Self-service Shared Networks l CloudStack Feature Deep Dive
In Apache CloudStack it is possible to deploy three types of Guest Networks: Isolated, VPC and Shared Networks. Previously in Apache CloudStack, Domain Admins and Regular Users could deploy only Isolated and VPC Networks. Shared Networks could only be deployed by Root Admins (as they require the selection of a VLAN) which adds considerable overhead and reduces the agility of the cloud offering.
From the platform operator’s perspective, Shared Networks might not be made available to the Users at all due to the extra burden.
From CloudStack 4.17 onwards, Domain Admin and Regular Users are now able to deploy Shared Networks. Furthermore, a new network type “Associated Network” has been introduced where an existing Isolated or L2 Network can be used, sharing the same VLAN tag.
Common use cases
There are several use cases for Users, such as:
• Create a Shared Network which can be accessed by all Accounts in a Domain.
• Create a network with DHCP / DNS running on the CloudStack Virtual Router but out of the data path.
• Interconnect a Shared Network to an Isolated or L2 Network.
• Interconnect a VPC’s Private Gateway to an Isolated or L2 Network.
Self-service Shared Networks support in CloudStack
Support for self-service Shared Networks in CloudStack can be summarized in two steps:
• Root Admin can create a new Shared Network Offering, which allows Users to create a new Shared Network without specify the VLAN tag.
• Domain Admins and Regular Users can create Shared Networks with an optional Associated Network.
The following are the CloudStack APIs that have been modified to support these operations:
|CreateNetworkOffering||The “specifyvlan” parameter is now supported when create network offerings for shared networks.|
|CreateNetwork||A new parameter has been added: “associatednetworkid”.|
|ListNetworks||Two new parameters have been added: “associatednetworkid”, “networkfilter”.|
Step 1 – Create a Shared Network Offering when specifyvlan is false
In the UI, the “Shared” tab in the “Add Network” dialog is visible for Users when they try to create a new network via “Network” / “Guest Networks” / “Add Network”.
However, by default, there is no Network Offering available. When Users try to create a new Shared Network, they will see the following message:
To support self-service Shared Networks, a Network Offering needs to be created by the Root Admin. As shown below, the Root Admin must choose the appropriate services but NOT select “Specify VLAN”.
Now, Users will be able to create a new Shared Network selecting the Network Offering created in the previous step.
Step 2.1 – Creating a Shared Network without specifying a VLAN
To create a Shared Network without specifying a VLAN tag, login as any user type (Root Admin, Domain Admin or Regular User), navigate to “Network” -> “Guest Networks”, click on the icon “Add Network +”, click “Shared” tab in the dialog and then follow the steps below:
• Set scope to All (Root Admin only), Domain (Root Admin and Domain Admin only), Account or Project
• Choose the Domain, Account or Project in the dropdown list.
• Keep “Associated Network” as empty.
• Click “OK”.
At the end, a Shared Network will be created using a VLAN tag from the Guest VLAN range.
Step 2.2 – Create a Shared Network with an Associated Network
Before proceeding, please ensure you have created an Isolated or a L2 Network.
2.2.1. To add an Isolated Network, navigate to “Network” / “Guest Networks”, click on “Add Network +” and then select “Isolated” tab.
2.2.2. To add a L2 Network, navigate to “Network” / “Guest Networks”, click on “Add Network +”, and then “L2” tab.
Users can now create a Shared Network associated with an existing Isolated or L2 network. The steps are the same as those used to create a Shared Network addressed in step 2.1, differing only in selecting an Isolated or L2 Network in “Associated Network”.
Some important points:
1. The Isolated Network will be implemented with Virtual Router(s) being created for the network elements, the Network’s state will then change to “Implemented”.
2. The Isolated Network cannot be removed unless the associated Shared Network has been removed.
3. The Isolated Network will not be shut down by Apache CloudStack, which means the VLAN will not be released.
4. Both Networks will use the same VLAN tag, as shown below:
This new feature allows Users to create their own Shared Networks and VPC Private Gateways, thus reducing operational overhead and allowing for more flexible and complex network topologies to be deployed without the intervention of the Root Administrator.
It is available from Apache CloudStack 4.17 LTS onwards.