mirror of
https://github.com/apache/cloudstack.git
synced 2025-11-04 00:02:37 +01:00
108 lines
5.6 KiB
XML
108 lines
5.6 KiB
XML
<?xml version='1.0' encoding='utf-8' ?>
|
|
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
|
|
%BOOK_ENTITIES;
|
|
]>
|
|
<!-- Licensed to the Apache Software Foundation (ASF) under one
|
|
or more contributor license agreements. See the NOTICE file
|
|
distributed with this work for additional information
|
|
regarding copyright ownership. The ASF licenses this file
|
|
to you under the Apache License, Version 2.0 (the
|
|
"License"); you may not use this file except in compliance
|
|
with the License. You may obtain a copy of the License at
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
Unless required by applicable law or agreed to in writing,
|
|
software distributed under the License is distributed on an
|
|
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
KIND, either express or implied. See the License for the
|
|
specific language governing permissions and limitations
|
|
under the License.
|
|
-->
|
|
<section id="inter-vlan-routing">
|
|
<title>About Inter-VLAN Routing (nTier Apps)</title>
|
|
<para>Inter-VLAN Routing (nTier Apps) is the capability to route network traffic between VLANs.
|
|
This feature enables you to build Virtual Private Clouds (VPC), an isolated segment of your
|
|
cloud, that can hold multi-tier applications. These tiers are deployed on different VLANs that
|
|
can communicate with each other. You provision VLANs to the tiers your create, and VMs can be
|
|
deployed on different tiers. The VLANs are connected to a virtual router, which facilitates
|
|
communication between the VMs. In effect, you can segment VMs by means of VLANs into different
|
|
networks that can host multi-tier applications, such as Web, Application, or Database. Such
|
|
segmentation by means of VLANs logically separate application VMs for higher security and lower
|
|
broadcasts, while remaining physically connected to the same device.</para>
|
|
<para>This feature is supported on XenServer, KVM, and VMware hypervisors.</para>
|
|
<para>The major advantages are:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>The administrator can deploy a set of VLANs and allow users to deploy VMs on these
|
|
VLANs. A guest VLAN is randomly alloted to an account from a pre-specified set of guest
|
|
VLANs. All the VMs of a certain tier of an account reside on the guest VLAN allotted to that
|
|
account.</para>
|
|
<note>
|
|
<para>A VLAN allocated for an account cannot be shared between multiple accounts. </para>
|
|
</note>
|
|
</listitem>
|
|
<listitem>
|
|
<para>The administrator can allow users create their own VPC and deploy the application. In
|
|
this scenario, the VMs that belong to the account are deployed on the VLANs allotted to that
|
|
account.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Both administrators and users can create multiple VPCs. The guest network NIC is plugged
|
|
to the VPC virtual router when the first VM is deployed in a tier. </para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>The administrator can create the following gateways to send to or receive traffic from
|
|
the VMs:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">VPN Gateway</emphasis>: For more information, see <xref
|
|
linkend="create-vpn-gateway-for-vpc"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Public Gateway</emphasis>: The public gateway for a VPC is
|
|
added to the virtual router when the virtual router is created for VPC. The public
|
|
gateway is not exposed to the end users. You are not allowed to list it, nor allowed to
|
|
create any static routes.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Private Gateway</emphasis>: For more information, see <xref
|
|
linkend="add-gateway-vpc"/>.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Both administrators and users can create various possible destinations-gateway
|
|
combinations. However, only one gateway of each type can be used in a deployment.</para>
|
|
<para>For example:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">VLANs and Public Gateway</emphasis>: For example, an
|
|
application is deployed in the cloud, and the Web application VMs communicate with the
|
|
Internet.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">VLANs, VPN Gateway, and Public Gateway</emphasis>: For
|
|
example, an application is deployed in the cloud; the Web application VMs communicate
|
|
with the Internet; and the database VMs communicate with the on-premise devices.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>The administrator can define Network Access Control List (ACL) on the virtual router to
|
|
filter the traffic among the VLANs or between the Internet and a VLAN. You can define ACL
|
|
based on CIDR, port range, protocol, type code (if ICMP protocol is selected) and
|
|
Ingress/Egress type.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>The following figure shows the possible deployment scenarios of a Inter-VLAN setup:</para>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="./images/multi-tier-app.png"/>
|
|
</imageobject>
|
|
<textobject>
|
|
<phrase>mutltier.png: a multi-tier setup.</phrase>
|
|
</textobject>
|
|
</mediaobject>
|
|
<para>To set up a multi-tier Inter-VLAN deployment, see <xref linkend="configure-vpc"/>.</para>
|
|
</section>
|