Elastic Port Forwarding
1. Overview
An EIP (elastic IP) can bind a public IP to a VM on a private network, but it exposes every port of that public IP to the world;
to get reasonable security, users have to combine the EIP with a security group. Elastic port forwarding is another approach
to the same problem: users can selectively bind one or several ports of a public IP to a VM on the private network, and restrict
what traffic can reach those ports.
In this example, we will initially create a port forwarding rule for one VM, and later rebind it to another VM.
2. Prerequisites
We assume you have followed the installation guide to install ZStack on a single Linux machine and that
the ZStack management node is up and running. To access the web UI, open the URL below in your browser (please use the latest Chrome or Firefox):
http://your_machine_ip:5000/
To keep things simple, we assume you have only one Linux machine with one network card that can access the internet. There are
some other requirements:
- At least 20G of free disk space that can be used as primary storage and backup storage
- Several free IPs that can access the internet
- NFS server enabled on the machine (see the end of this section for setting up NFS automatically)
- SSH credentials for user root
Configure root user
ZStack needs the SSH credentials of root on the KVM host, so that Ansible can install the necessary packages and the KVM agent has full control
of the host. As this tutorial uses a single machine for both the ZStack management node and the KVM host, you will need to set a password for
the root user.
CentOS:
sudo su
passwd root
Based on those requirements, we assume below setup information:
- ethernet device name: eth0
- host IP: 172.20.11.45
- public IP range: 10.121.9.20 ~ 10.121.9.200
- private IP range:192.168.1.2~192.168.1.254
- primary storage folder: /zstack_ps
- backup storage folder: /zstack_bs
Slow VM stopping due to missing acpid:
Although this tutorial does not stop a VM, you may find that stopping one takes more than 60 seconds. That happens
when the VM image does not run acpid, which receives the ACPI shutdown event sent by KVM; ZStack then has to
wait for a 60-second timeout before it destroys the VM. This is not a problem for regular Linux distributions, which have acpid installed.
3. Login
Open a browser at the URL (http://your_machine_ip:5000/) and log in with admin/password. These are the default credentials; change the admin password before the management node is reachable from anything beyond your lab network:
4. Create Zone
click 'Hardware' in the left sidebar and then click 'Zone' to enter the zone page:
click button 'Create Zone' to open the dialog:
name your first zone as 'ZONE1' and click button 'OK':
5. Create Cluster
click 'Cluster' in the left sidebar to enter the cluster page:
click button 'Create Cluster' to open the dialog:
name the cluster as 'CLUSTER1' then click button 'OK':
6. Add Host
click 'Host' in the left sidebar to enter host page:
click 'Create Host' button to open the dialog:
- name the host as 'HOST1'
- select cluster(CLUSTER1) you just created
- input the host IP(172.20.11.45)
- input the ssh port(22)
- the most important thing: give SSH credentials for user root
- click 'OK' button
A little slow when first time adding a host
It may take a few minutes to add a host because Ansible will install all dependent packages, for example, KVM, on the host.
7. Add Primary Storage
click 'PrimaryStorage' in the left sidebar to enter the primary storage page:
click button 'Add PrimaryStorage' to open the dialog:
- name the primary storage as 'PS1'
- select type 'LocalStorage'
- input url(/zstack_ps)
- select cluster 'CLUSTER1'
- click button 'OK'
Format of URL
The format of the URL is exactly the same as the one used by the Linux mount command.
It's actually multiple API calls
You will see two API completion notifications because the dialog actually calls two APIs: addPrimaryStorage and attachPrimaryStorageToCluster.
8. Add Backup Storage
click 'BackupStorage' in the left sidebar to enter the backup storage page:
click button 'Add BackupStorage' to open the dialog:
- name the backup storage as 'BS1'
- choose type 'Sftp'
- input IP(172.20.11.45) in host IP
- input URL '/zstack_bs' which is the folder that will store images
- input the ssh port (22)
- input SSH credentials for user root
- click button 'OK'
9. Add Image
click 'Resource Pool' in the left sidebar and click 'Image' to enter the image page:
click button 'Add Image' to open the dialog:
- name the image as 'Image1'
- select media type 'Image'
- select platform 'Linux'
- input URL http://cdn.zstack.io/product_downloads/images/zstack-image.qcow2
- select BackupStorage 'BS1'
- click button 'OK'
This image will be used as the user VM image.
click button 'Add Image' again to add the virtual router image:
- name the image as 'VRouter'
- choose media type 'Image' (the virtual router is a qcow2 disk image, not an ISO)
- choose platform 'Linux'
- input URL http://cdn.zstack.io/product_downloads/vrouter/zstack-vrouter-2.0.0.qcow2
- choose BackupStorage 'BS1'
- click button 'OK'
Fast link for users of Mainland China
http://cdn.zstack.io/product_downloads/vrouter/zstack-vrouter-2.0.0.qcow2
Cache images on a local HTTP server
The virtual router image is about 432M and takes a while to download. We suggest serving it, and any images you build
yourself, from a local HTTP server.
10. Create L2 Network
click 'Network' in the left sidebar and click 'L2Network' to enter the L2 network page:
click button 'Create L2Network' to open the dialog:
- name the L2 network as 'L2Network-public'
- choose type 'L2NoVlanNetwork'
- input physical interface as 'eth0'
- select cluster 'CLUSTER1'
- click button 'OK'
click 'Create L2Network' again to create the private L2 network:
- name the L2 network as 'L2Network-private'
- choose type 'L2VlanNetwork'
- input vlan as '100'
- input physical interface as 'eth0'
- select cluster(CLUSTER1) to attach
- click button 'OK':
11. Create L3 Network
click 'L3Network' in left sidebar to enter L3 network page:
click 'Public Network' in sidebar to enter L3 public network page:
click button 'Create Public Network' to open the dialog:
- name the L3 network as 'L3Network-public'
- select L2Network 'L2Network-public' (the public L3 network must sit on the public L2 network)
- choose method 'IP Range'
- input start IP as '10.121.9.20'
- input end IP as '10.121.9.200'
- input netmask as '255.0.0.0'
- input gateway as '10.0.0.1'
- input DNS as '8.8.8.8'
- click button 'OK'
No network services needed for 'L3Network-public'
No user VMs will be created on the public L3 network in this tutorial, so we don't specify any network services for it.
12. Create Router Image
click 'Virtual Router' in left sidebar and click 'Virtual Router Image' to enter virtual router image page:
click button 'Add Virtual Router Image' to open the dialog:
- name the virtual router image as 'Virtualrouterimage1'
- input the URL of the latest virtual router image (the same zstack-vrouter-2.0.0.qcow2 URL used in section 9)
- select BackupStorage 'BS1'
- click button 'OK'
13. Create Virtual Router Offering
click 'Virtual Router Offering' in the left sidebar to enter virtual router offering page:
click 'Create Virtual Router Offering' to open the dialog:
- name the virtual router offering as 'VR-offering1'
- input CPU NUM as '2'
- input CPU speed as '2'
- choose image 'Virtualrouterimage1'
- choose management L3 network 'L3Network-public'
- choose public L3 network 'L3Network-public'
- click button 'OK'
14. Create Private Network
click 'Network' in the left sidebar, click 'L3Network' and click 'Private Network' to enter L3Network private network page:
click button 'Create Private Network' to create the private L3 network:
- name the L3 network as 'L3Network-private'
- choose L2Network 'L2Network-private'
- choose type 'V Router'
- choose Virtual Router Offering 'VR-offering1'
- choose method 'CIDR'
- input network CIDR as '192.168.1.0/24'
- input DNS as '8.8.8.8'
- click button 'OK'
15. Create Instance Offering
click 'Resource Pool' in the left sidebar and click 'InstanceOffering' to enter instance offering page:
click button 'Create InstanceOffering' to open the dialog:
- input name as 'IO1'
- input CPU as '1'
- input Memory as '1'
- click button 'OK'
16. Create Virtual Machine
click 'Resource Pool' in the left sidebar and click 'VmInstance' to enter VM instance page:
click button 'Create VmInstance' to open the dialog:
- choose Type 'Single'
- input name as 'VM1'
- choose instance offering 'IO1'
- choose network 'L3Network-private'
- click button 'OK'
The first user VM takes more time to create
For the first user VM, ZStack needs to download the image from the backup storage to the primary storage and create a virtual router VM on
the private L3 network, so it takes about 1 ~ 2 minutes to finish.
17. Create Port Forwarding Rule
click 'Network' in the left sidebar, click 'Network service' and then click 'Port Forwarding' to enter the port forwarding page:
click button 'Create Port Forwarding' to open the dialog:
- input name as 'PORT-FORWARDING1'
- choose VIP method 'Create New VIP'
- choose L3 Network 'L3Network-public'
- select protocol as 'TCP'
- select port as 'specifies the port'
- input VIP start port as 22
- input VIP end port as 22
- input guest start port as 22
- input guest end port as 22
- click button 'OK'
- select vm instance 'VM1'
- click button 'OK'
Click 'VIP' in the left sidebar to see the VIP allocated for the port forwarding rule: 10.121.9.96
From a machine that can reach the public IP (10.121.9.96), SSH to it on port 22; you should land in VM1:
18. Rebind The Port Forwarding Rule
Follow the instructions in 'Create Virtual Machine' above to create another VM (VM2) on
the private L3 network (L3Network-private).
Subsequent VMs are created extremely fast
As the image has been downloaded to the image cache of the primary storage and the virtual router VM has been created,
new VMs will be created extremely fast, usually less than 3 seconds.
go to the port forwarding page:
- select 'PORT-FORWARDING1'
- click button 'Port Forwarding Actions'
- select item 'Detach'
- click button 'OK' to confirm detaching
To reattach 'PORT-FORWARDING1' to VM2:
click button 'Port Forwarding Actions' again, select item 'Attach', select VM2, and finally click button 'OK':
SSH to the public IP (10.121.9.96) again; you should now be in VM2. Expect your SSH client to warn that the host key for 10.121.9.96 has changed: the same public address now terminates at a different VM, so the warning is expected here and is a useful confirmation that the rebind took effect:
19. Create The 2nd Port Forwarding Rule
Follow the instructions in 'Create Port Forwarding Rule' above to create another rule.
This time we bind port 2222 of a new VIP to port 22 of VM1.
Go to the port forwarding page and click button 'Create Port Forwarding' again:
- input name as 'PORT-FORWARDING2'
- choose VIP method 'Create New VIP'
- choose L3 Network 'L3Network-public'
- select protocol as 'TCP'
- select port as 'specifies the port'
- input VIP start port as 2222
- input VIP end port as 2222
- input guest start port as 22
- input guest end port as 22
- click button 'OK'
- select vm instance 'VM1'
- click button 'OK'
Click 'VIP' in the left sidebar to see the VIP allocated for this rule: 10.121.9.183
SSH to the public IP (10.121.9.183) on port 2222; you should land in VM1:
Summary
In this tutorial we showed how to create port forwarding rules that let public traffic reach
specific ports of VMs on the private L3 network, and how to rebind a rule from one VM to another. Although we only showed one port forwarding rule per
VIP, it is possible to create multiple rules on a single VIP as long as their VIP ports don't conflict.
For more details, see Elastic Port Forwarding in the user manual.
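The following is an added example, not ZStack code and not part of the original tutorial: a small Python model of the port forwarding semantics walked through in the create, rebind and second-rule steps above, and of the "VIP ports must not conflict" constraint stated in the summary. It assumes (these are the author's assumptions, not documented ZStack behaviour) that a rule is attached to at most one VM at a time and must be detached before it is attached elsewhere, that two rules conflict only when they share a VIP and protocol and their VIP port ranges overlap, and that a VIP port range maps one-to-one onto a guest port range of the same size. The rule names, VIPs, VM names and ports are the ones used in this tutorial; the `resolve` and `exposed_ports` helpers are added to show what a given public IP actually exposes after each step.

```python
"""Toy model of elastic port forwarding rules (added example, not ZStack code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PortForwardingRule:
    name: str
    vip: str
    protocol: str            # "TCP" or "UDP"
    vip_port_start: int
    vip_port_end: int
    guest_port_start: int
    guest_port_end: int
    vm: Optional[str] = None  # VM currently attached; None while detached

    def __post_init__(self) -> None:
        for p in (self.vip_port_start, self.vip_port_end,
                  self.guest_port_start, self.guest_port_end):
            if not 1 <= p <= 65535:
                raise ValueError(f"port {p} out of range")
        if self.vip_port_end < self.vip_port_start or self.guest_port_end < self.guest_port_start:
            raise ValueError("port range end precedes start")
        # Assumption: VIP ports map 1:1 onto guest ports, so both ranges
        # must have the same size (a single port is a range of size 1).
        if (self.vip_port_end - self.vip_port_start) != (self.guest_port_end - self.guest_port_start):
            raise ValueError("VIP and guest port ranges differ in size")

    def overlaps(self, other: "PortForwardingRule") -> bool:
        """True when both rules claim a common port on the same VIP and protocol."""
        return (self.vip == other.vip and self.protocol == other.protocol
                and self.vip_port_start <= other.vip_port_end
                and other.vip_port_start <= self.vip_port_end)


class PortForwardingTable:
    def __init__(self) -> None:
        self.rules: Dict[str, PortForwardingRule] = {}

    def create(self, rule: PortForwardingRule) -> PortForwardingRule:
        """Create a rule; reject it if its VIP ports collide with an existing rule."""
        if rule.name in self.rules:
            raise ValueError(f"rule {rule.name!r} already exists")
        for existing in self.rules.values():
            if rule.overlaps(existing):
                raise ValueError(
                    f"{rule.name}: VIP ports {rule.vip_port_start}-{rule.vip_port_end}/"
                    f"{rule.protocol} on {rule.vip} conflict with {existing.name}")
        self.rules[rule.name] = rule
        return rule

    def attach(self, name: str, vm: str) -> None:
        """Bind the rule to a VM; a bound rule has to be detached first (assumption)."""
        rule = self.rules[name]
        if rule.vm is not None:
            raise ValueError(f"{name} is attached to {rule.vm}; detach it first")
        rule.vm = vm

    def detach(self, name: str) -> None:
        self.rules[name].vm = None

    def resolve(self, vip: str, protocol: str, port: int) -> Optional[Tuple[str, int]]:
        """Which (vm, guest_port) does traffic to vip:port/protocol reach?
        None means no attached rule covers it, i.e. the traffic is not forwarded."""
        for rule in self.rules.values():
            if (rule.vm is not None and rule.vip == vip and rule.protocol == protocol
                    and rule.vip_port_start <= port <= rule.vip_port_end):
                return rule.vm, rule.guest_port_start + (port - rule.vip_port_start)
        return None

    def exposed_ports(self, vip: str) -> List[Tuple[str, int, str]]:
        """Inventory of what a public IP currently exposes: (protocol, vip_port, vm)."""
        out = []
        for rule in self.rules.values():
            if rule.vip == vip and rule.vm is not None:
                for p in range(rule.vip_port_start, rule.vip_port_end + 1):
                    out.append((rule.protocol, p, rule.vm))
        return sorted(out)


def walkthrough() -> PortForwardingTable:
    """Replays the tutorial: create rule -> rebind to VM2 -> second rule on a new VIP."""
    table = PortForwardingTable()
    # 10.121.9.96:22/TCP -> VM1:22
    table.create(PortForwardingRule("PORT-FORWARDING1", "10.121.9.96", "TCP", 22, 22, 22, 22))
    table.attach("PORT-FORWARDING1", "VM1")
    # rebind: detach from VM1, attach to VM2
    table.detach("PORT-FORWARDING1")
    table.attach("PORT-FORWARDING1", "VM2")
    # 10.121.9.183:2222/TCP -> VM1:22 on a second VIP
    table.create(PortForwardingRule("PORT-FORWARDING2", "10.121.9.183", "TCP", 2222, 2222, 22, 22))
    table.attach("PORT-FORWARDING2", "VM1")
    return table


if __name__ == "__main__":
    t = walkthrough()
    print(t.resolve("10.121.9.96", "TCP", 22))      # ('VM2', 22)
    print(t.resolve("10.121.9.183", "TCP", 2222))   # ('VM1', 22)
    print(t.resolve("10.121.9.96", "TCP", 80))      # None: port 80 is not forwarded
    try:  # a second rule on the same VIP port is rejected
        t.create(PortForwardingRule("DUP", "10.121.9.96", "TCP", 22, 22, 80, 80))
    except ValueError as e:
        print("rejected:", e)
```

`exposed_ports` is the check worth running after every change: it is the list of what a given public address really opens, which is the whole point of preferring a port forwarding rule over an EIP that opens everything.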