mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
 distributed with this work for additional information
 regarding copyright ownership.  The ASF licenses this file
 to you under the Apache License, Version 2.0 (the
 "License"); you may not use this file except in compliance
 with the License.  You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing,
 software distributed under the License is distributed on an
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
-->
<section id="add-gateway-vpc">
  <title>Adding a Private Gateway to a VPC</title>
  <para>A private gateway can be added by the root admin only. The VPC private network has a 1:1
    relationship with the NIC of the physical network. You can configure multiple private gateways
    on a single VPC. No two gateways with the same VLAN and IP address are allowed in the same data
    center.</para>
  <orderedlist>
    <listitem>
      <para>Log in to the &PRODUCT; UI as the root administrator.</para>
    </listitem>
    <listitem>
      <para>In the left navigation, choose Network.</para>
    </listitem>
    <listitem>
      <para>In the Select view, select VPC.</para>
      <para>All the VPCs that you have created for the account are listed in the page.</para>
    </listitem>
    <listitem>
      <para>Click the Configure button of the VPC to which you want to add a private
        gateway.</para>
      <para>The VPC page is displayed where all the tiers you created are listed in a
        diagram.</para>
    </listitem>
    <listitem>
      <para>Click the Settings icon.</para>
      <para>The following options are displayed.</para>
      <itemizedlist>
        <listitem>
          <para>Internal LB</para>
        </listitem>
        <listitem>
          <para>Public LB IP</para>
        </listitem>
        <listitem>
          <para>Static NAT</para>
        </listitem>
        <listitem>
          <para>Virtual Machines</para>
        </listitem>
        <listitem>
          <para>CIDR</para>
        </listitem>
      </itemizedlist>
      <para>The following router information is displayed:</para>
      <itemizedlist>
        <listitem>
          <para>Private Gateways</para>
        </listitem>
        <listitem>
          <para>Public IP Addresses</para>
        </listitem>
        <listitem>
          <para>Site-to-Site VPNs</para>
        </listitem>
        <listitem>
          <para>Network ACL Lists</para>
        </listitem>
      </itemizedlist>
    </listitem>
    <listitem>
      <para>Select Private Gateways.</para>
      <para>The Gateways page is displayed.</para>
    </listitem>
    <listitem>
      <para>Click Add new gateway:</para>
      <mediaobject>
        <imageobject>
          <imagedata fileref="./images/add-new-gateway-vpc.png"/>
        </imageobject>
        <textobject>
          <phrase>add-new-gateway-vpc.png: adding a private gateway for the VPC.</phrase>
        </textobject>
      </mediaobject>
    </listitem>
    <listitem>
      <para>Specify the following:</para>
      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">Physical Network</emphasis>: The physical network you have
            created in the zone.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">IP Address</emphasis>: The IP address associated with the VPC
            gateway.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Gateway</emphasis>: The gateway through which the traffic is
            routed to and from the VPC.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Netmask</emphasis>: The netmask associated with the VPC
            gateway.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">VLAN</emphasis>: The VLAN associated with the VPC
            gateway.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Source NAT</emphasis>: Select this option to enable the source
            NAT service on the VPC private gateway. This choice is made at creation time only.</para>
          <para>See <xref linkend="sourcenat-private-gateway"/>.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">ACL</emphasis>: Controls both ingress and egress traffic on a
            VPC private gateway. By default, all traffic is blocked.</para>
          <para>See <xref linkend="acl-private-gateway"/>.</para>
        </listitem>
      </itemizedlist>
      <para>The new gateway appears in the list. You can repeat these steps to add more gateways to
        this VPC.</para>
    </listitem>
  </orderedlist>
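  <para>The same procedure driven through the &PRODUCT; API instead of the UI, as an added
    example that is not part of this page or of the &PRODUCT; code base: the script builds signed
    <code>createPrivateGateway</code>, <code>replaceNetworkACLList</code> and
    <code>createStaticRoute</code> requests (the latter two correspond to
    <xref linkend="acl-private-gateway"/> and <xref linkend="static-route"/>) and applies the
    sanity checks an operator would want before submitting the form values above. The endpoint,
    API key, secret key and UUIDs are constructed placeholders; the signing steps follow the
    documented &PRODUCT; API signing scheme (sort parameters by name, URL-encode values with space
    as %20, lowercase the whole string, HMAC-SHA1 with the secret key, base64), and parameter
    names should be checked against the API reference for your &PRODUCT; version.</para>
  <programlisting><![CDATA[
```python
"""Added example, not CloudStack project code: build signed CloudStack API
requests for the private-gateway operations on this page.

Assumptions (not stated on the page): endpoint, keys and UUIDs below are
constructed placeholders; the signing scheme is the documented CloudStack
one; parameter names follow the API reference for createPrivateGateway,
replaceNetworkACLList and createStaticRoute.
"""
import base64
import hashlib
import hmac
import ipaddress
from urllib.parse import quote_plus

API_ENDPOINT = "https://cloudstack.example.com/client/api"  # placeholder
API_KEY = "EXAMPLE-API-KEY"        # placeholder, not a real credential
SECRET_KEY = "EXAMPLE-SECRET-KEY"  # placeholder, not a real credential


def canonical_string(params):
    """The string CloudStack signs: keys sorted case-insensitively, values
    URL-encoded (space as %20), and the whole thing lowercased."""
    parts = []
    for key in sorted(params, key=str.lower):
        value = quote_plus(str(params[key]), safe="*").replace("+", "%20")
        parts.append(f"{key}={value}")
    return "&".join(parts).lower()


def sign(params, secret_key=SECRET_KEY):
    """Base64 of HMAC-SHA1 over the canonical string; the secret never leaves
    the client, only this signature is sent."""
    digest = hmac.new(secret_key.encode(), canonical_string(params).encode(),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_signed_url(params, api_key=API_KEY, secret_key=SECRET_KEY):
    """Full GET URL: original-case values plus the signature parameter."""
    signed = dict(params, apiKey=api_key, response="json")
    query = "&".join(f"{k}={quote_plus(str(v), safe='*')}" for k, v in signed.items())
    return f"{API_ENDPOINT}?{query}&signature={quote_plus(sign(signed, secret_key))}"


def private_gateway_params(vpc_id, physical_network_id, ip, gateway, netmask,
                           vlan, source_nat=False, acl_id=None):
    """Parameters for createPrivateGateway. The IP and the gateway must lie in
    the subnet described by the netmask, and the VLAN must be a valid 802.1Q tag;
    both are checked here rather than discovered from a failed API call."""
    subnet = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    if ipaddress.ip_address(gateway) not in subnet:
        raise ValueError(f"gateway {gateway} is outside {subnet}")
    if not 1 <= int(vlan) <= 4094:
        raise ValueError(f"invalid VLAN id {vlan}")
    params = {
        "command": "createPrivateGateway",
        "vpcid": vpc_id,
        "physicalnetworkid": physical_network_id,
        "ipaddress": ip,
        "gateway": gateway,
        "netmask": netmask,
        "vlan": str(vlan),
        # Source NAT is chosen at creation time; it cannot be toggled later.
        "sourcenatsupported": "true" if source_nat else "false",
    }
    if acl_id:  # otherwise the gateway starts with the default deny-all ACL
        params["aclid"] = acl_id
    return params


def replace_acl_params(gateway_id, acl_id):
    """Parameters for replaceNetworkACLList on an existing private gateway."""
    return {"command": "replaceNetworkACLList", "gatewayid": gateway_id, "aclid": acl_id}


def static_route_params(gateway_id, cidr):
    """Parameters for createStaticRoute; a malformed CIDR is rejected up front."""
    network = ipaddress.ip_network(cidr, strict=True)
    return {"command": "createStaticRoute", "gatewayid": gateway_id, "cidr": str(network)}


if __name__ == "__main__":
    # Constructed sample identifiers, not real objects.
    params = private_gateway_params(
        vpc_id="11111111-1111-1111-1111-111111111111",
        physical_network_id="22222222-2222-2222-2222-222222222222",
        ip="10.147.30.5", gateway="10.147.30.1", netmask="255.255.255.0",
        vlan=200, source_nat=True)
    print(build_signed_url(params))
```
]]></programlisting>
  <para>Point <code>API_ENDPOINT</code> and the two keys at a real management server to obtain the
    URL that would be submitted; because only the HMAC signature travels over the wire, the secret
    key should be loaded from a protected file or environment rather than hard-coded as in the
    placeholder above.</para>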
  <section id="sourcenat-private-gateway">
    <title>Source NAT on Private Gateway</title>
    <para>You might want to deploy multiple VPCs with the same super CIDR and guest tier CIDRs.
      Guest VMs in different VPCs can then have the same IP addresses while still needing to reach
      an enterprise data center through the private gateway. In such cases, a NAT service must be
      configured on the private gateway to avoid IP conflicts. If Source NAT is enabled, the guest
      VMs in the VPC reach the enterprise network through the private gateway IP address by using
      the NAT service.</para>
    <para>The Source NAT service on a private gateway can be enabled only while adding the private
      gateway. When a private gateway is deleted, the source NAT rules specific to that private
      gateway are deleted with it.</para>
    <para>To enable source NAT on an existing private gateway, delete it and create it afresh with
      source NAT enabled.</para>
  </section>
  <section id="acl-private-gateway">
    <title>ACL on Private Gateway</title>
    <para>Traffic on the VPC private gateway is controlled by creating both ingress and egress
      network ACL rules. An ACL contains both allow and deny rules. By default, all ingress traffic
      to the private gateway interface and all egress traffic out of the private gateway interface
      are blocked.</para>
    <para>You can change this default behaviour while creating a private gateway. Alternatively, you
      can do the following:</para>
    <orderedlist>
      <listitem>
        <para>In a VPC, identify the Private Gateway you want to work with.</para>
      </listitem>
      <listitem>
        <para>In the Private Gateway page, do either of the following:</para>
        <itemizedlist>
          <listitem>
            <para>Use the Quickview. See <xref linkend="quickview"/>.</para>
          </listitem>
          <listitem>
            <para>Use the Details tab. See <xref linkend="details-tab"/> and the steps that follow
              it.</para>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem id="quickview">
        <para>In the Quickview of the selected Private Gateway, click Replace ACL, select the ACL
          list you want to apply, then click OK.</para>
      </listitem>
      <listitem id="details-tab">
        <para>Click the IP address of the Private Gateway you want to work with.</para>
      </listitem>
      <listitem>
        <para>In the Details tab, click the Replace ACL button. <inlinemediaobject>
            <imageobject>
              <imagedata fileref="./images/replace-acl-icon.png"/>
            </imageobject>
            <textobject>
              <phrase>replace-acl-icon.png: button to replace the default ACL behaviour.</phrase>
            </textobject>
          </inlinemediaobject></para>
        <para>The Replace ACL dialog is displayed.</para>
      </listitem>
      <listitem>
        <para>Select the ACL list you want to apply, then click OK.</para>
        <para>Wait a few seconds. The new ACL is then displayed in the Details page.</para>
      </listitem>
    </orderedlist>
  </section>
  <section id="static-route">
    <title>Creating a Static Route</title>
    <para>&PRODUCT; enables you to specify static routes for the private gateway you create. You can
      enter one or more CIDRs to indicate which traffic is to be routed back through the
      gateway.</para>
    <orderedlist>
      <listitem>
        <para>In a VPC, identify the Private Gateway you want to work with.</para>
      </listitem>
      <listitem>
        <para>In the Private Gateway page, click the IP address of the Private Gateway you want to
          work with.</para>
      </listitem>
      <listitem>
        <para>Select the Static Routes tab.</para>
      </listitem>
      <listitem>
        <para>Specify the CIDR of the destination network.</para>
      </listitem>
      <listitem>
        <para>Click Add.</para>
        <para>Wait a few seconds until the new route is created.</para>
      </listitem>
    </orderedlist>
  </section>
  <section id="blacklist-route">
    <title>Blacklisting Routes</title>
    <para>&PRODUCT; enables you to block a list of routes so that they are not assigned to any of
      the VPC private gateways. Specify the list of routes that you want to blacklist in the
      <code>blacklisted.routes</code> global parameter. Note that updating the parameter affects
      only new static route creations: if you blacklist a route that already exists as a static
      route, the existing route remains intact and continues to function. You cannot add a static
      route if the route is blacklisted for the zone.
    </para>
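    <para>The check a new static route has to pass against <code>blacklisted.routes</code>, and
      the way existing routes are left alone, as an added example that is not part of this page or
      of the &PRODUCT; code base. It assumes the setting is a comma-separated list of CIDRs and
      takes the conservative reading that a route is "blacklisted for the zone" when it overlaps a
      listed CIDR in either direction; the sample routes and setting value are constructed.</para>
    <programlisting><![CDATA[
```python
"""Added example, not CloudStack project code: validate a static-route request
against the blacklisted.routes global setting.

Assumptions: the setting is a comma-separated list of CIDRs; a candidate route
is rejected when it overlaps any blacklisted CIDR in either direction (the
blacklist containing the route, or the route containing a blacklisted prefix).
Existing routes are left alone when the setting changes, as the page states.
"""
import ipaddress


def parse_blacklist(setting_value):
    """Parse the blacklisted.routes value into networks. Blank entries are
    ignored; a malformed entry raises so a typo cannot silently disable the list."""
    networks = []
    for entry in setting_value.split(","):
        entry = entry.strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def blocking_entry(cidr, blacklist):
    """Return the blacklisted network that blocks cidr, or None if it is allowed."""
    candidate = ipaddress.ip_network(cidr, strict=True)
    for blocked in blacklist:
        # overlaps() is symmetric: 10.0.0.0/8 blocks 10.30.0.0/16, and a
        # request for 192.168.0.0/16 is blocked by a listed 192.168.100.0/24.
        if candidate.version == blocked.version and candidate.overlaps(blocked):
            return blocked
    return None


def apply_route_requests(existing_routes, requests, setting_value):
    """Simulate a batch of createStaticRoute calls after the setting was updated.
    Existing routes are kept even if they now overlap the blacklist; each new
    request is either added or rejected with the blocking entry named."""
    blacklist = parse_blacklist(setting_value)
    routes = list(existing_routes)
    outcome = {}
    for cidr in requests:
        blocked = blocking_entry(cidr, blacklist)
        if blocked is None:
            routes.append(cidr)
            outcome[cidr] = "added"
        else:
            outcome[cidr] = f"rejected: overlaps blacklisted {blocked}"
    return routes, outcome


if __name__ == "__main__":
    # Constructed sample data, not taken from a real deployment.
    SETTING = "10.0.0.0/8, 192.168.100.0/24"
    routes, outcome = apply_route_requests(
        existing_routes=["10.20.0.0/16"],  # created before the blacklist was set
        requests=["10.30.0.0/16", "172.16.0.0/12", "192.168.0.0/16"],
        setting_value=SETTING)
    for cidr, result in outcome.items():
        print(f"{cidr}: {result}")
    print("routes on gateway:", routes)
```
]]></programlisting>
    <para>The pre-existing 10.20.0.0/16 route survives the new 10.0.0.0/8 entry, which is why an
      operator who wants a blacklisted range gone must also remove the routes that predate the
      setting change.</para>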
</section>
</section>