CloudStack provides a public IP address that can be associated with any instance using a NetScaler appliance. The NetScaler appliance can provide both Elastic Load Balancing and Elastic IP addresses. A public VLAN must be present, and the zone must be security-group enabled. The public IP address is allocated from that public IP range. A user can request a public IP address with the API call associateIp and can then configure static NAT. These IP addresses can be associated with any instance within the same zone.
CloudStack provides a Static NAT (1:1) service in a basic zone using Elastic IP addresses. When a user deploys a VM, it can reach the Internet through the static NAT mapping between its private IP address and a public IP address; this public IP address can be attached to or detached from any running instance in the zone.
An EIP cannot be moved between zones. Users can acquire new public IPs whenever they need them; each is allocated to their account and can be associated with any instance in that account.
Security groups
CloudStack provides isolation of traffic to VMs through security groups. A security group is a group of VMs whose incoming and outgoing traffic is filtered according to the rules configured for the group. We can set ingress and egress rules for the network using security groups, and network traffic is filtered according to those rules. As we have already discussed, a zone with basic network configuration implements isolation using security groups. Security groups are especially useful in such a zone because all the guest VMs share a single network.
Security groups provide IP address filtering. The rules defined within a group describe the characteristics of the incoming and outgoing traffic to be allowed or denied, for example the protocol, the port, and the source of the communication. CloudStack provides a default security group with some predefined rules, and it can be modified whenever required. The default security group denies all incoming traffic and allows all outbound traffic. Users can modify this security group or define new ones as per their requirements. An instance is associated with a security group when it is created and this association cannot be changed afterwards; the group can be the default one or any other security group created by the users. The security group associated with an instance defines the traffic that will be allowed or denied for that instance. The group's rules can be modified at any point in time, and the new configuration applies from that point on irrespective of the VM's state (stopped or started).
The security group feature must be enabled in a zone before security groups can be used there. Whether security groups are enabled in a zone is decided by the administrator when creating the zone. As we have seen, while creating a zone the administrator selects the type of network offering; the security group feature is defined in the network offering, so if the administrator wants security groups enabled in the zone, he must choose a network offering with security group functionality. The security group feature is provided by the CloudStack virtual router. Network offerings can be created to include services such as security groups as described earlier, by selecting the Security Groups check box in the list below while creating a new network offering.
To add a new security group, follow these steps:
1. Click on the Network tab in the left pane.
2. Select one of the networks from the list. The selected network must have an offering with a security group.
4. Name / Description: Provide the name and a description of the security group.
5. Click on OK.
The newly created security group appears in the list of security groups.
Once you have added a security group, you can add rules to it or delete rules from it. If a security group has no rules defined in it, no traffic is allowed to it. Add the Ingress and Egress rules as follows:
1. Click on the security group to which you want to add rules or from which you want to delete them.
2. Select the type of rule that you want to add. If you want to add an Ingress rule, click on the Ingress Rules tab and fill in the fields shown in the following screenshot:
Fill in the information as follows:
• Add by CIDR/Account: This field defines whether the source of the traffic is identified by an IP range or by a security group already present in a CloudStack account. If you want to allow traffic from a particular existing account, select "Account"; this is used to allow traffic from one account to another. For example, if this security group is for a database server and you want to allow traffic from the web server, select the WebServer account. If instead you want to allow traffic defined by an IP range, select CIDR. For example, if this security group is to be associated with a web server and traffic from all over the Internet is to be allowed, select CIDR.
• Protocol: Select the networking protocol from the list (TCP, UDP, ICMP, etc.). Traffic from the source using this protocol will be allowed.
• Start Port, End Port: These fields apply when TCP or UDP is selected in the Protocol field. They give the range of listening ports to which incoming traffic matching this rule will be delivered.
• ICMP Type, ICMP Code: These fields apply only to ICMP rules. They give the type of ICMP message or error code that should be accepted by this rule.
• CIDR: If you selected CIDR in the first option, enter the CIDR range(s) or IP address(es) from which the traffic should be allowed. For example, if you want all traffic from all over the Internet to be allowed for the WebServer instance, specify 0.0.0.0/0; if it is an internal application used only by a private set of users, enter their IP ranges, such as 192.8.0.0/24.
• Account/Security Group: This option applies when you selected Account in the first option. Enter the name of the existing CloudStack account and the existing security group for which this rule is defined. If you have a security group for WebServer instances and this security group is for the database server, enter the WebServer instances' security group.
3. Click on Add.
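The following is an added example, not code from the book or from CloudStack itself, showing how the Elastic IP/static NAT calls and the security-group creation and ingress-rule form above map onto signed CloudStack API requests. It assumes CloudStack's documented request signing (parameters sorted by key, the query string lowercased, HMAC-SHA1 with the account's secret key, base64-encoded) and the API commands createSecurityGroup, authorizeSecurityGroupIngress and enableStaticNat; the endpoint, keys, resource ids, account name and group names are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlencode

API_URL = "http://cloudstack.example.local:8080/client/api"  # placeholder endpoint
API_KEY = "EXAMPLE-API-KEY"        # placeholder, not a real key
SECRET_KEY = "EXAMPLE-SECRET-KEY"  # placeholder, not a real key

def canonical(params: dict) -> str:
    """String CloudStack signs: params sorted by key, URL-encoded, all lowercased."""
    pairs = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={quote(str(v), safe='*')}" for k, v in pairs).lower()

def sign(params: dict, secret: str) -> str:
    """Base64 HMAC-SHA1 of the canonical string, keyed with the account's secret key."""
    digest = hmac.new(secret.encode(), canonical(params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def signed_url(command: str, **params) -> str:
    """Complete GET URL for one API command, with apikey and signature appended."""
    p = {"command": command, "apikey": API_KEY, "response": "json", **params}
    p["signature"] = sign(p, SECRET_KEY)
    return f"{API_URL}?{urlencode(p, quote_via=quote, safe='*')}"

def ingress_rule_url(group: str, rule: dict) -> str:
    """Map the 'Add Ingress Rule' form fields onto authorizeSecurityGroupIngress:
    protocol, startport/endport or icmptype/icmpcode, and 'cidr' or 'account'+'group'."""
    params = {"securitygroupname": group, "protocol": rule["protocol"]}
    if rule["protocol"].upper() == "ICMP":
        params.update(icmptype=rule["icmptype"], icmpcode=rule["icmpcode"])
    else:
        params.update(startport=rule["startport"], endport=rule["endport"])
    if "cidr" in rule:
        params["cidrlist"] = rule["cidr"]          # source defined by an IP range
    else:                                          # source defined by another group
        params["usersecuritygrouplist[0].account"] = rule["account"]
        params["usersecuritygrouplist[0].group"] = rule["group"]
    return signed_url("authorizeSecurityGroupIngress", **params)

if __name__ == "__main__":
    print(signed_url("createSecurityGroup", name="db", description="database tier"))
    # Database group reachable only from the web tier's group, not from a CIDR.
    print(ingress_rule_url("db", {"protocol": "TCP", "startport": 3306,
                                  "endport": 3306, "account": "webteam", "group": "web"}))
    # Static NAT between an acquired public IP and a VM (ids are placeholders).
    print(signed_url("enableStaticNat", ipaddressid="IP-ID-PLACEHOLDER",
                     virtualmachineid="VM-ID-PLACEHOLDER"))
```

Restricting the database group's source to the web tier's security group rather than a CIDR keeps the rule tied to the instances' identity instead of to addresses that can be reused.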