Hi Nick Livens,

I have gone through the FS and the following are my review comments:
1. Will this LB appliance be placed between the guest VMs and the Nuage VSP provider (Nuage VSP and the LB appliance will have one NIC in the guest network)?

2. Is there any specific reason for traffic filtering on the LB appliance instead of the Nuage VSP? If we configure firewall rules for LB services on the Nuage VSP instead of the inline LB appliance (iptables rules for LB traffic), traffic can be filtered on the Nuage VSP before NATting?

Best Regards,
Sanjeev N
Chief Product Engineer, Accelerite
Off: +91 40 6722 9368 | EMail: sanjeev.neelar...@accelerite.com

-----Original Message-----
From: ilya [mailto:ilya.mailing.li...@gmail.com]
Sent: Thursday, March 24, 2016 10:16 PM
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] Request for comments : VPC Inline LoadBalancer (new plugin)

Hi Nick,

Being a fan of SDN, I gave this proposal a thorough read. I have only 1 comment that you can perhaps use to reconsider:

"Each appliance will have 2 nics, one for management, and one in the guest network."

In general, 2 NICs, one going to management and one going to guest, is looked upon very negatively by internal InfoSec teams. This implementation will make an LB non-compliant from a SOX or PCI perspective.

Proposed alternate solution:

Deploy a VM with 2 NICs but put them both on the same guest network (I believe support for 2 NICs on the *same* guest network has already been submitted upstream). 1 NIC for MGMT and 1 NIC for GUEST. Using the SDN's ability to restrict communication flow (openvswitch or what not), only allow specific connections from the CloudStack MS to the Inline LB on the MGMT NIC. You will need to block all external GUEST communication to the MGMT NIC and only make it talk to the CloudStack MS on specific ports.

This approach should preserve internal compliance and won't raise any red flags.

Perhaps reach out to a client who requested this feature and ask what they think; maybe they have not thought this through.
Regards
ilya

PS: If we were to entertain the idea of an InLine LB, we would most likely ask for the approach mentioned above.

On 3/24/16 1:18 AM, Nick LIVENS wrote:
> Hi all,
>
> I'd like to propose a new plugin called the "VPC Inline LB" plugin.
> The design document can be found at :
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61340894
>
> Looking forward to hearing your reviews / thoughts.
>
> Thanks!
>
> Kind regards,
> Nick Livens
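Editor's note: the following is an added illustration of the management-NIC isolation ilya proposes above (both NICs on the same guest network, the MGMT NIC reachable only from the CloudStack management server on a few ports, guest traffic allowed only to the LB VIP). It is not code from the VPC Inline LB design document or from anyone in this thread. The interface names, the management-server subnet, the management ports (22 and 8250) and the VIP/LB ports are assumed values chosen for the example; the policy is expressed once as a packet decision function and rendered as equivalent iptables commands for the appliance.

```python
"""
Policy model for a 2-NIC inline LB appliance where both NICs sit on the
same guest network (ilya's proposed alternative).  All addresses, NIC
names and ports below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Assumed topology (not taken from the design document).
MGMT_NIC = "eth0"                              # NIC used only by the CloudStack MS
GUEST_NIC = "eth1"                             # NIC carrying load-balanced traffic
MS_HOSTS = [ip_network("192.168.10.0/24")]     # assumed management-server subnet
MGMT_PORTS = {22, 8250}                        # assumed: SSH and the MS agent port
LB_VIP = ip_address("10.1.1.10")               # assumed VIP on the guest network
LB_PORTS = {80, 443}                           # assumed load-balanced services


@dataclass(frozen=True)
class Packet:
    """A new inbound connection attempt as seen by the appliance."""
    in_nic: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def decide(pkt: Packet) -> str:
    """Return 'ACCEPT' or 'DROP' for a new inbound connection.

    The MGMT NIC accepts only the management servers on the listed
    ports; a guest VM on the same network that tries port 22 on the
    MGMT NIC is dropped, which is the compliance point of the proposal.
    The GUEST NIC accepts only traffic to the VIP on the LB ports.
    """
    src = ip_address(pkt.src)
    dst = ip_address(pkt.dst)
    if pkt.in_nic == MGMT_NIC:
        from_ms = any(src in net for net in MS_HOSTS)
        if pkt.proto == "tcp" and pkt.dport in MGMT_PORTS and from_ms:
            return "ACCEPT"
        return "DROP"
    if pkt.in_nic == GUEST_NIC:
        if pkt.proto == "tcp" and dst == LB_VIP and pkt.dport in LB_PORTS:
            return "ACCEPT"
        return "DROP"
    return "DROP"  # unknown interface: fail closed


def iptables_rules() -> List[str]:
    """Render the same policy as iptables commands for the appliance."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net in MS_HOSTS:
        for port in sorted(MGMT_PORTS):
            rules.append(
                f"iptables -A INPUT -i {MGMT_NIC} -p tcp -s {net} "
                f"--dport {port} -j ACCEPT"
            )
    for port in sorted(LB_PORTS):
        rules.append(
            f"iptables -A INPUT -i {GUEST_NIC} -p tcp -d {LB_VIP} "
            f"--dport {port} -j ACCEPT"
        )
    # Explicit drop for anything else arriving on the MGMT NIC, so the
    # isolation does not silently depend on the default policy.
    rules.append(f"iptables -A INPUT -i {MGMT_NIC} -j DROP")
    return rules


if __name__ == "__main__":
    samples = [
        Packet(MGMT_NIC, "192.168.10.5", "10.1.1.2", 22),    # MS -> MGMT NIC
        Packet(MGMT_NIC, "10.1.1.50", "10.1.1.2", 22),       # guest VM -> MGMT NIC
        Packet(GUEST_NIC, "10.1.1.50", "10.1.1.10", 443),    # client -> VIP
        Packet(GUEST_NIC, "10.1.1.50", "10.1.1.10", 22),     # client -> VIP ssh
    ]
    for p in samples:
        print(f"{p.in_nic} {p.src} -> {p.dst}:{p.dport}/{p.proto}: {decide(p)}")
    print("\n".join(iptables_rules()))
```

The same allowlist could be pushed into the SDN as flow rules on the appliance's ports instead of (or in addition to) iptables on the appliance; the decision function is the part to keep identical in both places so that the two enforcement points cannot drift apart.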