cloudstack nyc meetup: networking
TRANSCRIPT
Current as of Apache CloudStack 4.4/Citrix CloudPlatform 4.5
CloudStack NYC: Networking Overview

Introductions
- Thanks to BWG Strategy and ShapeBlue

CloudStack Zone Types
- Basic
- Advanced
  - Security Groups
  - Isolated
  - VPC
Basic: Flat Network
- Single VLAN
- Consecutive IP blocks
- Security and Isolation handled by Security Groups
- Security Groups supported on: KVM, XenServer, LXC, Bare Metal
- Compare to AWS Classic
Basic Zone
Advanced: Security Groups
- Only supported on KVM
- Like Basic, but allows VLAN isolation between Guest, Management, and Storage traffic
Advanced: Isolated
- VLAN isolation between Networks and Domains
- Requires Advanced Networking
- Hypervisor support: KVM, XenServer, VMware vSphere, LXC, Hyper-V, Bare Metal
- Requires 802.1Q capable hardware (switch/router/firewall)

Advanced: Isolated (continued)
- A single VM can live in one or more networks
- Each Isolated Network is a VLAN (even within a Domain)
- Cross-Network traffic can be routed via a VM in both networks, or via VPN
Advanced: VPC
- VLAN isolation between VPCs and Domains
- Requires Advanced Networking
- Hypervisor support: KVM, XenServer, VMware vSphere, LXC, Hyper-V
- Requires 802.1Q capable hardware (switch/router/firewall)

Advanced: VPC (continued)
- A Domain VPC defines a SuperNet, and Networks are created as Subnets (tiers) of this SuperNet
- A single VM can live in only one tier (Subnet)
  (but it can live in a VPC tier and an Isolated Network at the same time)
Network Service Offerings
- Means of defining what Network Services you want to offer to your Domains
- Defaults provide most services for a given Network Type
- New offerings can be created to tie into other Network Devices:
  NetScaler, Nicira NVP, Brocade, BigSwitch VNS, F5, OpenDaylight (Experimental), Cisco VNMC, MidoNet, Nuage VSP, Juniper SRX, Palo Alto ...and so many more...
Advanced Zone
Virtual Router
- One per CIDR block for Basic and Advanced with Security Groups
- One per Network for Advanced Isolated
- One per VPC for Advanced VPC
- Provides:
  - Routing
  - Firewalling
  - NAT
  - Load Balancing
  - VPN
    - Road-Warrior (remote access) for Advanced Isolated
    - Site-to-Site for Advanced VPC
  - DHCP
  - DNS
  - PXE (for Bare Metal)
Networking Concerns
IP Addresses/VLANs
- Must hold at least 3 IP addresses for System VMs (more for Advanced)
- Public Space
  - IP addresses for "Public" IPs
  - "Public" IPs are held by Router VMs on their "outside" interface
- Guest Space
  - VLAN range used by Guest Networks in an Advanced Isolated/VPC Zone
  - Default CIDR block can be set at Zone creation
  - ...but the default CIDR block can be overridden per network
- Management Space
  - VLAN/IP space used to manage Hypervisors
  - Also used for "link-local" (System VM) management on VMware
- Storage Space
  - Used for communication from Hypervisors to Primary and Secondary Storage
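The two planning rules the deck states (the VPC tiers must be Subnets of the VPC SuperNet, and the Public, Guest, Management and Storage spaces must be distinct, with Public holding at least 3 addresses for the System VMs) are easy to get wrong at zone creation, and an overlap between, say, the Storage and Guest space silently exposes hypervisor-to-storage traffic to guest VLANs. The following is an added example, not code from the deck or from the CloudStack project: a small pre-flight validator over a zone address plan. The function names, the sample CIDRs and the pool size are constructed for illustration; the only CloudStack-specific fact it encodes is the deck's "at least 3 public IPs for System VMs" rule.

```python
"""Pre-flight checks for a CloudStack zone address plan.

Added example (not from the slide deck or the CloudStack project). It
checks the planning rules the deck lists: the four zone spaces must not
overlap, the Public range must hold at least three System VM addresses,
and each VPC tier must be a subnet of the VPC SuperNet and not overlap
another tier. All CIDRs are constructed sample values.
"""
import ipaddress
from typing import Dict, List

# From the deck: the Public range must hold at least 3 IPs for System VMs.
MIN_PUBLIC_IPS_FOR_SYSTEM_VMS = 3


def _net(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR strictly: host bits set (e.g. 10.1.1.5/24) raise
    ValueError, which is the usual sign of a typo in a zone definition."""
    return ipaddress.ip_network(cidr, strict=True)


def check_zone_spaces(spaces: Dict[str, str], public_pool_size: int) -> List[str]:
    """Return a list of problems with the zone spaces (empty means OK).

    spaces maps a space name (Public/Guest/Management/Storage) to its CIDR;
    public_pool_size is the number of usable addresses in the Public range.
    """
    problems: List[str] = []
    nets = {name: _net(cidr) for name, cidr in spaces.items()}
    names = list(nets)
    # Every pair of spaces must be disjoint: an overlap means one traffic
    # class (e.g. storage) is reachable from another (e.g. guest).
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} space {nets[a]} overlaps {b} space {nets[b]}")
    if public_pool_size < MIN_PUBLIC_IPS_FOR_SYSTEM_VMS:
        problems.append(
            f"Public range holds {public_pool_size} addresses; System VMs need "
            f"at least {MIN_PUBLIC_IPS_FOR_SYSTEM_VMS}")
    return problems


def check_vpc_tiers(supernet: str, tiers: Dict[str, str]) -> List[str]:
    """Return problems with a VPC tier layout (empty means OK).

    Each tier must be a subnet of the SuperNet, and tiers must not overlap
    each other, since a VM lives in exactly one tier.
    """
    problems: List[str] = []
    sn = _net(supernet)
    tier_nets = {name: _net(cidr) for name, cidr in tiers.items()}
    for name, tn in tier_nets.items():
        if not tn.subnet_of(sn):
            problems.append(f"tier {name} {tn} is not a subnet of SuperNet {sn}")
    names = list(tier_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if tier_nets[a].overlaps(tier_nets[b]):
                problems.append(
                    f"tier {a} {tier_nets[a]} overlaps tier {b} {tier_nets[b]}")
    return problems


# Constructed sample zone plan (documentation ranges, not a real deployment).
SAMPLE_SPACES = {
    "Public": "203.0.113.0/24",
    "Guest": "10.1.0.0/16",
    "Management": "192.0.2.0/24",
    "Storage": "198.51.100.0/24",
}
SAMPLE_VPC_SUPERNET = "10.1.0.0/16"
SAMPLE_VPC_TIERS = {"web": "10.1.1.0/24", "app": "10.1.2.0/24", "db": "10.1.3.0/24"}


if __name__ == "__main__":
    for problem in check_zone_spaces(SAMPLE_SPACES, public_pool_size=254):
        print("zone:", problem)
    for problem in check_vpc_tiers(SAMPLE_VPC_SUPERNET, SAMPLE_VPC_TIERS):
        print("vpc:", problem)
    print("plan checked")
```

Run the checks before handing a plan to the zone wizard; a non-empty list is the list of things to fix. The Guest space may legitimately equal the VPC SuperNet (as in the sample), because the VPC is carved out of the Guest space; what must never happen is the Guest space overlapping the Management or Storage space.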
(ciscomentor.com)
Wrap-Up
- Network Diagram Icons (c) Node-Nine, Inc.
Thank you BWG Strategy and ShapeBlue