Re: How to create one network per project using as few public addresses as possible?
Unfortunately, the VPC source NAT IP cannot be used by any VPC tiers for any purposes (load balancing, port forwarding, static NAT). You need to acquire a new public IP.

-Wei

On Monday, February 26, 2024, Jorge Luiz Correa wrote:

> Returning to this topic with the 4.19 release, I can create a domain VPC and tiers in each project connected to this domain VPC. Each tier has its ACL rules. This is ok to filter Egress traffic, for example. But, I couldn't find a way to configure port forward in VPC (Ingress). Is there a way in the GUI?
>
> For example, in Networks > Public IP addresses -> choose any isolated network. I can see options like "Details, Firewall, Port forwarding, Load balancing, VPN, Events, Comments".
>
> When a tier is created its public IP is also listed in Networks > Public IP addresses. But, when I click on the public IP address from the VPC the options are only "Details, VPN".
>
> How can I configure ingress options, such as port forwarding? For example, I need to forward ports 80 and 443 to a specific VM in some tier.
>
> Thank you!
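Wei's answer above, sketched as an added example that is not part of the original thread: acquire an extra public IP on the VPC, then create one port forwarding rule per port on that IP, with each request signed using CloudStack's documented HMAC-SHA1 scheme. The endpoint, keys and UUIDs are constructed placeholders, and passing `projectid` when acquiring the IP is an assumption about ownership in a Domain VPC setup.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def sign_request(params, api_key, secret_key):
    """Return a signed CloudStack API query string (HMAC-SHA1 scheme)."""
    full = dict(params, apikey=api_key, response="json")
    pairs = sorted(full.items(), key=lambda kv: kv[0].lower())
    # Values are percent-encoded (space -> %20); the signature is computed
    # over the lowercased string, but the request keeps its original case.
    query = "&".join(f"{k}={quote(str(v), safe='')}" for k, v in pairs)
    digest = hmac.new(secret_key.encode(), query.lower().encode(),
                      hashlib.sha1).digest()
    return f"{query}&signature={quote(base64.b64encode(digest).decode(), safe='')}"


def acquire_ip_call(vpc_id, project_id=None):
    """Step 1: acquire an additional public IP on the VPC."""
    call = {"command": "associateIpAddress", "vpcid": vpc_id}
    if project_id:  # assumption: the IP is owned by the project
        call["projectid"] = project_id
    return call


def port_forward_calls(ip_id, tier_id, vm_id, ports=(80, 443)):
    """Step 2: one TCP rule per port, bound to the tier (networkid)."""
    return [{
        "command": "createPortForwardingRule",
        "ipaddressid": ip_id,
        "networkid": tier_id,
        "virtualmachineid": vm_id,
        "protocol": "tcp",
        "publicport": port,
        "privateport": port,
    } for port in ports]


if __name__ == "__main__":
    # Constructed placeholders, not values from the thread.
    endpoint = "https://cloudstack.example.org/client/api"
    key, secret = "EXAMPLE-API-KEY", "EXAMPLE-SECRET-KEY"
    calls = [acquire_ip_call("VPC-UUID", "PROJECT-UUID")]
    # ip_id comes from the associateIpAddress job result in a real run.
    calls += port_forward_calls("IP-UUID", "TIER-UUID", "VM-UUID")
    for call in calls:
        print(f"{endpoint}?{sign_request(call, key, secret)}")
```

The tier's network ACL still has to allow ingress on the forwarded ports, so keep its allowed source CIDRs as narrow as the service permits.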
Re: How to create one network per project using as few public addresses as possible?
Returning to this topic with the 4.19 release, I can create a domain VPC and tiers in each project connected to this domain VPC. Each tier has its ACL rules. This is ok to filter Egress traffic, for example. But, I couldn't find a way to configure port forward in VPC (Ingress). Is there a way in the GUI?

For example, in Networks > Public IP addresses -> choose any isolated network. I can see options like "Details, Firewall, Port forwarding, Load balancing, VPN, Events, Comments".

When a tier is created its public IP is also listed in Networks > Public IP addresses. But, when I click on the public IP address from the VPC the options are only "Details, VPN".

How can I configure ingress options, such as port forwarding? For example, I need to forward ports 80 and 443 to a specific VM in some tier.

Thank you!

On Wed, Nov 29, 2023 at 14:50, Jorge Luiz Correa <jorge.l.cor...@embrapa.br> wrote:

> Hi Gabriel! This is exactly what I was looking for. I couldn't find this request in github when looking for something. Thank you for sharing.
>
> No problem in creating through the API. So, I'll wait for the test results. If you could share with us, I would appreciate. And thank you so much for these tests!
>
> :)

--
Confidentiality note

This message from Empresa Brasileira de Pesquisa Agropecuaria (Embrapa), a government company established under Brazilian law (5.851/72), is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you are not the addressee, please send it back, elucidating the failure.
RE: Re: How to create one network per project using as few public addresses as possible?
Hello Jorge,

I have run some tests on the tiers created for projects, such as acquiring IP addresses, deploying VMs and creating port forward and load balancer rules and it all seems to be working as intended.

The only caveat is that, same as when creating the tier, some of these features will not work properly on the GUI, so most actions must be performed through the API.

Kind regards,

GaOrtiga
Re: How to create one network per project using as few public addresses as possible?
Hi Gabriel! This is exactly what I was looking for. I couldn't find this request in github when looking for something. Thank you for sharing.

No problem in creating through the API. So, I'll wait for the test results. If you could share with us, I would appreciate. And thank you so much for these tests!

:)

On Wed, Nov 29, 2023 at 10:01, Gabriel Ortiga Fernandes <gabriel.ort...@hotmail.com> wrote:

> Hello Jorge,
>
> As soon as release 4.19 is launched, the feature of Domain VPCs (https://github.com/apache/cloudstack/pull/7153) will be available, which will allow users and operators to create tiers to VPCs for any account (or in your case project) to which the VPC owner has access, regardless of domain, thus, allowing all the projects to share a single VR.
>
> For now, this feature is not available in the GUI; however, you can create a tier through the API 'createNetwork', informing both the projectId and vpcId.
>
> This feature has been tested using accounts, but not projects, so I will run some tests in the next few days and give you an answer regarding its viability.
>
> Kind regards,
>
> GaOrtiga
>
> PS: This email will probably be a duplicate since I tried sending it through a different provider, but it took too long, so I am sending this again to save time.
RE: How to create one network per project using as few public addresses as possible?
Hello Jorge,

As soon as release 4.19 is launched, the feature of Domain VPCs (https://github.com/apache/cloudstack/pull/7153) will be available, which will allow users and operators to create tiers to VPCs for any account (or in your case project) to which the VPC owner has access, regardless of domain, thus, allowing all the projects to share a single VR.

For now, this feature is not available in the GUI; however, you can create a tier through the API 'createNetwork', informing both the projectId and vpcId.

This feature has been tested using accounts, but not projects, so I will run some tests in the next few days and give you an answer regarding its viability.

Kind regards,

GaOrtiga

PS: This email will probably be a duplicate since I tried sending it through a different provider, but it took too long, so I am sending this again to save time.
Re: How to create one network per project using as few public addresses as possible?
You can have a look at the global setting max.project.public.ips. If the project has been created, you can update the project resource limitations.

-Wei

On Tuesday, 28 November 2023, Jorge Luiz Correa wrote:

> We have a lot of research centers here. Each one is a domain in CloudStack with its administrators. I would like each domain to use as few public IPs as possible and also use Projects to make management easier. For example, it would be ok if each domain had one virtual router with one public IP for NAT.
>
> a) If each Project has a network, each will use one public IP (VR). Many projects, many public IPs, what I'm trying to avoid.
>
> b) If I use one VPC all VMs should be in the same Project. I can't share VPC or Tiers with different Projects, as it is possible with Isolated Networks. So, Projects lose their purpose. Here I can separate VMs in different networks (tiers) but I can't use Projects features.
>
> c) If I use one Isolated Network (for example, created by a domain admin), I can share it with all projects inside the domain. However, all the VMs should be connected to this network, without project isolation. In fact, this would be a flat network shared by all VMs inside the domain and Projects will be just separating VMs in groups with their administrators.
>
> Could anyone suggest a way to use Domains with Projects and one or two public IPs per domain?
>
> Will it be possible to share different tiers with different projects, at some point?
>
> I appreciate any suggestions! Thank you!
How to create one network per project using as few public addresses as possible?
We have a lot of research centers here. Each one is a domain in CloudStack with its administrators. I would like each domain to use as few public IPs as possible and also use Projects to make management easier. For example, it would be ok if each domain had one virtual router with one public IP for NAT.

a) If each Project has a network, each will use one public IP (VR). Many projects, many public IPs, what I'm trying to avoid.

b) If I use one VPC all VMs should be in the same Project. I can't share VPC or Tiers with different Projects, as it is possible with Isolated Networks. So, Projects lose their purpose. Here I can separate VMs in different networks (tiers) but I can't use Projects features.

c) If I use one Isolated Network (for example, created by a domain admin), I can share it with all projects inside the domain. However, all the VMs should be connected to this network, without project isolation. In fact, this would be a flat network shared by all VMs inside the domain and Projects will be just separating VMs in groups with their administrators.

Could anyone suggest a way to use Domains with Projects and one or two public IPs per domain?

Will it be possible to share different tiers with different projects, at some point?

I appreciate any suggestions! Thank you!

--
Jorge Luiz Corrêa
Embrapa Agricultura Digital