1. Overview
A three-tiered network is popular because users can deploy the presentation layer, application layer, and database layer
into separate networks to obtain better isolation and security.
In this example, we will create a deployment that consists of three L3 networks: a web network, an application network, and a database
network. The web network connects to the internet and can be reached by public traffic; the application network and the database network
are private but can reach the internet through source NAT. For the sake of demonstration, we will create 3 VMs: web-vm, application-vm,
and database-vm. web-vm will have two NICs, one on the web network and another on the application network; application-vm will
also have two NICs, one on the application network and another on the database network; database-vm will have only one NIC, which is
on the database network.
2. Prerequisites
We assume you have followed the installation guide to install ZStack on a single Linux machine, and that
the ZStack management node is up and running. To access the web UI, type the URL below in your browser (please use the latest Chrome or Firefox browser):
http://your_machine_ip:5000/
To keep things simple, we assume you have only one Linux machine with one network card that can access the internet; besides that, there are
some other requirements:
- At least 20G of free disk that can be used as primary storage and backup storage
- Several free IPs that can access the internet
- An NFS server enabled on the machine (see the end of this section for setting up NFS automatically)
- SSH credentials for the user root
Configure root user
The KVM host needs the SSH credentials of the root user so that Ansible can install the necessary packages and the KVM agent can be given full control
of the host. As this tutorial uses a single machine for both the ZStack management node and the KVM host, you will need to configure credentials for
the root user.
CentOS:
sudo su
passwd root
Based on those requirements, we assume the setup information below:
- ethernet device name: eth0
- eth0 IP: 172.20.11.34
- free IP range: 10.121.10.20 ~ 10.121.10.200
- primary storage folder: /zstack_ps
- backup storage folder: /zstack_bs
Slow VM stopping due to lack of ACPID:
Though we don't show an example of stopping a VM, you may find that stopping a VM takes more than 60s. That's
because the VM image doesn't run ACPID, which receives KVM's shutdown event, so ZStack has to
wait for the 60-second timeout and then destroy it. This is not a problem for regular Linux distributions, which have ACPID installed.
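The prerequisites above can be verified before you start clicking through the UI. The script below is an added example, not part of ZStack or of this tutorial: it checks the free space under the two storage folders, that sshd explicitly permits root login, and that an NFS export exists. The folder names, the 20G minimum and the /etc/ssh/sshd_config and /etc/exports paths are the tutorial's assumed values; which folder the NFS server should export is not stated on this page, so accepting either storage folder is this example's own assumption.

```shell
#!/bin/sh
# Added example (not part of ZStack or this tutorial): sanity checks for the
# single-machine prerequisites listed above. The storage folders, the 20G
# minimum and the sshd_config / exports paths are the tutorial's assumed
# values; which folder the NFS server exports is not stated, so this
# accepts either storage folder (an assumption of this example).

PS_DIR=/zstack_ps
BS_DIR=/zstack_bs
MIN_FREE_GB=20
SSHD_CONFIG=/etc/ssh/sshd_config
EXPORTS=/etc/exports

# free_gb DIR: free space, in whole GiB, on the filesystem that will hold DIR.
# DIR may not exist yet, so walk up to the nearest existing parent.
free_gb() {
    d=$1
    while [ ! -d "$d" ] && [ "$d" != "/" ]; do
        d=$(dirname "$d")
    done
    df -Pk "$d" | awk 'NR == 2 { printf "%d\n", $4 / 1048576 }'
}

# has_free_disk DIR MIN_GB: succeeds if DIR's filesystem has at least MIN_GB GiB free.
has_free_disk() {
    [ "$(free_gb "$1")" -ge "$2" ]
}

# permit_root_login FILE: succeeds only if sshd_config FILE explicitly contains
# "PermitRootLogin yes". sshd uses the first occurrence of a keyword, so that is
# what is tested; a missing directive falls back to a compiled-in default that
# differs between OpenSSH versions, so an absent setting counts as a failure.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" && !seen { v = tolower($2); seen = 1 }
         END { exit (v == "yes") ? 0 : 1 }' "$1"
}

# nfs_exported DIR FILE: succeeds if the /etc/exports-style FILE exports DIR.
nfs_exported() {
    awk -v dir="$1" '$1 == dir { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# run_checks: print one PASS/FAIL line per prerequisite; returns the number of failures.
run_checks() {
    failed=0
    for dir in "$PS_DIR" "$BS_DIR"; do
        if has_free_disk "$dir" "$MIN_FREE_GB"; then
            echo "PASS  $dir has at least ${MIN_FREE_GB}G free"
        else
            echo "FAIL  $dir has less than ${MIN_FREE_GB}G free"; failed=$((failed + 1))
        fi
    done
    if permit_root_login "$SSHD_CONFIG" 2>/dev/null; then
        echo "PASS  sshd explicitly allows root login"
    else
        echo "FAIL  set 'PermitRootLogin yes' in $SSHD_CONFIG and restart sshd"; failed=$((failed + 1))
    fi
    if nfs_exported "$PS_DIR" "$EXPORTS" 2>/dev/null || nfs_exported "$BS_DIR" "$EXPORTS" 2>/dev/null; then
        echo "PASS  an NFS export exists for a storage folder"
    else
        echo "FAIL  neither $PS_DIR nor $BS_DIR is listed in $EXPORTS"; failed=$((failed + 1))
    fi
    return "$failed"
}

if run_checks; then
    echo "All prerequisites satisfied."
else
    echo "Fix the FAIL lines above before adding the host."
fi
```

Run it as root on the machine that will become HOST1; every FAIL line names the setting to correct. The root-login check deliberately demands an explicit `PermitRootLogin yes` rather than trusting the sshd default, because the default has changed across OpenSSH releases and a silently wrong value only surfaces later as a failed "Add Host" step.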
3. Log In
Open your browser with the URL (http://your_machine_ip:5000/) and log in with admin/password:
4. Create Zone
Click 'Hardware' in the left sidebar and then click 'Zone' to enter the zone page:
Click the 'Create Zone' button to open the dialog:
Name your first zone 'ZONE1' and click the 'OK' button:
5. Create Cluster
Click 'Cluster' in the left sidebar to enter the cluster page:
Click the 'Create Cluster' button to open the dialog:
Name the cluster 'CLUSTER1', then click the 'OK' button:
6. Add Host
Click 'Host' in the left sidebar to enter the host page:
Click the 'Create Host' button to open the dialog:
- name the host 'HOST1'
- select the cluster (CLUSTER1) you just created
- input the host IP (172.20.11.45)
- input the SSH port (22)
- the most important thing: give the SSH credentials for the user root
- click the 'OK' button
Adding a host is a little slow the first time
It may take a few minutes to add a host because Ansible will install all dependent packages, for example KVM, on the host.
7. Add Primary Storage
Click 'PrimaryStorage' in the left sidebar to enter the primary storage page:
Click the 'Add PrimaryStorage' button to open the dialog:
- name the primary storage 'PS1'
- select type 'LocalStorage'
- input the URL (/zstack_ps)
- select cluster 'CLUSTER1'
- click the 'OK' button
Format of URL
The format of the URL is exactly the same as the one used by the Linux mount command.
It's actually multiple API calls
You will see two API completion notifications because this step actually calls two APIs: addPrimaryStorage and attachPrimaryStorageToCluster.
8. Add Backup Storage
Click 'BackupStorage' in the left sidebar to enter the backup storage page:
Click the 'Add BackupStorage' button to open the dialog:
- name the backup storage 'BS1'
- choose type 'Sftp'
- input the IP (172.20.11.45) as the host IP
- input the URL '/zstack_bs', which is the folder that will store images
Input the SSH port (22), input the SSH credentials for the user root, and click the 'OK' button:
9. Add Image
Click 'Resource Pool' in the left sidebar and click 'Image' to enter the image page:
Click the 'Add Image' button to open the dialog:
- name the image 'Image1'
- select media type 'Image'
- select platform 'Linux'
- input the URL http://cdn.zstack.io/product_downloads/images/zstack-image.qcow2
- select BackupStorage 'BS1'
- click the 'OK' button
This image will be used as the user VM image.
10. Create Public L2 Network
Click 'Network' in the left sidebar and click 'L2Network' to enter the L2 network page:
Click the 'Create L2Network' button to open the dialog:
- name the L2 network 'PUBLIC-MANAGEMENT-L2'
- choose type 'L2NoVlanNetwork'
- input the physical interface 'eth0'
- select cluster 'CLUSTER1'
- click the 'OK' button
11. Create Public L3 Network
Click 'L3 Network' in the left sidebar to enter the L3 network page:
Click 'Public Network' in the sidebar to enter the L3 public network page:
Click the 'Create Public Network' button to open the dialog:
Name the L3 network 'PUBLIC-MANAGEMENT-L3' and select L2Network 'PUBLIC-MANAGEMENT-L2'
- choose method 'IP Range'
- input the start IP '10.121.10.20'
- input the end IP '10.121.10.200'
- input the netmask '255.0.0.0'
- input the gateway '10.0.0.1'
- click the 'OK' button
12. Create Virtual Router Image
Click 'Virtual Router' in the left sidebar and click 'Virtual Router Image' to enter the virtual router image page:
Click the 'Add Virtual Router Image' button to open the dialog:
- name the virtual router image 'Virtualrouterimage1'
- input the URL where the latest virtual router image is located
- select BackupStorage 'BS1'
- click the 'OK' button
Fast link for users in Mainland China
http://cdn.zstack.io/product_downloads/vrouter/zstack-vrouter-2.0.0.qcow2
Cache images on your local HTTP server
The virtual router image is about 432M and takes some time to download. We suggest you use a local HTTP server
to store it and any images you create yourself.
13. Create Virtual Router Offering
Click 'Virtual Router Offering' in the left sidebar to enter the virtual router offering page:
Click 'Create Virtual Router Offering' to open the dialog:
- name the virtual router offering 'VR-offering1'
- input CPU NUM '2'
- input CPU speed '2'
- choose image 'Virtualrouterimage1'
Choose management L3 network 'PUBLIC-MANAGEMENT-L3', choose public L3 network 'PUBLIC-MANAGEMENT-L3', and click the 'OK' button
14. Create Application L2 Network
Click the 'New L2 Network' button again to create the application L2 network:
- name the L2 network 'APPLICATION-L2'
- choose type 'L2VlanNetwork'
- input VLAN '2017'
- input the physical interface 'eth0'
Choose cluster 'CLUSTER1' and click the 'OK' button
15. Create Application L3 Network
Click 'Network' in the left sidebar, click 'L3Network' and click 'Private Network' to enter the L3Network private network page:
Click the 'Create Private Network' button again to create the private L3 network:
- name the L3 network 'APPLICATION-L3'
- choose L2Network 'APPLICATION-L2'
- choose type 'V Router'
- choose Virtual Router Offering 'VR-offering1'
- choose method 'CIDR'
- input the network CIDR '192.0.0.0/24'
- input DNS '8.8.8.8'
- click the 'OK' button
16. Create Database L2 Network
Click the 'New L2 Network' button again to create the database L2 network:
- name the L2 network 'DATABASE-L2'
- choose type 'L2VlanNetwork'
- input VLAN '2018'
- input the physical interface 'eth0'
Select the cluster (CLUSTER1) to attach, and click the 'OK' button:
17. Create Database L3 Network
Click 'Network' in the left sidebar, click 'L3Network' and click 'Private Network' to enter the L3Network private network page:
Click the 'Create Private Network' button again to create the private L3 network:
- name the L3 network 'DATABASE-L3'
- choose L2Network 'DATABASE-L2'
- choose type 'V Router'
- choose Virtual Router Offering 'VR-offering1'
- choose method 'CIDR'
- input the network CIDR '172.16.1.0/24'
- input DNS '8.8.8.8'
- click the 'OK' button
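The addressing entered in sections 11, 15 and 17 is easy to get wrong, and a mistake only shows up later as VMs that cannot reach the gateway or each other. The script below is an added example, not ZStack code: it checks that the public IP range lies in the gateway's subnet without containing the gateway, that the two private CIDRs overlap neither each other nor the public subnet, and flags a private network that is not RFC 1918 space. The addresses are the ones used in this tutorial; the check functions and the derived public subnet 10.0.0.0/8 (gateway 10.0.0.1 with netmask 255.0.0.0) are this example's own.

```shell
#!/bin/sh
# Added example (not ZStack code): validates the addressing typed into the
# three L3 network dialogs above (sections 11, 15 and 17) before you click 'OK'.
# The addresses below are the tutorial's; the check logic is this example's own.

# ip_to_int A.B.C.D: print the dotted-quad address as an unsigned 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# prefix_to_int N: the netmask of a /N block as an integer.
prefix_to_int() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# same_subnet IP1 IP2 NETMASK: succeeds if both addresses share the network part.
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# range_ok START END NETMASK GATEWAY: an 'IP Range' public network is usable if
# start <= end, both ends lie in the gateway's subnet, and the gateway itself is
# outside the range (a range containing the gateway could hand that address to a VM).
range_ok() {
    s=$(ip_to_int "$1"); e=$(ip_to_int "$2"); g=$(ip_to_int "$4")
    [ "$s" -le "$e" ] || return 1
    same_subnet "$1" "$4" "$3" && same_subnet "$2" "$4" "$3" || return 1
    [ "$g" -lt "$s" ] || [ "$g" -gt "$e" ]
}

# cidr_overlap A/PA B/PB: succeeds if the two CIDR blocks share any address.
cidr_overlap() {
    na=${1%/*}; pa=${1#*/}; nb=${2%/*}; pb=${2#*/}
    shortest=$pa; [ "$pb" -lt "$shortest" ] && shortest=$pb   # the wider block decides
    m=$(prefix_to_int "$shortest")
    [ $(( $(ip_to_int "$na") & m )) -eq $(( $(ip_to_int "$nb") & m )) ]
}

# is_rfc1918 A/P: succeeds if the block lies entirely inside 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    cp=${1#*/}
    for priv in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        pp=${priv#*/}
        # contained when the candidate is no wider than the private block and overlaps it
        if [ "$cp" -ge "$pp" ] && cidr_overlap "$1" "$priv"; then return 0; fi
    done
    return 1
}

# check_plan: validate the tutorial's three networks; prints one line per check
# and returns the number of ERRORs (WARN lines are advisory and not counted).
check_plan() {
    errors=0
    # PUBLIC-MANAGEMENT-L3 (section 11): 10.121.10.20 ~ 10.121.10.200, 255.0.0.0, gateway 10.0.0.1
    if range_ok 10.121.10.20 10.121.10.200 255.0.0.0 10.0.0.1; then
        echo "ok    PUBLIC-MANAGEMENT-L3: range lies in the gateway's subnet and excludes the gateway"
    else
        echo "ERROR PUBLIC-MANAGEMENT-L3: start/end/netmask/gateway are inconsistent"; errors=$((errors + 1))
    fi
    public=10.0.0.0/8     # the subnet implied by gateway 10.0.0.1 with netmask 255.0.0.0
    # The private networks (sections 15 and 17) must not overlap each other or the
    # public subnet, or the virtual router cannot route between them unambiguously.
    for pair in "192.0.0.0/24 172.16.1.0/24" "192.0.0.0/24 $public" "172.16.1.0/24 $public"; do
        set -- $pair
        if cidr_overlap "$1" "$2"; then
            echo "ERROR $1 overlaps $2"; errors=$((errors + 1))
        else
            echo "ok    $1 and $2 are disjoint"
        fi
    done
    # Networks behind source NAT should use RFC 1918 space; anything else shadows
    # real internet addresses for the VMs on that network.
    for cidr in 192.0.0.0/24 172.16.1.0/24; do
        if is_rfc1918 "$cidr"; then
            echo "ok    $cidr is RFC 1918 private space"
        else
            echo "WARN  $cidr is not RFC 1918 space (10/8, 172.16/12, 192.168/16)"
        fi
    done
    return "$errors"
}

check_plan
```

On the tutorial's values every overlap and range check passes, but the script prints a WARN for 192.0.0.0/24: that block is not RFC 1918 space, so VMs on APPLICATION-L3 would be unable to reach any real internet host that happens to live in 192.0.0.0/24. The CIDR works for a demonstration; for a deployment, a 192.168.x.0/24 or 10.x.y.0/24 block avoids the shadowing.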
18. Create Instance Offering
Click 'Resource Pool' in the left sidebar and click 'InstanceOffering' to enter the instance offering page:
Click the 'Create InstanceOffering' button to open the dialog:
- input the name 'IO1'
- input CPU '1'
- input Memory '1'
- click the 'OK' button
18. Create WEB VM
Click 'Resource Pool' in the left sidebar and click 'VmInstance' to enter the VM instance page:
Click the 'Create VmInstance' button to open the dialog:
- choose Type 'Single'
- input the name 'WEB-VM'
- choose instance offering 'IO1'
- choose image 'Image1'
- choose L3 network 'WEB-L3' and set it as the default network
- choose L3 network 'APPLICATION-L3'
- click the 'OK' button
The first user VM takes more time to create
For the first user VM, ZStack needs to download the image from the backup storage to the primary storage and create a virtual router VM on
the private L3 network, so it takes about 1 ~ 2 minutes to finish.
19. Create Application VM
Click the 'Create VmInstance' button to open the dialog:
- choose Type 'Single'
- input the name 'APPLICATION-VM'
- choose instance offering 'IO1'
- choose image 'Image1'
- choose L3 network 'WEB-L3'
- choose L3 network 'APPLICATION-L3' and set it as the default network
- click the 'OK' button
Again slow, because the virtual router VM must be created
Because this is the first VM on the DATABASE-L3 network, ZStack will start the virtual router VM before creating APPLICATION-VM,
which takes about 1 minute to finish. Future VM creation on DATABASE-L3 will be extremely fast.
20. Create Database VM
Click the 'Create VmInstance' button to open the dialog again:
- choose Type 'Single'
- input the name 'DATABASE-VM'
- choose instance offering 'IO1'
- choose image 'Image1'
- choose L3 network 'Database-L3'
- click the 'OK' button
21. Confirm Network Connectivity
Select WEB-VM, click the 'VmInstance Actions' button, then click the 'Console' item to open the VM's console:
In the popup window, log in to the VM with username: root, password: password.
- ping google.com; it should succeed.
- ping DATABASE-VM; it should succeed.
- ping APPLICATION-VM; it should fail.
Select APPLICATION-VM, click the 'Action' button, then click the 'Console' item to open the VM's console:
In the popup window, log in to the VM with username: root, password: password.
- ping google.com; it should succeed.
- ping DATABASE-VM; it should succeed.
- ping WEB-VM; it should succeed.
Select DATABASE-VM, click the 'Action' button, then click the 'Console' item to open the VM's console:
In the popup window, log in to the VM with username: root, password: password.
- ping google.com; it should succeed.
- ping WEB-VM; it should succeed.
- ping APPLICATION-VM; it should fail.
Summary
In this example, we showed you how to create a three-tiered network in ZStack. For the sake of demonstration, we don't
apply any firewall. You can combine security groups with this example to create a more secure deployment. For
more details, please see L3 Network in the user manual.