The virtual router will be deployed once for a shared network to provide DHCP and DNS services, or per account and isolated guest network when advanced networking is used. It has three network interface cards - one connected to the isolated guest network to serve as the gateway, DHCP, and DNS server for VMs on that network, one on the management network, and one on the public network with a public IP address. The virtual router isolates VMs and performs source NAT for outbound traffic by default. It uses a secure Debian OS configuration with essential packages only and non-standard services ports.

1. CloudStack Virtual Router
Alex Huang
November 5 2012

2. CloudStack Virtual Router (Virtual
Router)
• The Virtual Router will be deployed once (when the first
instance is deployed in a Zone) when a Shared Network is used
providing DHCP and DNS services for the Zone’s Instances (IPs
will be allocated from the Public IP Range entered in
CloudStack)
• When Advanced is used the Router will be deployed Per-
Account (and Per Unique Isolated Guest Network)
• Virtual Router can serve and isolate VMs even if deployed on a
different Hypervisor

3. CloudStack Virtual Router
• The Virtual Router will have 3 NICs:
– Eth0 will be connected to the Isolated Guest Network (for Advanced VLAN). It will have the first IP in
the CIDR (for example10.1.1.1) and it will be the DNS, DHCP and Gateway for the Instances in the
Private Guest Network.
– Eth1 resides on local-link network (only for KVM and XenServer) or the Management Network (on
VMware) and is used by CloudStack to configure the virtual router. On VMware it will use an IPs from
the Management Network IP Range (e.g. Pod Private Range)
– Eth2 resides on the Public Network and assigned with a Public IP from the range entered in CloudStack
(users can ‘Acquire New IPs’ if needed)
• In the default Isolated Mode - Source NAT is automatically configured on
the virtual router to forward outbound traffic for all guest VMs and block all
incoming traffic (users can manage incoming rules from UI)

4. Virtual Router Information (applies to
all Sys. VMs)
• Debian 6.0 ("Squeeze"), 2.6.32 kernel with the latest security patches from the Debian security
APT repository. No extraneous accounts
• 32-bit for enhanced performance on Xen/VMWare
• Only essential software packages are installed. Services such as, printing, ftp, telnet, X, kudzu,
dns, sendmail are not installed.
• SSHd only listens on the private/link-local interface. SSH port has been changed to a non-
standard port. SSH logins only using keys (keys are generated at install time and are unique for
every customer)
• pvops kernel with Xen paravirt drivers + KVM virtio drivers + VMware tools for optimum
performance on all hypervisors. Xen tools inclusion allows performance monitoring
• Template is built from scratch and is not polluted with any old logs or history
• Latest versions of haproxy, iptables, ipsec, apache from debian repository ensures improved
security and speed
• Latest version of jre from Oracle ensures improved security and speed