
CloudStack: The Advanced zone (full IaaS) is here !

Posted: Tue Jul 30, 2013 10:34 am
by Admin
Hello again !

All tests (including simulated hardware failure for HA/failover) completed successfully on the shared zone, so we are now going to concentrate on the advanced zone with full IaaS offering capabilities.

What is the advanced zone ?

Well, the most appropriate analogy would be with a local lan connected to the internet through an advanced router.
Each advanced zone has its own router which can do NAT, IPSec VPN, firewall, DHCP, load balancing, etc. You can have your own virtual office with everything: file server, gateway, application server(s), back-up space (we will add secondary storages at a lower price), workstations with the full freedom of importing your own templates/ISOs, taking snapshots, etc.
Basically, you will be able to have a virtual infrastructure in place, with much more than a real infrastructure can offer in terms of back-up and redundancies, conveniently setup in a few clicks, scalable and without upfront investments in hardware and with a reliable connection. If you do not think this is possible, follow this tutorial !

OK, let's start.

I will create a few VMs using templates for speed. Say, one will be a Debian smb server and another a workstation with ubuntu desktop. They will connect to the internet using NAT through the advanced router and between themselves on the local VLAN using non-routable IPs. The IPSec VPN can be used to bridge 2 LANs over the internet, one virtual, here and one real, say at your home, the VMs with us will act like being on your home/office LAN. This will not be covered here, though, just to show how easy it is to set up this end, the other end can be secured as easily with ipcop/pfsense, for example as well as many other firewall distributions, including DD-WRT.

First, let's create the Debian server and while doing so we will also create the isolated network and firewall rules for it.

Go to your CloudStack UI:
https://master.iwstack.com/client/
Insert your username and password as well as domain, then go to instances/add instance:
Image
Make sure you select the IAAS zone as shown in the picture. While you can select an ISO, we will use one of the minimal templates to expedite things and to take advantage of the password reset feature. In this case we will use a Debian 7 32 bit image:
Image
All images are 10 GB in disk size by default, you can select memory and additional disks in the following screens.
I left the default 1 core, 10 GB disk and 512 RAM. The one core will appear at various speeds, do not worry, we do not actually provide a 2 MHz CPU, that is set for resource accounting purposes, CPUs are fair share.
The step 5, network, is the place where we create our isolated VLAN. We will need to give it a name. Later we can add more VMs by selecting it here.
Image
In the last step you can give a name to your VM as well as make it part of a group (I have chosen myinfrastructure as group name).
Image
Click on LaunchVM.

It will take a while as the whole network is set up now: the router and the VLAN are added, the VM and template transferred, the password created, etc. Make sure you write down or copy the password by selecting it with the mouse and pressing CTRL+C. If you didn't manage to, no worry, you can stop the VM later and do a password reset. Do not click around, you may miss the pop-up with the password:
Image

Now, as soon as the zone is created, there is no internet access (but all the VMs can connect to each other using the local IPs), all the machines are given non-routable IPs through DHCP and there is no traffic allowed through the router. You need to allow it piece by piece.

First, let's open a console and see the VM we just installed (hover the mouse over the + on the right):
Image

You will see that it cannot connect to the internet, all traffic is blocked, also, ifconfig will show a non-routable IP.
Image

In order to rectify this, we will have to open up the firewall to allow outgoing connections (I will allow all on all ports, remember, this is only for outgoing traffic).
Go to Network and go to the + at the isolated vlan we created, select view IP addresses and go again over the + at the right, click enable VPN:
Image

Now you can connect to the network over VPN and bridge your home/office LAN with the one in our cloud. You do not need to enable any internet access if you don't need it, those machines will appear in your local LAN, but it is very likely you will need internet access for one thing or the other unless you wish to give internet access through your home/office gateway (highly unlikely).

Let's now give internet access for the outgoing connections (i.e. the VMs will be able to go on the internet, but the internet will not be able to access them).
In the network section, click on the network name and go to Egress rules and make it look like in the picture:
Image
That means we allow the VM to access the internet unrestricted. You can, of course, do a more granular access, but I will need all the VMs to access the Internet unrestricted. Therefore I write in the CIDR box 0.0.0.0/0 (the whole internet) and select "all" in protocols, meaning the VM will be able to exit on all ports and protocols, making it equivalent to your home computer in most cases (unless you have a restrictive firewall for some reason).
Now we are able to update the vm and ping everything we wish, but we will not be able to access the VM from outside, we will need to allow at least ssh (port 22) to connect. For that we need to do some port forwarding.
Go to the Network section, click the VLAN name, View IP Addresses, click on the IP address, go to the "Configuration" Tab and you will see the network configuration in a nice scheme:
Image

Right now we leave load balancing out, we will be doing port forwarding to allow the internet to access some ports on our machine.
First click View all in the Port forward section:
Image

In this case I forwarded the public port 222 to port 22 of the VM internal address. I will also need to allow the port 222 through the firewall, so I go to the
Image
And click on View all in the firewall section. There are already some rules there autocreated when we setup the VPN. Now we need to allow connections from all internet (you can put your IP there if you will connect only from that machine and you have a static IP by changing 0.0.0.0/0 with xxx.xxx.xxx.xxx/32 where xxx.xxx.xxx.xxx is your IP and 32 is the mask for 1 IP only) port 222 TCP (not 22, the connection from outside will go to port 222, remember if you change port number). In order to do that, add the rule like in the picture and click Add:
Image

As you can see, if I wish to move SSH to listen on another port, I don't have to make any change in the VM, I can do this from the firewall directly, so I will connect to the VM by using the public IP address and port 222, and the firewall will do the rest:
Image
You now have SSH access to your VM and it has full access to the internet. If you wish to add a web server, you will need to allow port 80 too through the firewall or 443 for HTTPS. Every service you add, you need to allow the corresponding port or range to be accessible through the firewall. If you have no concern and wish all ports to be open, you can just put ports from 1-65535 in both UDP and TCP open in the firewall from CIDR 0.0.0.0/0 and the firewall will block only ICMP (ping for instance). In order to allow ping too, allow ICMP type 8 and ICMP type 0. More details here:
viewtopic.php?f=8&t=1178

Re: CloudStack: The Advanced zone (full IaaS) is here !

Posted: Tue Jul 30, 2013 12:50 pm
by Admin
OK, now, that we have a server in the infrastructure, let's add a workstation too :)

I will use for it the Ubuntu LTS desktop template we have with full KDE.

Go to add instance, select the Ubuntu Desktop template, proceed like above and make sure you select the network we created before and the same group, otherwise the new VM will be in a different VLAN and will not be able to communicate with the debian server we made before over the internal network.

Write down password and use the console to login to your desktop:
Image
Since we already allowed external access to the network and this VM uses the same VLAN, we no longer need to do anything, our desktop will be able to browse the internet, for example:
Image
Now we will allow VNC access to the desktop.
We will need to enable Desktop Sharing in KDE (in applications, internet) to allow uninvited connections. You may or may not change the default port, it can be done both there or in the firewall, let's say we leave it default (5900) and change it in the firewall.
In the firewall open port 3003 and forward it to port 5900:
Image
Image
Make sure you select the right VM to which to forward the port, it is the ubuntu desktop, not the debian server.
And now you can use VNC to control your Ubuntu Desktop from home. You will use as address in your VNC viewer something like xxx.xxx.xxx.xxx:3003 where xxx.xxx.xxx.xxx is your IP and 3003 is the port we choose. You can put another, but make sure you adapt the firewall rules to match. If you do not wish to specify any port, you can use the default 5900.
Alternatively, you can install RDP and use that to control your Ubuntu Desktop, but again, your ports will be different. You can also enable ssh, naturally, not on the same port as before, in fact none of the ports can be reused, so, if you forwarded 222 to 22 on your debian server, you cannot use the same configuration, you need to forward another port, say 2222 to your Ubuntu's 22 port.

Once you can control a desktop inside the LAN, everything is simple, you will be able to connect to the debian server using the ssh client in Ubuntu, just this time it is port 22 because you are already inside the LAN, no need for any forwarding. You will issue the command:

ssh 10.1.1.127
to connect to your debian server in this case, that is the LAN IP of your debian server, you can always find it out issuing the ifconfig command.
Something like this:
Image

You can add more servers and workstations as long as you have the necessary resources (memory, disk space, CPUs), effectively simulating an entire LAN inside with all the required stuff, from storage servers to web/email/ftp/application servers, etc. You can even load your own ISO and install Windows, FreeBSD, whatever, just be advised that without using the templates, the password reset function will not work.
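
An added example, not part of the original posts and not CloudStack code: a small Python audit of the two rule sets configured in the posts above (ingress firewall rules and port forwards on the public IP). The rule dictionaries, the finding names and the WIDE threshold are assumptions made for illustration; the sample rules are constructed from the ports used in the thread.

```python
import ipaddress

# Constructed sample mirroring the thread: public 222 -> Debian :22 and
# public 3003 -> Ubuntu :5900 (VNC), both admitted from 0.0.0.0/0.
FIREWALL = [  # ingress rules on the public IP
    {"proto": "tcp", "start": 222, "end": 222, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "start": 3003, "end": 3003, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "start": 8080, "end": 8080, "cidr": "203.0.113.7/32"},
]
FORWARDS = [  # port forwarding: public port -> private port on a VM
    {"proto": "tcp", "public": 222, "vm": "debian", "private": 22},
    {"proto": "tcp", "public": 3003, "vm": "ubuntu", "private": 5900},
    {"proto": "tcp", "public": 2222, "vm": "ubuntu", "private": 22},
]
MGMT = {22: "SSH", 3389: "RDP", 5900: "VNC"}  # remote-administration ports
WIDE = 1024  # assumed threshold for "too many ports in one rule"

def covers(rule, fwd):
    """True if an ingress rule admits traffic to this forward's public port."""
    return (rule["proto"] == fwd["proto"]
            and rule["start"] <= fwd["public"] <= rule["end"])

def is_any(cidr):
    """True for 0.0.0.0/0, i.e. the whole internet."""
    return ipaddress.ip_network(cidr).prefixlen == 0

def audit(firewall, forwards):
    """Return (finding, public_port, vm) tuples for risky or broken rules."""
    findings, seen = [], set()
    for f in forwards:
        key = (f["proto"], f["public"])
        if key in seen:  # a public port can be forwarded to one VM only
            findings.append(("duplicate-public-port", f["public"], f["vm"]))
        seen.add(key)
        rules = [r for r in firewall if covers(r, f)]
        if not rules:  # forwarded but still blocked by the firewall
            findings.append(("forward-blocked", f["public"], f["vm"]))
        if f["private"] in MGMT and any(is_any(r["cidr"]) for r in rules):
            findings.append(("mgmt-open-to-internet", f["public"], f["vm"]))
    for r in firewall:
        if not any(covers(r, f) for f in forwards):  # opens nothing useful
            findings.append(("rule-without-forward", r["start"], None))
        if is_any(r["cidr"]) and r["end"] - r["start"] + 1 > WIDE:
            findings.append(("wide-open-range", r["start"], None))
    return findings

if __name__ == "__main__":
    for finding in audit(FIREWALL, FORWARDS):
        print(finding)
```

Replacing 0.0.0.0/0 with a /32 source on the SSH and VNC rules, or reaching those services over the VPN only, clears the mgmt-open-to-internet findings.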

Re: CloudStack: The Advanced zone (full IaaS) is here !

Posted: Tue Jul 30, 2013 1:06 pm
by Admin
Conclusions:

The CloudStack Advanced zone allows you to:
1. Create own isolated VLAN with exceptional security. By default it is completely isolated from Internet and you can add it to your LAN if you wish to, or can allow connections only over VPN to control it. You can fine-tune the firewall to allow external access only to what you wish to allow access as well as open only the ports needed for your applications.
2. You can share one IP through NAT and port forwarding between more server, but also can do load-balancing over multiple servers.
3. You can have internal connections between servers using non-routable addresses. You can also create more VLANs, each with own gateway to the internet and bridge those with IPSec VPNs to simulate complex infrastructures.
4. You can deploy complex test environments in a few minutes using templates and a few hours if you install from ISOs. In time our templates will include many OSes with only minimal installations to help you get even more productivity.

It is much better than a dedicated server which uses virtualization because:
1. It is scalable. You can add-remove resources as you wish.
2. It has High Availability and fail-over. You will not experience downtime if a hard drive fails, for example.
3. The VMs are distributed across a number of physical nodes and the orchestrator takes care so the load is evenly distributed to ensure full speed whenever you need it. If one VM suddenly needs more CPU, will get it.
4. You only pay for what you use. You are done testing ? Destroy the VMs after taking a few snapshots and they are ready to be deployed in minutes when you need them again, you only pay cheaper secondary storage if you need to keep the snapshots or nothing at all if you don't.

Re: CloudStack: The Advanced zone (full IaaS) is here !

Posted: Thu Aug 01, 2013 1:39 am
by ErawanArifNugroho
Very nice tutorial and great solution :)

I never imagined something like this can be created, it's just like having a copy of my company system use. But they have base in Singapore. Using 1 server for serving the whole South East Asia, and installed a vm inside it.

Thanks M and Uncle :)