Great. Thanks again, this is very helpful. So the way I am doing it is good for now. If IP space becomes an issue (when people are actually using it), I could implement the 'per zone' approach as well.
In the per zone approach, the firewall would be initially configured with a public IP and a generic source nat rule which would map the entire guest network range in the trusted zone to the preconfigured public IP in the untrusted zone. I understand how this works now and why the source nat rules will not need to be managed by cloudstack. Thanks again for the explanation. On Thu, Apr 18, 2013 at 6:12 PM, Sheng Yang <[email protected]> wrote: > Hi Will, > > "per account" is perfectly fine in your case. "per zone" can be used if > user want to preserve some public IPs. And with "per zone", CloudStack just > won't care about source nat ip allocation etc any more, it would assume > that the firewall should already has taken care of that. Source NAT IP > would be blank in Cloudstack(a.k.a. isolated network without source nat > ip). > > It's not requirement to support "per zone". In fact as long as your device > can support of the source nat mechanism then it's fine. But I don't think > you need to handle source nat rules if you use "per zone" mode(from CS's > perspective). E.g. Juniper SRX has such a configuration: > > nat { > source { > pool inat-pool { > address { > 10.223.161.18/32; > } > } > rule-set trust { > from zone trust; > to zone untrust; > rule i-nat { > match { > source-address 10.0.0.0/8; > } > then { > source-nat { > pool { > inat-pool; > } > } > } > } > } > } > } > > This one would fit all traffic from "trust" zone(every newly created > isolated network would be in trust zone) to "untrust" zone(public network), > using source nat. > > --Sheng > > On Thu, Apr 18, 2013 at 2:50 PM, Will Stevens <[email protected]> > wrote: > > > Thanks for the answer Sheng. > > > > I currently have the Palo Alto firewall using the 'per account' method > and > > when 'IpAssocCommand' is run (when the first VM is added to a palo alto > > network ), I am dynamically creating a public sub-interface and > assigning a > > public IP (provided by cloudstack). I am also creating a private > > sub-interface on the PA which I am using the the gateway for the CS > > network. I am dynamically creating/deleting the SourceNat rules between > > the two sub-interfaces (gateway/cidr# -> public_ip/32) on implement and > > shutdown. > > > > In your eyes, is this the best way to handle this? If I was to use the > > 'per zone' option, how would the Source Nat IP get set in Cloudstack? So > > there would be one public IP per zone which all the public traffic would > go > > through for all networks? I would still have to handle the source nat > > rules from each CS network to that single public IP I believe. > > > > I am slowly getting this all documented at: > > > > > https://cwiki.apache.org/confluence/display/CLOUDSTACK/Palo+Alto+Firewall+Integration > > > > Thanks... > > > > > > On Thu, Apr 18, 2013 at 5:19 PM, Sheng Yang <[email protected]> wrote: > > > > > Hi Will, > > > > > > "Per zone" is mostly for external network devices(e.g. SRX). We can > > > configure one public network address on SRX, and use that one(which is > > out > > > of Cloudstack's control) for all the public traffic go through the > > device. > > > That's "Per zone". > > > > > > "Per account" is the other way, used by VR in CloudStack. It would > > acquire > > > one public ip from public ip pool in the zone for each isolated > network, > > > and make it source nat IP for the network. The name "per account" > because > > > in the past one user would have only one isolated network, so the > network > > > is de facto per account. It's not necessary true now, but the name > > remained > > > I think. > > > > > > There are probably bad names, we should get better name than them... > > > > > > --Sheng > > > > > > > > > On Thu, Apr 18, 2013 at 2:07 PM, Will Stevens <[email protected]> > > > wrote: > > > > > > > Oh, my bad. I forgot about that. > > > > > > > > On the 'create network service offering' overlay, if you select > > > 'SourceNat' > > > > in Supported Services, there is a drop down which get added. The > drop > > > down > > > > has the title of 'Supported Source Nat Type' and has two options: > 'Per > > > > zone' and 'Per account' > > > > > > > > Thanks, > > > > > > > > Will > > > > > > > > > > > > On Thu, Apr 18, 2013 at 4:09 PM, Chip Childers < > > > [email protected] > > > > >wrote: > > > > > > > > > Will, > > > > > > > > > > Images and other attachments are stripped on this list (text only > > > > > please!) > > > > > > > > > > Can you post the image somewhere or describe the list? > > > > > > > > > > On Thu, Apr 18, 2013 at 04:05:36PM -0400, Will Stevens wrote: > > > > > > In the 'Create network service offering' flow there is this > > dropdown: > > > > > > > > > > > > [image: Inline image 1] > > > > > > > > > > > > What are the implications for picking one or the other? > > > > > > > > > > > > This code seems related in > > > > > > > > > > > > > > > > > > > > > 'com.cloud.network.ExternalFirewallDeviceManagerImpl.manageGuestNetworkWithExternalFirewall()' > > > > > > : > > > > > > NetworkOffering offering = > > > > > > _networkOfferingDao.findById(network.getNetworkOfferingId()); > > > > > > boolean sharedSourceNat = offering.getSharedSourceNat(); > > > > > > > > > > > > IPAddressVO sourceNatIp = null; > > > > > > if (!sharedSourceNat) { > > > > > > // Get the source NAT IP address for this account > > > > > > List<? extends IpAddress> sourceNatIps = > > > > > > > _networkMgr.listPublicIpsAssignedToAccount(network.getAccountId(), > > > > > > zoneId, true); > > > > > > > > > > > > if (sourceNatIps.size() != 1) { > > > > > > String errorMsg = "External firewall was unable to find > the > > > > > source > > > > > > NAT IP address for account " > > > > > > + account.getAccountName(); > > > > > > s_logger.error(errorMsg); > > > > > > return true; > > > > > > } else { > > > > > > sourceNatIp = > > > > > _ipAddressDao.findById(sourceNatIps.get(0).getId()); > > > > > > } > > > > > > } > > > > > > > > > > > > How does the 'sourceNatIp' get set if 'sharedSourceNat' is true? > > > > > > > > > > > > Thanks, > > > > > > > > > > > > Will > > > > > > > > > > > > > > > > > > > >
