
Isolation based on Security Groups in Advanced Zone

1 Background

In Basic Zones, isolation of VM traffic is achieved using Security Groups. In an Advanced Zone, traffic can be isolated on a per-network basis using VLANs. Advanced Zones support shared as well as isolated networks. Currently, there is no way to isolate guest traffic within a single network.

Use Cases:

  • Isolation within a network: Shared networks can be created with different levels of scope. A shared network can be scoped to an account, a domain, or a project, or it can be a global shared network. With multiple users deploying VMs on a shared network, users might want to control traffic to and from their VMs based on Security Groups.
  • Isolation across multiple networks: Some customers might deploy multiple shared networks and need to restrict communication not only within a network but also across different networks. For example, user A could have VM1 in Network 100 and VM2 in Network 200 and want these VMs to talk only to each other and to a limited set of public IP addresses.
  • VMs deployed using multiple networks: There are various cases in which a VM is deployed on two networks (an isolated network for the account and a common shared network providing monitoring capabilities). In these cases, admins will want to limit the communication between the different tenants who share the common shared network.
  • Isolated networks: With isolated networks (including VPC), users can deploy multiple applications on the same isolated network or the same VPC. Users might want to prevent communication between the applications within the same network/VPC.

Customer Benefits:

  • Allowing users to control traffic within a network would let them deploy multiple applications without communication between the applications, and would also prevent communication with other users' VMs.

2 Requirements

  • The Security Groups capability used for this feature should be identical to Security Groups in a basic zone (ingress and egress rules, with accounts and CIDRs as sources).
  • The feature needs to be supported for shared and isolated networks in Advanced Zones.
  • The feature needs to be supported in VPC as well as non-VPC deployments.
  • Security Groups in a Basic Zone are only supported for the XenServer and KVM hypervisors. The same feature set should be supported for XenServer and KVM in an Advanced Zone.
  • The following is what is supported for Security Groups in Basic Zones and should be supported in an Advanced Zone for all hypervisors:
    • Ingress and egress rules
    • Ability to create rules based on a Security Group or a CIDR
    • Protocol, start port, end port, and either a CIDR or a Security Group as the source
  • Users should be allowed to apply security groups to VMs that are deployed on multiple networks.
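The rule model above (protocol, start port, end port, and a CIDR or a Security Group as source) can be worked through for the second use case, user A's VM1 in Network 100 and VM2 in Network 200. The following is an added illustration written for this page, not CloudStack code: it models default-deny ingress and shows that a rule whose source is a security group matches by group membership regardless of which network the peer is on, while a VM on the same network but in another group stays blocked. The group names, addresses and network ids are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

# Constructed model of one security group rule with the fields listed on this page:
# protocol, start port, end port, and exactly one of cidr / group as the source.
@dataclass(frozen=True)
class Rule:
    protocol: str
    start_port: int
    end_port: int
    cidr: Optional[str] = None
    group: Optional[str] = None

@dataclass(frozen=True)
class VM:
    name: str
    network: int                 # shared network id; the rule model does not look at it
    ip: str
    groups: FrozenSet[str]       # security groups the VM is a member of

def _matches(rule: Rule, proto: str, port: int, src_ip: str, src_groups: FrozenSet[str]) -> bool:
    if rule.protocol != proto or not (rule.start_port <= port <= rule.end_port):
        return False
    if rule.cidr is not None:                       # CIDR source: match on the source address
        return ip_address(src_ip) in ip_network(rule.cidr)
    return rule.group in src_groups                 # group source: match on membership, not address

def ingress_allowed(dst: VM, policy: Dict[str, List[Rule]], proto: str, port: int,
                    src_ip: str, src_groups: FrozenSet[str] = frozenset()) -> bool:
    """Default deny: traffic reaches dst only if an ingress rule of one of dst's groups matches."""
    return any(_matches(r, proto, port, src_ip, src_groups)
               for g in dst.groups for r in policy.get(g, ()))

# Constructed policy for use case 2: members of "app-a" may talk to each other on any TCP port
# (across networks 100 and 200), and accept HTTPS only from one limited public range.
POLICY = {
    "app-a": [
        Rule("tcp", 1, 65535, group="app-a"),
        Rule("tcp", 443, 443, cidr="203.0.113.0/24"),
    ],
}
VM1 = VM("VM1", 100, "10.100.0.5", frozenset({"app-a"}))
VM2 = VM("VM2", 200, "10.200.0.7", frozenset({"app-a"}))
VM3 = VM("VM3", 200, "10.200.0.9", frozenset({"app-b"}))   # another tenant on network 200

def vm_to_vm(src: VM, dst: VM, proto: str, port: int, policy=POLICY) -> bool:
    """Evaluate guest-to-guest traffic against the destination VM's ingress rules."""
    return ingress_allowed(dst, policy, proto, port, src.ip, src.groups)
```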

3 UI / UX Requirements

  • The UI workflow should be identical to Security Groups in a basic zone.
  • The UI workflow should be the same irrespective of hypervisor.
  • As part of the VM creation/update wizards, users should be able to select from a list of security groups.

4 Upgrade Scenarios

None

5 Non-Requirements

  • None

6 Bugs

7 Open Items

  • None