Hi all,

We are investigating security groups support in Advanced zones. It would be
nice to get your feedback.

Some background knowledge:
(1) There are 3 types of zones in CloudStack: Basic, Advanced, Advanced
with Security groups (supports KVM and XenServer; VMware is not supported).
(2) Admins can create shared networks in all 3 zones, but they can only
create isolated networks in the Advanced zones.
(3) For VMs on shared networks in a Basic zone or an Advanced zone with
Security groups, users can create security groups and associate them with
the VMs as firewalls. The security group rules are applied on hypervisors
(KVM/XenServer).
(4) For VMs on shared networks in an Advanced zone, there are no security
group rules. All ports are open; users have to configure a firewall inside
the VMs.

I am wondering if it is necessary to add security groups for shared
networks in Advanced zones. Here are some advantages:
(1) VMs on shared networks will have firewall rules (applied on the hypervisor).
(2) We do not need to manage multiple zone types.
Basic zones = advanced zone with only 1 shared network
Advanced zone with security groups = advanced zone with multiple shared
networks.

What's your opinion? Will it be helpful for you?

Kind regards,
Wei
