Open kiranchavala opened 2 months ago
I remember there was some work in the past to support network settings and VPC settings; however, I was not able to find the PR.
There are network_details and vpc_details tables, so network-level and VPC-level settings can be defined. The setting needs to be added and the logic implemented.
ISSUE TYPE
Enhancement/Improvement request
COMPONENT NAME
Component: VPC
CLOUDSTACK VERSION
Cloudstack version 4.19.1.1
SUMMARY
Support the (global) setting "remote.access.vpn.client.iprange" at the per-VPC level, and also for simple/single isolated networks (which also support remote access VPN).
Currently we support the setting "remote.access.vpn.client.iprange" at
There are limitations in this case.
Limitation 1
VPC 1 CIDR >>> 10.0.0.0/8
VPC 2 CIDR >>> 172.16.0.0/16
Default account-level setting of parameter "remote.access.vpn.client.iprange" >> "10.1.2.1-10.1.2.8"
Enable site-to-site VPN between the two VPCs, or have a customer gateway.
Enable the VPN service in VPC 1.
Connect an end user to the VPN service of VPC 1.
The end user will get successfully connected to the VPN network, but the routing will not work.
The user cannot reach the VMs associated with VPC 1, since the
As per this rule if VR sees a packet matching src 10.0.0.0/8 dst 172.16.0.0/16 it will apply the IPsec policy routing for the S2S VPN
As a workaround, the admin user has to change the value of the parameter "remote.access.vpn.client.iprange" and disable and re-enable the VPN.
Since this is at the account level, it could affect other VPCs present in the account.
Limitation 2
Have multiple VPCs in an account (VPC 1 and VPC 2).
Enable the VPN service in both VPCs.
The end user connecting to the VPC 1 VPN service will be assigned an IP from remote.access.vpn.client.iprange.
The end user connecting to the VPC 2 VPN service will also be assigned an IP from remote.access.vpn.client.iprange.
If the setting is at the VPC level, it will be easy for the admin/account user to identify the problematic VPC and troubleshoot the issue.
Expected behaviour
It would be beneficial for the end user if CloudStack could provide an option to specify the VPN client address range at VPC creation time.
Also, CloudStack should not allow the value to be changed during the lifetime of the VPC.
Hyperscalers such as AWS and Azure support it at the VPC level:
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#addresspool
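The two limitations above both come down to the VPN client range being chosen without regard to the address space it has to route against: in Limitation 1 the client range 10.1.2.1-10.1.2.8 falls inside VPC 1's own 10.0.0.0/8, and in Limitation 2 two VPCs hand out addresses from the same range. The following is an added example (not CloudStack's code and not part of the issue) of the validation a per-VPC setting could run before the range is applied: it parses the "start-end" form the setting uses, flags a proposed client range that overlaps the VPC CIDR or any site-to-site peer CIDR, and reports VPCs whose per-VPC client ranges overlap each other. The function names and the sample addresses are constructed for illustration; only the CIDRs and the range come from the issue.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# A client range as a (first address, last address) pair.
IPv4Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_client_range(iprange: str) -> IPv4Range:
    """Parse the 'start-end' form used by remote.access.vpn.client.iprange."""
    start_s, end_s = iprange.split("-", 1)
    start = ipaddress.IPv4Address(start_s.strip())
    end = ipaddress.IPv4Address(end_s.strip())
    if end < start:
        raise ValueError(f"end {end} precedes start {start} in {iprange!r}")
    return start, end


def range_overlaps_network(rng: IPv4Range, cidr: str) -> bool:
    """True if at least one address of rng lies inside cidr."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    start, end = rng
    return start <= net.broadcast_address and end >= net.network_address


def find_conflicts(iprange: str, vpc_cidr: str, s2s_remote_cidrs: List[str]) -> List[str]:
    """Return every CIDR (the VPC's own, or a site-to-site peer's) that the
    proposed client range overlaps. An empty list means the range can be
    applied without making the VR's policy routing ambiguous (Limitation 1)."""
    rng = parse_client_range(iprange)
    candidates = [vpc_cidr] + list(s2s_remote_cidrs)
    return [c for c in candidates if range_overlaps_network(rng, c)]


def ranges_overlap(a: IPv4Range, b: IPv4Range) -> bool:
    """Closed-interval overlap test on two client ranges."""
    return a[0] <= b[1] and b[0] <= a[1]


def find_shared_ranges(per_vpc: Dict[str, str]) -> List[Tuple[str, str]]:
    """Given a mapping of VPC name -> client range, list the pairs of VPCs
    whose client ranges overlap, so the problematic VPC can be identified
    instead of every VPC sharing one account-wide range (Limitation 2)."""
    parsed = {name: parse_client_range(r) for name, r in per_vpc.items()}
    return [(a, b) for a, b in combinations(sorted(parsed), 2)
            if ranges_overlap(parsed[a], parsed[b])]


if __name__ == "__main__":
    # Constructed sample reproducing Limitation 1: the account-wide default
    # range sits inside VPC 1's CIDR, while a peer CIDR from VPC 2 is reachable
    # over site-to-site VPN.
    print(find_conflicts("10.1.2.1-10.1.2.8", "10.0.0.0/8", ["172.16.0.0/16"]))
    # A range outside both address spaces passes the check.
    print(find_conflicts("192.168.100.1-192.168.100.8", "10.0.0.0/8", ["172.16.0.0/16"]))
    # Constructed sample for Limitation 2: two VPCs sharing one client range.
    print(find_shared_ranges({"vpc1": "10.1.2.1-10.1.2.8", "vpc2": "10.1.2.1-10.1.2.8"}))
```

Run as a script, the first call reports 10.0.0.0/8 as the conflicting network, the second returns an empty list, and the third names the vpc1/vpc2 pair. Rejecting a conflicting range at VPC creation time, as the issue proposes, is what keeps an admin from having to rotate the account-wide setting and bounce the VPN service after the fact.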