daviftorres commented on PR #7288: URL: https://github.com/apache/cloudstack/pull/7288#issuecomment-2963663598
Dear @weizhouapache,

I couldn't find any information why this route is necessary:

`The SSVM has route to all internal allowed sites via private nic, for example (secstorage.allowed.internal.sites=10.0.0.0/16)`

In my setup, both the management server cluster and all System VMs are behind a reverse proxy. I use the secstorage.allowed.internal.sites setting to whitelist these reverse proxies.

The reverse proxy serves multiple purposes: WAF, rate-limiting abusive users, DoS/DDoS protection, SSL/TLS termination, etc. It is deployed in the public network, directly connected to the System VMs.

However, when the SSVM creates a route via the private (management) network, this results in asymmetric routing, as requests come from the public network but replies are sent via the private NIC.

Could you clarify the rationale behind enforcing this route via the private NIC? Is it strictly necessary for the SSVM to behave this way?

I appreciate your time and insights.

Best regards,

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
