Not sure if this is the right place for this question, but I am in the
process of migrating my datacenter to CloudStack from a manually managed
virtualization cluster. I am doing this because we need to implement
full segregation between assets owned by different entities, and managing
that manually would be highly inefficient.
I have everything configured and working exactly the way I want it from
a segregation standpoint. When fully migrated we will have around 50
separate accounts, all segregated onto their own VLANs. The stumbling
block for me now is VPN access. We do not operate a public cloud. A
small number of sysadmins in my organization are responsible for all
management and administration of all assets hosted in the datacenter.
AFAIK, to use the VPN capability of the VRouter I would have to create
users for each sysadmin in all 50 accounts and then propagate any
changes to access rights via the API or manually through the UI. Our
current setup has 7 segregated VLANs that are accessible via a single
OpenVPN gateway that queries my LDAP server to determine access rights
and pushes network routes when a user authenticates.
I would like to reproduce this capability in CloudStack but am faltering
at determining how it could be done. I would prefer to keep all assets,
including the master VPN gateway, as VMs inside my CloudStack environment
and really don't want to incur the overhead of adding an OpenVPN VM to
each account. I also can't really just create a shared network and give
each VM a NIC on it, since that breaks the asset segregation that
precipitated this move to CloudStack. Finally, I have to be able to
query my LDAP server for authentication and authorization instead of the
CloudStack database.
Has anyone dealt with a similar architecture? How do you minimize the
overhead of a small group of admins and automated scripts needing access
to all the accounts? We are a software development and hosting firm. I
have 20 years' experience in both development and datacenter
administration. I am not afraid to get my hands dirty and write
something custom to handle this, but I am a novice at CloudStack and am
looking for some advice on how you would tackle this problem.
Thanks,
--
Matthew Smart
President
Smart Software Solutions Inc.
108 S Pierre St.
Pierre, SD 57501
Phone: (605) 280-0383
Skype: msmart13
Email: [email protected]
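The LDAP-backed OpenVPN gateway described in the message (per-user routes pushed when a user authenticates), as an added example that is not taken from the message or from CloudStack: a `client-connect` hook that derives the routes to push from directory group membership. The live directory query is replaced by an inline constructed mapping, and the group names, usernames and subnets are assumptions.

```python
"""Constructed OpenVPN client-connect hook: directory groups -> pushed routes.

OpenVPN exports the authenticated client's certificate CN as $common_name and
passes a per-client config file path as the last argument; lines written to
that file are applied to the client, and a non-zero exit refuses the session.
"""
import os
import sys

# Assumed mapping of directory groups to the VLAN subnets they may reach.
# On the real gateway this would come from an LDAP query; here it is inline.
GROUP_ROUTES = {
    "cn=sysadmins,ou=groups,dc=example,dc=com": [
        "10.10.1.0 255.255.255.0",
        "10.10.2.0 255.255.255.0",
        "10.10.3.0 255.255.255.0",
    ],
    "cn=tenant-a-devs,ou=groups,dc=example,dc=com": ["10.10.1.0 255.255.255.0"],
}

# Constructed sample of what the directory would return for each user.
USER_GROUPS = {
    "alice": ["cn=sysadmins,ou=groups,dc=example,dc=com"],
    "bob": ["cn=tenant-a-devs,ou=groups,dc=example,dc=com"],
    "carol": ["cn=tenant-b-devs,ou=groups,dc=example,dc=com"],  # grants nothing
}

def routes_for(user, user_groups=USER_GROUPS, group_routes=GROUP_ROUTES):
    """Union of routes over the user's groups; unknown users or groups get none."""
    routes = set()
    for group in user_groups.get(user, []):
        routes.update(group_routes.get(group, []))
    return sorted(routes)

def render_client_config(routes):
    """One push directive per allowed subnet, in OpenVPN client-config syntax."""
    return "".join(f'push "route {route}"\n' for route in routes)

def main():
    user = os.environ.get("common_name", "")
    routes = routes_for(user)
    if not routes:
        sys.exit(1)  # deny by default: no group grants this user any VLAN
    with open(sys.argv[-1], "w") as config:
        config.write(render_client_config(routes))

if __name__ == "__main__":
    main()
```

Wire it in with `client-connect /path/to/hook.py` (plus `script-security 2`) on the gateway; a user whose groups grant no subnet is refused rather than connected with no routes.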