Functional Description


Right now users get confused between advanced zones with and without security groups; there is nothing "special" about either, and there is no reason we can't cover this use-case by having SG/host-firewall for shared networks in a non-SG-enabled advanced zone.

  • Also helps for purpose of edge zones and simplifying zone deployment options

  • Support security groups in adv zones (without needing the feature flag by zone); merge the zone subtypes in upgrade path

  • Reduce zone-selection complexity and have firewall on hypervisor hosts (security groups or similar melded) for VMs on shared networks.

By its nature (firewall rules applied on the hypervisor host), the feature is limited to KVM (and XenServer/XCP-ng).

The task of the FR is to simplify zones for users:

  • allow users to have a firewall in shared networks (or SG in shared networks) in an advanced zone;
  • (in the future) merge and remove the advanced zone with/without SG distinction → an advanced zone can allow SG on a per-shared-network basis
  • (in the future) remove the subtype of zone, so it's just core vs edge zone; longer term (TBD), everything a basic zone can do, an advanced zone can do too.

High-Level design

  • The procedure to create zones (basic zone, advanced zone without SG, advanced zone with SG) is not changed on UI/API.
  • A global/zone setting is added for advanced zones: enable.security.groups.for.shared.networks, with default value "false"
  • When the value is "true", security groups are enabled for shared networks with the SG service, and the following actions are supported and visible on the UI
    • create a shared network with SG (for example using the network offering DefaultSharedNetworkOfferingWithSGService)
    • the security group page is enabled on the UI (currently it is visible only if at least one zone supports SG)
    • the security group section is visible when creating a VM on a shared network with the SecurityGroup service (provider is SecurityGroupProvider ?)
  • Please note
    • The feature supports only KVM (probably XenServer in the future)
    • the rules should be applied on the host (iptables, ebtables, ipset); refer to Wido's talk at CCC 2023.
    • a VM could have multiple NICs on different shared networks
    • a VM could have multiple secondary IPs on the same shared network
    • a VM could use both IPv4 and IPv6
    • a VM could use both a shared network (with SG) and an isolated network
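To make the design concrete, here is a constructed sketch (added for this page, not CloudStack's own code) of the two things the notes above imply: deciding per NIC whether host-firewall rules apply (legacy zone types plus the proposed setting), and emitting ipset/iptables/ebtables lines that cover multiple NICs, secondary IPs, IPv4 and IPv6 while leaving isolated-network NICs alone. The Zone/Nic classes, chain and ipset names are assumptions for illustration; only the setting name comes from the FR.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

SETTING = "enable.security.groups.for.shared.networks"  # name proposed in the FR

@dataclass
class Nic:
    vif: str            # tap/vnet device on the KVM host (assumed naming)
    mac: str
    network_type: str   # "shared" or "isolated"
    sg_service: bool    # the network offering includes the SecurityGroup service
    ips: list           # primary + secondary IPs, IPv4 and/or IPv6

@dataclass
class Zone:
    network_type: str   # "Basic" or "Advanced"
    sg_enabled: bool    # legacy "advanced zone with SG" subtype flag
    settings: dict = field(default_factory=dict)

def sg_applies(zone: Zone, nic: Nic) -> bool:
    """Decide whether host-firewall (SG) rules apply to this NIC."""
    if nic.network_type != "shared" or not nic.sg_service:
        return False      # isolated networks keep their VR-based firewall
    if zone.network_type == "Basic" or zone.sg_enabled:
        return True       # existing behaviour, unchanged by the FR
    # new behaviour: advanced zone without the SG subtype, gated by the setting
    return zone.settings.get(SETTING, "false").lower() == "true"

def host_rules(vm: str, zone: Zone, nics: list) -> list:
    """Return ipset/iptables/ebtables lines for every SG-enabled NIC of the VM.
    Each NIC gets one ipset per address family holding primary + secondary IPs,
    so anti-spoofing and default-deny ingress cover every address of that NIC."""
    rules = []
    for nic in nics:
        if not sg_applies(zone, nic):
            continue
        for fam, flag, cmd in (("4", "", "iptables"), ("6", "family inet6", "ip6tables")):
            ips = [ip for ip in nic.ips if ip_address(ip).version == int(fam)]
            if not ips:
                continue
            s = f"{vm}-{nic.vif}-v{fam}"
            rules.append(f"ipset create {s} hash:ip {flag}".strip())
            rules += [f"ipset add {s} {ip}" for ip in ips]
            # egress anti-spoof: only addresses owned by this NIC may leave it
            rules.append(f"{cmd} -A {vm}-{nic.vif}-eg -m physdev --physdev-in {nic.vif} "
                         f"-m set ! --match-set {s} src -j DROP")
            # default-deny ingress; SG ingress rules would be inserted before this
            rules.append(f"{cmd} -A {vm}-{nic.vif}-in -m physdev --physdev-out {nic.vif} -j DROP")
        rules.append(f"ebtables -A {vm}-{nic.vif} -s ! {nic.mac} -j DROP")  # MAC anti-spoof
    return rules
```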

References
