can I run CloudStack without IPtables?
Hi, all:

I am trying different network setups in my CloudStack eval effort, and I am wondering if CS can be configured to not use iptables at all, given that my intended goal is for a private cloud dedicated to my own company, in our own datacenter, and all our networks are behind our own hardware-based firewalls already?

If I can stop iptables on all system VMs, hypervisors and management servers, then it would be much easier to troubleshoot my setups and accelerate the eval process.

Thanks,
Yiping
Re: can I run CloudStack without IPtables?
Yiping,

Yes, you can have a non-iptables setup. Most of the enterprise installations don't rely on CloudStack's iptables, routing or VPC features and prefer to use existing physical firewalls and VLAN isolation.

If you have VLANs, but don't want to use iptables that comes thru the virtual router, look into CloudStack Advanced Zone Setup with Shared Network Functionality. In this case, you only leverage DHCP, userdata and DNS (optional).

You can create your own network offerings and bind the network to a non-VPC shared network offering. DHCP at this point in time is required. Userdata and DNS can be optional. You can choose to use your own in-house DNS and not route DNS queries through the CloudStack virtual router (you would need to create a custom network offering, which is a few clicks in the UI). You can also bypass userdata and serve your own userdata through external userdata services; you would need to write something on your end to support it.

Regards
ilya

On 6/9/14, 12:02 PM, Yiping Zhang wrote:

> Hi, all:
>
> I am trying different network setups in my CloudStack eval effort, and I am wondering if CS can be configured to not use iptables at all, given that my intended goal is for a private cloud dedicated to my own company, in our own datacenter, and all our networks are behind our own hardware-based firewalls already?
>
> If I can stop iptables on all system VMs, hypervisors and management servers, then it would be much easier to troubleshoot my setups and accelerate the eval process.
>
> Thanks,
> Yiping
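The offering described in the reply above (shared, non-VPC, DHCP required, DNS and userdata optional) can also be created through the API instead of the UI. The following is an added example, not part of the thread: it builds and signs a `createNetworkOffering` request offline. The `VirtualRouter` provider, the `specifyvlan`/`specifyipranges` values and the key strings are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

REQUIRED = {"Dhcp"}             # the reply: DHCP is required
OPTIONAL = {"Dns", "UserData"}  # the reply: both can be served elsewhere


def offering_params(name, services, provider="VirtualRouter"):
    """createNetworkOffering parameters for a non-VPC shared offering."""
    services = set(services)
    if not REQUIRED <= services:
        raise ValueError("Dhcp must be in the offering")
    extra = services - REQUIRED - OPTIONAL
    if extra:
        # Anything beyond the three services named in the reply is refused,
        # so the offering cannot quietly regain router-side features.
        raise ValueError("service not allowed here: %s" % sorted(extra))
    ordered = sorted(services)
    params = {
        "command": "createNetworkOffering",
        "name": name,
        "displaytext": name,
        "traffictype": "GUEST",
        "guestiptype": "Shared",
        "specifyvlan": "true",      # assumption: VLAN set per network
        "specifyipranges": "true",  # assumption: as in stock shared offerings
        "supportedservices": ",".join(ordered),
        "response": "json",
    }
    for i, svc in enumerate(ordered):
        params["serviceproviderlist[%d].service" % i] = svc
        params["serviceproviderlist[%d].provider" % i] = provider
    return params


def signed_query(params, api_key, secret_key):
    """Query string signed the way the CloudStack API expects: values
    URL-encoded, fields sorted, HMAC-SHA1 over the lower-cased string."""
    fields = dict(params, apikey=api_key)
    query = "&".join("%s=%s" % (k, quote(str(v), safe="*"))
                     for k, v in sorted(fields.items()))
    mac = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1)
    signature = base64.b64encode(mac.digest())
    return query + "&signature=" + quote(signature, safe="")
```

Append the returned string to the management server's API endpoint after `?`; the new offering still has to be enabled before a network can use it.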
Re: can I run CloudStack without IPtables?
Ilya:

Thanks for quick clarification. I'll check out defining my own network offerings.

Yiping

On 6/9/14, 1:21 PM, ilya musayev ilya.mailing.li...@gmail.com wrote:

> Yiping,
>
> Yes, you can have a non-iptables setup. Most of the enterprise installations don't rely on CloudStack's iptables, routing or VPC features and prefer to use existing physical firewalls and VLAN isolation.
>
> If you have VLANs, but don't want to use iptables that comes thru the virtual router, look into CloudStack Advanced Zone Setup with Shared Network Functionality. In this case, you only leverage DHCP, userdata and DNS (optional).
>
> You can create your own network offerings and bind the network to a non-VPC shared network offering. DHCP at this point in time is required. Userdata and DNS can be optional. You can choose to use your own in-house DNS and not route DNS queries through the CloudStack virtual router (you would need to create a custom network offering, which is a few clicks in the UI). You can also bypass userdata and serve your own userdata through external userdata services; you would need to write something on your end to support it.
>
> Regards
> ilya
Re: can I run CloudStack without IPtables?
Comments inline.

On 10-Jun-2014, at 3:58 am, Yiping Zhang yzh...@marketo.com wrote:

> Ilya:
>
> Thanks for quick clarification. I'll check out defining my own network offerings.
>
> Yiping

I use a shared network with a pfSense based firewall at home for all my VMs. The VMs spun on the shared network have a dedicated VLAN and a default gateway set to the pfSense firewall. Security Groups policies have no effect for VMs on a shared network.

http://shankerbalan.net/blog/create-a-shared-network-with-public-ips-in-cloudstack/ should be helpful.

Hth.

@shankerbalan