My problem is that I want to integrate F5 load balancer also. So I'm stuck with advanced mode. Also I don't like that VMs have public IPs by default in basic mode.
Bjoern

On Oct 18, 2013, at 6:22 AM, "Murali Reddy" <murali.re...@citrix.com> wrote:

Bjoern,

Sorry, that commit only fixes part of the problem. Still there are two more issues (source NAT and SG + source NAT combination is not permitted and public traffic type is not allowed in security group based shared network). I opened a feature enhancement CLOUDSTACK-4891 bug for this issue.

You may want to try basic zone model of CloudStack which provides security group based L3 isolation with EIP (1:1 NAT) & ELB services with NetScaler.

Thanks,
Murali

From: Bjoern Teipel <bjoern.tei...@internetbrands.com>
Reply-To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>
Date: Thursday, 17 October 2013 10:29 AM
To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>
Subject: Re: Creating advanced network

Hi Murali,

I saw your git commits. I want to compile now your changes into our source code.
Do I need just the one for 4.2 or also the master commits:

Commit 4d07493a5e6e13462b80ba09c3535fa4af0ebdc7 in branch refs/heads/4.2 from Murali Reddy
<https://issues.apache.org/jira/browse/CLOUDSTACK-4717#>

ASF subversion and git services added a comment - Today 06:18
Commit df3b09944968718111d9b6b29d4c7f5a5cfaf630 in branch refs/heads/master from Murali Reddy

ASF subversion and git services added a comment - Today 14:45
Commit df3b09944968718111d9b6b29d4c7f5a5cfaf630 in branch refs/heads/ui-restyle from Murali Reddy

Thanks,
Bjoern

On 10/16/2013 2:35 AM, Murali Reddy wrote:

On 16/10/13 12:23 PM, "Bjoern Teipel" <bjoern.tei...@internetbrands.com> wrote:

Murali,

That would be great if you're right. But I'm now in a deadlock:

Adding new network offering including LB:

2013-10-15 23:34:50,920 WARN [network.element.VirtualRouterElement] (catalina-exec-19:null) Virtual router can't enable services [Dns Dhcp UserData Lb ] without source NAT service
2013-10-15 23:34:50,924 ERROR [cloud.api.ApiServer] (catalina-exec-19:null) unhandled exception executing api command: createNetworkOffering com.cloud.exception.UnsupportedServiceException: Provider VirtualRouter doesn't support services combination: [Dns, Dhcp, UserData, Lb]

That forces me to add source NAT, but once I want to add a guest network in the zone I get the opposite error.
I can't mix SG + sourceNat

013-10-15 23:46:30,896 INFO [cloud.api.ApiServer] (catalina-exec-22:null) Service SourceNat is not allowed in security group enabled zone

First issue is a known issue (CLOUDSTACK-4717) and is getting addressed in 4.2.1. Not sure why source NAT should not be allowed in SG network. Sorry, this is indeed a deadlock situation. It does not look like you can use LB within shared network with SG in advanced zone.

So no internal LB?

Thanks,
Bjoern

On 10/15/2013 11:28 PM, Murali Reddy wrote:

On 16/10/13 7:17 AM, "Bjoern Teipel" <bjoern.tei...@internetbrands.com> wrote:

Wow, all user@cloudstack mails got caught in my spam filter, so sorry for the late response.

After tinkering the whole day I gave up using a tagged VLAN for the storage traffic, seems not to work. It ignores the VID and doesn't create the VLAN on the hypervisor. I added the VLAN to the hypervisor now and bound cloudbr1 to it and am using it untagged in CloudStack. Finally all is up. :-)

Now I was looking how to use a load balancer like the internal CloudStack one or even the F5 and it seems it's not supported. No CloudStack support for internal LB (the VR one) or F5? Really!!! According to the advanced network and security groups specification (https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone) AddF5LoadBalancerCmd API commands will just fail in SG enabled zone. That's just a joke.

4.1 did not support PF/NAT/LB services in shared network. From 4.2, all network services are supported in shared network with or without SG so you should be able to use F5/VR/NetScaler for LB.

I'm really close to ending the CloudStack adventure and moving on with OpenStack. Having a shared network with SG and load balancer is not really an uncommon solution