apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

[DOCS] files for s2s

Browse Source
This commit is contained in:
Radhika PC 2012-09-14 12:09:24 -04:00 committed by David Nalley
parent b968cb855b
commit 006931aebb
2 changed files with 229 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
docs/en-US/site-to-site-vpn.xml
View File

@ -3,43 +3,60 @@
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="site-to-site-vpn">
<title>Site-to-Site VPN</title>
<para></para>
<para>To add a Virtual Private Cloud (VPC):</para>
<orderedlist>
<listitem><para>Log in to the &PRODUCT; UI as an administrator or end user. </para></listitem>
<listitem><para>In the left navigation, choose Network</para></listitem>
<listitem><para>In the Select view, select site-to-site VPN.</para></listitem>
<listitem><para>Click Add site-to-site VPN. Provide the following information:</para>
<itemizedlist>
<listitem><para><emphasis role="bold">IP Address</emphasis>:.</para></listitem>
<listitem><para><emphasis role="bold">Gateway</emphasis>: The IP address of the remote gateway.</para></listitem>
<listitem><para><emphasis role="bold">CIDR list</emphasis>: The guest CIDR list of the remote subnets. Enter a CIDR or a comma-separated list of CIDRs. </para></listitem>
<listitem><para><emphasis role="bold">IPsec Preshared Key</emphasis>: The preshared key of the remote gateway.</para></listitem>
<listitem><para><emphasis role="bold">IKE Policy</emphasis>: Internet Key Exchange (IKE) policy for phase 1. Specify it as a combination of the encryption algorithm(aes,3des,des) and hash algorithm(sha1,md5). For example: aes-sha1, 3des-sha1.</para></listitem>
<listitem><para><emphasis role="bold">ESP Policy</emphasis>: Encapsulating Security Payload (ESP) policy for phase 2. Specify it as a combination of the encryption algorithm(aes,3des,des) and hash algorithm(sha1,md5). For example: aes-sha1, 3des-sha1.</para></listitem>
<listitem><para><emphasis role="bold">Lifetime (seconds)</emphasis>: Lifetime of SA in seconds. Default is 86400 seconds(1day).</para></listitem>
</itemizedlist></listitem>
<listitem><para>Click OK.</para></listitem>
</orderedlist>
</section>
<title>Setting Up a Site-to-Site VPN Connection</title>
<para>A Site-to-Site VPN connection helps you establish a secure connection from an enterprise
datacenter to the cloud infrastructure. This allows users to access the guest VMs by
establishing a VPN connection to the virtual router of the account from a device in the
datacenter of the enterprise. Having this facility eliminates the need to establish VPN
connections to individual VMs.</para>
<para>The supported endpoints on the remote datacenters are: </para>
<itemizedlist>
<listitem>
<para>Cisco ISR with IOS 12.4 or later</para>
</listitem>
<listitem>
<para>Juniper J-Series routers with JunOS 9.5 or later</para>
</listitem>
</itemizedlist>
<note>
<para>In addition to the specific Cisco and Juniper devices listed above, the expectation is
that any Cisco or Juniper device running on the supported operating systems are able to
establish VPN connections.</para>
</note>
<para> To set up a Site-to-Site VPN connection, perform the following:</para>
<orderedlist>
<listitem>
<para>Create a Virtual Private Cloud (VPC).</para>
<para>See <xref linkend="configure-vpc"/>.</para>
</listitem>
<listitem>
<para>Create a VPN Customer Gateway.</para>
</listitem>
<listitem>
<para>Create a VPN gateway for the VPC that you created.</para>
</listitem>
<listitem>
<para>Create VPN connection from the VPC VPN gateway to the customer VPN gateway.</para>
</listitem>
</orderedlist>
<xi:include href="create-vpn-customer-gateway.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="create-vpn-gateway-for-vpc.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="create-vpn-connection-vpc.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="delete-reset-vpn.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</section>

