Configure CloudStack so it can be exposed to RightScale.
For a cloud to be properly supported by the RightScale management platform, certain components need to be configured. The following provides details to ensure your CloudStack cloud is properly configured to interact with RightScale.
The URL of the CloudStack API should resemble the following structure:
Make sure access to the API is possible by opening up port 8080 (443 for SSL) to the CloudStack Management Server's PUBLIC_IP address. This enables inbound traffic between RightScale's services and the CloudStack Management Server. Note that various ports also need to be open from the CloudStack compute nodes out to the Internet. This is because the running servers within your CloudStack cloud will need to have access to RightScale through various ports. For more information, see CloudStack Reference Architecture.
Through the use of HTTPS and certificates, a simple VPN is effectively established between RightScale and your CloudStack cloud. Therefore, your CloudStack API is exposed only to RightScale and not to the entire Internet.
A firewall in front of the Management Server is strongly recommended, configured to allow only the access described here.
To configure this, allow HTTPS communication between the RightScale gateway and your CloudStack Management Server so RightScale can make calls to the Cloud Controller API (which reports the status of your CloudStack cloud). Contact RightScale to receive a whitelist of IP addresses from which the Cloud Management Server must accept requests. For information about whitelisting the inbound communications to the CloudStack Management Server, please see Private Cloud Network Connectivity Requirements.
From a cloud networking perspective, a cloud must have the basic networking that provides the following functionality:
Basic Networking (previously called Direct Networking) uses physical routers to handle virtual machine network traffic, similar to a traditional networking model. There is no support for VLANs, and guest isolation is achieved through the use of security groups. Basic Networking configuration is simple and commonly used by organizations that are the sole tenant of the cloud infrastructure, since traffic isolation is not a concern for them. It is most similar to EC2 networking and fully supported within RightScale.
Advanced Networking implements VLANs in addition to security groups for increased guest isolation. This is typically used by service providers or those that need to provide network isolation. The physical network topology must support VLANs. Users can create VMs with one or more networks attached. With Advanced Networking, guest isolation options include:
The Cloud Management Server must be able to accept requests from RightScale services.
Some cloud providers want to limit how frequently a consumer can make API requests to the cloud. RightScale does not support limiting cloud API requests and strongly discourages this practice because it creates a bad end user experience for cloud consumers.
Some cloud providers want to limit API calls that can be made by known cloud API consumers.
If a RightScale user manages a CloudStack cloud using the RightScale Dashboard/API, all of the API calls to the cloud will come directly from RightScale. RightScale does not put any limitations or restrictions on which API calls are allowed.
Some cloud providers want to block external API access from unknown IP Addresses. As a result, they require RightScale to provide all IP Addresses from which access to the cloud is required.
RightScale does not recommend or approve this method. RightScale can provide IP addresses if absolutely required. However, RightScale's Operations team has the ability to change IP addresses (as required) for elastic scaling. It is recommended that you configure your firewall to allow access from our fully qualified domain name. Although downtime might occur if we need to change our DNS records, this is a more reliable method than a whitelist of IP addresses. Please consider IP whitelisting as a security measure only as a last resort.
RightScale requires HTTPS endpoints for any supported cloud.
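The recommendations above (expose only the HTTPS API port, restrict it to the RightScale gateway, prefer resolving the gateway's FQDN over a static IP list) can be turned into firewall rules on the Management Server host. The following is an added example, not RightScale's or CloudStack's own tooling; the hostname `gateway.example.invalid`, the `_fake_resolver` stub and the iptables chain name are assumptions, and the real gateway FQDN must come from RightScale.

```python
"""Generate iptables rules that expose the CloudStack API only over HTTPS and
only to the RightScale gateway, resolved from its FQDN at refresh time.
Added example; hostname and resolver below are placeholders, not RightScale's."""
import ipaddress
import socket

API_PORT_TLS = 443     # HTTPS endpoint, the only one RightScale should reach
API_PORT_PLAIN = 8080  # plain HTTP API port; kept closed to the outside


def resolve_allowed_sources(fqdn, resolver=socket.getaddrinfo):
    """Resolve the gateway FQDN to a sorted list of unique IPv4/IPv6 addresses.
    `resolver` is injectable so the function can be exercised without DNS."""
    addrs = set()
    for _family, _type, _proto, _canon, sockaddr in resolver(fqdn, None):
        addrs.add(str(ipaddress.ip_address(sockaddr[0])))
    return sorted(addrs)


def build_rules(allowed, chain="INPUT"):
    """Return rule lines: accept TLS API traffic only from the allowed sources,
    then drop everything else on both API ports (8080 is never opened)."""
    rules = []
    for src in allowed:
        tool = "ip6tables" if ipaddress.ip_address(src).version == 6 else "iptables"
        rules.append(f"{tool} -A {chain} -p tcp -s {src} --dport {API_PORT_TLS} -j ACCEPT")
    for tool in ("iptables", "ip6tables"):
        for port in (API_PORT_TLS, API_PORT_PLAIN):
            rules.append(f"{tool} -A {chain} -p tcp --dport {port} -j DROP")
    return rules


def diff_sources(previous, current):
    """Report addresses that appeared or vanished since the last resolution;
    this is how a DNS change on the provider side shows up at refresh time."""
    prev, cur = set(previous), set(current)
    return {"added": sorted(cur - prev), "removed": sorted(prev - cur)}


def _fake_resolver(fqdn, port):
    """Constructed stand-in for DNS so the example runs offline (RFC 5737/3849 ranges)."""
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 0)),
            (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.11", 0)),
            (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", 0, 0, 0))]


if __name__ == "__main__":
    allowed = resolve_allowed_sources("gateway.example.invalid", _fake_resolver)
    for line in build_rules(allowed):
        print(line)
    print(diff_sources(["192.0.2.10"], allowed))  # shows two added addresses
```

Run it from cron with the real resolver to re-resolve the FQDN and reapply the rules, and alert on a non-empty `diff_sources` result so a DNS change by the provider is noticed rather than silently causing an outage.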
Optionally, RightScale also supports a mutual authentication mechanism that we can deploy on a case-by-case basis. Please let us know if you are interested in learning more about this method.
© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.