Isolation based on Security Groups in Advanced zone

Hypervisor support: KVM, Xen

Testcase ID

Testcase Description

Steps

Expected results

Priority

Type

Automatable

Create Zone

1

Create an Advanced zone with SG enabled via the API

Create an Advanced zone with SG enabled using the API

Zone creation should be successful.
In the DB, the value of the securityenabled attribute should be set to "true".

P0

Functional

Y

2

Create an Advanced zone and enable SG via the API

1. Create an Advanced zone using the API
2. Enable security groups with UpdateZone using the API

Zone creation should be successful.
In the DB, the value of the securityenabled attribute should be set to "true".

P0

Functional

Y

3

Create an Advanced zone with SG enabled via the API
Check the listZones() functionality

1. Create an Advanced zone with SG enabled using the API
2. Perform listZones()

The listZones API should return the zone with "securitygroupsenabled":true

P0

Functional

Y

4

Create an Advanced zone (SG disabled) via the API
Check the listZones() functionality by passing "securitygroupenabled=false"

1. Create an Advanced zone using the API
2. Perform listZones() by passing "securitygroupenabled=false"

The listZones API should return the zone with "securitygroupsenabled":false

P0

Functional

Y

5

Create an Advanced zone with SG enabled and an Advanced zone with SG disabled using the API
Check the listZones() functionality by passing "securitygroupenabled=false"

1. Create an Advanced zone with SG enabled and an Advanced zone with SG disabled using the API
2. Perform listZones() by passing securitygroupenabled=false

The listZones API should return only the zones that are not SG enabled

P0

Functional

Y

6

Check the API calls triggered by enabling and disabling SG through the UI

1. Check the API calls triggered by enabling and disabling SG through the UI
2. Enable SG through the UI
3. Disable SG

API calls should be triggered with valid values: when SG is enabled the parameter should include securityenabled=true, and when SG is disabled the parameter should include securityenabled=false.

P0

Functional

Y

7

Check the Zone wizard for default value

1. Click on Add Zone
2. Choose the Advanced zone with SG
3. Navigate to the end of the zone wizard

1. Check that the default supported cluster is KVM
2. Make sure the public traffic type does not exist

 

Functional

Y

8

Create ADV zone SG enabled with more than 1 physical network

Setup:
1. Manually set up an ADV zone with SG enabled
2. While setting up, create more than 1 physical network with different traffic labels (e.g. PhysicalNetwork1 -> label NIC1, PhysicalNetwork2 -> label NIC0)
Steps:
3. Deploy VMs in PhysicalNetwork1 (NIC1)

1. Make sure that the default SG enabled shared network is present on PhysicalNetwork1 (NIC1)
2. VM deployment should be successful and communication should work.

P0

Functional

Y

Supported Hypervisor

9

Create ADV zone SG enabled with hypervisor KVM

1. Add an Advanced zone with SG
2. Provide IP ranges for the pod and guest ranges
3. Add a cluster of KVM hosts
4. Provide primary and secondary storage. Launch the zone

Zone creation with hypervisor KVM should be successful.
In the DB, the value of the securityenabled attribute should be set to "true".

P0

Functional

Y

10

Create ADV zone SG enabled with hypervisor XEN

1. Add an Advanced zone with SG
2. Provide IP ranges for the pod and guest ranges
3. Add a cluster of XEN hosts
4. Provide primary and secondary storage. Launch the zone

Zone creation with hypervisor XEN should be successful.
In the DB, the value of the securityenabled attribute should be set to "true".

P0

Functional

Y

11

Create ADV zone SG enabled with a hypervisor other than KVM or XEN

1. Add an Advanced zone with SG
2. Provide IP ranges for the pod and guest ranges
3. Either there is no provision to add a cluster other than KVM or XEN, or creating a cluster with a hypervisor other than KVM or XEN will fail in zone creation

In zone creation, either there is no provision to create a cluster with a hypervisor other than KVM or XEN, or zone creation should fail with a hypervisor other than KVM or XEN.

P0

Functional

Y

12

Create ADV zone SG enabled with hypervisor XEN and launch the zone. Create another cluster with a hypervisor other than KVM or XEN

1. Add an Advanced zone with SG
2. Provide IP ranges for the pod and guest ranges
3. Add a cluster of KVM hosts
4. Provide primary and secondary storage. Launch the zone
5. Either there is no provision to add a cluster other than KVM or XEN, or creating a cluster with a hypervisor other than KVM or XEN will fail in cluster creation

After zone creation, either there is no provision to create a cluster with a hypervisor other than KVM or XEN, or zone creation should fail with a hypervisor other than KVM or XEN.

P0

Functional

Y

External Device unsupported

13

ADV zone SG enabled external device F5 unsupported

In ADV zone SG enabled, either there is no provision to add external device F5 or adding external device F5 fails

In ADV zone SG enabled, either there is no provision to add external device F5 or adding external device F5 fails

P0

Functional

Y

14

ADV zone SG enabled external device SRX unsupported

In ADV zone SG enabled, either there is no provision to add external device SRX or adding external device SRX fails

In ADV zone SG enabled, either there is no provision to add external device SRX or adding external device SRX fails

P0

Functional

Y

15

ADV zone SG enabled external device NetScaler unsupported

In ADV zone SG enabled, either there is no provision to add external device NetScaler or adding external device NetScaler fails

In ADV zone SG enabled, either there is no provision to add external device NetScaler or adding external device NetScaler fails

P0

Functional

Y

16

Verify the Network service providers

Check the Network service providers

It should only show VR as supported provider

P0

Functional

Y

VPC unsupported

17

ADV zone SG enabled VPC unsupported

In ADV zone SG enabled, either there is no provision to add VPC or adding VPC fails

In ADV zone SG enabled, either there is no provision to add VPC or adding VPC fails

P0

Functional

Y

Create shared SG enabled networks

18

In multiple ADV zones SG enabled, create 1 SG enabled zone wide network

1. Create 3 ADV zones SG enabled
2. In ADV zone 1 SG enabled, add 1 SG enabled zone wide network
3. In ADV zone 2 SG enabled, add 1 SG enabled zone wide network
4. In ADV zone 3 SG enabled, add 1 SG enabled zone wide network

In each ADV zone SG enabled, a shared zone wide network is added

P0

Functional

Y

19

Create 1 SG enabled account specific network

1. In ADV zone SG enabled, create:
   Domain D1, account d1A, domain-admin d1domain, user d1user
2. Add an SG enabled account specific network for account d1A

In ADV zone SG enabled, the shared account specific network is added

P0

Functional

Y

20

Create 1 SG enabled domain wide network with subdomain access set to true

1. In ADV zone SG enabled, create:
   Domain D1, account d1A, domain-admin d1domain, user d1user
2. Add a shared domain wide network with subdomain access set to true for domain D1

In ADV zone SG enabled, the shared domain wide network is added

P0

Functional

Y

21

In multiple ADV zones SG enabled, add multiple SG enabled zone wide networks, same VLAN, same subnet

1. Create 3 ADV zones SG enabled
2. In ADV zone 1 SG enabled, add 3 shared zone wide networks:
   z1znetwork1, z1znetwork2, z1znetwork3
3. In ADV zone 2 SG enabled, add 3 SG enabled zone wide networks:
   z2znetwork1, z2znetwork2, z2znetwork3
4. In ADV zone 3 SG enabled, add 3 shared zone wide networks:
   z3znetwork1, z3znetwork2, z3znetwork3

In each ADV zone SG enabled, multiple shared zone wide networks are added

P0

Functional

Y

22

Add multiple SG enabled account specific networks, same VLAN, same subnet

1. In ADV zone 1 SG enabled, create:
   Domain D1, account d1A, domainadmin d1domain, user d1user
   Domain D2, account d2A, domainadmin d2domain, user d2user
   Domain D3, account d3A, domainadmin d3domain, user d3user
2. Add shared account specific z1anetwork1 for account d1A
3. Add shared account specific z1anetwork2 for account d2A
4. Add shared account specific z1anetwork3 for account d3A

In ADV zone SG enabled, the shared account specific networks are added

P0

Functional

Y

23

Add multiple shared domain wide networks with subdomain access set to true for the domain, same VLAN, same subnet

1. In ADV zone 1 SG enabled, create:
   Domain D1, account d1A, domainadmin d1domain, user d1user
   Domain D2, account d2A, domainadmin d2domain, user d2user
   Domain D3, account d3A, domainadmin d3domain, user d3user
2. Add domain wide z1dnw1 with subdomain access = true for domain D1
3. Add domain wide z1dnw2 with subdomain access = true for domain D2
4. Add domain wide z1dnw3 with subdomain access = true for domain D3

In ADV zone SG enabled, the shared domain wide networks are added

P0

Functional

Y

24

Extend the IP range of an existing SG enabled zone wide network several times (within the same subnet) when all the IPs in 1 SG network are consumed, and deploy a VM

1. In the SG enabled zone wide network, deploy VMs to consume all IPs.
2. Extend the IP range in the same subnet: add 2 IPs
3. Repeat 1 & 2 several times

Extending the IP range in the same subnet and deploying VMs several times succeeds

P0

Functional

Y

25

Extend the IP range of an existing SG enabled domain wide network several times (within the same subnet) when all the IPs in 1 SG network are consumed, and deploy a VM

1. In the SG enabled domain wide network, deploy VMs to consume all IPs.
2. Extend the IP range in the same subnet: add 2 IPs
3. Repeat 1 & 2 several times

Extending the IP range in the same subnet and deploying VMs several times succeeds

P0

Functional

Y

26

Extend the IP range of an existing SG enabled account specific network several times (within the same subnet) when all the IPs in 1 SG network are consumed, and deploy a VM

1. In the SG enabled account specific network, deploy VMs to consume all IPs.
2. Extend the IP range in the same subnet: add 2 IPs
3. Repeat 1 & 2 several times

Extending the IP range in the same subnet and deploying VMs several times succeeds

P0

Functional

Y

27

Extend the IP range of multiple existing shared SG enabled account specific networks several times (within the same subnet) when all the IPs in all SG networks are consumed, and deploy a VM

1. In the SG enabled account specific network, deploy VMs to consume all IPs.
2. Extend the IP range in the same subnet: add 2 IPs
3. Repeat 1 & 2 several times

Extending the IP range in the same subnet and deploying VMs several times succeeds

P0

Functional

Y

28

Delete one of the IP ranges while not in use in an SG enabled zone wide network

In an SG enabled zone wide network with multiple IP ranges and no VMs in the network, delete one of the IP ranges

Deleting one of the IP ranges while not in use in an SG enabled zone wide network succeeds

P0

Functional

Y

29

Delete one of the IP ranges while not in use in an SG enabled domain wide network

In an SG enabled domain wide network with multiple IP ranges and no VMs in the network, delete one of the IP ranges

Deleting one of the IP ranges while not in use in an SG enabled domain wide network succeeds

P0

Functional

Y

30

Delete one of the IP ranges while not in use in an SG enabled account specific network

In an SG enabled account specific network with multiple IP ranges and no VMs in the network, delete one of the IP ranges

Deleting one of the IP ranges while not in use in an SG enabled account specific network succeeds

P0

Functional

Y

31

Delete one of the IP ranges while in use in an SG enabled zone wide network

In an SG enabled zone wide network with multiple IP ranges and VMs in an IP range of the network, delete one of the IP ranges with VMs.

Deleting one of the IP ranges while in use by VMs in an SG enabled zone wide network fails
431 The IP range can't be deleted because it has allocated public IP addresses.

P0

Functional

Y

32

Delete one of the IP ranges while in use in an SG enabled domain wide network

In an SG enabled domain wide network with multiple IP ranges and VMs in an IP range of the network, delete one of the IP ranges with VMs.

Deleting one of the IP ranges while in use by VMs in an SG enabled domain wide network fails

P0

Functional

Y

33

Delete one of the IP ranges while in use in an SG enabled account specific network

In an SG enabled account specific network with multiple IP ranges and VMs in an IP range of the network, delete one of the IP ranges with VMs.

Deleting one of the IP ranges while in use by VMs in an SG enabled account specific network fails

P0

Functional

Y

34

Delete an SG zone wide network while in use

In an SG enabled zone wide network with multiple IP ranges and VMs in an IP range of the network, delete the network

Deleting the zone wide network while in use by VMs fails
431 The IP range can't be deleted because it has allocated public IP addresses.

P0

Functional

Y

35

Delete an SG domain wide network while in use

In an SG enabled domain wide network with multiple IP ranges and VMs in an IP range of the network, delete the network

Deleting the domain wide network while in use by VMs fails

P0

Functional

Y

36

Delete an SG account specific network while in use

In an SG enabled account specific network with multiple IP ranges and VMs in an IP range of the network, delete the network

Deleting the account specific network while in use by VMs fails

P0

Functional

Y

37

delete SG zone wide network when there are no VMs

delete SG zone wide network when there are no VMs

Deleting the SG zone wide network when there are no VMs succeeds

P0

Functional

Y

38

delete SG domain wide network when there are no VMs

delete SG domain wide network when there are no VMs

Deleting the SG domain wide network when there are no VMs succeeds

P0

Functional

Y

39

delete SG account specific network when there are no VMs

delete SG account specific network when there are no VMs

Deleting the SG account specific network when there are no VMs succeeds

P0

Functional

Y

40

ADV zone SG enabled, isolated networks not supported

In ADV zone 1 SG enabled, there is no provision to add an isolated network

In ADV zone 1 SG enabled, there is no provision to add an isolated network

P0

Functional

Y

41

ADV zone SG enabled VPC networks not supported

In ADV zone 1 SG enabled, add a VPC network

In ADV zone 1 SG enabled, adding a VPC network fails

P0

Functional

Y

42

ADV zone SG enabled, only admin allowed to create guest networks

1. Create an Advanced zone with SG enabled
2. Add domain d1, domainadmin d1domain, acct d1domainA
   Add domain d2, user d2user, acct d2userA
3. Log in as d1domain and try to add a guest network via the API
   No provision in the UI for d1domain to add a guest network
4. Log in as d2user and try to add a guest network via the API
   No provision in the UI for d2user to add a guest network

3. The domain admin cannot add a guest network, even via the API.
   No provision in the UI for d1domain to add a guest network
4. The user cannot add a guest network, even via the API.
   No provision in the UI for d2user to add a guest network

P0

Functional

Y

43

Admin allowed to add an SG enabled shared network with a VLAN ID that is already associated with another SG enabled shared network.

1. As admin, create an SG enabled shared network with a VLAN ID, say 123
2. As admin, try to create another SG enabled shared network with the same VLAN ID, say 123

User should be allowed to create this network.

P1

Functional

Y

44

Admin not allowed to add an SG enabled shared network without specifying a VLAN ID, guest gateway, guest netmask, guest start IP and guest end IP

1. As admin, create an SG enabled shared network without specifying VLAN ID, guest gateway, guest netmask, guest start IP and guest end IP

User should not be allowed to create this network. They should be forced to add all the required values. The following error message is presented to the user: "StartIp/endIp/gateway/netmask are required when create network of type Shared and network of type Isolated with service SourceNat disabled"

P1

Functional

Y

45

Admin allowed to add an SG enabled shared network with a VLAN ID that is already associated with the zone VLAN

1. As admin, create a shared network by providing a VLAN that is part of the zone VLAN.

User should be allowed to create this network.

P1

Functional

Y

VM Operations

46

DeployVM on ADV zone SG enabled shared network with more than 1 physical network.

1. ADV zone SG enabled
2. While setting up, create more than 1 physical network with different traffic labels (e.g. PhysicalNetwork1 -> label NIC1, PhysicalNetwork2 -> label NIC0)
3. Deploy VMs in PhysicalNetwork0 (NIC0)

1. Make sure that the shared GuestNetwork is present on PhysicalNetwork0 (NIC0)
2. VM deployment should be successful without any issues and communication should work.

P3

Functional

Y

47

Update the Traffic label and deploy the VM

Setup:
1. ADV zone with SG enabled
2. While setting up, create more than 1 physical network with different traffic labels (e.g. PhysicalNetwork1 -> label NIC1, PhysicalNetwork2 -> label NIC0)
Steps:
3. Deploy VMs in PhysicalNetwork1 (NIC1)
4. Update the labels (e.g. PhysicalNetwork1 -> label NIC0, PhysicalNetwork2 -> label NIC1)
5. Deploy a VM in PhysicalNetwork1 (NIC0)

4. Make sure that the shared GuestNetwork is present on PhysicalNetwork0 (NIC0)
5. VM deployment should be successful without any issues and communication should work.

P3

Functional

Y

48

ADV zone SG enabled, multiple zone wide shared networks: only users in any account of any domain in that zone are allowed to deploy VMs to that shared network

1. Create ADV zone 1 SG enabled and ADV zone 2 SG enabled
2. In zone 1, add domain d1, domainadmin d1domain, account d1domainA; domain d2, user d2user, acct d2userA.
   In zone 2, add domain d3, domainadmin d3domain, account d3domainA; domain d4, user d4user, acct d4userA
3. Create zone wide shared nw1 and nw2 for zone 1, and zone wide shared nw3 and nw4 for zone 2
4. Log in as d1domain, deploy VMs to nw1, nw2, nw3, nw4 with guest OS CentOS 5.6
5. Log in as d2user, deploy VMs to nw1, nw2, nw3, nw4 with guest OS CentOS 5.6
6. Log in as d3domain, deploy VMs to nw1, nw2, nw3, nw4 with guest OS CentOS 5.6
7. Log in as d4user, deploy VMs to nw1, nw2, nw3, nw4 with guest OS Windows 2008R2
8. Log in as admin, deploy VMs to nw1, nw2, nw3, nw4 with guest OS Windows 2008R2

3. Zone wide shared networks nw1 nw2 created
4, 5. Any user in zone 1 is able to add VMs to any network (nw1, nw2) of any account of any domain in zone 1, but not to networks nw3 and nw4 of zone 2
6, 7. Any user in zone 2 is able to add VMs to any network (nw3, nw4) of any account of any domain in zone 2, but not to networks nw1 and nw2 of zone 1
8. Admin is allowed to add VMs to any network in any zone

P1

Functional

Y

49

ADV zone SG enabled, multiple account specific networks: only users in that account are allowed to deploy VMs to that network

1. Create an ADV zone SG enabled
2. Add domain d1, domainadmin d1domain, account d1domainA
   domain d1, user d1user, account d1userA
   domain d2, user d2user, account d2userA
3. Create shared nw1, scope account, account d1domainA.
   Create shared nw2, scope account, account d1userA.
   Create shared nw3, scope account, account d2userA.
4. Log in as d1domain, deploy a VM to nw1, nw2, nw3 with guest OS CentOS 6.2
5. Log in as d1user, deploy a VM to nw1, nw2, nw3 with guest OS CentOS 6.2
6. Log in as d2user, deploy a VM to nw1, nw2, nw3 with guest OS CentOS 6.2
7. Log in as admin, deploy VMs to nw1, nw2, nw3 with guest OS CentOS 6.2

3. Account specific shared networks nw1, nw2, nw3 added
4. d1domain is able to add a VM to nw1 only
5. d1user is able to add a VM to nw2 only
6. d2user is able to add a VM to nw3 only
7. Admin is unable to add a VM to any network

P1

Functional

Y

50

ADV zone SG enabled, multiple domain wide shared networks: only users in accounts of that domain are allowed to deploy VMs to that shared network

1. Create an ADV zone SG enabled
2. Add domain d1, domainadmin d1domain, account d1domainA
   domain d1, user d1user, account d1userA
   domain d2, user d2user, account d2userA
3. Create shared nw1, domain wide, domain d1
   Create shared nw2, domain wide, domain d1
   Create shared nw3, domain wide, domain d2
4. Log in as d1domain, deploy a VM to nw1, nw2, nw3 with guest OS CentOS 5.3
5. Log in as d1user, deploy a VM to nw1, nw2, nw3 with guest OS CentOS 5.3
6. Log in as d2user, deploy a VM to nw1, nw2, nw3 with guest OS CentOS 5.3
7. Log in as admin, deploy VMs to nw1, nw2, nw3 with guest OS CentOS 5.3

3. Domain wide shared networks nw1, nw2, nw3 added
4. d1domain is able to add a VM to nw1 and nw2 only
5. d1user is able to add a VM to nw1 and nw2 only
6. d2user is able to add a VM to nw3 only
7. Admin is unable to add a VM to any network

P1

Functional

Y

51

In an Advanced zone with SG enabled, delete an account which has shared networks with scope account

1. Create an Advanced zone with SG enabled
2. Add domain d1, user d1domain, acct d1domainA, role domainadmin; domain d2, user d2user, acct d2userA, role user
3. Create 3 guest networks with scope account for account d1domainA, with network offering shared
4. Create 3 guest networks with scope account for account d2userA, with network offering shared
5. Log in as d1domain and create VMs. Log out. Log in as admin and delete account d1domainA

3. 3 guest networks for account d1domainA added
4. 3 guest networks for account d2userA added
5. Account d1domainA, all its VMs and its shared networks are deleted

P1

Functional

Y

52

deploy VM when all the IPs are consumed in 1 zone wide network

deploy VM when all the IPs are consumed in 1 zone wide network

Deploying a VM when all the IPs are consumed in 1 zone wide network fails

P1

Functional

Y

53

deploy VM when all the IPs are consumed in 1 domain wide network

deploy VM when all the IPs are consumed in 1 domain wide network

Deploying a VM when all the IPs are consumed in 1 domain wide network fails

P1

Functional

Y

54

Deploy a VM when all the IPs are consumed in 1 account specific network

Deploy a VM when all the IPs are consumed in 1 account specific network

Deploying a VM when all the IPs are consumed in 1 account specific network fails

P1

Functional

Y

55

deployVM with more than 1 SG enabled zone wide network list

deployVM with more than 1 SG enabled zone wide network list

error 431 Only support one zone wide network per VM if security group enabled

P1

Functional

Y

56

deploy Multiple VMs using different SG enabled network but using the same security group

deploy Multiple VMs using different SG enabled network but using the same security group

 

P2

Functional

Y

57

Destroy a VM when all the IPs in the zone wide network are consumed, and deploy a VM

Destroy a VM when all the IPs in the zone wide network are consumed, and deploy a VM

Destroying a VM when all the IPs in the zone wide network are consumed and then deploying a VM should succeed

P1

Functional

Y

58

DeployVM with default SG

Setup:
1. Create an SG enabled Advanced zone
Steps:
1. deployVM by passing the default SG

VM deployment should be successful

P1

Functional

Y

58

DeployVM with default SG & shared network

Setup:
1. Create an SG enabled Advanced zone
2. Create a custom network offering with SG
Steps:
3. Create a shared GuestNetwork
4. deployVM by passing the default SG ID and the shared network ID.

VM deployment should be successful

P1

Functional

Y

59

DeployVM with CustomSG with shared network

Setup:
1. Create an SG enabled Advanced zone
2. Create a custom network offering with SG

Steps:
3. Create a shared GuestNetwork
4. deployVM by passing the custom SG ID and the shared network ID.

VM deployment should be successful

P2

Functional

Y

60

Deploy a VM with more than 1 NIC connected to SG through the API/UI

Setup:
1. Create an SG enabled Advanced zone
2. Create a custom network offering with SG
Steps:
3. Create a shared GuestNetwork
4. deployVM by passing the first SG enabled Advanced zone ID

It should fail and show an error message like "errortext":"Only support one network per VM if security group enabled"

P2

Functional

Y

61

Deploy a VM with more than 1 NIC with shared through the API/UI

 

VM deployment should be successful

P2

Functional

Y

62

Stop & start the VMs

Setup:
Advanced zone set up with SG enabled.

1. Create an account.
2. Using this account, deploy a few VMs in the "Zone wide shared SG enabled" network.
3. Add a TCP ingress rule for a port range (22-80) for any IP address (cidr2).
4. Deploy VMs in this network
5. Access the VM using the guest IP
6. Stop and start the VM
7. Access the VM using the guest IP

VM should be up and running, and all the existing rules should be programmed correctly

P1

Functional

Y

63

Reboot the VMs

Setup:
Advanced zone set up with SG enabled.

1. Create an account.
2. Using this account, deploy a few VMs in the "Zone wide shared SG enabled" network.
3. Add a TCP ingress rule for a port range (22-80) for any IP address (cidr2).
4. Deploy VMs in this network
5. Access the VM using the guest IP
6. Reboot the VM
7. Access the VM using the guest IP

VM should be up and running, and all the existing rules should be programmed correctly

P1

Functional

Y

64

Destroy and restore VM

Setup:
Advanced zone set up with SG enabled.

1. Create an account.
2. Using this account, deploy a few VMs in the "Zone wide shared SG enabled" network.
3. Add a TCP ingress rule for a port range (22-80) for any IP address (cidr2).
4. Deploy VMs in this network
5. Access the VM using the guest IP
6. Destroy and restore the VM
7. Access the VM using the guest IP

VM should be up and running, and all the existing rules should be programmed correctly

P1

Functional

Y

65

Destroy and Expunge VM

Setup:
Advanced zone set up with SG enabled.
Steps:
1. Create an account.
2. Using this account, deploy a few VMs in the "Zone wide shared SG enabled" network.
3. Add a TCP ingress rule for a port range (22-80) for any IP address (cidr2).
4. Deploy VMs in this network
5. Access the VM using the guest IP
6. Destroy and expunge the VM
7. Access the VM using the guest IP

All the rules belonging to the expunged VM should be removed/freed

P1

Functional

Y

66

Upgrade the default SG enabled network offering

Setup:
Advanced zone set up with SG enabled.
Steps:
Create more than one additional network with SG capability

It should fail with a proper error message

P1

Functional

Y

67

migrateVM for a VM that has a NIC connected to an SG enabled network

Setup:
Advanced zone set up with SG enabled.
Make sure the KVM cluster has 2 hosts
Steps:
1. Deploy a few VMs in the "Zone wide shared SG enabled" network
2. Create an account and deploy a few VMs using the shared guest network.
3. Migrate a VM from one host to another

VM migrations should be successful. If migration is not supported, the message should be clear.

P1

Functional

Y

68

Migrate VM of account specific network from 1 host to another & verify SG rule re-programming

Migrate VM of account specific network from 1 host to another & verify SG rule re-programming

Migrating a VM of account specific networks is successful

P1

Functional

Y

69

Migrate VM of domain wide network from 1 host to another & verify SG rule re-programming

Migrate VM of domain wide network from 1 host to another & verify SG rule re-programming

Migrating a VM of domain wide networks is successful

P1

Functional

Y

70

Migrate VM of zone wide network from 1 host to another & verify SG rule re-programming

Migrate VM of zone wide network from 1 host to another & verify SG rule re-programming

Migrating a VM of zone wide networks is successful

P1

Functional

Y

71

Check creation of the default SG enabled network without a VLAN

Check creation of the default SG enabled network without a VLAN

Creation should fail with a proper error message

P1

Functional

Y

72

Delete the default security group

Setup:
Advanced zone set up with SG enabled
Step:
1. Delete the default SG

Deleting the SG should be successful if no VMs are associated with the default SG

P1

Functional

Y

73

Check that system VMs have a NIC in the shared SG network

Create an Advanced zone with SG enabled
Enable the zone and check the system VMs

System VMs should be up and running
Check the NICs created in the shared SG networks

P1

Functional

Y

74

Verify the Network service providers

Check the Network service providers

It should only show VR as supported provider

P1

Functional

Y

Shared networks operation

75

ADV zone SG enabled, restart multiple account specific networks, restart VR

Restart multiple account specific networks

Restarting the account specific shared networks is successful

P1

Functional

Y

76

ADV zone SG enabled, restart multiple domain wide networks, restart VR

Restart multiple domain wide networks

Restarting the domain wide shared networks is successful

P1

Functional

Y

77

ADV zone SG enabled, restart multiple zone wide networks, restart VR

Restart multiple zone wide networks

Restarting the zone wide shared networks is successful

P1

Functional

Y

78

Verify Security Group rules programming of VMs of account specific networks when the host is put in maintenance. Verify after host restart.

verify Security Group rules programming of VMs of account specific networks when the host is put in maintenance

 

P1

Sanity

Y

79

Verify Security Group rules programming of VMs of zone wide networks when the host is put in maintenance. Verify after host restart.

verify Security Group rules programming of VMs of zone wide networks when the host is put in maintenance

 

P1

Sanity

Y

80

Verify Security Group rules programming of VMs of domain wide networks when the host is put in maintenance. Verify after host restart.

Verify Security Group rules programming of VMs of domain wide networks when the host is put in maintenance

 

P1

Sanity

Y

Basic sanity on security groups

81

Deploy a VM without passing any Security Groups

1. To the default security group, add a TCP ingress rule for a port range (22-80) for any IP address (cidr1).
2. Create a Security Group SG1.
3. Add a TCP ingress rule for a port range (22-80) for any IP address (cidr2).
4. Deploy a VM without passing any Security Groups.

1. VM should be deployed as part of the default security group.
2. We should be able to access this VM from cidr1.
3. From this VM, we should be able to access anyone. All egress traffic will be allowed.

P1

Sanity

Y

82

Deploy a VM by passing a Security Group.

1. To the default security group, add a TCP ingress rule for a port range (22-80) for any IP address (cidr1).
2. Create a Security Group SG1.
3. Add a TCP ingress rule for a port range (22-80) for any IP address (cidr2).
4. Deploy a VM by passing Security Group SG1.

1. VM should be deployed as part of SG1 only, not the default security group.
2. We should not be able to access this VM from cidr1.
3. We should be able to access this VM from cidr2.

P1

Sanity

Y

83

Deploy a VM by passing a list of Security Groups.

1. Create a Security Group SG1.
2. Add a TCP ingress rule for a port range (22-80) for any IP address (cidr1).
3. Create a Security Group SG2.
4. Add a TCP ingress rule for a port range (22-80) for any IP address (cidr2).
5. Create a Security Group SG3.
6. Add a TCP ingress rule for a port range (22-80) for any IP address (cidr3).
7. Deploy a VM using all the 3 security groups.

1. VM should be deployed as part of all 3 SG rules.
2. VM should be accessible from cidr1, cidr2 and cidr3.

P1

Sanity

Y

CIDR based ingress rules

84

Deploy a VM in a Security Group which has an ingress rule that allows TCP protocols for a port range for a CIDR.

1. Create a Security Group SG1.
2. Add a TCP ingress rule for a port range (22-80) for any IP address (cidr1).
3. Deploy a VM as part of SG1.

1. VM deployment should succeed.
2. We should be able to access this VM from cidr1 using all ports from 22 to 80.
3. We should NOT be able to access this VM from any other IP address.

P1

Sanity

Y

85

Deploy a VM in a Security Group which has an ingress rule that allows ICMP protocols for -1 type and -1 code for a CIDR.

1. Create a Security Group SG1.
2. Add an ICMP ingress rule for -1 type and -1 code for any IP address (cidr1).
3. Deploy a VM as part of SG1.

1. VM deployment should succeed.
2. Make sure that in iptables the correct type and code for ICMP is programmed.

P1

Sanity

Y

86

Deploy a few VMs in a Security Group which has an ingress rule that allows TCP protocols for cidr1.
Add an ingress rule to allow TCP protocols for cidr2.

1. Create a Security Group SG1.
2. Add a TCP ingress rule for a port range (22-80) for any IP address (cidr1).
3. Deploy a VM as part of SG1.
4. Add an ingress rule to allow TCP protocols for cidr2.

Before Step 4:
We should be able to access the VM from cidr1.
We should not be able to access the VM from cidr2.
After Step 4:
We should be able to access the VM from cidr1.
We should be able to access the VM from cidr2.

P1

Sanity

Y

87

Deploy a few VMs in a Security group which has an ingress rule that allows TCP protocols for cidr1.
Add an ingress rule to allow ICMP protocols for cidr1 and cidr2.

1. Create a Security Group SG1.
2. Add a TCP ingress rule for a port range (22-80) for any IP address (cidr1).
3. Deploy a VM as part of SG1.
4. Add an ingress rule to allow ICMP protocols for cidr1 and cidr2.

Before Step4:
We should be able to access the VM from cidr1.
We should not be able to ping the VM from cidr1 and cidr2.
After Step4:
We should be able to access the VM from cidr1.
We should be able to ping the VM from cidr1 and cidr2.

P1

Sanity

Y

88

Deploy a few VMs in a Security group which has an ingress rule that allows TCP protocols for cidr1 and cidr2.
Delete the existing ingress rule for cidr1.

1. Create a Security Group SG1.
2. Add a TCP ingress rule for IP addresses cidr1 and cidr2.
3. Deploy a VM as part of SG1.
4. Delete the existing TCP ingress rule for cidr1.

Before Step4:
We should be able to access the VM from cidr1 and cidr2.
After Step4:
We should NOT be able to access the VM from cidr1.
We should be able to access the VM from cidr2.

P1

Sanity

Y

89

Deploy a few VMs in a Security group which has an ingress rule that allows ICMP protocols for cidr1 and cidr2.
Delete the existing ingress rule for cidr1.

1. Create a Security Group SG1.
2. Add an ICMP ingress rule for IP addresses cidr1 and cidr2.
3. Deploy a VM as part of SG1.
4. Delete the existing ICMP ingress rule for cidr1.

Before Step4:
We should be able to ping the VM from cidr1 and cidr2.
After Step4:
We should NOT be able to ping the VM from cidr1.
We should be able to access the VM from cidr2.

P1

Sanity

Y

90

Deploy a VM by passing a list of Security Groups, each of which has an ingress rule that allows TCP for a cidr.
Add an ingress rule to each Security Group to allow ICMP for the cidr.
Delete the existing TCP ingress rule from 1 security group.
Delete the existing ICMP ingress rule from 1 security group.

1. Create SG1. Add a TCP ingress rule for port range (22-80) for any IP address (cidr1).
2. Create SG2. Add a TCP ingress rule for port range (22-80) for any IP address (cidr2).
3. Create SG3. Add a TCP ingress rule for port range (22-80) for any IP address (cidr3).
4. Deploy a VM using all 3 SGs.
5. Add an ICMP ingress rule for each cidr to SG1, SG2 and SG3.
6. Delete the TCP ingress rule for cidr3 in SG3.
7. Delete the ICMP ingress rule for cidr2 in SG2.

4. VM should be deployed as part of all 3 SG rules and be accessible from cidr1, cidr2 and cidr3.
5. Able to ping the VM from cidr1, cidr2 and cidr3.
6. Unable to access the VM from cidr3.
7. Unable to ping the VM from cidr2.

P1

Sanity

Y

91

Add Ingress rules when the VM is in stopped state.

1. Create a Security Group SG1.
2. Add a TCP ingress rule for IP addresses cidr1 and cidr2.
3. Deploy a VM as part of SG1.
4. Stop this VM.
5. Add a TCP ingress rule for IP addresses cidr3 in SG1.
6. Start this VM.

As part of starting the VM, we should see the iptables rules being reprogrammed.
We should be able to access the VM from cidr1, cidr2 and cidr3.

P1

Sanity

Y

92

Delete an ingress rule when the VM is in stopped state.

1. Create a Security Group SG1.
2. Add a TCP ingress rule for IP addresses cidr1 and cidr2.
3. Deploy a VM as part of SG1.
4. Stop this VM.
5. Delete the existing TCP ingress rule for IP addresses cidr1 in SG1.
6. Start this VM.

Before Step4:
We should be able to access the VM from cidr1, cidr2.
We should NOT be able to access the VM from cidr3.

After Step4:
As part of starting the VM, we should see the iptables rules being reprogrammed.
We should be able to access the VM from cidr1, cidr2 and cidr3.

P1

Sanity

Y

 

Account based ingress rules

93

Deploy a VM in a Security group which has an ingress rule that allows TCP protocols for a port range for another Security Group, SG2.

1. Deploy a few VMs in Security Group SG2.
2. Create a Security Group SG1 that has a TCP ingress rule that allows port 22-80 for SG2.
3. Deploy a VM in SG1.

VM should get deployed successfully.
From all the VMs in SG2, we should be able to access this VM on port 22 - port 80 using TCP protocol.

P1

Sanity

Y

94

VMs should be accessible by their VM name from any other VM.

1. Deploy a few VMs in Security Group SG2.
2. Create a Security Group SG1 that has a TCP ingress rule that allows port 22-80 for SG2.
3. Deploy a VM with a display name in SG1.

VM should get deployed successfully.
From all the VMs in SG2, we should be able to access this VM using the display name on port 22 - port 80 using TCP protocol.

P1

Sanity

Y

95

Deploy a VM in a Security group which has an ingress rule that allows ICMP protocols for a port range for another Security Group, SG2.

1. Deploy a few VMs in Security Group SG2.
2. Create a Security Group SG1 that has an ICMP ingress rule that allows port 22-80 for SG2.
3. Deploy a VM in SG1.

VM should get deployed successfully.
From all the VMs in SG2, we should be able to PING this VM.

P1

Sanity

Y

96

Deploy a VM in a SG that is allowed Ingress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in Security Group SG2.
2. Create a Security Group SG1 that has a TCP ingress rule that allows port 22-80 for SG2.
3. Deploy a few VMs in SG1.
Steps:
1. Deploy a VM in SG2.

This should result in the new VM's IP address being added to the ingress chain of all the VMs that are part of SG1.

From the new VM, we should be able to access all the VMs in SG1.

P1

Sanity

Y

97

Deploy a VM in multiple SGs, each of which is allowed ingress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in SG2.
2. Create SG1 with TCP ingress rules that allow port 22-80 for SG2. Deploy a few VMs in SG1.
3. Deploy a few VMs in SG4.
4. Create SG3 with TCP ingress rules that allow port 22-80 for SG4. Deploy a few VMs in SG3.
5. Deploy a few VMs in SG6.
6. Create SG5 with TCP ingress rules that allow port 22-80 for SG6. Deploy a few VMs in SG5.
Steps:
8. Deploy a VM with SG2, SG4 and SG6.

This should result in the new VM's IP address being added to the ingress chain of all the VMs that are part of SG1, SG3 and SG5.

From the new VM, we should be able to access all VMs in SG1, SG3 and SG5.

P1

Sanity

Y

98

Stop a VM that is in a SG that is allowed ingress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in Security Group SG2.
2. Create a Security Group SG1 that has a TCP ingress rule that allows port 22-80 for SG2.
3. Deploy a few VMs in SG1.
Steps:
1. Stop one of the VMs in SG2.

This should result in the stopped VM's IP address being removed from the ingress chain of all the VMs that are part of SG1.

P1

Sanity

Y

99

Stop and Start a VM that is in a SG that is allowed ingress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in Security Group SG2.
2. Create a Security Group SG1 that has a TCP ingress rule that allows port 22-80 for SG2.
3. Deploy a few VMs in SG1.
Steps:
1. Stop one of the VMs in SG2.
2. Start this VM.

After Step1:
This should result in the stopped VM's IP address being removed from the ingress chain of all the VMs that are part of SG1.
After Step2:
This should result in this VM's IP address being added to the ingress chain of all the VMs that are part of SG1.
From this VM, we should be able to access all the VMs in SG1.

P1

Sanity

Y

100

Destroy a VM that is in a SG that is allowed Ingress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in Security Group SG2.
2. Create a Security Group SG1 that has a TCP ingress rule that allows port 22-80 for SG2.
3. Deploy a few VMs in SG1.
Steps:
1. Destroy one of the VMs in SG2.

This should result in the destroyed VM's IP address being removed from the ingress chain of all the VMs that are part of SG1.

P1

Sanity

Y

101

Destroy a VM in a SG that is allowed ingress access to multiple SGs.

Pre-Req:
1. Deploy a few VMs in Security Group SG2.
2. Create SG1 with TCP ingress rules that allow port 22-80 for SG2.
3. Create SG3 with TCP ingress rules that allow port 22-80 for SG2.
4. Create SG4 with TCP ingress rules that allow port 22-80 for SG2.
5. Deploy a few VMs in SG1, SG3 and SG4.
Steps:
1. Destroy one of the VMs in SG2.

This should result in the destroyed VM's IP address being removed from the ingress chain of all the VMs that are part of SG1, SG3 and SG4.

P1

Sanity

Y

102

Restore a destroyed VM that is in a SG that is allowed Ingress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in Security Group SG2.
2. Create a Security Group SG1 that has a TCP ingress rule that allows port 22-80 for SG2.
3. Deploy a few VMs in SG1.
Steps:
1. Destroy one of the VMs in SG2.
2. Restore this VM.

After Step1:
This should result in the destroyed VM's IP address being removed from the ingress chain of all the VMs that are part of SG1.
After Step2:
This should result in this VM's IP address being added to the ingress chain of all the VMs that are part of SG1.
From this VM, we should be able to access all the VMs in SG1.

P1

Sanity

Y

103

Reboot a VM that is in a SG that is allowed Ingress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in Security Group SG2.
2. Create a Security Group SG1 that has a TCP ingress rule that allows port 22-80 for SG2.
3. Deploy a few VMs in SG1.
Steps:
1. Reboot one of the VMs in SG2.

After Reboot is successful:
From this VM, we should still be able to access all the VMs in SG1.

P1

Sanity

Y

 

CIDR based Ingress rules

104

Deploy a VM in a Security group which has NO egress rules.

1. Create a Security Group SG1.
2. Have no egress rules.
3. Deploy a VM as part of SG1.

1. VM deployment should succeed.
2. From this VM, we should be able to access any IP address. No egress traffic should be blocked.

P1

Sanity

Y

105

Deploy a VM in a Security group which has an egress rule that allows TCP protocols for a port range for a cidr.

1. Create a Security Group SG1.
2. Add a TCP egress rule for a port range (22-80) for any IP address (cidr1).
3. Deploy a VM as part of SG1.

1. VM deployment should succeed.
2. From this VM, we should be able to access cidr1 using all ports from 22-80.
3. From this VM, we should NOT be able to access any other IP address.

P1

Sanity

Y

106

Deploy a VM in a Security group which has an egress rule that allows ICMP protocols for 1 type and 1 code for a cidr.

1. Create a Security Group SG1.
2. Add an ICMP egress rule for any 1 type and 1 code for any IP address (cidr1).
3. Deploy a VM as part of SG1.

1. VM deployment should succeed.
2. Make sure that in iptables the correct type and code for ICMP is programmed.

P1

Sanity

Y

107

Deploy a few VMs in a Security group which has an egress rule that allows TCP protocols for cidr1.
Add an egress rule to allow TCP protocols for cidr2.

1. Create a Security Group SG1.
2. Add a TCP egress rule for a port range (22-80) for any IP address (cidr1).
3. Deploy a VM as part of SG1.
4. Add an egress rule to allow TCP protocols for cidr2.

Before Step4:
From this VM, we should be able to access cidr1.
From this VM, we should NOT be able to access cidr2.
After Step4:
From this VM, we should be able to access cidr1.
From this VM, we should be able to access cidr2.

P1

Sanity

Y

108

Deploy a few VMs in a Security group which has an egress rule that allows TCP protocols for cidr1.
Add an egress rule to allow ICMP protocols for cidr1 and cidr2.

1. Create a Security Group SG1.
2. Add a TCP egress rule for a port range (22-80) for any IP address (cidr1).
3. Deploy a VM as part of SG1.
4. Add an egress rule to allow ICMP protocols for cidr1 and cidr2.

Before Step4:
From this VM, we should be able to access cidr1.
From this VM, we should NOT be allowed to PING cidr1 and cidr2.
After Step4:
From this VM, we should be able to access cidr1.
From this VM, we should be allowed to PING cidr1 and cidr2.

P1

Sanity

Y

109

Deploy a few VMs in a Security group which has an egress rule that allows TCP protocols for cidr1 and cidr2.
Delete the existing egress rule for cidr1.

1. Create a Security Group SG1.
2. Add a TCP egress rule for IP addresses cidr1 and cidr2.
3. Deploy a VM as part of SG1.
4. Delete the existing TCP egress rule for cidr1.

 

P1

Sanity

Y

106

Deploy a VM by passing a list of Security Groups, each of which has an egress rule that allows TCP for a cidr.
Add an egress rule to each Security Group to allow ICMP for the cidr.
Delete the existing TCP egress rule from 1 security group.
Delete the existing ICMP egress rule from 1 security group.

1. Create SG1. Add a TCP egress rule for port range (22-80) for any IP address (cidr1).
2. Create SG2. Add a TCP egress rule for port range (22-80) for any IP address (cidr2).
3. Create SG3. Add a TCP egress rule for port range (22-80) for any IP address (cidr3).
4. Deploy a VM using all 3 SGs.
5. Add an ICMP egress rule for each cidr to SG1, SG2 and SG3.
6. Delete the TCP egress rule for cidr3 in SG3.
7. Delete the ICMP egress rule for cidr2 in SG2.

4. VM should be deployed as part of all 3 SG rules. From this VM, able to access cidr1, cidr2 and cidr3.
5. From this VM, able to access cidr1, cidr2 and cidr3.
6. From this VM, unable to access cidr3.
7. From this VM, unable to ping a VM in cidr2.

P1

Sanity

Y

111

Deploy a few VMs in a Security group which has an egress rule that allows ICMP protocols for cidr1 and cidr2.
Delete the existing egress rule for cidr1.

1. Create a Security Group SG1.
2. Add an ICMP egress rule for IP addresses cidr1 and cidr2.
3. Deploy a VM as part of SG1.
4. Delete the existing ICMP egress rule for cidr1.

Before Step4:
From this VM, we should be able to ping cidr1 and cidr2.
After Step4:
From this VM, we should be able to ping cidr2. But we should not be able to ping cidr2.

P1

Sanity

Y

112

Add egress rules when the VM is in stopped state.

1. Create a Security Group SG1.
2. Add a TCP egress rule for IP addresses cidr1 and cidr2.
3. Deploy a VM as part of SG1.
4. Stop this VM.
5. Add a TCP egress rule for IP addresses cidr3 in SG1.
6. Start this VM.

As part of starting the VM, we should see the iptables rules being reprogrammed.
We should be able to access the VM from cidr1, cidr2 and cidr3.

P1

Sanity

Y

113

Delete an egress rule when the VM is in stopped state.

1. Create a Security Group SG1.
2. Add a TCP egress rule for IP addresses cidr1 and cidr2.
3. Deploy a VM as part of SG1.
4. Stop this VM.
5. Delete the existing TCP egress rule for IP addresses cidr1 in SG1.
6. Start this VM.

Before Step4:
From this VM, we should be able to access cidr1 and cidr2.
From this VM, we should NOT be able to access cidr3.
After Step4:
From this VM, we should be able to access cidr1, cidr2 and cidr3.

P1

Sanity

Y

 

CIDR based egress rules

114

Deploy a VM in a Security group which has NO egress rules.

1. Create a Security Group SG1.
2. Have no egress rules.
3. Deploy a VM as part of SG1.

1. VM deployment should succeed.
2. From this VM, we should be able to access any IP address. No egress traffic should be blocked.

P1

Sanity

Y

115

Deploy a VM in a Security group which has an egress rule that allows TCP protocols for a port range for a cidr.

1. Create a Security Group SG1.
2. Add a TCP egress rule for a port range (22-80) for any IP address (cidr1).
3. Deploy a VM as part of SG1.

1. VM deployment should succeed.
2. From this VM, we should be able to access cidr1 using all ports from 22-80.
3. From this VM, we should NOT be able to access any other IP address.

P1

Sanity

Y

116

Deploy a VM in a Security group which has an egress rule that allows ICMP protocols for 1 type and 1 code for a cidr.

1. Create a Security Group SG1.
2. Add an ICMP egress rule for any 1 type and 1 code for any IP address (cidr1).
3. Deploy a VM as part of SG1.

1. VM deployment should succeed.
2. Make sure that in iptables the correct type and code for ICMP is programmed.

P1

Sanity

Y

117

Deploy a few VMs in a Security group which has an egress rule that allows TCP protocols for cidr1.
Add an egress rule to allow TCP protocols for cidr2.

1. Create a Security Group SG1.
2. Add a TCP egress rule for a port range (22-80) for any IP address (cidr1).
3. Deploy a VM as part of SG1.
4. Add an egress rule to allow TCP protocols for cidr2.

Before Step4:
From this VM, we should be able to access cidr1.
From this VM, we should NOT be able to access cidr2.
After Step4:
From this VM, we should be able to access cidr1.
From this VM, we should be able to access cidr2.

P1

Sanity

Y

118

Deploy a few VMs in a Security group which has an egress rule that allows TCP protocols for cidr1.
Add an egress rule to allow ICMP protocols for cidr1 and cidr2.

1. Create a Security Group SG1.
2. Add a TCP egress rule for a port range (22-80) for any IP address (cidr1).
3. Deploy a VM as part of SG1.
4. Add an egress rule to allow ICMP protocols for cidr1 and cidr2.

Before Step4:
From this VM, we should be able to access cidr1.
From this VM, we should NOT be allowed to PING cidr1 and cidr2.
After Step4:
From this VM, we should be able to access cidr1.
From this VM, we should be allowed to PING cidr1 and cidr2.

P1

Sanity

Y

119

Deploy a few VMs in a Security group which has an egress rule that allows TCP protocols for cidr1 and cidr2.
Delete the existing egress rule for cidr1.

1. Create a Security Group SG1.
2. Add a TCP egress rule for IP addresses cidr1 and cidr2.
3. Deploy a VM as part of SG1.
4. Delete the existing TCP egress rule for cidr1.

 

P1

Sanity

Y

120

Deploy a VM by passing a list of Security Groups, each of which has an egress rule that allows TCP for a cidr.
Add an egress rule to each Security Group to allow ICMP for the cidr.
Delete the existing TCP egress rule from 1 security group.
Delete the existing ICMP egress rule from 1 security group.

1. Create SG1. Add a TCP egress rule for port range (22-80) for any IP address (cidr1).
2. Create SG2. Add a TCP egress rule for port range (22-80) for any IP address (cidr2).
3. Create SG3. Add a TCP egress rule for port range (22-80) for any IP address (cidr3).
4. Deploy a VM using all 3 SGs.
5. Add an ICMP egress rule for each cidr to SG1, SG2 and SG3.
6. Delete the TCP egress rule for cidr3 in SG3.
7. Delete the ICMP egress rule for cidr2 in SG2.

4. VM should be deployed as part of all 3 SG rules. From this VM, able to access cidr1, cidr2 and cidr3.
5. From this VM, able to access cidr1, cidr2 and cidr3.
6. From this VM, unable to access cidr3.
7. From this VM, unable to ping a VM in cidr2.

P1

Sanity

Y

121

Deploy a few VMs in a Security group which has an egress rule that allows ICMP protocols for cidr1 and cidr2.
Delete the existing egress rule for cidr1.

1. Create a Security Group SG1.
2. Add an ICMP egress rule for IP addresses cidr1 and cidr2.
3. Deploy a VM as part of SG1.
4. Delete the existing ICMP egress rule for cidr1.

Before Step4:
From this VM, we should be able to ping cidr1 and cidr2.
After Step4:
From this VM, we should be able to ping cidr1. But we should not be able to ping cidr2.

P1

Sanity

Y

122

Add egress rules when the VM is in stopped state.

1. Create a Security Group SG1.
2. Add a TCP egress rule for IP addresses cidr1 and cidr2.
3. Deploy a VM as part of SG1.
4. Stop this VM.
5. Add a TCP egress rule for IP addresses cidr3 in SG1.
6. Start this VM.

As part of starting the VM, we should see the iptables rules being reprogrammed.
We should be able to access the VM from cidr1, cidr2 and cidr3.

P1

Sanity

Y

123

Delete an egress rule when the VM is in stopped state.

1. Create a Security Group SG1.
2. Add a TCP egress rule for IP addresses cidr1 and cidr2.
3. Deploy a VM as part of SG1.
4. Stop this VM.
5. Delete the existing TCP egress rule for IP addresses cidr1 in SG1.
6. Start this VM.

Before Step4:
From this VM, we should be able to access cidr1 and cidr2.
From this VM, we should NOT be able to access cidr3.
After Step4:
From this VM, we should be able to access cidr1, cidr2 and cidr3.

P1

Sanity

Y

 

Account based egress rules

124

Deploy a VM in a Security group which has an egress rule that allows TCP protocols for a port range for another Security Group, SG2.

1. Deploy a few VMs in Security Group SG2 that has a TCP ingress rule that allows port 22-80 for SG1.
2. Create a Security Group SG1 that has a TCP egress rule that allows port 22-80 for SG2.
3. Deploy a VM in SG2.

VM should get deployed successfully.
From VMs in SG1, we should be able to access all the VMs in SG2.
From VMs in SG1, we should not be able to access any other VMs (VMs that are part of other SGs and VMs that are part of the same group).

P1

Sanity

Y

125

Deploy a VM in a Security group which has an egress rule that allows ICMP protocols for another Security Group - SG2.

1. Deploy a few VMs in Security Group SG2 that has an ICMP ingress rule that allows SG2.
2. Create a Security Group SG1 that has an ICMP egress rule that allows port 22-80 for SG2.
3. Deploy a VM in SG2.

VM should get deployed successfully.
From all the VMs in SG1, we should be able to PING all the VMs in SG2.

P1

Sanity

Y

126

Deploy a VM in a SG that is allowed egress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in Security Group SG2 that has a TCP ingress rule that allows SG2.
2. Create a Security Group SG1 that has a TCP egress rule that allows port 22-80 for SG2.
3. Deploy a few VMs in SG1.
Steps:
1. Deploy a VM in SG2.

This should result in the new VM's IP address being added to the egress chain of all the VMs that are part of SG1.

From the new VM, we should be able to access all the VMs in SG2.

P1

Sanity

Y

127

Deploy a VM in multiple SGs, each of which is allowed egress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in SG2 with TCP ingress rules that allow SG2.
2. Create SG1 with TCP egress rules that allow port 22-80 for SG2. Deploy a few VMs in SG1.
3. Deploy a few VMs in SG4 with TCP ingress rules that allow SG4.
4. Create SG3 with TCP ingress rules that allow port 22-80 for SG4. Deploy a few VMs in SG3.
5. Deploy a few VMs in SG6 with TCP ingress rules that allow SG6.
6. Create SG5 with TCP ingress rules that allow port 22-80 for SG6. Deploy a few VMs in SG5.
Steps:
8. Deploy a VM with SG2, SG4 and SG6.

This should result in the new VM's IP address being added to the ingress chain of all the VMs that are part of SG1, SG3 and SG5.

From the new VM, we should be able to access all VMs in SG1, SG3 and SG5.

P1

Sanity

Y

128

Stop a VM that is in a SG that is allowed egress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in Security Group SG2 that has a TCP ingress rule that allows SG2.
2. Create a Security Group SG1 that has a TCP egress rule that allows port 22-80 for SG2.
3. Deploy a few VMs in SG1.
Steps:
1. Stop one of the VMs in SG2.

This should result in the stopped VM's IP address being removed from the egress chain of all the VMs that are part of SG1.

P1

Sanity

Y

129

Stop and Start a VM that is in a SG that is allowed egress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in Security Group SG2 that has a TCP ingress rule that allows SG2.
2. Create a Security Group SG1 that has a TCP egress rule that allows port 22-80 for SG2.
3. Deploy a few VMs in SG1.
Steps:
1. Stop one of the VMs in SG2.
2. Start this VM.

After Step1:
This should result in the stopped VM's IP address being removed from the egress chain of all the VMs that are part of SG1.
After Step2:
This should result in this VM's IP address being added to the egress chain of all the VMs that are part of SG1.
From this VM, we should be able to access all the VMs in SG1.

P1

Sanity

Y

130

Destroy a VM that is in a SG that is allowed egress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in Security Group SG2 that has a TCP ingress rule that allows SG2.
2. Create a Security Group SG1 that has a TCP egress rule that allows port 22-80 for SG2.
3. Deploy a few VMs in SG1.
Steps:
1. Destroy one of the VMs in SG2.

This should result in the destroyed VM's IP address being removed from the egress chain of all the VMs that are part of SG1.

P1

Sanity

Y

131

Restore a destroyed VM that is in a SG that is allowed egress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in Security Group SG2.
2. Create a Security Group SG1 that has a TCP egress rule that allows port 22-80 for SG2.
3. Deploy a few VMs in SG1.
Steps:
1. Destroy one of the VMs in SG2.
2. Restore this VM.

After Step1:
This should result in the destroyed VM's IP address being removed from the egress chain of all the VMs that are part of SG1.
After Step2:
This should result in this VM's IP address being added to the egress chain of all the VMs that are part of SG1.
From this VM, we should be able to access all the VMs in SG1.

P1

Sanity

Y

132

Reboot a VM that is in a SG that is allowed egress access to another Security Group.

Pre-Req:
1. Deploy a few VMs in Security Group SG2.
2. Create a Security Group SG1 that has a TCP egress rule that allows port 22-80 for SG2.
3. Deploy a few VMs in SG1.
Steps:
1. Reboot one of the VMs in SG2.

After Reboot is successful:
From this VM, we should still be able to access all the VMs in SG1.

P1

Sanity

Y

133

Deploy a VM in a Security group that allows all VMs within the Security Group to communicate with each other.

1. Create a Security Group SG1 that has a TCP ingress rule that allows port 22-80 for SG1.
2. Deploy a few VMs in SG1.

VMs should get deployed successfully.
All the VMs in SG1 should be able to communicate with each other on TCP protocol for port 22-80.

P1

Sanity

Y

134

Deploy a VM in a Security group that allows all VMs within the Security Group to communicate with each other. This Security Group should also have restricted egress access to a few other cidrs.

1. Create a Security Group SG1 that has a TCP ingress rule that allows port 22-80 for SG1.
2. Deploy a few VMs in SG1.
3. Add an egress rule for cidr1.
4. Add another egress rule allowing SG1.

After Step2:
All the VMs in SG1 should be able to communicate with each other on TCP protocol for port 22-80.
After Step3:
All the VMs in SG1 should NOT be able to communicate with each other on TCP protocol for port 22-80.
All the VMs should be able to access cidr1.
All the VMs should NOT be able to access any IP address other than cidr1.
After Step4:
All the VMs in SG1 should be able to communicate with each other on TCP protocol for port 22-80.
All the VMs should be able to access cidr1.
All the VMs should NOT be able to access any IP address other than cidr1.

P1

Sanity

Y

 

Upgrade

135

Upgrade from 2.2.14 (Advance zone with SG) to 3.0.x (campo)

1. Install the 2.2.14 GA build.
2. Have at least 2 Advance SG enabled zones. In each zone add Account specific Direct networks.
3. Add different VLAN ranges to the same Direct SG enabled zone wide network.
4. Initiate VM start in both VLANs. Make sure each different VLAN gets a separate VR.
5. Add account specific networks, start user VMs in them.
6. Upgrade to campo.

1. Check that all VMs (including System VMs) are still functioning and can access the network.
2. Start new user VMs in existing networks (Shared SG Zone wide and Shared account specific networks).
3. Add one more different VLAN to the existing Shared SG enabled network. Start a VM in this network. Verify that the VR starts up, and the VM can access the network.
4. Check that templates can be downloaded.
5. Able to launch and view the console of System VMs and Guest VMs.

P1

Functional

Y

136

Upgrade from 3.0.5 advance zone to campo

1. Install the 3.0.5 GA build.
2. Advance zones. Add VPC networks. Add guest networks.
3. Create domains, domain admins, users. Log in as domain admins and users, create VMs in VPC networks and guest networks.
4. Upgrade to campo.
5. Add account specific and All networks. Create VMs.

1. Check that all VMs (including System VMs) are still functioning and can access the network.
2. Start new user VMs in existing networks.
3. Check that templates can be downloaded.
4. Able to launch and view the console of System and Guest VMs.
5. Create an advance zone, SG enabled. Create shared networks with scope account. Create shared networks with scope All. Add VMs to shared networks. Add ingress and egress rules. Verify sanity and functional operations of VMs.

P1

Functional

Y

137

Upgrade from 3.0.6 advance zone to campo

1. Install the 3.0.6 GA build.
2. Advance zones. Add VPC networks. Add guest networks.
3. Create domains, domain admins, users. Log in as domain admins and users, create VMs in VPC networks and guest networks.
4. Upgrade to campo.
5. Add account specific and All networks. Create VMs.

1. Check that all VMs (including System VMs) are still functioning and can access the network.
2. Start new user VMs in existing networks.
3. Check that templates can be downloaded.
4. Able to launch and view the console of System VMs and Guest VMs.
5. Create an advance zone, SG enabled. Create shared networks with scope account. Create shared networks with scope All. Add VMs to shared networks. Add ingress and egress rules. Verify sanity and functional operations of VMs.

P1

Functional

Y
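
The rule semantics that test cases 83, 98, 104 and 134 expect can be written down as a small model and used as an expected-result oracle when automating the plan. This is an added example, not part of the original test plan and not CloudStack code; the class and function names, the sample addresses, and the TCP 22-80 scope given to the step 3 and step 4 egress rules of case 134 are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    protocol: str                # "tcp" or "icmp"
    start_port: int = 0          # port range applies to tcp only in this model
    end_port: int = 0
    cidr: Optional[str] = None   # CIDR based rule
    group: Optional[str] = None  # account based rule: name of the allowed SG


@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)
    egress: List[Rule] = field(default_factory=list)


@dataclass
class VM:
    ip: str
    groups: List[str]
    running: bool = True


class Zone:
    """Hypothetical model of an SG enabled zone (not CloudStack code)."""

    def __init__(self) -> None:
        self.groups: Dict[str, SecurityGroup] = {}
        self.vms: List[VM] = []

    def members(self, group: str) -> Set[str]:
        # Only running VMs contribute an address (cases 98-100, 128-130).
        return {vm.ip for vm in self.vms if vm.running and group in vm.groups}

    def _matches(self, rule: Rule, peer_ip: str, protocol: str, port: int) -> bool:
        if rule.protocol != protocol:
            return False
        if protocol == "tcp" and not rule.start_port <= port <= rule.end_port:
            return False
        if rule.cidr is not None:
            return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)
        return peer_ip in self.members(rule.group)

    def ingress_allowed(self, vm: VM, src_ip: str, protocol: str, port: int = 0) -> bool:
        # Rules of every group the VM belongs to are combined (case 83); default deny.
        rules = [r for g in vm.groups for r in self.groups[g].ingress]
        return any(self._matches(r, src_ip, protocol, port) for r in rules)

    def egress_allowed(self, vm: VM, dst_ip: str, protocol: str, port: int = 0) -> bool:
        rules = [r for g in vm.groups for r in self.groups[g].egress]
        if not rules:
            return True  # no egress rules: nothing is blocked (case 104)
        return any(self._matches(r, dst_ip, protocol, port) for r in rules)

    def can_connect(self, src: VM, dst: VM, protocol: str, port: int = 0) -> bool:
        return (src.running and dst.running
                and self.egress_allowed(src, dst.ip, protocol, port)
                and self.ingress_allowed(dst, src.ip, protocol, port))


def case_134() -> Dict[str, Dict[str, bool]]:
    """Replay test case 134 on constructed addresses; returns reachability per step."""
    cidr1, in_cidr1, elsewhere = "192.0.2.0/24", "192.0.2.10", "198.51.100.7"
    zone = Zone()
    sg1 = SecurityGroup("SG1", ingress=[Rule("tcp", 22, 80, group="SG1")])  # step 1
    zone.groups["SG1"] = sg1
    a, b = VM("10.1.1.11", ["SG1"]), VM("10.1.1.12", ["SG1"])               # step 2
    zone.vms += [a, b]

    def snapshot() -> Dict[str, bool]:
        return {
            "a_to_b": zone.can_connect(a, b, "tcp", 22),
            "a_to_cidr1": zone.egress_allowed(a, in_cidr1, "tcp", 80),
            "a_to_other": zone.egress_allowed(a, elsewhere, "tcp", 80),
        }

    results = {"after_step2": snapshot()}
    sg1.egress.append(Rule("tcp", 22, 80, cidr=cidr1))    # step 3 (scope assumed)
    results["after_step3"] = snapshot()
    sg1.egress.append(Rule("tcp", 22, 80, group="SG1"))   # step 4 (scope assumed)
    results["after_step4"] = snapshot()
    return results


if __name__ == "__main__":
    for step, reach in case_134().items():
        print(step, reach)
```

The step 3 result is the one worth automating first: once any egress rule exists, traffic between members of the same group is dropped until an egress rule for the group itself is added.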