209
docs/en-US/vpc.xml
View File

@ -3,40 +3,181 @@
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="vpc">
<title>Virtual Private Cloud</title>
<para></para>
<para>To add a Virtual Private Cloud (VPC):</para>
<orderedlist>
<listitem><para>Log in to the &PRODUCT; UI as an administrator or end user. </para></listitem>
<listitem><para>In the left navigation, choose Network</para></listitem>
<listitem><para>In the Select view, select VPC.</para></listitem>
<listitem><para>Click Add VPC. Provide the following information:</para>
<itemizedlist>
<listitem><para><emphasis role="bold">Name</emphasis>: A short name for the VPC that you are creating.</para></listitem>
<listitem><para><emphasis role="bold">Description</emphasis>: A brief description of the VPC.</para></listitem>
<listitem><para><emphasis role="bold">Zone</emphasis>: Choose the zone where you want the VPC to be available.</para></listitem>
<listitem><para><emphasis role="bold">CIDR</emphasis>: To accept the traffic only from the IP addresses within a particular address block, enter a CIDR or a comma-separated list of CIDRs. The CIDR is the base IP address of the incoming traffic. For example, 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para></listitem>
<listitem><para><emphasis role="bold">Network Domain</emphasis>: If you want to assign a special domain name to this network, specify the DNS suffix.</para></listitem>
</itemizedlist></listitem>
</orderedlist>
</section>
<title>About Virtual Private Clouds</title>
<para>&PRODUCT; Virtual Private Cloud is a private, isolated part of &PRODUCT;. A VPC can have its
own virtual network topology that resembles a traditional physical network. You can launch VMs
in the virtual network that can have private addresses in the range of your choice, for example:
10.0.0.0/16. You can define network tiers within your VPC network range, which in turn enables
you to group similar kinds of instances based on IP address range.</para>
<para>For example, if a VPC has the private range 10.0.0.0/16, its guest networks can have the
network ranges 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, and so on.</para>
<formalpara>
<title>Major Components of a VPC:</title>
<para>A VPC is comprised of the following network components:</para>
</formalpara>
<itemizedlist>
<listitem>
<para><emphasis role="bold">VPC</emphasis>: A VPC acts as a container for multiple isolated
networks that can communicate with each other via its virtual router.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Network Tiers</emphasis>: Each tier acts as an isolated network
with its own VLANs and CIDR list, where you can place groups of resources, such as VMs. The
tiers are segmented by means of VLANs. The NIC of each tier acts as its gateway.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Virtual Router</emphasis>: A virtual router is automatically
created and started when you create a VPC. The virtual router connect the tiers and direct
traffic among the public gateway, the VPN gateways, and the NAT instances. For each tier, a
corresponding NIC and IP exist in the virtual router. The virtual router provides DNS and
DHCP services through its IP.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Public Gateway</emphasis>: The traffic to and from the Internet
routed to the VPC through the public gateway. In a VPC, the public gateway is not exposed to
the end user; therefore, static routes are not support for the public gateway.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Private Gateway</emphasis>: All the traffic to and from a private
network routed to the VPC through the private gateway. For more information, see <xref
linkend="add-gateway-vpc"/>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">VPN Gateway</emphasis>: The VPC side of a VPN connection.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Site-to-Site VPN Connection</emphasis>: A hardware-based VPN
connection between your VPC and your datacenter, home network, or co-location facility. For
more information, see <xref linkend="site-to-site-vpn"/>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Customer Gateway</emphasis>: The customer side of a VPN
Connection. For more information, see <xref linkend="create-vpn-customer-gateway"/>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">NAT Instance</emphasis>: An instance that provides Port Address
Translation for instances to access the Internet via the public gateway. For more
information, see <xref linkend="enable-disable-static-nat-vpc"/>.</para>
</listitem>
</itemizedlist>
<formalpara>
<title>Network Architecture in a VPC</title>
<para>In a VPC, the following four basic options of network architectures are present:</para>
</formalpara>
<itemizedlist>
<listitem>
<para>VPC with a public gateway only</para>
</listitem>
<listitem>
<para>VPC with public and private gateways</para>
</listitem>
<listitem>
<para>VPC with public and private gateways and site-to-site VPN access</para>
</listitem>
<listitem>
<para>VPC with a private gateway only and site-to-site VPN access</para>
</listitem>
</itemizedlist>
<formalpara>
<title>Connectivity Options for a VPC</title>
<para>You can connect your VPC to:</para>
</formalpara>
<itemizedlist>
<listitem>
<para>The Internet through the public gateway.</para>
</listitem>
<listitem>
<para>The corporate datacenter by using a site-to-site VPN connection through the VPN
gateway.</para>
</listitem>
<listitem>
<para>Both the Internet and your corporate datacenter by using both the public gateway and a
VPN gateway.</para>
</listitem>
</itemizedlist>
<formalpara>
<title>VPC Network Considerations</title>
<para>Consider the following before you create a VPC:</para>
</formalpara>
<itemizedlist>
<listitem>
<para>A VPC, by default, is created in the enabled state.</para>
</listitem>
<listitem>
<para>A VPC can be created in Advance zone only, and can't belong to more than one zone at a
time.</para>
</listitem>
<listitem>
<para>The default number of VPCs an account can create is 20. However, you can change it by
using the max.account.vpcs global parameter, which controls the maximum number of VPCs an
account is allowed to create.</para>
</listitem>
<listitem>
<para>The default number of tiers an account can create within a VPC is 3. You can configure
this number by using the vpc.max.networks parameter.</para>
</listitem>
<listitem>
<para>Each tier should have an unique CIDR in the VPC. Ensure that the tier's CIDR should be
within the VPC CIDR range.</para>
</listitem>
<listitem>
<para>A tier belongs to only one VPC. </para>
</listitem>
<listitem>
<para>All network tiers inside the VPC should belong to the same account.</para>
</listitem>
<listitem>
<para>When a VPC is created, by default, a SourceNAT IP is allocated to it. The Source NAT IP
is released only when the VPC is removed.</para>
</listitem>
<listitem>
<para>A public IP can be used for only one purpose at a time. If the IP is a sourceNAT, it
cannot be used for StaticNAT or port forwarding.</para>
</listitem>
<listitem>
<para>The instances only have a private IP address that you provision. To communicate with the
Internet, enable NAT to an instance that you launch in your VPC.</para>
</listitem>
<listitem>
<para>Only new networks can be added to a VPC. The maximum number of networks per VPC is
limited by the value you specify in the vpc.max.networks parameter. The default value is
three.</para>
</listitem>
<listitem>
<para>The load balancing service can be supported by only one tier inside the VPC.</para>
</listitem>
<listitem>
<para>If an IP address is assigned to a tier:</para>
<itemizedlist>
<listitem>
<para>That IP can't be used by more than one tier at a time in the VPC. For example, if
you have tiers A and B, and a public IP1, you can create a port forwarding rule by using
the IP either for A or B, but not for both.</para>
</listitem>
<listitem>
<para>That IP can't be used for StaticNAT, load balancing, or port forwarding rules for
another guest network inside the VPC.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Remote access VPN is not supported in VPC networks.</para>
</listitem>
</itemizedlist>
</section>