Apache CloudStack provides basic and advanced networking models. The basic model uses L3 isolation and security groups, while the advanced model enables L2 isolation, IP management, firewalls, load balancing, and other features. Network offerings define networks for users, specifying isolation type, services, and virtual router configuration. Virtual routers are virtual machines that act as DHCP servers and provide routing, firewalling, load balancing, and other services within CloudStack networks.

1. Apache CloudStack Networking
Overview
Sheng Yang
Jan 28, 2014

2. Outline
●
Network models
–
Basic network
–
Advanced network
●
Network Offering
●
Virtual Router
●
And more

3. Basic Networking
●
EC2 Classic-style network
–
L3 Isolation
–
Segmentation done by security group
–
Easy to setup and easy to scale
–
EIP/ELB supported
●
With Netscaler devices

4. Advanced Networking
●
Virtual Private Cloud(VPC) supported
●
L2 isolation
–
VLAN by default
●
IP Address Management, DNS, Firewall, NAT, VPN, LB
●
External hardware firewall/LB supported
●
Traffic accounting
●
Access control(ACL)
●
Software Defined Network(SDN)
●
Redundant Virtual Router support
–
For isolated network only

5. Basic vs Advanced Networking
●
Basic:
–
–
Easier to deploy
–
●
L3 isolation
Scalability
Advanced:
–
L2 isolation
–
Feature rich

6. Basic Networking
Public network
L2/L3 Core Switch
Guest Network
Pod L2 Switch
Pod L2 Switch
Web VM 1
Web VM 2
App VM 2
DB Master
Web VM 3
App VM 1
DHCP Server
VM
Web VM 4
DB Slave
DHCP server
VM
Web security group
CloudStack Appliance
App security group
DB security group

7. Isolated network
Road Warrior
Remote Access VPN
Public network Virtual router
VM
VLAN 1000
Web 1
App 1
Redundant Virtual router
VM Master
VLAN 1001
Load Balancing
Redundant Virtual router
VM Backup
CloudStack Appliance
App 2
Web 1
Web 2
Web 3
Redundant Virtual Router
Firewall,
NAT,
Remote Access VPN,
Load balancing,
Password/Userdata

8. Isolated network
with external devices
Side-by-Side Mode
Public network
VLAN 1001
Juniper SRX
Web 1
Netscaler
Load Balancer
Web 2
DHCP server
VM
Load Balancing
Inline Mode
Public network
VLAN 1001
Juniper SRX
Netscaler
Load Balancer
Web 1
Load Balancing
CloudStack Appliance
Web 2
DHCP server
VM
Firewall,
NAT,
Load balancing,
Password/Userdata

9. Virtual Private Cloud
Road Warrior
Web Tier: 10.1.0.1/24
VLAN 1001
Web 1
Remote Access VPN
Public network
10.1.0.1/16
VPC router
VM
Web 2
Web 3
Public Load balancing
App Tier: 10.1.1.1/24
VLAN 1000
App 1
App 2
Internal LB
VM
Internal Load balancing
Site-to-site VPN
DB Tier: 10.1.2.1/24
VLAN 1002
Remote Network
Router
CloudStack Appliance
DB Master
DB Slave
ACL,
NAT,
Load balancing,
Remote Access VPN,
Site-to-Site VPN,
Password/Userdata

10. Virtual Private Cloud
with shared network
Road Warrior
10.10.10.1/24
Web Tier: 10.1.0.1/24
VLAN 1001
Web 1
Remote Access VPN
Public network
10.1.0.1/16
VPC router
VM
Web 2
App Tier: 10.1.1.1/24
VLAN 1000
App 1
Site-to-site VPN
Web 3
App 2
DB Tier: 10.1.2.1/24
VLAN 1002
Remote Network
Router
DB Master
DB Slave
Monitor VM
DHCP Server
VM
CloudStack Appliance
VLAN 1010

11. Network Offering
●
How would user want to define a network
●
Type of the network
–
●
Service needed
–
●
External network devices e.g. Netscaler can be used for certain services
Virtual Router's system offering
–
●
DHCP, DNS, source NAT, static NAT, port forwarding, load balancing, VPN, etc.
The provider of the services
–
●
VPC, Isolated or Shared network
CPU, memory, etc.
And various capabilities:
–
Redundant router, in-line mode or side-by-side mode, etc.

12. Virtual Router
●
●
●
A key component of CloudStack networking
infrastructure
A CloudStack generated VM acting as DHCP
server or router in the network
Created/destroyed with network/VPC
–
Automatically shutdown if there is no active VM in
the network

13. Virtual Router Internal
●
Based on latest Debian stable release
–
Debian 7 “Wheezy” at this point
●
Dnsmasq: DNS, DHCP
●
IPtables: firewall, ACL, NAT
●
HAproxy: load balancing
●
OpenSwan: VPN
●
Apache HTTP server: user data, password
●
Keepalived: redundant virtual router

14. Virtual Router Mechanism
●
All commands to VR would be executed by some scripts in the VR
●
NICs:
–
–
Control NIC
–
●
Public NIC
Guest network NIC
Configure when VR is booting up
–
–
●
IP of the nics
Default state and configuration for services
Automatically update the scripts when rebooting
–
Through a mounted iso file(systemvm.iso)

15. What's more
●
IPv6 support
●
SDN
–
●
External Network Devices
–
●
OpenVSwitch, Nicira NVP, MidoNet, Big Switch
VNS, Juniper Contrail, etc.
Netscaler, Juniper SRX, F5 Big-IP, Palo Alto
Firewall, etc.
More and more is coming from community