Introduction

Purpose:

CloudStack provides a rich set of L4-L7 network services such as firewall, load balancing, source NAT, static NAT and port forwarding to isolated networks in the advanced zone. For public cloud scenarios, CloudStack can provision a dedicated VR (Virtual Router) that provides L4-L7 services for the isolated networks of the tenants. Quadrant 1 in the model below is typically how public cloud network services are modeled. In contrast to public clouds, in enterprise/private clouds it is not uncommon for hardware appliances such as firewall and load balancer devices to provide the L4-L7 network services. Enterprise cloud environments also have less need for isolation, so in the simplest deployment a single shared network can be used by multiple accounts. CloudStack therefore needs to be able to provide network services for deployments that map to quadrant 3, i.e. shared networks using physical LB and FW appliances for network services.

In CloudStack, shared networks can be created in both the advanced zone and the basic zone. In the basic zone only one shared network can be created, and CloudStack provides Static NAT (with EIP) and LB (with ELB) network services (along with DNS, DHCP and IPAM) in that network. In the advanced zone, the admin can create one or more shared networks and make them available to users, but for shared networks in the advanced zone only DNS, DHCP and IPAM services are provided by CloudStack.

This proposal is to enable firewall, NAT and load balancing network services in shared networks created in the advanced zone. With this functionality, cloud admins shall have the ability to

  1. create a shared network in the basic zone with EIP, ELB, security group, DNS, DHCP and IPAM services
  2. create shared networks in the advanced zone with only DNS, DHCP and IPAM services
  3. create a shared network in the advanced zone with LB, FW, NAT, DNS, DHCP and IPAM services.

The purpose of this document is to provide the functional specification for enabling L4-L7 services in shared networks created in the advanced zone (#3 in the listing above). Bug CLOUDSTACK-312 has been opened to track this.

Use cases:

1) An enterprise admin would like to set up a private cloud for his enterprise in which multiple divisions can self-service the creation of new VM instances and provide internet connectivity to their VMs. He wishes to keep a simple network deployment model without the need to configure multiple VLANs, as there is no need to isolate the traffic of the individual divisions. He creates a deployment with CloudStack, creates a shared network and makes the network available to all divisions. He provides no further network offering with which users could create additional networks. The admin sets up the FW and LB devices in two-arm mode as shown in the diagram below. The individual divisions then start creating VMs. They can self-service their networking needs by acquiring a public IP and enabling LB, FW and NAT services for their VMs.

2) An enterprise admin would like to set up a private cloud for his enterprise in which multiple divisions can self-service the creation of new VM instances and provide internet connectivity to their VMs. He would like to ensure that each division gets an isolated network as well as internet connectivity. He creates a deployment with CloudStack, creates an enterprise-level shared network and makes the network available to all divisions. He also creates a network offering with the isolated guest traffic type and no NAT, LB or firewall services, and makes that network offering available to all divisions. The admin sets up the FW and LB devices in two-arm mode as shown in the diagram below. The individual divisions start creating their fenced isolated networks. VMs that need external connectivity are set up dual-homed in the isolated network and the shared enterprise network. Each division can self-service its networking needs by acquiring a public IP and enabling LB, FW and NAT services for its VMs.

In both use cases CloudStack can orchestrate the configuration of firewall, NAT and LB rules on the FW and LB devices and thereby provide firewall and load-balancing services to the VMs on the shared network.

Glossary:

L4-L7 services: in this document, L4-L7 services refers to any of the load balancing, source NAT, static NAT, port forwarding and firewall network services that are provided by CloudStack.

shared network: although a 'shared network' can be created in both the basic zone and the advanced zone, in this document 'shared network' generally refers to a shared network in the advanced zone unless it is explicitly called out as a shared network in the basic zone.

Scope:

  • The scope of this proposal is restricted to providing L4-L7 network services with external devices only. Since the Juniper SRX is currently the only supported external firewall device, the SRX is assumed as the firewall device. For the load balancer it could be any of the supported LB devices (NetScaler, F5, Brocade). The virtual router can continue to provide DNS, DHCP and IPAM services in shared networks as it does today.
  • Once the framework is in place to create network services in shared networks, it becomes possible to use the VR (Virtual Router) as the network services provider. Support for the VR is not, however, a goal of this feature.
  • The scope of this proposal is restricted to providing L4-L7 network services to shared networks created in the advanced zone only.

Functional Specification

Services to be supported in shared networks in the advanced zone:

  • The following network services shall be made available to the VMs in the shared network. A subset of these services can be chosen while creating a network offering of the shared network type; the services available in a shared network are defined by its network offering and the services chosen in that offering.
    • Source NAT
    • Static NAT
    • Port forwarding
    • Firewall
    • Load balancing
  • If the network offering for the shared network has the source NAT service enabled, then by default a public IP shall be provisioned and source NAT configured on the firewall device to provide public access to the VMs on the shared network.
  • Static NAT, port forwarding, load balancing and firewall services shall be available only on acquired public IPs associated with the shared network.

Operation flow of enabling L4-L7 services in shared network:

The admin (shared networks can only be created by an admin account) goes through the following operations to enable network services in shared networks.

  • create a network offering with L4-L7 services
  • create a shared network using a network offering that supports L4-L7 services

An account in the deployment goes through the following operations to use network services for the VMs it owns on the shared network.

  • create a VM which uses the shared network provisioned by the admin
  • acquire a public IP (associated with the shared network)
  • create firewall/PF/NAT/LB rules on the acquired public IP that provide services to the VMs on the shared network
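The admin step (creating a network offering of guest type Shared that carries L4-L7 services) and the user step (acquiring a public IP on that network) from the flow above, built as signed CloudStack API requests. This is an added example, not CloudStack's own code: the endpoint, API keys and network ID are placeholders, request signing follows CloudStack's documented scheme (percent-encoded values, sorted keys, lower-cased query, HMAC-SHA1, base64), the page's associateIpAddr is the associateIpAddress command, and the requests are only built, not sent.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

ENDPOINT = "https://cloudstack.example/client/api"  # placeholder endpoint


def signed_request(command, params, api_key, secret_key):
    """Build a GET URL for `command` carrying CloudStack's HMAC-SHA1 signature."""
    p = {k.lower(): str(v) for k, v in params.items()}
    p.update(command=command, apikey=api_key, response="json")
    # values are percent-encoded (spaces as %20, never '+'), keys sorted, and the
    # whole query string is lower-cased before it is signed
    query = "&".join(f"{k}={quote(p[k], safe='')}" for k in sorted(p))
    mac = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1)
    sig = base64.b64encode(mac.digest()).decode()
    return f"{ENDPOINT}?{query}&signature={quote(sig, safe='')}"


def admin_create_shared_offering(api_key, secret_key):
    """Admin step: offering of guest type Shared with FW/NAT/PF on SRX and LB on NetScaler."""
    params = {
        "name": "shared-l4l7", "displaytext": "Shared network with SRX and NetScaler",
        "guestiptype": "Shared", "traffictype": "Guest",
        "specifyvlan": "true", "specifyipranges": "true",
        "supportedservices": "Dhcp,Dns,SourceNat,StaticNat,PortForwarding,Firewall,Lb",
    }
    providers = [("Dhcp", "VirtualRouter"), ("Dns", "VirtualRouter"),
                 ("SourceNat", "JuniperSRX"), ("StaticNat", "JuniperSRX"),
                 ("PortForwarding", "JuniperSRX"), ("Firewall", "JuniperSRX"),
                 ("Lb", "Netscaler")]
    for i, (service, provider) in enumerate(providers):  # map-style parameters
        params[f"serviceproviderlist[{i}].service"] = service
        params[f"serviceproviderlist[{i}].provider"] = provider
    return signed_request("createNetworkOffering", params, api_key, secret_key)


def user_acquire_public_ip(network_id, api_key, secret_key):
    """User step: associate a public IP with the caller's account and the shared network."""
    return signed_request("associateIpAddress", {"networkid": network_id}, api_key, secret_key)


def query_params(url):
    """Decode a built URL back into its parameters, e.g. to inspect or log it."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```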

API Changes:

  • The createNetworkOffering API shall be enhanced to accept port forwarding, source NAT, static NAT, LB and firewall services as valid supported services when the 'guestIptype' parameter of the createNetworkOffering API is 'Shared'.
  • The createNetwork API shall be enhanced to take a 'shared' network offering with L4-L7 services enabled and create a shared guest network in the advanced zone.
  • In CloudStack, if an isolated network uses a network offering with external devices (SRX, NetScaler, F5) as service providers, then a CIDR cannot be specified for the guest network; CloudStack automatically creates a unique CIDR for the isolated guest network. For shared networks in the advanced zone this restriction shall be relaxed when using the createNetwork API, and the user is allowed to specify the CIDR for the shared network. The CIDR is accepted as long as it does not overlap with existing shared network CIDRs or isolated network CIDRs.
  • The associateIpAddr API shall be enhanced to associate a public IP with both an account and a shared network in the advanced zone.
  • The disassociateIpAddr API shall be enhanced to disassociate a public IP that is owned by the caller and associated with a shared network.
  • The listPublicIpAddresses API shall be enhanced to take the network ID corresponding to a shared network in the advanced zone. When the listAll API parameter is set to true, the API shall return the list of public IPs associated with the network which the caller is authorised to see. When listAll is set to false, the API shall return the list of public IPs owned by the caller and associated with the network.
  • On an acquired public IP that is associated with a shared network and owned by the user, the user shall be able to invoke the following APIs to provide network services to the VMs on the shared network.
    • createPortForwardingRule
    • deletePortForwardingRule
    • listPortForwardingRules
    • createFirewallRule
    • deleteFirewallRule
    • listFirewallRules
    • enableStaticNat
    • disableStaticNat
    • createIpForwardingRule
    • deleteIpForwardingRule
    • listIpForwardingRule
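The CIDR acceptance rule that the third bullet above relaxes for shared networks, as an added example that is not CloudStack code: a caller-supplied CIDR is rejected if it is malformed, has host bits set, or overlaps any existing shared or isolated guest network (the list of existing networks is a constructed sample).

```python
import ipaddress

# Constructed sample of guest networks already provisioned in the zone: (name, type, CIDR)
EXISTING_NETWORKS = [
    ("enterprise-shared", "Shared", "10.10.0.0/22"),
    ("division-a", "Isolated", "10.1.1.0/24"),
    ("division-b", "Isolated", "10.1.2.0/24"),
]


def validate_shared_cidr(cidr, existing=EXISTING_NETWORKS):
    """Return (accepted, reason) for a CIDR supplied to createNetwork for a shared network.

    Rejected: malformed CIDRs, CIDRs with host bits set, and any CIDR that overlaps an
    existing shared or isolated guest network, whether as a subnet, a supernet or equal."""
    try:
        candidate = ipaddress.ip_network(cidr, strict=True)  # strict: 10.10.0.5/22 is refused
    except ValueError as exc:
        return False, f"malformed CIDR {cidr!r}: {exc}"
    for name, ntype, other in existing:
        net = ipaddress.ip_network(other)
        if candidate.version == net.version and candidate.overlaps(net):
            return False, f"{cidr} overlaps {ntype} network {name} ({other})"
    return True, f"{cidr} does not overlap any existing guest network"
```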

Shared Network life cycle changes:

The following sections specify the changes to be made at each stage of the shared network lifecycle with LB, PF, NAT and firewall services in the advanced zone.

  • Create:
    • During the network design phase of network creation, the 'Direct network Guru', which designs shared networks, shall set the network to Network.State.Allocated if the shared network is being created in the advanced zone with L4-L7 services enabled.
    • If no L4-L7 services are enabled, the Direct network Guru shall continue to set the network to Network.State.Setup as it does today for shared networks.
  • Implement:
    • The implement phase for a shared network in the advanced zone without L4-L7 services shall continue to bypass implementing the network on the back end, as it does now.
    • The implement phase of a shared network in the advanced zone with L4-L7 services enabled shall result in:
      • implement() on the JuniperSRXFirewall element:
        • the SRX device shall be set up as the gateway of the shared network;
        • the private interface of the SRX device is trunked to the VLAN allocated for the shared network.
      • implement() on the NetScalerElement or the F5 element, depending on the LB provider defined in the network offering with which the shared network is created:
        • the private interface of the LB device is trunked with the VLAN allocated for the shared network;
        • a subnet IP from the IP range configured for the shared network is reserved for the LB device and associated with it.
    • Applying rules shall result in:
      • applying all firewall, static NAT and port forwarding rules configured on the shared network on the Juniper SRX;
      • applying the LB rules configured on the shared network on the LB device.
    • The network state is set to Network.State.Implemented.
  • Shutdown:
    • Revoking all rules shall result in:
      • revoking all firewall, static NAT and PF rules configured on the shared network on the Juniper SRX;
      • revoking the LB rules configured on the shared network on the LB device.
    • The shutdown phase of a shared network in the advanced zone with L4-L7 services enabled shall result in:
      • shutdown() on the JuniperSRXFirewall element:
        • the SRX device shall be removed as the gateway of the shared network;
        • the VLAN and gateway IP are deleted from the SRX device.
      • shutdown() on the LB device's network element:
        • the VLAN and subnet IP are deleted from the LB device.
  • Destroy:
    • destroy on a shared network with L4-L7 services shall result in:
      • shutting down the network, which should result in the same set of actions as defined for the 'Shutdown' phase of a shared network;
      • destroy() on the Juniper SRX network element;
      • destroy() on the network element corresponding to the LB device.
  • Restart:
    • revoke the firewall, PF, source NAT and static NAT rules associated with the shared network on the SRX device
    • revoke the LB rules associated with the shared network on the LB device
    • shutdown() on the Juniper SRX network element
    • shutdown() on the network element corresponding to the LB device
    • implement the shared network on the Juniper SRX device
    • implement the shared network on the LB device
    • apply the firewall, PF, source NAT and static NAT rules associated with the shared network on the SRX device
    • apply the LB rules associated with the shared network on the LB device
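A model of the lifecycle above, added here and not CloudStack code: every element call is recorded so that the revoke/shutdown/implement/apply ordering of Create, Implement, Shutdown, Destroy and Restart can be checked against the spec. Element and state names follow the spec; the state a network returns to after Shutdown (Allocated) and the element name F5Element are assumptions.

```python
L4_L7 = {"SourceNat", "StaticNat", "PortForwarding", "Firewall", "Lb"}


class SharedNetwork:
    """Shared network in the advanced zone; each element call is appended to `log`."""

    def __init__(self, services, lb_element="NetScalerElement"):
        self.services = set(services)
        self.fw = "JuniperSRXFirewall"   # SRX is the only supported external firewall
        self.lb = lb_element             # NetScalerElement or the F5 element (assumed name)
        self.rules = []                  # rule kinds: Firewall/StaticNat/PortForwarding/Lb
        self.log = []
        # Create: the Direct network Guru leaves a network with L4-L7 services in
        # Allocated so that implement() runs later; otherwise Setup, as today
        self.state = "Allocated" if self.services & L4_L7 else "Setup"

    def _ordered_rules(self):
        # SRX-bound rules (FW/NAT/PF) are handled before LB rules, as the spec lists them
        return sorted(self.rules, key=lambda kind: kind == "Lb")

    def apply_rules(self):
        for kind in self._ordered_rules():
            self.log.append(f"{self.lb if kind == 'Lb' else self.fw}.apply:{kind}")

    def revoke_rules(self):
        for kind in self._ordered_rules():
            self.log.append(f"{self.lb if kind == 'Lb' else self.fw}.revoke:{kind}")

    def implement(self):
        if not self.services & L4_L7:
            return self.state  # back-end implementation is bypassed, as today
        self.log.append(f"{self.fw}.implement")  # SRX set as gateway, VLAN trunked
        self.log.append(f"{self.lb}.implement")  # VLAN trunked, subnet IP reserved
        self.apply_rules()
        self.state = "Implemented"
        return self.state

    def shutdown(self):
        self.revoke_rules()
        self.log.append(f"{self.fw}.shutdown")  # gateway role, VLAN and gateway IP removed
        self.log.append(f"{self.lb}.shutdown")  # VLAN and subnet IP removed
        self.state = "Allocated"  # assumption: the spec does not name the post-shutdown state
        return self.state

    def destroy(self):
        self.shutdown()
        self.log += [f"{self.fw}.destroy", f"{self.lb}.destroy"]

    def restart(self):
        # rules stay in the CloudStack database and are pushed again after re-implementation
        self.shutdown()
        return self.implement()
```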

Upgrade:

On upgrade, existing shared networks in the advanced zone will continue to provide only DNS, DHCP and IPAM services. L4-L7 services can be enabled only on newly created shared networks in the advanced zone. No schema changes are required for this feature.

UI Change:

  • For the admin, the Create network offering dialog box shall permit choosing the source NAT, static NAT, port forwarding, firewall and load balancing services when the 'guest type' is shared.
  • On a shared network with L4-L7 services, the user shall be able to list the IP addresses associated with the network that the user owns or is authorised to list.
  • On a listed IP address, the user shall be able to configure LB, FW, port forwarding and static NAT rules.

Assumptions:

  • It is assumed that making network services available in both isolated and shared networks gives more flexibility to the cloud admin. It is the admin's responsibility to design the private cloud network topology and enable network services on guest networks as desired. No assumptions or validations are made on how a shared network with L4-L7 services is used together with isolated networks or other shared networks.