Currently CloudStack VR of isolated network and VPC works in NAT mode. The guest VMs are publicly accessible by
Load balancing
The guest VMs are guarded by
This project adds a new network mode (ROUTED) to CloudStack Isolated networks and VPC.
Community PR (target to 4.20): https://github.com/apache/cloudstack/pull/9346
In ROUTED mode, the CloudStack VR acts as the gateway of the guest networks. The IPs of guest VMs are publicly reachable from outside the network.
the following services are supported
only networks with network_mode=ROUTED run in routed mode
SourceNat/StaticNat/Lb/PortForwarding/Vpn services are not supported in Routed mode
rename nsx_mode to network_mode.
A service "Gateway" is added to the network/vpc offering if network_mode=ROUTED
support APIs for zone IPv4 subnet: add/list/update/remove/dedicate/releaseDedicated
new API:
each subnet
new global setting:
CreateIpv4SubnetForGuestNetwork
A Public IP needs to be allocated as the Gateway (similar to source NAT)
the network offering for vpc tier must be ROUTED mode as well.
allocate a public IP for VR: if network has service "Gateway" or "SourceNat"
isolated network: eth0 (guest), eth1 (linklocal), eth2 (public)
vpc: eth0 (linklocal), eth1 (public), eth2/eth3... (guest)
add nftables rules in the VR
remove all iptables rules
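An added example (not code from the CloudStack project or the PR above) of what a VR-side nftables ruleset for a ROUTED network looks like: a plain forward chain in the inet family with no nat table, where a rule with a null cidr carries no address match and therefore applies to both IPv4 and IPv6 (the ACL behaviour raised as an open question below). The rule field names, the table name routed_fw and the sample rules are assumptions constructed for this example.

```python
import ipaddress

# Constructed sample rules shaped like CloudStack firewall / network ACL entries.
# Field names are this example's own assumption, not CloudStack's API fields.
SAMPLE_RULES = [
    {"traffic": "ingress", "proto": "tcp", "start": 22, "end": 22,
     "cidr": "203.0.113.0/24", "action": "allow"},
    {"traffic": "ingress", "proto": "tcp", "start": 443, "end": 443,
     "cidr": None, "action": "allow"},          # null cidr: must match IPv4 and IPv6
    {"traffic": "ingress", "proto": "icmp", "start": None, "end": None,
     "cidr": "2001:db8::/32", "action": "allow"},
    {"traffic": "egress", "proto": "all", "start": None, "end": None,
     "cidr": None, "action": "allow"},
]

def _match(rule):
    """Build the nft match for one rule; a null cidr yields no address match,
    so in the inet family the rule applies to both IPv4 and IPv6."""
    parts = []
    if rule["cidr"]:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        family = "ip6" if net.version == 6 else "ip"
        side = "saddr" if rule["traffic"] == "ingress" else "daddr"
        parts.append(f"{family} {side} {net}")
    proto = rule["proto"]
    if proto in ("tcp", "udp"):
        start, end = rule["start"], rule["end"]
        parts.append(f"{proto} dport {start}" if start == end else f"{proto} dport {start}-{end}")
    elif proto == "icmp":
        parts.append("meta l4proto { icmp, ipv6-icmp }")  # covers both stacks
    return " ".join(parts)

def build_routed_ruleset(guest_if, public_if, rules):
    """Render a forward-only nftables ruleset for a VR in ROUTED mode.
    There is no nat table: the VR just routes between guest and public."""
    lines = ["table inet routed_fw {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in rules:
        ingress = r["traffic"] == "ingress"
        in_if, out_if = (public_if, guest_if) if ingress else (guest_if, public_if)
        verdict = "accept" if r["action"] == "allow" else "drop"
        expr = [f"iifname {in_if}", f"oifname {out_if}", _match(r), verdict]
        lines.append("    " + " ".join(e for e in expr if e))
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    # isolated network layout from this page: eth0 guest, eth2 public
    print(build_routed_ruleset("eth0", "eth2", SAMPLE_RULES))
```

The rendered text is loadable with `nft -f`; the default drop policy on the forward chain is what keeps guest VMs guarded once they are directly reachable.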
create vpc offering
create network offering for isolated network
create network offering for vpc tier
add ipv4 subnet for zone
list, update and dedicate/release IPv4 subnets for zone
create isolated network with routed mode
add firewall rules
validate the firewall rules in the VR (via linklocal IP)
remove firewall rules
create vpc and vpc tier with routed mode
create network acl list
replace vpc tier with network acl
add network acl to VPC tier
validate the network acl in the VPC VR
remove network acls
add static routes in the VRs (manually)
test the connectivity between the VMs and VRs (VR to VM in another network)
network can be created
supports routing firewall rules and IPv6 firewall rules
the network ACL should support both IPv4/IPv6 if cidr is null
Is it necessary?
next stage?
the guest IPs are actually accessible from the outside
the public IPs of VRs do not need to be public
they can use private IPs
next stage?
new APIs: support customized static routes?
to be added.
to be added.
| # | Milestone | Planned date | Actual date |
|---|---|---|---|
| 1 | Start development | 2024-05 | 2024-05 |
| 2 | Main development is done | 2024-06 | 2024-07-05 |
| 3 | Dev testing is done | 2024-07 | 2024-07-17 |
| 4 | Add marvin/unit tests | 2024-07 | 2024-07-05 |
| 5 | Final dev review | 2024-07 | |
| 6 | Pass over to QA | 2024-07 | |
| 7 | QA testing is done | | |
NAT - Network address translation
```sql
CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.network_offerings', 'network_mode', 'varchar(32) COMMENT "mode in which the network would route traffic"');
```