Apache CloudStack Netris Integration

About Netris Switch Fabric

Netris Switch Fabric provides an intent-based approach to network management. Instead of configuring switches, routers, and firewalls manually, administrators define the desired network outcomes; Netris then translates those intents into the necessary configurations across the infrastructure. Its controller includes a REST API and a graphical dashboard for visibility, automation, and lifecycle management of network resources.

By abstracting low-level network details, Netris enables teams to operate modern, scalable data centre networks with the same agility and repeatability found in cloud environments.
 

Why Integrate Netris with CloudStack?

Integrating Netris with Apache CloudStack introduces a fully automated and policy-driven approach to network management. It allows CloudStack to orchestrate complex networking functions through Netris, ensuring that connectivity, routing, and security policies evolve dynamically as cloud resources are created or modified. This brings a new level of consistency and scalability to environments running the KVM hypervisor.

  • Automated Network Provisioning

Networks, subnets, NAT, ACLs, and load balancers are automatically created and updated as CloudStack resources change, keeping compute and network layers synchronized.

  • Consistent Policy Enforcement

Centralized SDN policies guarantee uniform application of routing, security, and IP management rules across all CloudStack-managed networks.

  • Rapid Scaling

As new Instances, VPCs, or network tiers are added, Netris provisions the required network infrastructure automatically, supporting fast and reliable cloud expansion.

  • Advanced Features

Dual-stack IPv4/IPv6, dynamic routing, site-to-site VPN, and granular ACLs are supported through Netris, simplifying the deployment of advanced network architectures.

  • Reduced Operational Overhead

Routine network changes, upgrades, and maintenance tasks are executed programmatically, reducing downtime and the risk of misconfiguration.

  • Improved Security

Automated ACLs and NAT policies minimize human error, while real-time monitoring enables faster detection and response to potential threats.

  • Native Integration with KVM

In CloudStack environments running KVM hypervisor, Netris automates the underlying network fabric, removing the need for manual switch or router configuration.

 

Benefits in CloudStack Environments Running KVM

When deployed in Apache CloudStack environments that use the KVM hypervisor, Netris Switch Fabric simplifies network orchestration and streamlines day-to-day operations. It enables administrators to automate the entire network lifecycle, from provisioning to policy enforcement, through a single, centralized control plane.

  • Zero-touch Networking

Network connectivity is provisioned automatically, removing the need for manual switch or router configuration.

  • Faster deployments

Networks become available immediately as new Instances or VPC networks are created, accelerating workload delivery.

  • Unified management

Administrators can manage compute and network resources consistently through the Netris Controller and the CloudStack UI/API.

  • Enterprise-Grade Features

Features such as load balancing, NAT, ACLs, and IP address management (IPAM) are delivered natively through the SDN layer, reducing complexity and operational overhead.
 

Integration Overview and Requirements

Hypervisor: KVM

Netris Version: 4.4.0

CloudStack Version: 4.21 and onwards

 

The Netris plugin introduces Netris as a Network Service Provider within CloudStack. This allows Administrators to create and manage Virtual Private Cloud (VPC) Networks using the Netris Controller as the backend for network orchestration.

Through this integration, CloudStack can delegate a wide range of network functions to Netris, including:

  • VXLAN-based network segmentation
  • Routing between public IP and private network segments (Routed Mode)
  • Source NAT, DNAT, 1:1 NAT between public and private networks (Natted Mode)
  • Routing between VPC network tiers
  • ACLs between VPC tiers and public networks (TCP, UDP, ICMP)
  • Internal and external load balancing
  • Integration with CloudStack Virtual Router services such as DHCP, DNS, UserData, and Password Injection

A Netris Java SDK is included to facilitate communication between CloudStack Management Servers and Netris Controllers.

A new Global Setting, netris.plugin.enable, has been added (disabled by default). Enabling this setting activates the Netris plugin in CloudStack.
 

Configuration in CloudStack

When creating a new zone with Netris as the isolation method, some additional steps have been added to the wizard.
 

Network -> Physical Network

Only a Core Zone with Advanced Networking is supported when using Netris with the KVM hypervisor. Select Netris as the isolation method to proceed:

physical network
 

Network -> Netris Provider

When Netris is selected as the isolation method, a new form is presented in the Zone creation wizard. Fill in the details of the Netris provider and proceed:

 

Netris provider name: An internal name for reference

Netris provider URL: The Netris controller endpoint URL

Netris provider username: The Netris username

Netris provider password: The Netris password

Netris provider Site name: The Netris Site Name to be linked to

Netris provider admin Tenant Name: The name of the Admin Tenant on the Netris provider

Netris tag: A tag to be used on each Netris VNET creation

Netris provider
 

Network -> Public Traffic

In this screen, Public Traffic refers to the IP ranges used internally by CloudStack rather than the Public IP pool exposed to users. The first Public IP range is reserved for SystemVMs and is tagged as systemvm, while the next Public IP range is reserved for Virtual Routers. This differs from other isolation methods, where Public Traffic usually maps directly to the user-facing Public IP address range.

public traffic

Network -> Netris Public IP Pool

In this step, administrators must define the Public IP range that Netris will use for VPC operations such as Source NAT, Load Balancing, Port Forwarding, and Static NAT. This range is marked with the netris tag.

IP pool
 

Under the hood: Mapping Netris Operations to CloudStack Actions

 

Zone Creation

When a Zone is created, CloudStack triggers the following operations on the Netris side:

  • An IPAM allocation is created for the Netris IP Pool range and linked to the default VPC in Netris.
  • If an existing IPAM allocation already contains the provided Netris IP Pool range, the range is added as a new IPAM subnet under that allocation, with purpose set to common.

The common purpose allows the creation of child subnets for nat and load-balancer use cases.

Important: CloudStack expects Public IP ranges to be defined in the same order presented in the Zone Wizard. This order must be preserved when adding, editing, or removing Public IP ranges:

  • SystemVM Public Range
  • VRs Public Range
  • Netris Public Range

 

VPC Creation

When a VPC is created in CloudStack, the following actions occur on Netris:

  • A new VPC is created under the tenant defined during Zone creation.
  • A new IPAM allocation is created for the VPC Guest CIDR.
  • For NAT mode only: a Source NAT entry is created (details in the next section).

 

VPC Tier Creation

Creating a VPC Tier in CloudStack results in the following actions on Netris:

  • A new IPAM subnet is created for the VPC Tier CIDR.
  • The subnet purpose is set to common, indicating it can be used for general services such as vNets.
  • A new VNET is created and assigned a VXLAN ID from the range configured during Zone creation.
  • ACLs associated with the tier are created in Netris.

For tiers created using the default VPC network offering for Netris – Routed Mode, the IPAM subnet for the Tier Guest CIDR is also configured with global routing = true, enabling IP advertisement required for Routed Mode.
 

Supported Operations for the Default VPC Offering – NAT Mode

 

Source NAT

  • A new IPAM subnet is created under the Netris IP Pool allocation, with purpose = nat and prefix = /32.
  • A corresponding SNAT rule is created.

 

Port Forwarding

  • A new IPAM subnet is created under the Netris IP Pool allocation for the Public IP acquired for Port Forwarding, with purpose = nat and prefix = [public IP]/32.
  • A corresponding DNAT rule is created.

 

Static NAT

  • A new IPAM subnet is created under the Netris IP Pool allocation, with purpose = nat and prefix = [public IP]/32.
  • A corresponding DNAT rule is created.

 

Load Balancing

  • A new IPAM subnet is created under the Netris IP Pool allocation, with purpose = load-balancer and prefix = [public IP]/32.
  • A new Layer-4 Load Balancer DNAT rule is created.

 

ACLs

  • A new ACL entry is created for each CloudStack ACL rule defined on the VPC tier.

While Netris handles the primary network operations, CloudStack still deploys a VPC Virtual Router. This instance is responsible for DHCP, DNS, SSH key injection, password resets, and other guest network services.
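The following Python model walks a NAT-mode VPC through the operations described in the Zone Creation, VPC Creation, VPC Tier Creation and NAT-mode sections above, so that the objects the plugin creates on the controller (IPAM allocations, purpose-tagged subnets, VNETs with VXLAN IDs, SNAT/DNAT rules, ACL entries) can be seen side by side. It is an added illustration written for this post, not CloudStack plugin or Netris SDK code: the class and method names are hypothetical, the Netris side is modelled in memory, and all CIDRs, IPs and VXLAN IDs are constructed sample values. The purpose values ("common", "nat", "load-balancer"), the /32 prefixes and the rule kinds follow the post; it also enforces two constraints implied by the text, that child subnets may only be placed under a "common" parent and that every NAT or LB public IP must come from the Netris IP Pool (IPv4 only, for brevity).

```python
"""Added model of the plugin's CloudStack-to-Netris mapping (hypothetical
names; not CloudStack, plugin or Netris SDK code). Netris objects are kept
in memory so the effect of each CloudStack action can be inspected."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Subnet:
    cidr: ipaddress.IPv4Network
    purpose: str                  # "common", "nat" or "load-balancer"
    global_routing: bool = False  # True only for Routed Mode tier subnets


@dataclass
class NetrisModel:
    allocations: dict = field(default_factory=dict)  # allocation CIDR -> [Subnet]
    vnets: list = field(default_factory=list)        # (tier CIDR, VXLAN ID)
    nat_rules: list = field(default_factory=list)    # (kind, public IP, private side)
    acls: list = field(default_factory=list)         # (tier CIDR, proto, ports, action)
    pool: Optional[ipaddress.IPv4Network] = None     # the Netris public IP pool

    def _allocation_for(self, net):
        for alloc in self.allocations:
            if net.subnet_of(alloc):
                return alloc
        raise ValueError(f"{net} is outside every IPAM allocation")

    def _add_subnet(self, alloc, subnet):
        for s in self.allocations[alloc]:
            if s.cidr == subnet.cidr:
                raise ValueError(f"{subnet.cidr} already allocated as {s.purpose}")
            # A child subnet may only be placed under a parent whose purpose is "common".
            if subnet.cidr.subnet_of(s.cidr) and s.purpose != "common":
                raise ValueError(f"{subnet.cidr} cannot sit under {s.cidr} ({s.purpose})")
        self.allocations[alloc].append(subnet)
        return subnet

    # Zone creation: a new allocation for the Netris IP pool, or, when an
    # existing allocation already covers it, a "common" subnet under that one.
    def create_zone(self, netris_pool):
        self.pool = ipaddress.ip_network(netris_pool)
        parent = next((a for a in self.allocations if self.pool.subnet_of(a)), None)
        if parent is None:
            self.allocations[self.pool] = []
            return self.pool
        self._add_subnet(parent, Subnet(self.pool, "common"))
        return parent

    # VPC creation: an allocation for the Guest CIDR; in NAT mode also a
    # nat /32 under the pool and an SNAT rule for the whole VPC.
    def create_vpc(self, guest_cidr, source_nat_ip=None):
        vpc = ipaddress.ip_network(guest_cidr)
        self.allocations[vpc] = []
        if source_nat_ip is not None:
            self._public_ip_subnet(source_nat_ip, "nat")
            self.nat_rules.append(("SNAT", source_nat_ip, str(vpc)))
        return vpc

    # Tier creation: a "common" subnet under the VPC allocation plus a VNET
    # with a VXLAN ID; Routed Mode tiers additionally get global routing.
    def create_tier(self, guest_cidr, tier_cidr, vxlan_id, routed=False):
        vpc, tier = ipaddress.ip_network(guest_cidr), ipaddress.ip_network(tier_cidr)
        if not tier.subnet_of(vpc):
            raise ValueError(f"tier {tier} is outside VPC {vpc}")
        if any(vid == vxlan_id for _, vid in self.vnets):
            raise ValueError(f"VXLAN ID {vxlan_id} already in use")
        subnet = self._add_subnet(vpc, Subnet(tier, "common", global_routing=routed))
        self.vnets.append((tier, vxlan_id))
        return subnet

    # Every public IP used for NAT or LB becomes a /32 subnet under the pool
    # allocation; reusing the same IP for the same purpose (a second
    # port-forwarding rule) is fine, reusing it for another purpose is refused.
    def _public_ip_subnet(self, public_ip, purpose):
        host = ipaddress.ip_network(f"{public_ip}/32")
        if self.pool is None or not host.subnet_of(self.pool):
            raise ValueError(f"{public_ip} is not in the Netris public IP pool")
        alloc = self._allocation_for(host)
        existing = next((s for s in self.allocations[alloc] if s.cidr == host), None)
        if existing is not None:
            if existing.purpose != purpose:
                raise ValueError(f"{public_ip} is already used for {existing.purpose}")
            return existing
        return self._add_subnet(alloc, Subnet(host, purpose))

    def port_forwarding(self, public_ip, private_ip):
        self._public_ip_subnet(public_ip, "nat")
        self.nat_rules.append(("DNAT", public_ip, private_ip))

    static_nat = port_forwarding  # same Netris objects: a nat /32 plus a DNAT rule

    def load_balancer(self, public_ip, members):
        self._public_ip_subnet(public_ip, "load-balancer")
        self.nat_rules.append(("L4-LB-DNAT", public_ip, tuple(members)))

    def add_acl(self, tier_cidr, protocol, ports, action):
        self.acls.append((tier_cidr, protocol, ports, action))


def rejects(fn, *args, **kwargs):
    """True if the operation is refused with ValueError (shows the checks firing)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


def demo():
    """NAT-mode VPC walked through the operations above, on constructed data."""
    m = NetrisModel()
    m.create_zone("203.0.113.0/24")                        # constructed Netris pool
    m.create_vpc("10.10.0.0/16", source_nat_ip="203.0.113.10")
    m.create_tier("10.10.0.0/16", "10.10.1.0/24", vxlan_id=5001)
    m.port_forwarding("203.0.113.11", "10.10.1.5")
    m.port_forwarding("203.0.113.11", "10.10.1.6")         # same public IP, second rule
    m.load_balancer("203.0.113.12", ["10.10.1.5", "10.10.1.6"])
    m.add_acl("10.10.1.0/24", "tcp", "443", "allow")
    return m


if __name__ == "__main__":
    model = demo()
    for alloc, subnets in model.allocations.items():
        print(alloc, [(str(s.cidr), s.purpose) for s in subnets])
    print(model.vnets, model.nat_rules, sep="\n")
```

Running the script prints the pool allocation with its three /32 children (two nat, one load-balancer), the VPC allocation with its common tier subnet, the VNET/VXLAN pair and the four NAT rules. The checks that refuse a public IP outside the pool, a tier outside its VPC CIDR, a reused VXLAN ID or a public IP already held for a different purpose are the ones an operator should expect to surface as failed CloudStack jobs rather than as silently inconsistent state on the controller.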

For details on parameter definitions and naming conventions, see:

https://docs.cloudstack.apache.org/en/4.21.0.0/plugins/netris-plugin.html

https://www.netris.io/docs/en/latest/tutorials/netris-cloudstack.html
 

Conclusion

The Netris integration in Apache CloudStack 4.21 provides a practical way to automate network orchestration in environments running the KVM hypervisor. CloudStack continues to manage compute and system services, while Netris handles routing, NAT, load balancing and IPAM through its intent-based SDN controller. This separation of responsibilities gives administrators a predictable and programmable network fabric without increasing operational complexity.

By delegating core network functions to Netris, CloudStack environments gain consistency across VPCs, tiers, and public IP workflows. Tasks that previously depended on manual switch or router configuration now happen automatically as resources are created, updated, or removed. The result is a more stable foundation for scaling VPC-based architectures, adopting IPv6, and preparing for hybrid or multi-site topologies.

For operators running CloudStack on KVM, this integration offers a straightforward step toward modernizing the network layer, improving reliability, and reducing the effort required to maintain day-to-day networking operations.

 

ShapeBlue