10.1.1.0/24) and a host name via the DHCP and DNS services that the Virtual Router provides when it is created. When a virtual machine needs to access the public network, it uses the NAT function of the Virtual Router, which maps private addresses to public addresses.

We know that NAT address mapping only lets internal hosts reach the outside; an external request entering the network cannot reach virtual machines in the private network. So what should be done when external access is needed? Besides NAT, the Virtual Router also provides static NAT, Load Balancing, Port Forwarding, and firewall functions.

Static NAT: a public IP address is bound to a virtual machine. All network requests from, and accesses to, this virtual machine go through the bound public IP address.

Load Balancing: network load balancing. You specify the public IP address of the Virtual Router and the corresponding port, the virtual machines and port that the load is distributed to, and the scheduling (polling) mode; incoming network requests are then distributed across the different virtual machines.

Port Forwarding: you specify the public IP address of the Virtual Router and the corresponding port, and the virtual machine and port to forward to; incoming network requests are forwarded to the corresponding port of that virtual machine.

Firewall: for network security reasons, the Virtual Router blocks all access requests to the internal network by default. You need to configure a firewall policy to open the protocol and port that should be accessible. For specific implementation methods, refer to:
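The four Virtual Router services above (firewall, port forwarding, static NAT, load balancing) are normally configured through the CloudStack API, and every request must be signed with the account's secret key. The following Python example is added here and is not code from the original post or from the CloudStack project. It implements the documented CloudStack signing scheme (sorted, URL-encoded, lower-cased parameter string, HMAC-SHA1, base64), builds requests for the real API commands createFirewallRule, createPortForwardingRule, enableStaticNat, createLoadBalancerRule and assignToLoadBalancerRule, and includes a verify_request function that re-implements the server-side signature check so you can see that tampering with any parameter (a port, a VM id, a CIDR) invalidates the request. The endpoint URL, API key, secret key and all resource ids are constructed placeholders; the order of the calls reflects the default-deny behaviour described above: the firewall rule must be opened before a port forward or static NAT on that public IP is reachable.

```python
"""Signed CloudStack API requests for the Virtual Router services.
Added example; endpoint, keys and resource ids are constructed placeholders."""
import base64
import hashlib
import hmac
import urllib.parse

API_URL = "http://cloudstack.example.invalid:8080/client/api"  # placeholder endpoint
API_KEY = "EXAMPLE-API-KEY"        # placeholder; real keys come from the account's user page
SECRET_KEY = "EXAMPLE-SECRET-KEY"  # placeholder


def _signing_string(params):
    # CloudStack signing: URL-encode every key=value (space as %20), join in
    # key order, then lower-case the whole string.
    pieces = []
    for key in sorted(params, key=str.lower):
        value = urllib.parse.quote(str(params[key]), safe="*")
        pieces.append(f"{key}={value}")
    return "&".join(pieces).lower()


def sign(params, secret_key):
    """HMAC-SHA1 of the signing string, base64-encoded, as CloudStack expects."""
    mac = hmac.new(secret_key.encode(), _signing_string(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_request(command, **args):
    """Return the full signed request URL for one API command."""
    params = {"command": command, "apikey": API_KEY, "response": "json", **args}
    query = urllib.parse.urlencode(params)
    query += "&signature=" + urllib.parse.quote(sign(params, SECRET_KEY), safe="")
    return f"{API_URL}?{query}"


def verify_request(url, secret_key):
    """Server-side check (re-implemented here): recompute the signature over
    every parameter except 'signature' and compare in constant time. Any
    change to a parameter (port, VM id, CIDR) invalidates the request."""
    query = urllib.parse.urlsplit(url).query
    params = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    presented = params.pop("signature", None)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), sign(params, secret_key).encode())


# The Virtual Router drops inbound public traffic by default, so a firewall
# rule must open the protocol/port before a port forward or static NAT is reachable.
def create_firewall_rule(ipaddressid, protocol, startport, endport, cidrlist="0.0.0.0/0"):
    return build_request("createFirewallRule", ipaddressid=ipaddressid, protocol=protocol,
                         startport=startport, endport=endport, cidrlist=cidrlist)


def create_port_forwarding_rule(ipaddressid, virtualmachineid, protocol, publicport, privateport):
    return build_request("createPortForwardingRule", ipaddressid=ipaddressid,
                         virtualmachineid=virtualmachineid, protocol=protocol,
                         publicport=publicport, privateport=privateport)


def enable_static_nat(ipaddressid, virtualmachineid):
    return build_request("enableStaticNat", ipaddressid=ipaddressid,
                         virtualmachineid=virtualmachineid)


def create_load_balancer_rule(publicipid, name, publicport, privateport, algorithm="roundrobin"):
    return build_request("createLoadBalancerRule", publicipid=publicipid, name=name,
                         publicport=publicport, privateport=privateport, algorithm=algorithm)


def assign_to_load_balancer_rule(lb_rule_id, vm_ids):
    return build_request("assignToLoadBalancerRule", id=lb_rule_id,
                         virtualmachineids=",".join(vm_ids))


if __name__ == "__main__":
    # Constructed ids; real ones come from listPublicIpAddresses / listVirtualMachines.
    for url in (
        create_firewall_rule("pubip-1", "TCP", 80, 80),
        create_port_forwarding_rule("pubip-1", "vm-web1", "TCP", 80, 8080),
        enable_static_nat("pubip-2", "vm-db1"),
        create_load_balancer_rule("pubip-3", "web-lb", 80, 80),
        assign_to_load_balancer_rule("lb-1", ["vm-web1", "vm-web2"]),
    ):
        print(url)
```

The script only builds the signed URLs; sending them (for example with urllib.request) against a real management server needs the account's real API and secret keys. Restricting cidrlist on the firewall rule to the networks that actually need access, rather than the 0.0.0.0/0 default used here, is the usual hardening step.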




Multilayer network:

The following is an example of a multi-tier CloudStack network. A tenant needs to deploy its own network application, consisting of four Web servers, two APP servers, and one DB server. The tenant creates three virtual networks: VLAN100 10.1.1.0/24, VLAN101 10.1.2.0/24, and VLAN141 10.1.3.0/24. The Web servers are configured with two virtual NICs connecting to VLAN100 and VLAN101 respectively; VLAN100 provides network services through a hardware Juniper firewall and a NetScaler load balancer, and the Web servers communicate with the APP servers over VLAN101. The APP servers are configured with two virtual NICs connecting to VLAN101 and VLAN141, and the DB server connects to VLAN141 to communicate with the APP servers. As shown in:
