source/installguide/locale/zh_CN/LC_MESSAGES/managing_networks.mo (78 lines of code) (raw):

English source strings (msgid entries) contained in this message catalog, one per line:

(NetScaler load balancer only; requires NetScaler version 10.0)
**Account**: The account to which you want to assign an IP address range.
**Account**: The account to which you want to assign the selected VLAN range.
**Domain**: The domain associated with the account.
**VLAN Range**: The VLAN range that you want to assign to an account.
**ACL List Name**: A name for the ACL list.
**ACL**: Controls both ingress and egress traffic on a VPC private gateway. By default, all traffic is blocked.
**Account**: (Optional) The account on which you want to apply the GSLB rule.
**Account**: Perform the following:
**Account**: The account for which the guest network is being created. You must specify the domain the account belongs to.
**Account**: The account to which you want to assign the IP address range.
**Account, Security Group**: (Add by Account only) To accept only traffic from another security group, enter the CloudStack account and name of a security group that has already been defined in that account. To allow traffic between VMs within the security group you are editing now, enter the same name you used in step 7.
**Account, Security Group**: (Add by Account only) To allow traffic to be sent to another security group, enter the CloudStack account and name of a security group that has already been defined in that account. To allow traffic between VMs within the security group you are editing now, enter its name.
**Action**: The action to be taken: allow the traffic or block it.
**Add VM**: Click Add VM. Select the name of the instance to which this rule applies, and click Apply.
**Add VMs**: Click Add VMs, then select two or more VMs that will divide the load of incoming traffic, and click Apply.
**Add by CIDR/Account**: Indicate whether the destination of the traffic will be defined by IP address (CIDR) or by an existing security group in a CloudStack account (Account). Choose Account if you want to allow outgoing traffic to all VMs in another security group.
**Add by CIDR/Account**: Indicate whether the source of the traffic will be defined by IP address (CIDR) or by an existing security group in a CloudStack account (Account). Choose Account if you want to allow incoming traffic from all VMs in another security group.
**Add**: Click Add to add the condition.
**Algorithm**: Choose the load balancing algorithm you want CloudStack to use. CloudStack supports the following well-known algorithms:
**Algorithm**: (Optional) The algorithm to use to load balance the traffic across the zones. The options are Round Robin, Least Connection, and Proximity.
**Algorithm**: Choose the load balancing algorithm you want CloudStack to use. CloudStack supports a variety of well-known algorithms. If you are not familiar with these choices, you will find plenty of information about them on the Internet.
**All**: The guest network is available to all domains, accounts, and projects within the selected zone.
**Apply**: Click Apply to create the AutoScale configuration.
**Authoritative DNS**: ADNS (Authoritative Domain Name Server) is a service that provides the actual answer to DNS queries, such as a web site's IP address. In a GSLB environment, an ADNS service responds only to DNS requests for domains for which the GSLB service provider is authoritative. When an ADNS service is configured, the service provider owns that IP address and advertises it. When you create an ADNS service, the NetScaler responds to DNS queries on the configured ADNS service IP and port.
**AutoScale**: Click Configure and complete the AutoScale configuration as explained in `Section 15.16.6, “Configuring AutoScale” <#autoscale>`__.
**CIDR list**: The guest CIDR list of the remote subnets. Enter a CIDR or a comma-separated list of CIDRs. Ensure that a guest CIDR list does not overlap with the VPC’s CIDR or with another guest CIDR. The CIDR must be RFC1918-compliant.
**CIDR**: (Add by CIDR only) To accept only traffic from IP addresses within a particular address block, enter a CIDR or a comma-separated list of CIDRs. The CIDR is the base IP address of the incoming traffic. For example, 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.
**CIDR**: (Add by CIDR only) To send traffic only to IP addresses within a particular address block, enter a CIDR or a comma-separated list of CIDRs. The CIDR is the base IP address of the destination. For example, 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.
**CIDR**: The CIDR acts as the Source CIDR for Ingress rules and as the Destination CIDR for Egress rules. To accept traffic only from or to the IP addresses within a particular address block, enter a CIDR or a comma-separated list of CIDRs. The CIDR is the base IP address of the incoming traffic. For example, 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.
**Capacity**: The number of networks the device can handle.
**Community VLANs**: The ports within a community VLAN can communicate with each other and with the promiscuous ports, but they cannot communicate with the ports in other communities at the layer-2 level. In Community mode, direct communication is permitted only with the hosts in the same community and those that are connected to the Primary PVLAN in promiscuous mode. If your customer has two devices that need to be isolated from other customers' devices but must be able to communicate with each other, deploy them on community ports.
**Compute offering**: A predefined set of virtual hardware attributes, including CPU speed, number of CPUs, and RAM size, that the user can select when creating a new virtual machine instance. Choose the compute offering to be used when provisioning a VM instance as part of a scaleup action.
**Configuration**: Specify the following:
**Conserve mode**: Indicate whether to use conserve mode. In this mode, network resources are allocated only when the first virtual machine starts in the network.
**Counter**: The performance counters expose the state of the monitored instances. By default, CloudStack offers four performance counters: three SNMP counters and one NetScaler counter. The SNMP counters are Linux User CPU, Linux System CPU, and Linux CPU Idle. The NetScaler counter is ResponseTime. The root administrator can add additional counters to CloudStack by using the CloudStack API.
**Customer Gateway**: The customer side of a VPN connection. For more information, see `Section 15.25.5.1, “Creating and Updating a VPN Customer Gateway” <#create-vpn-customer-gateway>`__.
**DNS VIPs**: A DNS virtual IP represents a load balancing DNS virtual server on the GSLB service provider. DNS requests for domains for which the GSLB service provider is authoritative can be sent to a DNS VIP.
**DNS domain for Guest Networks**: If you want to assign a special domain name, specify the DNS suffix. This parameter is applied to all the tiers within the VPC, which means that all the tiers you create in the VPC belong to the same DNS domain. If the parameter is not specified, a DNS domain name is generated automatically.
**Dead Peer Detection**: A method to detect an unavailable Internet Key Exchange (IKE) peer. Select this option if you want the virtual router to query the liveness of its IKE peer at regular intervals. It is recommended to have the same DPD configuration on both sides of the VPN connection.
**Dedicated**: When marked as dedicated, this device will be dedicated to a single account. When Dedicated is checked, the value in the Capacity field has no significance; implicitly, its value is 1.
**Description**: (Optional) A short description of the GSLB rule that can be displayed to users.
**Description**: A brief description of the VPC.
**Description**: A short description of the ACL list that can be displayed to users.
**Description**: A short description of the offering that can be displayed to users.
**Description**: A short description of the rule that can be displayed to users.
**Description**: The short description of the network that can be displayed to users.
**Destroy VM Grace Period**: The duration in seconds, after a scaledown action is initiated, to wait before the VM is destroyed as part of the scaledown action. This is to ensure a graceful close of any pending sessions or transactions being served by the VM marked for destruction. The default is 120 seconds.
**Disabling and Enabling an AutoScale Configuration**
**Disk Offerings**: A predefined set of disk sizes for primary data storage.
**Display Text**: The description of the network. This will be user-visible.
**Domain**: (Optional) The domain for which you want to create the GSLB rule.
**Domain**: Selecting Domain limits the scope of this guest network to the domain you specify. The network will not be available to other domains. If you select Subdomain Access, the guest network is available to all the subdomains within the selected domain.
**Domain**: The domain associated with the account.
**Duration**: The duration, in seconds, for which the conditions you specify must be true to trigger a scaleup action. The conditions defined must hold true for the entire duration you specify for an AutoScale action to be invoked.
**ESP Encryption**: The Encapsulating Security Payload (ESP) algorithm for phase-2. The supported encryption algorithms are AES128, AES192, AES256, and 3DES.
**ESP Hash**: The Encapsulating Security Payload (ESP) hash for phase-2. The supported hash algorithms are SHA1 and MD5.
**ESP Lifetime (seconds)**: The phase-2 lifetime of the security association in seconds. The default is 3600 seconds (1 hour). Whenever the value is exceeded, a re-key is initiated to provide new IPsec encryption and authentication session keys.
**End IP**
**GSLB Domain Name**: A preferred domain name for the service.
**GSLB Services**: A GSLB service is typically represented by a load balancing or content switching virtual server. In a GSLB environment, you can have local as well as remote GSLB services. A local GSLB service represents a local load balancing or content switching virtual server. A remote GSLB service is one configured at one of the other sites in the GSLB setup. At each site in the GSLB setup, you can create one local GSLB service and any number of remote GSLB services.
**GSLB Site**: In CloudStack terminology, GSLB sites are represented by zones that are mapped to data centers, each of which has various network appliances. Each GSLB site is managed by a NetScaler appliance that is local to that site. Each of these appliances treats its own site as the local site and all other sites, managed by other appliances, as remote sites. The site is the central entity in a GSLB deployment and is represented by a name and an IP address.
**GSLB Virtual Servers**: A GSLB virtual server refers to one or more GSLB services and balances traffic across the VMs in multiple zones by using the CloudStack functionality. It evaluates the configured GSLB methods or algorithms to select a GSLB service to which to send the client requests. One or more virtual servers from different zones are bound to the GSLB virtual server. A GSLB virtual server does not have a public IP associated with it; instead it has an FQDN DNS name.
**GSLB service Private IP**: The private IP of the GSLB service.
**GSLB service Public IP**: The public IP address of the NAT translator for a GSLB service that is on a private network.
**GSLB service**: Select this option.
**Gateway**
**Gateway**: The IP address of the remote gateway.
**Gateway**: The gateway for the tier you create. Ensure that the gateway is within the Super CIDR range that you specified while creating the VPC and does not overlap with the CIDR of any existing tier within the VPC.
**Gateway**: The gateway in use for the Portable IP addresses you are configuring.
**Gateway**: The gateway that the guests should use.
**Gateway**: The gateway through which the traffic is routed to and from the VPC.
**Guest Gateway**: The gateway that the guests should use.
**Guest Netmask**: The netmask in use on the subnet the guests will use.
**Guest Type**: Choose whether the guest network is isolated or shared.
**Health Check**: (Optional; NetScaler load balancers only) Click Configure and fill in the characteristics of the health check policy. See `Section 15.16.5.3, “Health Checks for Load Balancer Rules” <#health-checks-for-lb-rules>`__.
**Healthy threshold (Optional)**: Number of consecutive health check successes that are required before declaring an instance healthy. Default: 2.
**ICMP Type and ICMP Code**: Used only if Protocol is set to ICMP. Provide the type and code required by the ICMP protocol to fill out the ICMP header. Refer to the ICMP documentation for more details if you are not sure what to enter.
**ICMP Type**, **ICMP Code** (ICMP only): The type of message and error code that will be sent.
**ICMP Type, ICMP Code**: (ICMP only) The type of message and error code that will be accepted.
**ICMP Type, ICMP Code**: (ICMP only) The type of message and error code that will be sent.
**ICMP Type, ICMP Code**: (ICMP only) The type of message and error code that are sent.
**IKE DH**: A public-key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. The 1536-bit Diffie-Hellman group is used within IKE to establish session keys. The supported options are None, Group-5 (1536-bit) and Group-2 (1024-bit).
**IKE Encryption**: The Internet Key Exchange (IKE) policy for phase-1. The supported encryption algorithms are AES128, AES192, AES256, and 3DES. Authentication is accomplished through the preshared keys.
**IKE Hash**: The IKE hash for phase-1. The supported hash algorithms are SHA1 and MD5.
**IKE Lifetime (seconds)**: The phase-1 lifetime of the security association in seconds. The default is 86400 seconds (1 day). Whenever the time expires, a new phase-1 exchange is performed.
**IP Address**: The IP address associated with the VPC gateway.
**IP Address**: The IP address of the SDX.
**IP Range**: A range of IP addresses that are accessible from the Internet and are assigned to the guest VMs.
**IPsec Preshared Key**: Preshared keying is a method where the endpoints of the VPN share a secret key. This key value is used to authenticate the customer gateway and the VPC VPN gateway to each other.
**IPv6 CIDR**: The network prefix that defines the guest network subnet. This is the CIDR that describes the IPv6 addresses in use in the guest networks in this zone. To allot IP addresses from within a particular address block, enter a CIDR.
**Instance Port**: The port of the internal LB VM.
**Interval time (Optional)**: Amount of time between health checks (1 second - 5 minutes). The default value is set in the global configuration parameter lbrule\_health check\_time\_interval.
**Isolated VLAN ID**: The unique ID of the Secondary Isolated VLAN.
**Isolated VLANs**: The ports within an isolated VLAN cannot communicate with each other at the layer-2 level. The hosts that are connected to isolated ports can directly communicate only with the promiscuous resources. If your customer device needs to have access only to a gateway router, attach it to an isolated port.
**LB Isolation**: Select Dedicated if NetScaler is used as the external LB provider.
**Load Balancer Type**: Select Internal LB from the drop-down.
**Load Balancer Type**: Select Public LB from the drop-down.
**Load Balancing or Content Switching Virtual Servers**: According to Citrix NetScaler terminology, a load balancing or content switching virtual server represents one or many servers on the local network. Clients send their requests to the load balancing or content switching virtual server’s virtual IP (VIP) address, and the virtual server balances the load across the local servers. After a GSLB virtual server selects a GSLB service representing either a local or a remote load balancing or content switching virtual server, the client sends the request to that virtual server’s VIP address.
**Max Instance**: The maximum number of active VM instances that should be assigned to a load balancing rule. This parameter defines the upper limit of active VM instances that can be assigned to a load balancing rule.
**Min Instance**: The minimum number of active VM instances that are assigned to a load balancing rule. The active VM instances are the application instances that are up, serving traffic, and being load balanced. This parameter ensures that a load balancing rule has at least the configured number of active VM instances available to serve the traffic.
**NAT Instance**: An instance that provides Port Address Translation for instances to access the Internet via the public gateway. For more information, see `Section 15.27.10, “Enabling or Disabling Static NAT on a VPC” <#enable-disable-static-nat-vpc>`__.
**Name**: A name for the load balancer rule.
**Name**: A short name for the VPC that you are creating.
**Name**: A unique name for the VPN customer gateway you create.
**Name**: A unique name for the tier you create.
**Name**: Any desired name for the network offering.
**Name**: The name for the GSLB rule.
**Name**: The name of the network. This will be user-visible.
**Name**: The name of the network. This will be visible to the user.
**Netmask**
**Netmask**: The netmask associated with the Portable IP range.
**Netmask**: The netmask associated with the VPC gateway.
**Netmask**: The netmask for the tier you create.
**Netmask**: The netmask in use on the subnet the guests will use.
**Network ACL**: A Network ACL is a group of Network ACL items. Network ACL items are numbered rules that are evaluated in order, starting with the lowest numbered rule. These rules determine whether traffic is allowed in or out of any tier associated with the network ACL. For more information, see `Section 15.27.4, “Configuring Network Access Control List” <#configure-acl>`__.
**Network Domain**: A custom DNS suffix at the level of a network. If you want to assign a special domain name to the guest VM network, specify a DNS suffix.
**Network Offering**: If the administrator has configured multiple network offerings, select the one you want to use for this network.
**Network Offering**: The following default network offerings are listed: Internal LB, DefaultIsolatedNetworkOfferingForVpcNetworksNoLB, DefaultIsolatedNetworkOfferingForVpcNetworks.
**Network Rate**: Allowed data transfer rate in MB per second.
**Network Tiers**: Each tier acts as an isolated network with its own VLANs and CIDR list, where you can place groups of resources, such as VMs. The tiers are segmented by means of VLANs. The NIC of each tier acts as its gateway.
**Network offering**: If the administrator has configured multiple network offerings, select the one you want to use for this network.
**Number of Retries**: Number of times to attempt a command on the device before considering the operation failed. The default is 2.
**Operator**: The following five relational operators are supported in the AutoScale feature: Greater than, Less than, Less than or equal to, Greater than or equal to, and Equal to.
**Perfect Forward Secrecy**: Perfect Forward Secrecy (or PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised. This property enforces a new Diffie-Hellman key exchange. It provides keying material that has a longer key material life and thereby greater resistance to cryptographic attacks. The available options are None, Group-5 (1536-bit) and Group-2 (1024-bit). The security of the key exchanges increases as the DH groups grow larger, as does the time the exchanges take.
**Persistent**: Indicate whether the guest network is persistent or not. A network that you can provision without having to deploy a VM on it is termed a persistent network.
**Physical Network**: The physical network you have created in the zone.
**Ping path (Optional)**: Sequence of destinations to which to send health check queries. Default: / (all).
**Polling interval**: The frequency at which the conditions (a combination of counter, operator and threshold) are evaluated before taking a scale up or scale down action. The default polling interval is 30 seconds.
**Prerequisites**: Before you configure an AutoScale rule, consider the following:
**Private Gateway**: All the traffic to and from a private network is routed to the VPC through the private gateway. For more information, see `Section 15.27.5, “Adding a Private Gateway to a VPC” <#add-gateway-vpc>`__.
**Private Gateway**: For more information, see `Section 15.27.5, “Adding a Private Gateway to a VPC” <#add-gateway-vpc>`__.
**Private Port**: The port on which the instance is listening for forwarded public traffic.
**Private Port**: The port that the VMs will use to receive the traffic.
**Private interface**: The interface of the device that is configured to be part of the private network.
**Project**: The project for which the guest network is being created. You must specify the domain the project belongs to.
**Promiscuous**: A promiscuous port can communicate with all the interfaces, including the community and isolated host ports that belong to the secondary VLANs. In Promiscuous mode, hosts are connected to promiscuous ports and are able to communicate directly with resources on both the primary and secondary VLANs. Routers, DHCP servers, and other trusted devices are typically attached to promiscuous ports.
**Protocol Number**: The protocol number associated with IPv4 or IPv6. For more information, see `Protocol Numbers <http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml>`__.
**Protocol**: The communication protocol in use between the two ports.
**Protocol**: The communication protocol in use on the opened port(s).
**Protocol**: The networking protocol that VMs will use to send outgoing traffic. TCP and UDP are typically used for data exchange and end-user communications. ICMP is typically used to send error messages or network monitoring data.
**Protocol**: The networking protocol that sources will use to send traffic to the security group. TCP and UDP are typically used for data exchange and end-user communications. ICMP is typically used to send error messages or network monitoring data.
**Protocol**: The networking protocol that VMs use to send outgoing traffic. The TCP and UDP protocols are typically used for data exchange and end-user communications. The ICMP protocol is typically used to send error messages or network monitoring data.
**Protocol**: The networking protocol that sources use to send traffic to the tier. The TCP and UDP protocols are typically used for data exchange and end-user communications. The ICMP protocol is typically used to send error messages or network monitoring data. All matches all traffic. The other option is Protocol Number.
**Public Gateway**: The public gateway for a VPC is added to the virtual router when the virtual router is created for the VPC. The public gateway is not exposed to end users. You are not allowed to list it, nor to create any static routes for it.
**Public Gateway**: Traffic to and from the Internet is routed to the VPC through the public gateway. In a VPC, the public gateway is not exposed to the end user; therefore, static routes are not supported for the public gateway.
**Public Load Balancer Provider**: You have two options: VPC Virtual Router and NetScaler.
**Public Port**: The port to which public traffic will be addressed on the IP address you acquired in the previous step.
**Public Port**: The port receiving incoming traffic to be balanced.
**Public Port**: The port that receives the incoming traffic to be balanced.
**Public interface**: The interface of the device that is configured to be part of the public network.
**Quiet Time**: The cool-down period after an AutoScale action is initiated. The time includes the time taken to finish provisioning a VM instance from its template and the time taken by an application to be ready to serve traffic. This quiet time allows the fleet to reach a stable state before any further action can take place. The default is 300 seconds.
**Response time (Optional)**: How long to wait for a response from the health check (2 - 60 seconds). Default: 5 seconds.
**Road Warrior / Remote Access**: Users want to be able to connect securely from a home or office to a private network in the cloud. Typically, the IP address of the connecting client is dynamic and cannot be preconfigured on the VPN server.
**Rule Number**: The order in which the rules are evaluated.
**Runtime Considerations**
**SNMP Community**: The SNMP community string to be used by the NetScaler device to query the configured counter value from the provisioned VM instances. The default is public.
**SNMP Port**: The port number on which the SNMP agent that runs on the provisioned VMs is listening. The default port is 161.
**Scope**: The available scopes are Domain, Account, Project, and All.
**Secondary Isolated VLAN ID**: The unique ID of the Secondary Isolated VLAN.
**Security Groups**: Security groups provide a way to isolate traffic to the VM instances. A security group is a group of VMs that filter their incoming and outgoing traffic according to a set of rules, called ingress and egress rules. These rules filter network traffic according to the IP address that is attempting to communicate with the VM.
**Service Type**: The transport protocol to use for GSLB. The options are TCP and UDP.
**Site to Site**: In this scenario, two private subnets are connected over the public Internet with a secure VPN tunnel. The cloud user’s subnet (for example, an office network) is connected through a gateway to the network in the cloud. The address of the user’s gateway must be preconfigured on the VPN server in the cloud. Note that although L2TP-over-IPsec can be used to set up Site-to-Site VPNs, this is not the primary intent of this feature. For more information, see `Section 15.25.5, “Setting Up a Site-to-Site VPN Connection” <#site-to-site-vpn>`__.
**Site-to-Site VPN Connection**: A hardware-based VPN connection between your VPC and your datacenter, home network, or co-location facility. For more information, see `Section 15.25.5, “Setting Up a Site-to-Site VPN Connection” <#site-to-site-vpn>`__.
**Source CIDR**: (Optional) To accept only traffic from IP addresses within a particular address block, enter a CIDR or a comma-separated list of CIDRs. Example: 192.168.0.0/22. Leave empty to allow all CIDRs.
**Source IP Address**: (Optional) The source IP from which traffic originates. The IP is acquired from the CIDR of the particular tier on which you want to create the Internal LB rule. If not specified, the IP address is automatically allocated from the network CIDR.
**Source NAT**: Select this option to enable the source NAT service on the VPC private gateway.
**Source Port**: The port associated with the source IP. Traffic on this port is load balanced.
**Specify VLAN**: (Isolated guest networks only) Indicate whether a VLAN should be specified when this offering is used.
**Start IP**
**Start IP/ End IP**: A range of IP addresses that are accessible from the Internet and will be allocated to guest VMs. Enter the first and last IP addresses that define a range that CloudStack can assign to guest VMs.
**Start Port and End Port**: The port(s) you want to open on the firewall. If you are opening a single port, use the same number in both fields.
**Start Port**, **End Port** (TCP, UDP only): A range of listening ports that are the destination for the incoming traffic. If you are opening a single port, use the same number in both fields.
**Start Port, End Port**: (TCP, UDP only) A range of listening ports that are the destination for the incoming traffic. If you are opening a single port, use the same number in both fields.
**Start Port, End Port**: (TCP, UDP only) A range of listening ports that are the destination for the outgoing traffic. If you are opening a single port, use the same number in both fields.
**Stickiness**: (Optional) Click Configure and choose the algorithm for the stickiness policy. See Sticky Session Policies for Load Balancer Rules.
**Super CIDR for Guest Networks**: Defines the CIDR range for all the tiers (guest networks) within a VPC. When you create a tier, ensure that its CIDR is within the Super CIDR value you enter. The CIDR must be RFC1918 compliant.
**Supported Services**: Select Load Balancer. Select ``InternalLbVM`` from the provider list.
**Supported Services**: Select Load Balancer.
Use Netscaler or VpcVirtualRouter.**System Offering**: Choose the system service offering that you want virtual routers to use in this network.**Template**: A template consists of a base OS image and application. A template is used to provision the new instance of an application on a scaleup action. When a VM is deployed from a template, the VM can start taking the traffic from the load balancer without any admin intervention. For example, if the VM is deployed for a Web service, it should have the Web server running, the database connected, and so on.**Threshold**: Threshold value to be used for the counter. Once the counter defined above breaches the threshold value, the AutoScale feature initiates a scaleup or scaledown action.**Traffic Type**: The type of network traffic that will be carried on the network.**Traffic Type**: The type of traffic: Incoming or outgoing.**Type**: The type of device that is being added. It could be F5 Big Ip Load Balancer, NetScaler VPX, NetScaler MPX, or NetScaler SDX. For a comparison of the NetScaler types, see the CloudStack Administration Guide.**Unhealthy threshold (Optional)**: Number of consecutive health check failures that are required before declaring an instance unhealthy. Default: 10.**Updating an AutoScale Configuration****User**: This is the user that the NetScaler device use to invoke scaleup and scaledown API calls to the cloud. If no option is specified, the user who configures AutoScaling is applied. Specify another user name to override.**Username/Password**: The authentication credentials to access the device. 
CloudStack uses these credentials to access the device.**VLAN ID**: The unique ID of the VLAN.**VLAN****VLAN**: The VLAN ID for the tier that the root admin creates.**VLAN**: The VLAN associated with the VPC gateway.**VLAN**: The VLAN that will be used for public traffic.**VLANs and Public Gateway**: For example, an application is deployed in the cloud, and the Web application VMs communicate with the Internet.**VLANs, VPN Gateway, and Public Gateway**: For example, an application is deployed in the cloud; the Web application VMs communicate with the Internet; and the database VMs communicate with the on-premise devices.**VPC**: A VPC acts as a container for multiple isolated networks that can communicate with each other via its virtual router.**VPC**: This option indicate whether the guest network is Virtual Private Cloud-enabled. A Virtual Private Cloud (VPC) is a private, isolated part of CloudStack. A VPC can have its own virtual network topology that resembles a traditional physical network. For more information on VPCs, see `Section 15.27.1, “About Virtual Private Clouds” <#vpc>`__.**VPN Gateway**: For more information, see `Section 15.25.5.2, “Creating a VPN gateway for the VPC” <#create-vpn-gateway-for-vpc>`__.**VPN Gateway**: The VPC side of a VPN connection.**Virtual Router**: A virtual router is automatically created and started when you create a VPC. The virtual router connect the tiers and direct traffic among the public gateway, the VPN gateways, and the NAT instances. For each tier, a corresponding NIC and IP exist in the virtual router. The virtual router provides DNS and DHCP services through its IP.**Zone**. The name of the zone this network applies to. Each zone is a broadcast domain, and therefore each zone has a different IP range for the guest network. 
The administrator must configure the IP range for each zone.**Zone**: Choose the zone where you want the VPC to be available.**Zone**: The zone in which you are configuring the guest network.0.0.0.0/0110.1.1.0/2410.1.1.0/2610.1.1.64 to 10.1.1.25423A CloudStack user or administrator may create load balancing rules that balance traffic received at a public IP to one or more VMs that belong to a network tier that provides load balancing service in a VPC. A user creates a rule, specifies an algorithm, and assigns the rule to a set of VMs within a tier.A CloudStack user or administrator may create load balancing rules that balance traffic received at a public IP to one or more VMs. A user creates a rule, specifies an algorithm, and assigns the rule to a set of VMs.A Site-to-Site VPN connection helps you establish a secure connection from an enterprise datacenter to the cloud infrastructure. This allows users to access the guest VMs by establishing a VPN connection to the virtual router of the account from a device in the datacenter of the enterprise. You can also establish a secure connection between two VPC setups or high availability zones in your environment. Having this facility eliminates the need to establish VPN connections to individual VMs.A VLAN allocated for an account cannot be shared between multiple accounts.A VM's networks are defined at VM creation time. 
A VM cannot add or remove networks after it has been created, although the user can go into the guest and remove the IP address from the NIC on a particular network.A VPC can be created in Advance zone only, and can't belong to more than one zone at a time.A VPC is comprised of the following network components:A VPC, by default, is created in the enabled state.A VPN customer gateway can be connected to only one VPN gateway at a time.A firewall filter counter that measures the number of bytes of incoming traffic to the public IP.A firewall filter counter that measures the number of bytes of outgoing traffic for the accountA firewall for management traffic operates in the NAT mode. The network typically is assigned IP addresses in the 192.168.0.0/16 Class B private address space. Each pod is assigned IP addresses in the 192.168.\*.0/24 Class C private address space.A guest VM can be in any number of port forward services. Port forward services can be defined but have no members. If a guest VM is part of more than one network, port forwarding rules will function only if they are defined on the default networkA network can carry guest traffic only between VMs within one zone. Virtual machines in different zones cannot communicate with each other using their IP addresses; they must communicate with each other by routing through a public IP address.A network offering cannot be editable because changing it affects the behavior of the existing networks that were created using this network offering.A new NIC is added for this network. You can view the following details in the NICs page:A new VLAN that matches the account's provisioned Zone VLANA new logical interface to connect to the account's private VLAN. The interface IP is always the first IP of the account's private subnet (e.g. 10.1.1.1).A port forward service is a set of port forwarding rules that define a policy. A port forward service is then applied to one or more guest VMs. 
The guest VM then has its inbound network access managed according to the policy defined by the port forwarding service. You can optionally specify one or more CIDRs to filter the source IPs. This is useful when you want to allow only incoming requests from certain IP addresses to be forwarded.A private gateway can be added by the root admin only. The VPC private network has 1:1 relationship with the NIC of the physical network. You can configure multiple private gateways to a single VPC. No gateways with duplicated VLAN and IP are allowed in the same data center.A prompt is displayed asking whether you want to keep the existing CIDR. This is to let you know that if you change the network offering, the CIDR will be affected.A public IP can be used for only one purpose at a time. If the IP is a sourceNAT, it cannot be used for StaticNAT or port forwarding.A security policy that allows traffic within the set of protocols and port ranges that are specified.A self IP for the VLAN. This is always the second IP of the account's private subnet (e.g. 10.1.1.2).A source NAT rule that forwards all outgoing traffic from the account's private VLAN to the public Internet, using the account's public IP address as the source addressA static NAT rule maps a public IP address to the private IP address of a VM in a VPC to allow Internet traffic to it. This section tells how to enable or disable static NAT for a particular IP address in a VPC.A static NAT rule maps a public IP address to the private IP address of a VM in order to allow Internet traffic into the VM. The public IP address always remains the same, which is why it is called “static” NAT. 
This section tells how to enable or disable static NAT for a particular IP address.A static NAT rule that maps the public IP address to the private IP address of a VM.A tier belongs to only one VPC.A typical GSLB environment is comprised of the following components:A user or administrator can change the network offering that is associated with an existing guest network.A user or administrator can define a new security group.A zone shall be considered as GSLB capable only if a GSLB service provider is provisioned in the zone.ACL on Private GatewayAbout Elastic IPAbout Global Server Load BalancingAbout Inter-VLAN Routing (nTier Apps)About Multiple IP RangesAbout Network ACL ListsAbout Portable IPAbout Private VLANAbout Security GroupsAbout Using a NetScaler Load BalancerAbout Virtual Private CloudsAccountAcquiring a New IP AddressAcquiring a New IP Address for a VPCAcquiring a Portable IPActionAdd ACL rules to the ACL list.Add a GSLB rule on both the sites.Add and enable Netscaler VPX in dedicated mode.Add one or more VM instances to CloudStack.Add the username and the corresponding password of the user you wanted to add.Adding Ingress and Egress Rules to a Security GroupAdding Load Balancing Rules on a VPCAdding Multiple Subnets to a Shared NetworkAdding TiersAdding a GSLB RuleAdding a Load Balancer RuleAdding a NetworkAdding a Port Forwarding Rule on a VPCAdding a Private Gateway to a VPCAdding a Security GroupAdding a Virtual Private CloudAdding an Additional Guest NetworkAdditional networks can either be available to all accounts or be assigned to a specific account. Networks that are available to all accounts are zone-wide. Any user with access to the zone can create a VM with access to that network. These zone-wide networks provide little or no isolation between guests.Networks that are assigned to a specific account provide strong isolation.Additional user actions (e.g. setting a port forward) will cause further programming of the firewall and load balancer. 
A user may request additional public IP addresses and forward traffic received at these IPs to specific VMs. This is accomplished by enabling static NAT for a public IP address, assigning the IP to a VM, and specifying a set of protocols and port ranges to open. When a static NAT rule is created, CloudStack programs the zone's external firewall with the following objects:Additionally, if you want to configure the advanced settings, click Show advanced settings, and specify the following:Advanced Zone Physical Network ConfigurationAfter the CloudStack Management Server is installed, log in to the CloudStack UI as administrator.After you modify the required AutoScale parameters, click Apply. To apply the new AutoScale policies, open the AutoScale configuration page again, then click the Enable AutoScale button.AllAll default network offerings are non-persistent.All network tiers inside the VPC should belong to the same account.All the VPC that you have created for the account is listed in the page.All the VPCs that you create for the account are listed in the page.All the VPCs that you have created for the account is listed in the page.All the VPN connections you created are displayed.All the fields are mandatory.All the layer 2 switches, which are PVLAN-aware, are connected to each other, and one of them is connected to a router. All the ports connected to the host would be configured in trunk mode. Open Management VLAN, Primary VLAN (public) and Secondary Isolated VLAN ports. Configure the switch port connected to the router in PVLAN promiscuous trunk mode, which would translate an isolated VLAN to primary VLAN for the PVLAN-unaware router.AllowAllow the egress traffic from specified source CIDR. The Source CIDR is part of guest network CIDR.Allow the egress traffic with protocol TCP,UDP,ICMP, or ALL.Allow the egress traffic with protocol and destination port range. 
The port range is specified for TCP, UDP or for ICMP type and code.An IP can be transferred from one network to another only if Static NAT is enabled. However, when a portable IP is associated with a network, you can use it for any service in the network.An administrator should not assign a VM to a load balancing rule which is configured for AutoScale.An existing network can be made non-persistent by changing its network offering to an offering that has the Persistent option disabled. If the network has no running VMs, during the next network garbage collection run the network is shut down.An existing network can be made persistent by changing its network offering to an offering that has the Persistent option enabled. While setting this property, even if the network has no running VMs, the network is provisioned.Any CloudStack user can set up any number of additional security groups. When a new VM is launched, it is assigned to the default security group unless another user-defined security group is specified. A VM can be a member of any number of security groups. Once a VM is assigned to a security group, it remains in that group for its entire lifetime; you can not move a running VM from one security group to another.Any load balancer rule defined in CloudStack can have a stickiness policy. The policy consists of a name, stickiness method, and parameters. The parameters are name-value pairs or flags, which are defined by the load balancer vendor. The stickiness method could be load balancer-generated cookie, application-generated cookie, or source-based. In the source-based method, the source IP address is used to identify the user and locate the user’s stored data. In the other methods, cookies are used. The cookie generated by the load balancer or application is included in request and response URLs to create persistence. The cookie name can be specified by the administrator or automatically generated. 
A variety of options are provided to control the exact behavior of cookies, such as how they are generated and whether they are cached.Any load balancer rule defined on a NetScaler load balancer in CloudStack can have a health check policy. The policy consists of a ping path, thresholds to define "healthy" and "unhealthy" states, health check frequency, and timeout wait interval.Apply IP Reservation to the guest network as soon as the network state changes to Implemented. If you apply reservation soon after the first guest VM is deployed, lesser conflicts occurs while applying reservation.As a domain administrator/ user perform the following:As always, you can specify an IP from the guest subnet; if not specified, an IP is automatically picked up from the guest VM subnet. You can view the IPs associated with for each guest VM NICs on the UI. You can apply NAT on these additional guest IPs by using network configuration option in the CloudStack UI. You must specify the NIC to which the IP should be associated.As per the example given above, the site names are A.xyztelco.com and B.xyztelco.com.Assign load balancer rules.Assigning Additional IPs to a VMAssigning Load Balancing Rules to GSLBAssigning a Custom ACL List to a TierAssociate the tier with the default ACL rule.AutoScale is supported on NetScaler Release 10 Build 74.4006.e and beyond.AutoScaling allows you to scale your back-end services or application VMs up or down seamlessly and automatically according to the conditions you define. With AutoScaling enabled, you can ensure that the number of VMs you are using seamlessly scale up when demand increases, and automatically decreases when demand subsides. 
Thus it helps you save compute costs by terminating underused VMs automatically and launching new VMs when you need them, without the need for manual intervention.Based on your selection, the network will have the egress public traffic blocked or allowed.Basic Zone Physical Network ConfigurationBecause multiple IPs can be associated per NIC, you are allowed to select a desired IP for the Port Forwarding and StaticNAT services. The default is the primary IP. To enable this functionality, an extra optional parameter 'vmguestip' is added to the Port forwarding and StaticNAT APIs (enableStaticNat, createIpForwardingRule) to indicate on what IP address NAT need to be configured. If vmguestip is passed, NAT is configured on the specified private IP of the VM. if not passed, NAT is configured on the primary IP of the VM.Before a VM provisioning is completed if NetScaler is shutdown or restarted, the provisioned VM cannot be a part of the load balancing rule though the intent was to assign it to a load balancing rule. To workaround, rename the AutoScale provisioned VMs based on the rule name or ID so at any point of time the VMs can be reconciled to its load balancing rule.Before transferring to another network, ensure that no network rules (Firewall, Static NAT, Port Forwarding, and so on) exist on that portable IP.Before you use PVLAN on XenServer and KVM, enable Open vSwitch (OVS).Best PracticesBind domain name to GSLB virtual server. Domain name is obtained from the domain details.Bind the GSLB services to the GSLB virtual server.Blacklisting RoutesBoth administrators and users can create multiple VPCs. The guest network NIC is plugged to the VPC virtual router when the first VM is deployed in a tier.Both administrators and users can create various possible destinations-gateway combinations. 
However, only one gateway of each type can be used in a deployment.Both the Internet and your corporate datacenter by using both the public gateway and a VPN gateway.By default, all incoming traffic to the public IP address is rejected by the firewall. To allow external traffic, you can open firewall ports by specifying firewall rules. You can optionally specify one or more CIDRs to filter the source IPs. This is useful when you want to allow only incoming requests from certain IP addresses.By default, all incoming traffic to the public IP address is rejected. All outgoing traffic from the guests is also blocked by default.CIDRCIDR (for IPv6)CaseChanging the Network Offering on a Guest NetworkCheck whether the required range is available and is conforms to account limits.Choose an existing IP address or acquire a new IP address. See `Section 15.19, “Acquiring a New IP Address” <#acquire-new-ip-address>`__. Click the name of the IP address in the list.Choose the Regions that you want to work with.Choose the VM that you want to work with.Choose the zone you want to work with.Cisco ISR with IOS 12.4 or laterCitrix NetScaler is supported as an external network element for load balancing in zones that use isolated networking in advanced zones. Set up an external load balancer when you want to provide load balancing through means other than CloudStack’s provided virtual router.Click Account.Click Acquire New IP, and click Yes in the confirmation dialog.Click Acquire New IP.Click Acquire New Secondary IP, and click Yes in the confirmation dialog.Click Add ACL Lists, and specify the following:Click Add Account |addAccount-icon.png: button to assign an IP range to an account.| button.Click Add GSLB.Click Add IP Range.Click Add Instance.Click Add NetScaler device and provide the following:Click Add Network Offering.Click Add Security Group.Click Add VMs, then select two or more VMs that will divide the load of incoming traffic, and click Apply.Click Add VPC. 
The Add VPC page is displayed as follows:Click Add VPN Customer Gateway.Click Add guest network.Click Add guest network. Provide the following information:Click Add network to VM.Click Add new gateway:Click Add.Click Add. The ACL rule is added.Click Apply.Click Authentication Settings, and add the user's password under User Authentication and enter the pre-shared IPSec key in the Shared Secret field under Machine Authentication. Click OK.Click Create VPN Connection.Click Create network.Click Create.Click Dedicate VLAN Range.Click NetScaler.Click Networks.Click Next, review the configuration and click Launch.Click OK and the network offering is created.Click OK to confirm.Click OK to confirm. The IPsec key is displayed in a pop-up window.Click OK.Click Physical Network.Click Portable IP Range.Click Remove NIC button. |remove-nic.png: button to remove a NIC|Click Source NAT IP address.Click View IP Addresses.Click View IP Ranges.Click View Portable IP.Click View Secondary IPs.Click Virtual Machines tab of the tier to which you want to add a VM.Click Yes in the confirmation dialog.Click Yes to confirm.Click Yes to confirm. Wait for some time for the tier to be removed.Click assign more load balancing.Click one of the displayed IP address names.Click the Configuration tab and fill in the following values.Click the Configuration tab.Click the Configure button of the VPC for which you want to set up tiers.Click the Configure button of the VPC to which you want to configure load balancing rules.Click the Configure button of the VPC to which you want to deploy the VMs.Click the Configure button of the VPC whose IP you want to release.Click the Configure button of the VPC, for which you want to configure load balancing rules.Click the Configure button of the VPC.Click the Edit button.Click the Enable VPN button. |AttachDiskButton.png: button to attach a volume|Click the Enable VPN button. 
|vpn-icon.png: button to enable VPN|Click the IP Ranges tab.Click the IP address for which you want to create the rule, then click the Configuration tab.Click the IP address of the Private Gateway you want to work with.Click the IP address you want to release.Click the IP address you want to work with.Click the IP you want to release.Click the IP you want to work with.Click the NICs tab.Click the Network tab.Click the Physical Network tab, then click the name of the physical network.Click the Physical Network tab.Click the Release IP button. |ReleaseIPButton.png: button to release an IP|Click the Replace ACL List icon. |replace-acl-icon.png: button to replace an ACL list|Click the Set default NIC button. |set-default-nic.png: button to set a NIC as default one.|Click the Settings icon.Click the Source NAT IP.Click the Static NAT |EnableNATButton.png: button to enable NAT| button.Click the name of the guest network where the VMs are running.Click the name of the instance you want to work with.Click the name of the network where you want to load balance the traffic.Click the name of the network where you want to work with.Click the name of the network you want to modify.Click the name of the network you want to work with.Click the physical network you want to work with.Click the zone to which you want to add a guest network.Click view assigned load balancing.CloudStack Virtual Private Cloud is a private, isolated part of CloudStack. A VPC can have its own virtual network topology that resembles a traditional physical network. You can launch VMs in the virtual network that can have private addresses in the range of your choice, for example: 10.0.0.0/16. You can define network tiers within your VPC network range, which in turn enables you to group similar kinds of instances based on IP address range.CloudStack account owners can create virtual private networks (VPN) to access their virtual machines. 
If the guest network is instantiated from a network offering that offers the Remote Access VPN service, the virtual router (based on the System VM) is used to provide the service. CloudStack provides a L2TP-over-IPsec-based remote access VPN service to guest virtual networks. Since each network gets its own virtual router, VPNs are not shared across the networks. VPN clients native to Windows, Mac OS X and iOS can be used to connect to the guest networks. The account owner can create and manage users for their VPN. CloudStack does not use its account database for this purpose but uses a separate table. The VPN user database is shared across all the VPNs created by the account owner. All VPN users get access to all VPNs created by the account owner.CloudStack allows you deploy VMs on a VPC tier and one or more shared networks. With this feature, VMs deployed in a multi-tier application can receive monitoring services via a shared network provided by a service provider.CloudStack enables you to block a list of routes so that they are not assigned to any of the VPC private gateways. Specify the list of routes that you want to blacklist in the ``blacklisted.routes`` global parameter. Note that the parameter update affects only new static route creations. If you block an existing static route, it remains intact and continue functioning. You cannot add a static route if the route is blacklisted for the zone.CloudStack enables you to specify routing for the VPN connection you create. You can enter one or CIDR addresses to indicate which traffic is to be routed back to the gateway.CloudStack is capable of replacing its Virtual Router with an external Juniper SRX device and an optional external NetScaler or F5 load balancer for gateway and load balancing services. 
In this case, the VMs use the SRX as their gateway.CloudStack provides the ability to use security groups to provide isolation between guests on a single shared, zone-wide network in an advanced zone where KVM is the hypervisor. Using security groups in advanced zones rather than multiple VLANs allows a greater range of options for setting up guest isolation in a cloud.CloudStack provides you the ability to associate multiple private IP addresses per guest VM NIC. In addition to the primary IP, you can assign additional IPs to the guest VM NIC. This feature is supported on all the network configurations—Basic, Advanced, and VPC. Security Groups, Static NAT and Port forwarding services are supported on these additional IPs.CloudStack provides you the ability to move VMs between networks and reconfigure a VM's network. You can remove a VM from a network and add to a new network. You can also change the default network of a virtual machine. With this functionality, hybrid or traditional server loads can be accommodated with ease.CloudStack provides you the ability to reserve a set of public IP addresses and VLANs exclusively for an account. During zone creation, you can continue defining a set of VLANs and multiple public IP ranges. This feature extends the functionality to enable you to dedicate a fixed set of VLANs and guest IP addresses for a tenant.CloudStack provides you with the ability to establish a site-to-site VPN connection between CloudStack virtual routers. To achieve that, add a passive mode Site-to-Site VPN. With this functionality, users can deploy applications in multiple Availability Zones or VPCs, which can communicate with each other by using a secure Site-to-Site VPN Tunnel.CloudStack provides you with the flexibility to add guest IP ranges from different subnets in Basic zones and security groups-enabled Advanced zones. For security groups-enabled Advanced zones, it implies multiple subnets can be added to the same VLAN. 
With the addition of this feature, you will be able to add IP address ranges from the same subnet or from a different one when IP address are exhausted. This would in turn allows you to employ higher number of subnets and thus reduce the address management overhead. To support this feature, the capability of ``createVlanIpRange`` API is extended to add IP ranges also from a different subnet.CloudStack provides you with the flexibility to add guest IP ranges from different subnets in Basic zones and security groups-enabled Advanced zones. For security groups-enabled Advanced zones, it implies multiple subnets can be added to the same VLAN. With the addition of this feature, you will be able to add IP address ranges from the same subnet or from a different one when IP address are exhausted. This would in turn allows you to employ higher number of subnets and thus reduce the address management overhead. You can delete the IP ranges you have added.CloudStack supports Global Server Load Balancing (GSLB) functionalities to provide business continuity, and enable seamless resource movement within a CloudStack environment. CloudStack achieve this by extending its functionality of integrating with NetScaler Application Delivery Controller (ADC), which also provides various GSLB capabilities, such as disaster recovery and load balancing. The DNS redirection technique is used to achieve GSLB in CloudStack.CloudStack supports creating up to 8 VPN connections.CloudStack supports only one gateway for a subnet; overlapping subnets are not currently supportedCloudStack supports sharing workload across different tiers within your VPC. Assume that multiple tiers are set up in your environment, such as Web tier and Application tier. Traffic to each tier is balanced on the VPC virtual router on the public side, as explained in `Section 15.27.11, “Adding Load Balancing Rules on a VPC” <#add-loadbalancer-rule-vpc>`__. 
If you want the traffic coming from the Web tier to the Application tier to be balanced, use the internal load balancing feature offered by CloudStack.CloudStack uses the NetScaler load balancer to monitor all aspects of a system's health and work in unison with CloudStack to initiate scale-up or scale-down actions.CloudStack virtual routersCloudStack will dynamically provision, configure, and manage the life cycle of VPX instances on the SDX. Provisioned instances are added into CloudStack automatically – no manual configuration by the administrator is required. Once a VPX instance is added into CloudStack, it is treated the same as a VPX on an ESXi host.Components of GSLBConfigure Authoritative DNS, as explained in `Configuring an Authoritative DNS Service <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-adns-svc-tsk.html>`__.Configure Guest Traffic in an Advanced ZoneConfigure Public Traffic in an Advanced ZoneConfigure a GSLB service for each virtual server.Configure a GSLB site with site name formed from the domain name details.Configure a GSLB site with the site name formed from the domain name.Configure a GSLB virtual server.Configure private VLAN on your physical switches out-of-band.Configuring AutoScaleConfiguring GSLBConfiguring Multiple IP Addresses on a Single NICConfiguring Network Access Control ListConfiguring Portable IPsConfiguring Remote Access VPNConfiguring Remote Access VPN in VPCConfiguring SNMP Community String on a RHEL ServerConfiguring a Shared Guest NetworkConfiguring a Virtual Private CloudConfiguring a standard load balancing setup.Configuring an Egress Firewall RuleConfiguring the Default Egress PolicyConsider the following before you create a VPC:Consider the following before you reserve an IP range for non-CloudStack machines:Consider the following scenarios to apply egress firewall rules:Continue with configuring access control list for the tier.Create VPN connection from the VPC VPN 
gateway to the customer VPN gateway.Create VPN customer gateway for both the VPCs.Create VPN gateways on both the VPCs you created.Create a VPC with Netscaler as the Public LB provider.Create a VPC.Create a VPN Customer Gateway.Create a VPN gateway for the VPC that you created.Create a Virtual Private Cloud (VPC).Create a custom ACL list.Create a network offering with the Persistent option enabled.Create a network offering with your desirable default egress policy:Create a network offering, as given in `Section 15.27.11.1.2, “Creating a Network Offering for External LB” <#ext-lb-offering>`__.Create a network offering, as given in `Section 15.27.11.2.5, “Creating an Internal LB Rule” <#int-lb-vpc>`__.Create a tier in the VPC.Create a view to allow the groups to have the permission to:Create an external load balancing rule and apply, as given in `Section 15.27.11.1.3, “Creating an External LB Rule” <#ext-lb-vpc>`__.Create an internal load balancing rule and apply, as given in `Section 15.27.11.2.5, “Creating an Internal LB Rule” <#int-lb-vpc>`__.Create an isolated network by using this network offering.Create two VPCs. For example, VPC A and VPC B.Creating ACL ListsCreating VPN connection on both the VPCs initiates a VPN connection. Wait for few seconds. The default is 30 seconds for both the VPN connections to show the Connected state.Creating a Network Offering for External LBCreating a Network Offering for Internal LBCreating a PVLAN-Enabled Guest NetworkCreating a Persistent Guest NetworkCreating a Static RouteCreating a Tier with Custom ACL ListCreating a VPN ConnectionCreating a VPN gateway for the VPCCreating an ACL RuleCreating an External LB RuleCreating an Internal LB RuleCreating and Updating a VPN Customer GatewayCurrently, CloudStack does not support orchestration of services across the zones. 
The notion of services and service providers in region are to be introduced.DNS and DHCPDedicating IP Address Ranges to an AccountDedicating VLAN Ranges to an AccountDefine Network Access Control List (ACL) on the VPC virtual router to control incoming (ingress) and outgoing (egress) traffic between the VPC tiers, and the tiers and Internet. By default, all incoming traffic to the guest networks is blocked and all outgoing traffic from guest networks is allowed, once you add an ACL rule for outgoing traffic, then only outgoing traffic specified in this ACL rule is allowed, the rest is blocked. To open the ports, you must create a new network ACL. The network ACLs can be created for the tiers only if the NetworkACL service is supported.DenyDeploy the templates you prepared. Ensure that the applications come up on the first boot and is ready to take the traffic. Observe the time requires to deploy the template. Consider this time when you specify the quiet time while configuring AutoScale.Deploying VMs to VPC Tier and Shared NetworksDeploying VMs to the TierDescriptionDescription of Capabilities CloudStack Supported FeaturesDisassociate a VLAN and public IP address range from an accountDomainESP PolicyEach CloudStack account comes with a default security group that denies all inbound traffic and allows all outbound traffic. The default security group can be modified so that all new VMs inherit some other desired set of rules.Each VM has just one default network. The virtual router's DHCP reply will set the guest's default gateway as that for the default network. Multiple non-default networks may be added to a guest in addition to the single, required default network. The administrator can control which networks are available as the default network.Each VM will have its own private IP. 
When the user VM starts, Static NAT is provisioned on the NetScaler device by using the Inbound Network Address Translation (INAT) and Reverse NAT (RNAT) rules between the public IP and the private IP.Each tier should have an unique CIDR in the VPC. Ensure that the tier's CIDR should be within the VPC CIDR range.Each zone has its own set of public IP addresses. Public IP addresses from different zones do not overlap.Edit the /etc/snmp/snmpd.conf file to allow the SNMP polling from the NetScaler device.Editing, Restarting, and Removing a Virtual Private CloudEgressEgress Firewall Rules in an Advanced ZoneEgress firewall rules are supported on Juniper SRX and virtual router.Elastic IP (EIP) addresses are the IP addresses that are associated with an account, and act as static IP addresses. The account owner has the complete control over the Elastic IP addresses that belong to the account. As an account owner, you can allocate an Elastic IP to a VM of your choice from the EIP pool of your account. Later if required you can reassign the IP address to a different VM. This feature is extremely helpful during VM failure. Instead of replacing the VM which is down, the IP address can be reassigned to a new VM in your account.Enable a VPN connection on VPC A in passive mode.Enable a VPN connection on VPC B.Enabling GSLB in NetScalerEnabling Internal LB on a VPC TierEnabling NetScaler as the LB Provider on a VPC TierEnabling Security GroupsEnabling or Disabling Static NATEnabling or Disabling Static NAT on a VPCEnsure that all the tiers are removed before you remove a VPC.Ensure that the SNMP service is started automatically during the system startup:Ensure that the customer gateway is pointed to VPC A. Because virtual router of VPC A, in this case, is in passive mode and is waiting for the virtual router of VPC B to initiate the connection, VPC B virtual router should not be in passive mode.Ensure that the customer gateway is pointed to VPC B. 
The VPN connection is shown in the Disconnected state.Ensure that the endpointe.url parameter present in the Global Settings is set to the Management Server API URL. For example, http://10.102.102.22:8080/client/api. In a multi-node Management Server deployment, use the virtual IP address configured in the load balancer for the management server’s cluster. Additionally, ensure that the NetScaler device has access to this IP address to provide AutoScale support.Ensure that the hardware you have allows starting the selected service offering.Ensure that the necessary template is prepared before configuring AutoScale. When a VM is deployed by using a template and when it comes up, the application should be up and running.Ensure that vm-tools are running on guest VMs for adding or removing networks to work on VMware hypervisor.Ensure that you installed SNMP on RedHat. If not, run the following command:Ensure that you manually configure the gateway of the new subnet before adding the IP range. Note that CloudStack supports only one gateway for a subnet; overlapping subnets are not currently supported.Enter the user name and password from step `1 <#source-nat>`__.External Firewalls and Load BalancersFill in the following:Firewall RulesFirewall rules can be created using the Firewall tab in the Management Server UI. This tab is not displayed by default when CloudStack is installed. To display the Firewall tab, the CloudStack administrator must set the global configuration parameter firewall.rule.ui.enabled to "true."First, be sure you've configured the VPN settings in your CloudStack install. This section is only concerned with connecting via Mac OS X to your VPN.Follow the on-screen instruction to add an instance. 
For information on adding an instance, see the Installation Guide.For NetScaler:For details on how to set a health check policy using the UI, see `Section 15.16.5.1, “Adding a Load Balancer Rule” <#add-load-balancer-rule>`__.For each tier, the following options are displayed.For each tier, the following options are displayed:For every Source IP, a new Internal LB VM is created for load balancing.For example, if a VPC has the private range 10.0.0.0/16, its guest networks can have the network ranges 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, and so on.For example, if the VPC CIDR is 10.0.0.0/16 and the network tier CIDR is 10.0.1.0/24, the gateway of the tier is 10.0.1.1, and the netmask of the tier is 255.255.255.0.For example, the following table describes three scenarios of guest network creation:For example:For further reading:For more information on Portable IP, see `Section 15.12, “Portable IPs” <#portable-ip>`__.For more information on the Associate Public IP option, see the Administration Guide.For more information, see `Binding GSLB Services to a GSLB Virtual Server <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-bind-svc-vsvr-tsk.html>`__.For more information, see `Binding a Domain to a GSLB Virtual Server <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-bind-dom-vsvr-tsk.html>`__.For more information, see `Configuring a Basic GSLB Site <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-basic-site-tsk.html>`__.For more information, see `Configuring a GSLB Service <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-svc-tsk.html>`__.For more information, see `Configuring a GSLB Virtual Server <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-vsvr-tsk.html>`__.For more information, see `Section 15.17.2.2, “Enabling GSLB in NetScaler” <#enable-glsb-ns>`__.For more 
information, see `Section 15.25.5.1, “Creating and Updating a VPN Customer Gateway” <#create-vpn-customer-gateway>`__.For more information, see `Section 15.25.5.2, “Creating a VPN gateway for the VPC” <#create-vpn-gateway-for-vpc>`__.For more information, see `Section 15.25.5.3, “Creating a VPN Connection” <#create-vpn-connection-vpc>`__.For more information, see `Section 15.27, “Configuring a Virtual Private Cloud” <#configure-vpc>`__.For more information, see `Section 15.27.2, “Adding a Virtual Private Cloud” <#add-vpc>`__.For more information, see the Assigning VLANs to Isolated Networks section in the CloudStack Administration Guide.For the VPC, acquire an IP.For the deployments where public IPs are limited resources, you have the flexibility to choose not to allocate a public IP by default. You can use the Associate Public IP option to turn on or off the automatic public IP assignment in the EIP-enabled Basic zones. If you turn off the automatic public IP assignment while creating a network offering, only a private IP is assigned to a VM when the VM is deployed with that network offering. Later, the user can acquire an IP for the VM and enable static NAT.For the description on Secondary Isolated VLAN, see `Section 15.14.1, “About Private VLAN” <#about-pvlan>`__.For the most up to date list of available stickiness methods, see the CloudStack UI or call listNetworks and check the SupportedStickinessMethods capability.From the Network Offering drop-down, select the persistent network offering you have just created.From the Select Offering drop-down, choose Network Offering.From the Select View drop-down, ensure that VPN Connection is selected.GSLB is added as a new network service.GSLB service provider can be added to a physical network in a zone.GatewayGlobal Server Load Balancing (GSLB) is an extension of load balancing functionality, which is highly efficient in avoiding downtime. 
Based on the nature of deployment, GSLB represents a set of technologies that is used for various purposes, such as load sharing, disaster recovery, performance, and legal obligations. With GSLB, workloads can be distributed across multiple data centers situated at geographically separated locations. GSLB can also provide an alternate location for accessing a resource in the event of a failure, or to provide a means of shifting traffic easily to simplify maintenance, or both.Global Server Load Balancing SupportGlobal server load balancing is used to manage the traffic flow to a web site hosted on two separate zones that ideally are in different geographic locations. The following is an illustration of how GLSB functionality is provided in CloudStack: An organization, xyztelco, has set up a public cloud that spans two zones, Zone-1 and Zone-2, across geographically separated data centers that are managed by CloudStack. Tenant-A of the cloud launches a highly available solution by using xyztelco cloud. For that purpose, they launch two instances each in both the zones: VM1 and VM2 in Zone-1 and VM5 and VM6 in Zone-2. Tenant-A acquires a public IP, IP-1 in Zone-1, and configures a load balancer rule to load balance the traffic between VM1 and VM2 instances. CloudStack orchestrates setting up a virtual server on the LB service provider in Zone-1. Virtual server 1 that is set up on the LB service provider in Zone-1 represents a publicly accessible virtual server that client reaches at IP-1. The client traffic to virtual server 1 at IP-1 will be load balanced across VM1 and VM2 instances.Go back to the Control Panel and click Network Connections to see the new connection. 
The connection is not active yet.Grant access with different write permissions to the two groups to the view you created.Guest IP RangesGuest TrafficGuest VM CIDR you specify must be a subset of the network CIDR.GuidelinesHealth Checks for Load Balancer RulesHealth checks are used in load-balanced applications to ensure that requests are forwarded only to running, available services. When creating a load balancer rule, you can specify a health check policy. This is in addition to specifying the stickiness policy, algorithm, and other load balancer rule options. You can configure one health check policy per load balancer rule.Hosting multiple SSL Websites on a single instance. You can install multiple SSL certificates on a single instance, each associated with a distinct IP address.Hosts are also connected to one or more networks carrying guest traffic.Hosts are connected to networks for both management traffic and public traffic.How Does GSLB Works in CloudStack?How Does Internal LB Work in VPC?IDIKE PolicyIP AddressIP Forwarding and FirewallingIP Load BalancingIP Reservation ConsiderationsIP Reservation can be applied only when the network is in Implemented state.IP Reservation configured by the UpdateNetwork API with guestvmcidr=10.1.1.0/26 or enter 10.1.1.0/26 in the CIDR field in the UI.IP Reservation in Isolated Guest NetworksIP Reservation is supported only in Isolated networks.IP association is transferable across networksIP is statically allocatedIP is transferable across VPC, non-VPC isolated and shared networksIP is transferable across both Basic and Advanced zonesIP need not be associated with a networkIPSec Preshared KeyIf a guest VM is part of more than one network, static NAT rules will function only if they are defined on the default network.If an IP address is assigned to a tier:If an application, such as SAP, running on a VM instance is down for some reason, the VM is not counted as part of Max Instance parameter. 
So there may be scenarios where the number of VMs provisioned for a scaleup action might be more than the configured Max Instance value. Once the application instances in the VMs are up from an earlier down state, the AutoScale feature starts aligning to the configured Max Instance value.If an application, such as SAP, running on a VM instance is down for some reason, the VM is then not counted as part of Min Instance parameter, and the AutoScale feature initiates a scaleup action if the number of active VM instances is below the configured value. Similarly, when an application instance comes up from its earlier down state, this application instance is counted as part of the active instance count and the AutoScale process initiates a scaledown action when the active instance count breaches the Max instance value.If no ingress rules are specified, then no traffic will be allowed in, except for responses to any traffic that has been allowed out through an egress rule.If one NIC is used, these IPs should be in the same CIDR in the case of IPv6.If port forwarding rules are already in effect for an IP address, you cannot enable static NAT to that IP.If the API Key and Secret Key are regenerated for an AutoScale user, ensure that the AutoScale functionality of the load balancers that the user participates in are disabled and then enabled to reflect the configuration changes in the NetScaler.If the application is not running, the NetScaler device considers the VM as ineffective and continues provisioning the VMs unconditionally until the resource limit is exhausted.If you are changing from a network offering that uses the CloudStack virtual router to one that uses external devices as network service providers, you must first stop all the VMs on the network.If you are creating the VPN gateway for the first time, selecting Site-to-Site VPN prompts you to create a VPN gateway.If you are enabling static NAT, a dialog appears as follows:If you are enabling static NAT, a dialog 
appears where you can choose the destination VM and click Apply.If you create load balancing rules while using a network service offering that includes an external load balancer device such as NetScaler, and later change the network service offering to one that uses the CloudStack virtual router, you must create a firewall rule on the virtual router for each of your existing load balancing rules so that they continue to function.If you have already created tiers, the VPC diagram is displayed. Click Create Tier to add a new tier.If you have not already done so, add a public IP address range to a zone in CloudStack. See Adding a Zone and Pod in the Installation Guide.If you select Allow for a network offering, by default egress traffic is allowed. However, when an egress rule is configured for a guest network, rules are applied to block the specified traffic and rest are allowed. If no egress rules are configured for the network, egress traffic is accepted.If you select Deny for a network offering, by default egress traffic for the guest network is blocked. However, when an egress rules is configured for a guest network, rules are applied to allow the specified traffic. While implementing a guest network, CloudStack adds the firewall egress rule specific to the default egress policy for the guest network.If you stopped any VMs, restart them.If you update the endpointe.url, disable the AutoScale functionality of the load balancer rules in the system, then enable them back to reflect the changes. For more information see `Updating an AutoScale Configuration <#update-autoscale>`__If you upgrade between virtual router as a provider and an external network device as provider, acknowledge the change of CIDR to continue, so choose Yes.If you want Portable IP click Yes in the confirmation dialog. 
If you want a normal Public IP click No.If you want to establish a connection between two VPC virtual routers, select Passive only on one of the VPC virtual routers, which waits for the other VPC virtual router to initiate the connection. Do not select Passive on the VPC virtual router that initiates the connection.If you want to perform any maintenance operation on the AutoScale VM instances, disable the AutoScale configuration. When the AutoScale configuration is disabled, no scaleup or scaledown action is performed. You can use this downtime for the maintenance activities. To disable the AutoScale configuration, click the Disable AutoScale |EnableDisable.png: button to enable or disable AutoScale.| button.If your preferences are locked, you'll need to click the lock in the bottom left-hand corner to make any changes and provide your administrator credentials.In CIDR, specify the Guest VM CIDR.In CloudStack terminology, Network ACL is a group of Network ACL items. Network ACL items are nothing but numbered rules that are evaluated in order, starting with the lowest numbered rule. These rules determine whether traffic is allowed in or out of any tier associated with the network ACL. You need to add the Network ACL items to the Network ACL, then associate the Network ACL with a tier. Network ACL is associated with a VPC and can be assigned to multiple VPC tiers within a VPC. A Tier is associated with a Network ACL at all the times. Each tier can be associated with only one ACL.In Network Offering, choose the new network offering, then click Apply.In Select Offering, choose Network Offering.In Select view, choose Guest networks, then click the Guest network you want.In Select view, choose Security Groups, then click the security group you want .In Select view, choose Security Groups.In Type of VPN, choose L2TP IPsec VPN, then click IPsec settings. Select Use preshared key. 
Enter the preshared key from step `1 <#source-nat>`__.In Zones, click View All.In Zones, click View More.In a Basic zone, load balancing service is supported only if Elastic IP or Elastic LB services are enabled.In a Basic zone, you can also create a load balancing rule without acquiring or selecting an IP address. CloudStack internally assign an IP when you create the load balancing rule, which is listed in the IP Addresses page when the rule is created.In a CloudStack, guest VMs can communicate with each other using shared infrastructure with the security and user perception that the guests have a private LAN. The CloudStack virtual router is the main component providing networking features for guest traffic.In a VPC, identify the Private Gateway you want to work with.In a VPC, only one tier can be created by using LB-enabled network offering.In a VPC, the following four basic options of network architectures are present:In a VPC, you can configure two types of load balancing—external LB and internal LB. External LB is nothing but a LB rule created to redirect the traffic received at a public IP of the VPC virtual router. The traffic is load balanced within a tier based on your configuration. Citrix NetScaler and VPC virtual router are supported for external LB. When you use internal LB service, traffic received at a tier is load balanced across different VMs within that tier. For example, traffic reached at Web tier is redirected to another VM in that tier. External load balancing devices are not supported for internal LB. The service is provided by a internal LB VM configured on the target tier.In a basic network, configuring the physical network is fairly straightforward. You only need to configure one guest network to carry traffic that is generated by guest VMs. 
When you first add a zone to CloudStack, you set up the guest network through the Add Zone screens.In a zone that uses advanced networking, you can instead define multiple guest networks to isolate traffic to VMs.In a zone that uses advanced networking, you need to configure at least one range of IP addresses for Internet traffic.In addition to the custom ACL lists you have created, the following default rules are displayed in the Network ACLs page: default\_allow, default\_deny.In addition to the specific Cisco and Juniper devices listed above, the expectation is that any Cisco or Juniper device running on the supported operating systems are able to establish VPN connections.In advanced zones, load balancer functionality fully supported without limitation. In basic zones, static NAT, elastic IP (EIP), and elastic load balancing (ELB) are also provided.In an Advanced zone, an IP address range or a CIDR is assigned to a network when the network is defined. The CloudStack virtual router acts as the DHCP server and uses CIDR for assigning IP addresses to the guest VMs. If you decide to reserve CIDR for non-CloudStack purposes, you can specify a part of the IP address range or the CIDR that should only be allocated by the DHCP service of the virtual router to the guest VMs created in CloudStack. The remaining IPs in that network are called Reserved IP Range. When IP reservation is configured, the administrator can add additional VMs or physical servers that are not part of CloudStack to the same network and assign them the Reserved IP addresses. CloudStack guest VMs cannot acquire IPs from the Reserved IP Range.In an Ethernet switch, a VLAN is a broadcast domain where hosts can establish direct communication with each another at Layer 2. Private VLAN is designed as an extension of VLAN standard to add further segmentation of the logical broadcast domain. 
A regular VLAN is a single broadcast domain, whereas a private VLAN partitions a larger VLAN broadcast domain into smaller sub-domains. A sub-domain is represented by a pair of VLANs: a Primary VLAN and a Secondary VLAN. The original VLAN that is being divided into smaller groups is called Primary, which implies that all VLAN pairs in a private VLAN share the same Primary VLAN. All the secondary VLANs exist only inside the Primary. Each Secondary VLAN has a specific VLAN ID associated to it, which differentiates one sub-domain from another.In an advanced Zone, ensure that at least one VM should be present before configuring a load balancer rule with AutoScale. Having one VM in the network ensures that the network is in implemented state for configuring AutoScale.In an advanced zone, you can also create egress firewall rules by using the virtual router. For more information, see `Section 15.22.2, “Egress Firewall Rules in an Advanced Zone” <#egress-firewall-rule>`__.In each zone that are participating in GSLB, add GSLB-enabled NetScaler device.In each zone, add GSLB-enabled NetScaler device for load balancing.In isolated guest networks, a part of the guest IP address space can be reserved for non-CloudStack VMs or physical servers. To do so, you configure a range of Reserved IP addresses by specifying the CIDR when a guest network is in Implemented state. If your customers wish to have non-CloudStack controlled VMs or physical servers on the same network, they can share a part of the IP address space that is primarily provided to the guest network.In order for security groups to function in a zone, the security groups feature must first be enabled for the zone. The administrator can do this when creating a new zone, by selecting a network offering that includes security groups. The procedure is described in Basic Zone Configuration in the Advanced Installation Guide. 
The administrator can not enable security groups for an existing zone, only when creating a new zone.In order to support this functionality, region level services and service provider are introduced. A new service 'GSLB' is introduced as a region level service. The GSLB service provider is introduced that will provider the GSLB service. Currently, NetScaler is the supported GSLB provider in CloudStack. GSLB functionality works in an Active-Active data center environment.In shared networks in Basic zone and Security Group-enabled Advanced networks, you will have the flexibility to add multiple guest IP ranges from different subnets. You can add or remove one IP range at a time. For more information, see `Section 15.10, “About Multiple IP Ranges” <#multiple-ip-range>`__.In the Default egress policy field, specify the behaviour.In the Detail tab, click the Replace ACL button. |replace-acl-icon.png: button to replace the default ACL behaviour.|In the Details tab, click Edit. |EditButton.png: button to edit a network|In the Details tab, click Edit. |edit-icon.png: button to edit a network|In the Details tab, click NICs.In the Details tab, click View GSLB.In the Details tab, click the Release IP button |release-ip-icon.png: button to release an IP.|In the Details tab, click the Remove VPC button |remove-vpc.png: button to remove a VPC|In the Details tab,click the Static NAT button. |enable-disable.png: button to enable Static NAT.| The button toggles between Enable and Disable, depending on whether static NAT is currently enabled for the IP address.In the Guest node of the diagram, click Configure.In the Internal LB page, click Add Internal LB.In the Load Balancing node of the diagram, click View All.In the Network Details tab, click the Delete Network button. 
|del-tier.png: button to remove a tier|In the Network Service Providers node of the diagram, click Configure.In the Port Forwarding node of the diagram, click View All.In the Private Gateway page, click the IP address of the Private Gateway you want to work with.In the Private Gateway page, do either of the following:In the Public node of the diagram, click Configure.In the Quickview of the selected Private Gateway, click Replace ACL, select the ACL rule, then click OKIn the Router node, select Public IP Addresses.In the Select view, select VPC.In the Select view, select VPN Customer Gateway.In the cloud.dns.name global parameter, specify the DNS name of your tenant's cloud that make use of the GSLB service.In the confirmation dialog, click Yes to confirm.In the dialog, make necessary choices, including firewall provider.In the dialog, make the following choices:In the dialog, specify the following:In the drop-down list, select the network that you would like to add this VM to.In the illustration, a NetScaler appliance is the default entry or exit point for the CloudStack instances, and firewall is the default entry or exit point for the rest of the data center. Netscaler provides LB services and staticNAT service to the guest networks. The guest traffic in the pods and the Management Server are on different subnets / VLANs. The policy-based routing in the data center core switch sends the public traffic through the NetScaler, whereas the rest of the data center goes through the firewall.In the left navigation bar, click Infrastructure.In the left navigation bar, click Instances.In the left navigation bar, click Network.In the left navigation bar, click Service Offerings.In the left navigation pane, click Region.In the left navigation, choose Infrastructure.In the left navigation, choose Infrastructure. 
On Zones, click View More, then click the zone to which you want to add a network.In the left navigation, choose Instances.In the left navigation, choose NetworkIn the left navigation, choose Network.In the left navigation, click Global Settings.In the left navigation, click Instances.In the left navigation, click Network.In the left navigation, click Regions.In the next dialog, enter the source NAT IP from step `1 <#source-nat>`__ and give the connection a name. Check Don't connect now.In the next dialog, enter the user name and password selected in step `1 <#source-nat>`__.In the next dialog, select No, create a new connection.In the next dialog, select Use my Internet Connection (VPN).In this figure, a public LB rule is created for the public IP 72.52.125.10 with public port 80 and private port 81. The LB rule, created on the VPC virtual router, is applied on the traffic coming from the Internet to the VMs on the Web tier. On the Application tier two internal load balancing rules are created. An internal LB rule for the guest IP 10.10.10.4 with load balancer port 23 and instance port 25 is configured on the VM, InternalLBVM1. Another internal LB rule for the guest IP 10.10.10.4 with load balancer port 45 and instance port 46 is configured on the VM, InternalLBVM1. Another internal LB rule for the guest IP 10.10.10.6, with load balancer port 23 and instance port 25 is configured on the VM, InternalLBVM2.In zones that use advanced networking, additional networks for guest traffic may be added at any time after the initial installation. You can also customize the domain name associated with the network by specifying a DNS suffix for each network.Inbound NAT (INAT) is a type of NAT supported by NetScaler, in which the destination IP address is replaced in the packets from the public network, such as the Internet, with the private IP address of a VM in the private network. 
Reverse NAT (RNAT) is a type of NAT supported by NetScaler, in which the source IP address in packets generated by a VM in the private network is replaced with the public IP address.
Ingress
Initial Setup of External Firewalls and Load Balancers
Inter-VLAN Routing (nTier Apps) is the capability to route network traffic between VLANs. This feature enables you to build Virtual Private Clouds (VPC), an isolated segment of your cloud that can hold multi-tier applications. These tiers are deployed on different VLANs that can communicate with each other. You provision VLANs to the tiers you create, and VMs can be deployed on different tiers. The VLANs are connected to a virtual router, which facilitates communication between the VMs. In effect, you can segment VMs by means of VLANs into different networks that can host multi-tier applications, such as Web, Application, or Database. Such segmentation by means of VLANs logically separates application VMs for higher security and fewer broadcasts, while they remain physically connected to the same device.
Internal LB
Internal LB and Public LB are mutually exclusive on a tier. If the tier has LB on the public side, then it can't have Internal LB.
Internal LB is supported only on VPC networks in the CloudStack 4.2 release.
Is default
Isolate VMs in a shared network by using Private VLANs.
Isolation in Advanced Zone Using Private VLAN
Isolation of guest traffic in shared networks can be achieved by using Private VLANs (PVLAN). PVLANs provide Layer 2 isolation between ports within the same VLAN. In a PVLAN-enabled shared network, a user VM cannot reach other user VMs, though it can reach the DHCP server and the gateway. This lets users control traffic within a network and deploy multiple applications without communication between them, and it prevents communication with other users' VMs.
Juniper J-Series routers with JunOS 9.5 or later
Known Limitation
Least connections
Limitations
Limitations: The following are not supported for this feature:
Load Balancer Rules
Load Balancing Across Tiers
Load Balancing Within a Tier (External LB)
Locate the IP range you want to work with.
Locate the NIC you want to remove.
Locate the NIC you want to work with.
Locate the tier for which you want to configure an internal LB rule, then click Internal LB.
Locate the VPC for which you want to configure internal LB, then click Configure.
Log in as a user or administrator to the CloudStack UI.
Log in as administrator to the CloudStack UI.
Log in to the CloudStack UI and click on the source NAT IP for the account. The VPN tab should display the IPsec preshared key. Make a note of this and the source NAT IP. The UI also lists one or more users and their passwords. Choose one of these users, or, if none exists, add a user and password.
Log in to the CloudStack UI as a domain administrator or user.
Log in to the CloudStack UI as a user or admin.
Log in to the CloudStack UI as administrator.
Log in to the CloudStack UI as an administrator or end user.
Log in to the CloudStack UI as an administrator.
Log in to the CloudStack UI.
Log in with admin privileges to the CloudStack UI.
MPX
Make sure Send all traffic over VPN connection is not checked.
Make sure that not all traffic goes through the VPN. That is, the route installed by the VPN should be only for the guest network and not for all traffic.
Making API calls outside the context of AutoScale, such as destroyVM, on an autoscaled VM leaves the load balancing configuration in an inconsistent state.
Although the VM is destroyed, NetScaler continues to show the VM as a service assigned to the load balancer rule.
Managing Networks and Traffic
Manually configure the gateway of the new subnet before adding the IP range.
Map the community name into a security name (local and mynetwork, depending on where the request is coming from):
Map the security names into group names:
Moving private IP addresses between interfaces or instances. Applications that are bound to specific IP addresses can be moved between instances.
Multiple Subnets in Shared Network
Multiple VLAN ranges in account-specific shared networks.
Multiple VLAN ranges in security group-enabled shared networks.
Multiple tiers can have internal LB support in a VPC.
NetScaler ADC Type
NetScaler AutoScaling is designed to seamlessly launch or terminate VMs based on user-defined conditions. Conditions for triggering a scale-up or scale-down action can vary from a simple use case, such as monitoring the CPU usage of a server, to a complex use case, such as monitoring a combination of a server's responsiveness and its CPU usage. For example, you can configure AutoScaling to launch an additional VM whenever CPU usage exceeds 80 percent for 15 minutes, or to remove a VM whenever CPU usage is less than 20 percent for 30 minutes.
Netmask
NetScaler can be used in a VPC environment only if it is in dedicated mode.
Network ACL Lists
Network CIDR
Network Name
Network devices, such as firewalls and load balancers, generally work best when they have access to multiple IP addresses on the network interface.
Network upgrade is not supported from a network offering with Internal LB to a network offering with Public LB.
Networking in a Pod
Networking in a Zone
New deployments that use the default shared network offering with EIP and ELB services to create a shared network in a Basic zone will continue allocating public IPs to each user VM.
No IP Reservation is done by default.
No IP Reservation.
None
Note that if an account has consumed all the VLANs and IPs dedicated to it, the account can acquire two more resources from the system. CloudStack provides the root admin with two configuration parameters to modify this default behavior: use.system.public.ips and use.system.guest.vlans. These global parameters enable the root admin to disallow an account from acquiring public IPs and guest VLANs from the system if the account has dedicated resources and these dedicated resources have all been consumed. Both settings are configurable at the account level.
Note that only the Cisco Catalyst 4500 has the PVLAN promiscuous trunk mode to connect both a normal VLAN and a PVLAN to a PVLAN-unaware switch. For other Catalyst switches that support PVLAN, connect the switch to the upstream switch with cables, one for each PVLAN pair.
Note, these instructions were written on Mac OS X 10.7.5. They may differ slightly in older or newer releases of Mac OS X.
Now click "Connect" and you will be connected to the CloudStack VPN.
Now, you need to add the VPN users.
OVS on XenServer and KVM does not support PVLAN natively.
Therefore, CloudStack simulates PVLAN on OVS for XenServer and KVM by modifying the flow table.
On Zones, click View More, then click the zone you want to work with.
On Zones, click View More.
On enabling Remote Access VPN on a VPC, any VPN client present outside the VPC can access VMs present in the VPC by using the Remote VPN connection. The VPN client can be anywhere except inside the VPC on which the user enabled the Remote Access VPN service.
On the Guest node of the diagram, click Configure.
On the NetScaler side, configure GSLB as given in `Configuring Global Server Load Balancing (GSLB) <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-con.html>`__:
On the Windows box, go to Control Panel, then select Network and Sharing Center. Click Set up a connection or network.
On your Mac, open System Preferences and click Network.
One of the advantages of having a persistent network is that you can create a VPC with a tier consisting of only physical devices. For example, you might create a VPC for a three-tier application, deploy VMs for the Web and Application tiers, and use physical machines for the Database tier. Another use case is that if you are providing services by using physical hardware, you can define the network as persistent, and therefore even if all its VMs are destroyed the services will not be discontinued.
Ongoing Configuration of External Firewalls and Load Balancers
Only the Internal LB VM can act as the Internal LB provider in the CloudStack 4.2 release.
Only new networks can be added to a VPC. The maximum number of networks per VPC is limited by the value you specify in the vpc.max.networks parameter. The default value is three.
Only one tier can have Public LB support in a VPC.
A PVLAN-enabled shared network can be a part of multiple networks of a guest VM.
Perform the following as a cloud administrator. As per the example given above, the administrator of xyztelco is the one who sets up GSLB:
Persistent Network Considerations
Persistent Networks
Persistent network is designed for isolated networks.
Physical appliance. Can create multiple fully isolated VPX instances on a single appliance to support multi-tenant usage.
Physical appliance. Capable of deep packet inspection. Can act as application firewall and load balancer.
Port Forwarding
Port Forwarding and StaticNAT Services Changes
Portable IP transfer is available only for static NAT.
Portable IPs
Portable IPs in CloudStack are a region-level pool of IPs, elastic in nature, that can be transferred across geographically separated zones. As an administrator, you can provision a pool of portable public IPs at the region level, which are then available for user consumption. Users can acquire portable IPs if the admin has provisioned portable IPs at the region level they are part of. These IPs can be used for any service within an advanced zone. You can also use portable IPs for EIP services in basic zones.
Prerequisites
Prerequisites and Guidelines
Private Gateways
Protocol
Provide a name and description.
Provide the following information:
Public IP Addresses
Public LB IP
Reconfiguring Networks in VMs
Releasing an IP Address
Releasing an IP Address Allocated to a VPC
Remote Access VPN
Remote access VPN is not supported in VPC networks.
Removing IP Reservation by the UpdateNetwork API with guestvmcidr=10.1.1.0/24, or enter 10.1.1.0/24 in the CIDR field in the UI.
Removing Tiers
Removing a Network
Repeat the same steps to add the VPN users.
Replace the UUID with the appropriate UUID. For example, if you want to transfer a portable IP to network X and VM Y in a network, execute the following:
Reserve a VLAN range and public IP address range from an Advanced zone and assign it to an account
Reserved IP Range for Non-CloudStack VMs
Reserving Public IP Addresses and VLANs for Accounts
Reserving an IP Range
Restarting and Removing a VPN Connection
Right-click the new connection and select Properties. In the Properties dialog, select the Networking tab.
Round-robin
Rule
SDX
Security Groups
Security Groups in Advanced Zones (KVM Only)
Security groups must be enabled in the zone in order for this feature to be used.
Security groups provide a way to isolate traffic to VMs. A security group is a group of VMs that filter their incoming and outgoing traffic according to a set of rules, called ingress and egress rules. These rules filter network traffic according to the IP address that is attempting to communicate with the VM. Security groups are particularly useful in zones that use basic networking, because there is a single guest network for all guest VMs.
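The UpdateNetwork call with guestvmcidr=10.1.1.0/24 mentioned above (like the portable-IP transfer, which is done through the API rather than the UI) needs a signed request. The following Python is an added example, not CloudStack's or CloudMonkey's client code; it follows the documented signing scheme (URL-encode each value, sort parameters case-insensitively by key, lower-case the whole string, HMAC-SHA1 with the user's secret key, Base64 the digest) and includes the server-side verification step so the round trip can be checked offline. The endpoint URL, API key,secret key and network ID are placeholders, and it is assumed that value characters are percent-encoded identically on both sides (only '~' and '*' are corner cases in practice).

```python
"""Signed CloudStack API request: added example, not CloudStack's own client.

Reimplements the documented request-signing scheme so an updateNetwork call
(here: dropping an IP reservation via guestvmcidr) can be issued without the
UI. URL, keys and IDs below are placeholders.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit


def canonical_string(params: dict) -> str:
    """String CloudStack signs: key=value pairs with RFC 3986-encoded values
    (space -> %20, '/' -> %2F), sorted case-insensitively by key, lower-cased."""
    pairs = [f"{k}={quote(str(params[k]), safe='')}"
             for k in sorted(params, key=str.lower)]
    return "&".join(pairs).lower()


def sign(params: dict, secret_key: str) -> str:
    """Base64(HMAC-SHA1(secret_key, canonical string))."""
    digest = hmac.new(secret_key.encode(), canonical_string(params).encode(),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request(base_url: str, api_key: str, secret_key: str,
                  command: str, **args) -> str:
    """Full GET URL for `command`; only the API key travels, never the secret."""
    params = {"command": command, "apiKey": api_key, "response": "json", **args}
    signature = sign(params, secret_key)
    return f"{base_url}?{urlencode(params)}&signature={quote(signature, safe='')}"


def params_from_url(url: str) -> dict:
    """Decode the query string the way the server sees it."""
    return dict(parse_qsl(urlsplit(url).query))


def verify(received: dict, secret_key: str) -> bool:
    """Server-side check: recompute over every parameter except 'signature'
    and compare in constant time. Any tampered parameter fails."""
    claimed = received.get("signature", "")
    unsigned = {k: v for k, v in received.items() if k != "signature"}
    return hmac.compare_digest(sign(unsigned, secret_key), claimed)


if __name__ == "__main__":
    # Placeholder credentials and network UUID (constructed for this example).
    url = build_request("https://cloud.example.invalid/client/api",
                        "APIKEY", "SECRETKEY", "updateNetwork",
                        id="0c5d1d2f-0000-4000-8000-placeholder", guestvmcidr="10.1.1.0/24")
    print(url)
    print("signature valid:", verify(params_from_url(url), "SECRETKEY"))
```

Because the signature covers every parameter, an intercepted request cannot be re-pointed at a different network or CIDR without the secret key; what it does not cover is replay, so use HTTPS for the endpoint and keep the secret key out of shell history and logs.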
In advanced zones, security groups are supported only on the KVM hypervisor.
See `Private VLAN Catalyst Switch Support Matrix <http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml>`__ for more information.
See `Section 15.17.2.3, “Adding a GSLB Rule” <#gslb-add>`__.
See `Section 15.17.2.4, “Assigning Load Balancing Rules to GSLB” <#assign-lb-gslb>`__.
See `Section 15.27, “Configuring a Virtual Private Cloud” <#configure-vpc>`__.
See `Section 15.27.5.1, “Source NAT on Private Gateway” <#sourcenat-private-gateway>`__.
See `Section 15.27.5.2, “ACL on Private Gateway” <#acl-private-gateway>`__.
See a typical guest traffic setup given below:
See the Administration Guide.
Select IP Addresses.
Select Network ACL Lists.
Select Network from the left navigation pane.
Select Passive if you want to establish a connection between two VPC virtual routers.
Select Private Gateways.
Select Public IP Addresses.
Select Site-to-Site VPN.
Select a template or ISO, then follow the steps in the wizard.
Select a zone.
Select the ACL List Rules tab.
Select the Dedicated VLAN Ranges tab.
Select the Static Routes tab.
Select the VPC you want to work with.
Select the VPN connection you want to work with.
Select the VPN customer gateway you want to work with.
Select the VPN tab.
Select the desired ACL list while creating a tier.
Select the desired ACL list.
Select the desired GSLB.
Select the desired customer gateway.
Select the guest network that you want to offer this network service to.
Select the load balancing rule you have created for the zone.
Select the networks you want to work with.
Select the region for which you want to create a GSLB rule.
Select the tier and the destination VM, then click Apply.
Select the tier for which you want to assign the custom ACL.
Select the tier to which you want to apply the rule.
Select the tier you want to remove.
Selecting the Default Network
Servers are connected as follows:
Set the following global configuration parameters.
Setting Up a Site-to-Site VPN Connection
Setting the source to 0.0.0.0 allows any IP address to poll the SNMP agent with that community string, not just the NetScaler; where possible, restrict it to the NetScaler's address.
Similar to the public IP address, Elastic IP addresses are mapped to their associated private IP addresses by using StaticNAT. The EIP service is equipped with the StaticNAT (1:1) service in an EIP-enabled basic zone. The default network offering, DefaultSharedNetscalerEIPandELBNetworkOffering, provides your network with EIP and ELB network services if a NetScaler device is deployed in your zone. Consider the following illustration for more details.
Site-to-Site VPN Connection Between VPC Networks
Site-to-Site VPNs
Some of the use cases are described below:
Source
Source IP
Source NAT is automatically configured in the virtual router to forward outbound traffic for all guest VMs.
Source NAT on Private Gateway
Specify a valid Guest VM CIDR. IP Reservation is applied only if no active IPs exist outside the Guest VM CIDR.
Specify the CIDR of the destination network.
Specify the following scale-up and scale-down policies:
Specify the following:
Specify whether you want a cross-zone IP or not.
Specifying a large value for the maximum instance parameter might result in provisioning a large number of VM instances, which in turn leads to a single load balancing rule exhausting the VM instance limit specified at the account or domain level.
Start the SNMP service:
State
Static NAT
Statistics are collected from each GSLB virtual server.
Sticky Session Policies for Load Balancer Rules
Sticky sessions are used in Web-based applications to ensure continued availability of information across the multiple requests in a user's session. For example, if a shopper is filling a cart, you need to remember what has been purchased so far. The concept of "stickiness" is also referred to as persistence or maintaining state.
Storage devices are connected to only the network that carries management traffic.
Supported on ESXi and XenServer. Same functional support as for MPX.
CloudStack will treat VPX and MPX as the same device type.
Supported on KVM, XenServer, and VMware hypervisors
TCP
Tenant-A acquires another public IP, IP-2, in Zone-2 and sets up a load balancer rule to load balance the traffic between the VM5 and VM6 instances. Similarly, in Zone-2 CloudStack orchestrates setting up a virtual server on the LB service provider. Virtual server 2, set up on the LB service provider in Zone-2, represents a publicly accessible virtual server that clients reach at IP-2. The client traffic that reaches virtual server 2 at IP-2 is load balanced across the VM5 and VM6 instances. At this point Tenant-A has the service enabled in both zones, but has no means to set up a disaster recovery plan if one of the zones fails. Additionally, there is no way for Tenant-A to load balance the traffic intelligently to one of the zones based on load, proximity and so on. The cloud administrator of xyztelco provisions a GSLB service provider in both zones. A GSLB provider is typically an ADC that has the ability to act as an ADNS (Authoritative Domain Name Server) and has the mechanism to monitor the health of virtual servers at both local and remote sites. The cloud admin enables GSLB as a service to the tenants that use zones 1 and 2.
Tenant-A wishes to leverage the GSLB service provided by the xyztelco cloud. Tenant-A configures a GSLB rule to load balance traffic across virtual server 1 at Zone-1 and virtual server 2 at Zone-2. The domain name is provided as A.xyztelco.com. CloudStack orchestrates setting up GSLB virtual server 1 on the GSLB service provider at Zone-1. CloudStack binds virtual server 1 of Zone-1 and virtual server 2 of Zone-2 to GSLB virtual server 1. GSLB virtual server 1, in Zone-1, is configured to start monitoring the health of virtual servers 1 and 2. CloudStack will also orchestrate setting up GSLB virtual server 2 on the GSLB service provider at Zone-2. CloudStack will bind virtual server 1 of Zone-1 and virtual server 2 of Zone-2 to GSLB virtual server 2. GSLB virtual server 2 is configured to start monitoring the health of virtual servers 1 and 2. CloudStack will bind the domain A.xyztelco.com to both GSLB virtual servers 1 and 2. At this point, Tenant-A's service will be globally reachable at A.xyztelco.com. The private DNS server for the domain xyztelco.com is configured by the admin out-of-band to delegate the domain A.xyztelco.com to the GSLB providers at both zones, which are configured as ADNS for the domain A.xyztelco.com. When a client sends a DNS request to resolve A.xyztelco.com, it will eventually get a DNS delegation to the addresses of the GSLB providers at zones 1 and 2. The client DNS request will be received by a GSLB provider. The GSLB provider, depending on the domain it needs to resolve, will pick the GSLB virtual server associated with the domain. Depending on the health of the virtual servers being load balanced, the DNS request for the domain will be resolved to the public IP associated with the selected virtual server.
That IP can't be used by more than one tier at a time in the VPC. For example, if you have tiers A and B, and a public IP1, you can create a port forwarding rule by using the IP either for A or B, but not for both.
That IP can't be used for StaticNAT, load balancing, or port forwarding rules for another guest network inside the VPC.
The Acquire New IP window is displayed.
The Add Account dialog is displayed.
The Add Account page is displayed.
The Add GSLB page is displayed as follows:
The Add IP Range dialog is displayed, as follows:
The Add Instance page is displayed.
The Add Portable IP Range window is displayed.
The Add guest network window is displayed.
The Add network to VM dialog is displayed.
The Add new tier dialog is displayed, as follows:
The Associate Public IP feature is designed only for use with user VMs.
The System VMs continue to get both a public IP and a private IP by default, irrespective of the network offering configuration.
The AutoScale feature supports SNMP counters that can be used to define conditions for taking scale-up or scale-down actions. To monitor an SNMP-based counter, ensure that the SNMP agent is installed in the template used for creating the AutoScale VMs, and that SNMP operations work with the configured SNMP community and port when using standard SNMP managers. For example, see `Section 15.16.2, “Configuring SNMP Community String on a RHEL Server” <#configure-snmp-rhel>`__ to configure SNMP on a RHEL machine.
The CIDR field becomes editable.
The Citrix NetScaler comes in three varieties. The following table summarizes how these variants are treated in CloudStack.
The Configure VPC page is displayed. Locate the tier you want to work with.
The Create VPN Connection dialog is displayed:
The Dedicate VLAN Range dialog is displayed.
The Details tab is displayed.
The EIP work flow is as follows:
The GSLB functionality is supported in both Basic and Advanced zones.
The GSLB functionality shall support session persistence, where a series of client requests for a particular domain name is sent to a virtual server in the same zone.
The Gateways page is displayed.
The IKE peers (VPN end points) authenticate each other by computing and sending a keyed hash of data that includes the Preshared key. If the receiving peer is able to create the same hash independently by using its Preshared key, it knows that both peers must share the same secret, thus authenticating the customer gateway.
The IP Addresses page is displayed.
IP Reservation is not supported if active IPs are found outside the Guest VM CIDR.
The IP address is a limited resource. If you no longer need a particular IP, you can disassociate it from its VPC and return it to the pool of available addresses. An IP address can be released from its tier only when all the networking rules (port forwarding, load balancing, or StaticNAT) for this IP address are removed. The released IP address still belongs to the same VPC.
The IP ranges for guest network traffic are set on a per-account basis by the user. This allows the users to configure their network in a fashion that will enable VPN linking between their guest network and their clients.
The IPsec key is displayed in a popup window.
The Internet through the public gateway.
The NetScaler can be set up in direct (outside the firewall) mode. It must be added before any load balancing rules are deployed on guest VMs in the zone.
The NetScaler device uses SNMP to communicate with the VMs. You must install SNMP and configure an SNMP community string for communication between the NetScaler device and the RHEL machine. Note that with SNMP v1 and v2c the community string is sent in cleartext with every request, so it provides neither confidentiality nor strong authentication; restrict the agent to the NetScaler's source address rather than relying on the string alone.
The Public IP Addresses page is displayed.
The Replace ACL List dialog is displayed.
The Replace ACL dialog is displayed.
The SNMP community string is similar to a user id or password that provides access to a network device, such as a router. This string is sent along with all SNMP requests. If the community string is correct, the device responds with the requested information. If the community string is incorrect, the device discards the request and does not respond.
The Site-to-Site VPN page is displayed.
The Source NAT service on a private gateway can be enabled while adding the private gateway. On deletion of a private gateway, source NAT rules specific to the private gateway are deleted.
The VPC page is displayed where all the tiers you created are listed in a diagram.
The VPC page is displayed where all the tiers you have created are listed.
The VPN connection is shown in the Disconnected state.
The Virtual Router provides DNS and DHCP services to the guests. It proxies DNS requests to the DNS server configured on the Availability Zone.
The admin can configure a DNS name for the entire cloud.
The admin is allowed to configure a zone as GSLB capable or enabled.
The admin is allowed to enable or disable GSLB functionality at the region level.
The administrator can allow users to create their own VPC and deploy the application. In this scenario, the VMs that belong to the account are deployed on the VLANs allotted to that account.
The administrator can create the following gateways to send traffic to or receive traffic from the VMs:
The administrator can define a Network Access Control List (ACL) on the virtual router to filter the traffic among the VLANs or between the Internet and a VLAN. You can define an ACL based on CIDR, port range, protocol, type code (if the ICMP protocol is selected) and Ingress/Egress type.
The administrator can deploy a set of VLANs and allow users to deploy VMs on these VLANs. A guest VLAN is randomly allotted to an account from a pre-specified set of guest VLANs. All the VMs of a certain tier of an account reside on the guest VLAN allotted to that account.
The button toggles between Enable and Disable, depending on whether static NAT is currently enabled for the IP address.
The button toggles between Enable and Disable, depending on whether AutoScale is currently enabled or not. After the maintenance operations are done, you can enable the AutoScale configuration again. To enable it, open the AutoScale configuration page again, then click the Enable AutoScale |EnableDisable.png: button to enable or disable AutoScale.| button.
The connection is ready for activation. Go back to Control Panel -> Network Connections and double-click the created connection.
The corporate datacenter by using a site-to-site VPN connection through the VPN gateway.
The default Network ACL is used when no ACL is associated. The default behavior is that all incoming traffic to the tiers is blocked and outgoing traffic from the tiers is allowed.
The default network ACL cannot be removed or modified. The contents of the default Network ACL are:
The default egress policy for an Isolated guest network is configured by using the Network offering. Use the create network offering option to determine whether the default policy should block or allow all traffic to the public network from a guest network. Use this network offering to create the network. If no policy is specified, by default all traffic is allowed from the guest network that you create by using this network offering.
The default number of VPCs an account can create is 20. However, you can change it by using the max.account.vpcs global parameter, which controls the maximum number of VPCs an account is allowed to create.
The default number of tiers an account can create within a VPC is 3. You can configure this number by using the vpc.max.networks parameter.
The default policy is Allow for new network offerings, whereas on upgrade, existing network offerings with firewall service providers will have the default egress policy Deny.
The difference from Remote VPN is that Site-to-site VPNs connect entire networks to each other, for example, connecting a branch office network to a company headquarters network. In a site-to-site VPN, hosts do not have VPN client software; they send and receive normal TCP/IP traffic through a VPN gateway.
Egress firewall rules are not supported on shared networks.
Egress traffic originates from a private network to a public network, such as the Internet. By default, egress traffic is blocked in the default network offerings, so no outgoing traffic is allowed from a guest network to the Internet. However, you can control egress traffic in an Advanced zone by creating egress firewall rules. When an egress firewall rule is applied, the traffic specific to the rule is allowed and the remaining traffic is blocked. When all the firewall rules are removed, the default policy, Block, is applied.
End users can see their own VPCs, while root and domain admins can see any VPC they are authorized to see.
The feature can only be implemented on IPv4 addresses.
The figure below illustrates the network setup within a single pod. The hosts are connected to a pod-level switch. At a minimum, the hosts should have one physical uplink to each switch. Bonded NICs are supported as well. The pod-level switch is a pair of redundant gigabit switches with 10 G uplinks.
The following default rules are displayed in the Network ACLs page: default\_allow, default\_deny.
The following details are displayed in the VPN Gateway page:
The following example allows inbound HTTP access from anywhere:
The following figure illustrates the network setup within a single zone.
The following figure shows the possible deployment scenarios of an Inter-VLAN setup:
The following information on the VPN connection is displayed:
The following objects are created on the load balancer:
The following options are displayed.
The following router information is displayed:
The functional behavior of the NetScaler with CloudStack is the same as described in the CloudStack documentation for using an F5 external load balancer. The only exception is that the F5 supports routing domains, and NetScaler does not. NetScaler cannot yet be used as a firewall.
The instances can only have a private IP address that you provision. To communicate with the Internet, enable NAT to an instance that you launch in your VPC.
The load balancing service can be supported by only one tier inside the VPC.
The major advantages are:
The maximum IPs per account limit cannot be superseded.
A network that you can provision without having to deploy any VMs on it is called a persistent network. A persistent network can be part of a VPC or a non-VPC environment.
The new gateway appears in the list. You can repeat these steps to add more gateways for this VPC.
The new load balancer rule appears in the list. You can repeat these steps to add more load balancer rules for this IP address.
The new security group appears in the Security Groups Details tab.
The number of incoming and outgoing bytes through source NAT, static NAT, and load balancing rules is measured and saved on each external element. This data is collected on a regular basis and stored in the CloudStack database.
Phase-1 is the first phase in the IKE process. In this initial negotiation phase, the two VPN endpoints agree on the methods to be used to provide security for the underlying IP traffic. Phase-1 authenticates the two VPN gateways to each other by confirming that the remote gateway has a matching Preshared Key.
Phase-2 is the second phase in the IKE process. The purpose of IKE phase-2 is to negotiate IPsec security associations (SAs) to set up the IPsec tunnel. In phase-2, new keying material is derived from the Diffie-Hellman shared secret established in phase-1 to provide session keys for protecting the VPN data flow (with Perfect Forward Secrecy enabled, phase-2 performs a fresh Diffie-Hellman exchange as well).
The procedure to use VPN varies by Windows version. Generally, the user must edit the VPN properties and make sure that the default route is not the VPN. The following steps are for Windows L2TP clients on Windows Vista. The commands should be similar for other Windows versions.
The salient features of Portable IP are as follows:
The supported endpoints on the remote datacenters are:
The traffic on the VPC private gateway is controlled by creating both ingress and egress network ACL rules. The ACLs contain both allow and deny rules. Under the default rule, all ingress traffic to the private gateway interface and all egress traffic out of the private gateway interface are blocked.
The user acquires a public IP (Elastic IP). This public IP is associated with the account, but is not mapped to any private IP. However, the user can enable Static NAT to associate this IP with the private IP of a VM in the account. The Static NAT rule for the public IP can be disabled at any time. When Static NAT is disabled, a new public IP is allocated from the pool, which is not necessarily the same one allocated initially.
The user may choose to associate the same public IP with multiple guests. CloudStack implements a TCP-level load balancer with the following policies.
The user shall be able to set a weight on a zone-level virtual server. The weight shall be considered by the load balancing method for distributing the traffic.
The user-provided name, along with the admin-provided DNS name, is used to produce a globally resolvable FQDN for the user's globally load balanced service. For example, if the admin has configured xyztelco.com as the DNS name for the cloud, and the user specifies 'foo' for the GSLB virtual service, then the FQDN of the GSLB virtual service is foo.xyztelco.com.
Users can load balance traffic across the availability zones in the same region or in different regions.
Users can specify a unique name across the cloud for a globally load balanced service. The provided name is used as the domain name under the DNS name associated with the cloud.
Users can use GSLB to load balance across VMs in different zones of a region only if the admin has enabled GSLB in that region.
The virtual router provides DHCP and will automatically assign an IP address to each guest VM within the IP range assigned for the network. The user can manually reconfigure guest VMs to assume different IP addresses.
These steps assume you have already logged in to the CloudStack UI.
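The phase-1 preshared-key authentication described above (each IKE peer sends a keyed hash that includes the PSK, and the other side recomputes it with its own copy), reduced to its core as an added Python sketch. This is not the exact IKE HASH_I/HASH_R construction (real IKE keys the hash through its SKEYID derivation rather than the raw PSK) and it is not CloudStack's or any VPN vendor's code; the peer identities, nonces and PSKs are constructed for the example. The last function shows why PSK strength matters: whenever that hash is observable in the clear, as it is in IKEv1 aggressive mode, a passive observer can test candidate PSKs offline against it.

```python
"""IKE phase-1 style PSK authentication, simplified. Added example, not
CloudStack or vendor code; identities, nonces and keys are made up."""
import hashlib
import hmac
import os


def auth_hash(psk: bytes, sender_id: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Keyed hash the sender transmits. Covers both nonces (freshness) and the
    sender's identity, keyed by the PSK, so only a PSK holder can produce it."""
    return hmac.new(psk, b"|".join((sender_id, nonce_i, nonce_r)), hashlib.sha256).digest()


def phase1_psk_exchange(psk_initiator: bytes, psk_responder: bytes,
                        nonce_i=None, nonce_r=None):
    """Run the exchange between a VPC virtual router (initiator) and a customer
    gateway (responder). Returns (responder_accepts_initiator,
    initiator_accepts_responder)."""
    id_i, id_r = b"vpc-vrouter@cloud", b"customer-gw@branch"
    nonce_i = nonce_i or os.urandom(32)   # fresh per run: a captured hash can't be replayed
    nonce_r = nonce_r or os.urandom(32)
    # Messages on the wire: initiator -> responder, responder -> initiator
    hash_i = auth_hash(psk_initiator, id_i, nonce_i, nonce_r)
    hash_r = auth_hash(psk_responder, id_r, nonce_i, nonce_r)
    # Each side recomputes the peer's hash with its OWN key; constant-time compare
    responder_ok = hmac.compare_digest(auth_hash(psk_responder, id_i, nonce_i, nonce_r), hash_i)
    initiator_ok = hmac.compare_digest(auth_hash(psk_initiator, id_r, nonce_i, nonce_r), hash_r)
    return responder_ok, initiator_ok


def offline_guess(captured_hash: bytes, sender_id: bytes, nonce_i: bytes,
                  nonce_r: bytes, candidates):
    """What a passive observer can do if the hash travels unencrypted (IKEv1
    aggressive mode): try candidate PSKs until one reproduces it. Returns the
    recovered PSK or None. A long random PSK makes this search hopeless."""
    for cand in candidates:
        if hmac.compare_digest(auth_hash(cand, sender_id, nonce_i, nonce_r), captured_hash):
            return cand
    return None


if __name__ == "__main__":
    print("matching PSKs:", phase1_psk_exchange(b"correct horse", b"correct horse"))
    print("mismatched PSKs:", phase1_psk_exchange(b"correct horse", b"wrong"))
    ni, nr = os.urandom(32), os.urandom(32)
    seen = auth_hash(b"cisco123", b"customer-gw@branch", ni, nr)   # weak PSK, constructed
    print("recovered:", offline_guess(seen, b"customer-gw@branch", ni, nr,
                                      [b"admin", b"cisco123", b"letmein"]))
```

When you copy the IPsec preshared key out of the UI for a customer gateway, treat it like a credential: it authenticates both ends, and a short or guessable value weakens the tunnel regardless of how strong the phase-2 ciphers are.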
To configure the base guest network:This default public IP will be released in two cases:This feature can only be implemented:This feature is supported on KVM, xenServer, and VMware hypervisors.This feature is supported on XenServer, KVM, and VMware hypervisors.This feature is supported on XenServer, KVM, and VMware hypervisors. Note that Basic zone security groups are not supported on VMware.This feature is supported on XenServer, VMware, and KVM hypervisors.This feature is supported on all the hypervisors.This feature is supported only on virtual router and Juniper SRX.This feature provides you the following capabilities:This is similar to port forwarding but the destination may be multiple IP addresses.This option is only visible if the network offering you selected is VLAN-enabled.Three types of ports exist in a private VLAN domain, which essentially determine the behaviour of the participating hosts. Each ports will have its own unique set of rules, which regulate a connected host's ability to communicate with other connected host within the same private VLAN domain. Configure each host that is part of a PVLAN pair can be by using one of these three port designation:Tiers are distinct locations within a VPC that act as isolated networks, which do not have access to other tiers by default. Tiers are set up on different VLANs that can communicate with each other by using a virtual router. Tiers provide inexpensive, low latency network connectivity to other tiers within the VPC.To add a VPN Customer Gateway:To add an ACL rule, fill in the following fields to specify what kind of network traffic is allowed in the VPC.To add an egress rule, click the Egress Rules tab and fill out the following fields to specify what type of traffic is allowed to be sent out of VM instances in this security group. If no egress rules are specified, then all traffic will be allowed out. 
Once egress rules are specified, the following types of traffic are allowed out: traffic specified in egress rules; queries to DNS and DHCP servers; and responses to any traffic that has been allowed in through an ingress ruleTo add an egress rule, click the Egress rules tab and fill out the following fields to specify what type of traffic is allowed to be sent out of VM instances in this guest network:To add an ingress rule, click the Ingress Rules tab and fill out the following fields to specify what network traffic is allowed into VM instances in this security group. If no ingress rules are specified, then no traffic will be allowed in, except for responses to any traffic that has been allowed out through an egress rule.To allow incoming traffic, users may set up firewall rules and/or port forwarding rules. For example, you can use a firewall rule to open a range of ports on the public IP address, such as 33 through 44. Then use port forwarding rules to direct traffic from individual ports within that range to specific ports on user VMs. For example, one port forwarding rule could route incoming traffic on the public IP's port 33 to port 100 on one user VM's private IP.To allow outgoing traffic, follow the procedure in `Section 15.22.2, “Egress Firewall Rules in an Advanced Zone” <#egress-firewall-rule>`__.To assign an existing IP range to an account, perform the following:To configure a GSLB deployment, you must first configure a standard load balancing setup for each zone. This enables you to balance load across the different servers in each zone in the region. Then on the NetScaler side, configure both NetScaler appliances that you plan to add to each zone as authoritative DNS (ADNS) servers. Next, create a GSLB site for each zone, configure GSLB virtual servers for each site, create GLSB services, and bind the GSLB services to the GSLB virtual servers. Finally, bind the domain to the GSLB virtual servers. 
The GSLB configurations on the two appliances at the two different zones are identical, although each sites load-balancing configuration is specific to that site.To configure how often the health check is performed by default, use the global configuration setting healthcheck.update.interval (default value is 600 seconds). You can override this value for an individual health check policy.To create a firewall rule:To create a new IP range and assign an account, perform the following:To create a persistent network, perform the following:To do that, select the name of the network, then click Add Load Balancer tab. Continue with `7 <#config-lb>`__.To enable VPN for a VPC:To enable VPN for a particular network:To enable source NAT on existing private gateways, delete them and create afresh with source NAT.To have external LB support on VPC, create a network offering as follows:To have internal LB support on VPC, either use the default offering, DefaultIsolatedNetworkOfferingForVpcNetworksWithInternalLB, or create a network offering as follows:To install and enable an external load balancer for CloudStack management, see `Section 13.5.4, “External Guest Load Balancer Integration (Optional)” <#external-guest-lb-integration>`__.To make the security group useful, continue to Adding Ingress and Egress Rules to a Security Group.To modify the required parameters, click the Edit VPN Customer Gateway button |edit.png: button to edit a VPN customer gateway|To prevent IP conflict, configure different subnets when multiple networks are connected to the same VM.To remove a VPN connection, click the Delete VPN connection button |remove-vpn.png: button to remove a VPN connection|To remove the VPN customer gateway, click the Delete VPN Customer Gateway button |delete.png: button to remove a VPN customer gateway|To reset an existing IP Reservation, apply IP reservation by specifying the value of network CIDR in the CIDR field.To restart a VPC, select the VPC, then click the Restart 
button. |restart-vpc.png: button to restart a VPC|To restart a VPN connection, click the Reset VPN connection button present in the Details tab. |reset-vpn.png: button to reset a VPN connection|To set up VPN for the cloud:To set up a Site-to-Site VPN connection, perform the following:To set up a multi-tier Inter-VLAN deployment, see `Section 15.27, “Configuring a Virtual Private Cloud” <#configure-vpc>`__.To set up port forwarding:To transfer a portable IP across the networks, execute the following API:Traffic typeTransferring Portable IPTwo IP ranges with the same VLAN and different gateway or netmask in account-specific shared networks.Two IP ranges with the same VLAN and different gateway or netmask in security group-enabled shared network.TypeTypically, the Management Server automatically creates a virtual router for each network. A virtual router is a special virtual machine that runs on the hosts. Each virtual router in an isolated network has three network interfaces. If multiple public VLAN is used, the router will have multiple public interfaces. Its eth0 interface serves as the gateway for the guest traffic and has the IP address of 10.1.1.1. Its eth1 interface is used by the system to configure the virtual router. Its eth2 interface is assigned a public IP address for public traffic. If multiple public VLAN is used, the router will have multiple public interfaces.UDPUnblock SNMP in iptables.Under Networks, select the desired networks for the VM you are launching.Updating and Removing a VPN Customer GatewayUpgrading network offering which causes a change in CIDR (such as upgrading an offering with no external devices to one with external devices) IP Reservation becomes void if any. Reconfigure IP Reservation in the new re-implemeted network.Use CasesUse a PVLAN supported switch.Use a strong password instead of public when you edit the following table.Use the Details tab. See `4 <#details-tab>`__ through .Use the Quickview. 
See `3 <#quickview>`__.Use the ``deleteVlanRange`` API to delete IP ranges. This operation fails if an IP from the remove range is in use. If the remove range contains the IP address on which the DHCP server is running, CloudStack acquires a new IP from the same subnet. If no IP is available in the subnet, the remove operation fails.Using Multiple Guest NetworksUsing Remote Access VPN with Mac OS XUsing Remote Access VPN with WindowsVPC with a private gateway only and site-to-site VPN accessVPC with a public gateway onlyVPC with public and private gatewaysVPC with public and private gateways and site-to-site VPN accessVPXView the number of public IP addresses allocated to an accountVirtual MachinesVirtual appliance. Can run as VM on XenServer, ESXi, and Hyper-V hypervisors. Same functionality as MPX.Wait for few seconds until the new route is created.Wait for few seconds. You can see that the new ACL rule is displayed in the Details page.Wait for the update to complete. Don’t try to restart VMs until the network change is complete.Wait for the update to complete. The Network CIDR and the Reserved IP Range are displayed on the Details page.We recommend the use of multiple physical Ethernet cards to implement each network interface as well as redundant switch fabric in order to maximize throughput and improve reliability.When NetScaler load balancer is used to provide EIP or ELB services in a Basic zone, ensure that all guest VM traffic must enter and exit through the NetScaler device. When inbound traffic goes through the NetScaler device, traffic is routed by using the NAT protocol depending on the EIP/ELB configured on the public IP to the private IP. The traffic that is originated from the guest VMs usually goes through the layer 3 router. To ensure that outbound traffic goes through NetScaler device providing EIP/ELB, layer 3 router must have a policy-based routing. 
A policy-based route must be set up so that all traffic originated from the guest VM's are directed to NetScaler device. This is required to ensure that the outbound traffic from the guest VM's is routed to a public IP by using NAT.For more information on Elastic IP, see `Section 15.11, “About Elastic IP” <#elastic-ip>`__.When PFS is turned on, for every negotiation of a new phase-2 SA the two gateways must generate a new set of phase-1 keys. This adds an extra layer of protection that PFS adds, which ensures if the phase-2 SA’s have expired, the keys used for new phase-2 SA’s have not been generated from the current phase-1 keying material.When a VPC is created, by default, a SourceNAT IP is allocated to it. The Source NAT IP is released only when the VPC is removed.When a health check policy is in effect, the load balancer will stop forwarding requests to any resources that are found to be unhealthy. If the resource later becomes available again, the periodic health check will discover it, and the resource will once again be added to the pool of resources that can receive requests from the load balancer. At any given time, the most recent result of the health check is displayed in the UI. For any VM that is attached to a load balancer rule with a health check configured, the state will be shown as UP or DOWN in the UI depending on the result of the most recent health check.When a user VM is deployed, a public IP is automatically acquired from the pool of public IPs configured in the zone. This IP is owned by the VM's account.When creating the VPC, you simply provide the zone and a set of IP addresses for the VPC network address space. You specify this set of addresses in the form of a Classless Inter-Domain Routing (CIDR) block.When the VM is stopped. 
When the VM starts, it again receives a new public IP, not necessarily the same one allocated initially, from the pool of Public IPs.When the first VM is created for a new account, CloudStack programs the external firewall and load balancer to work with the VM. The following objects are created on the firewall:When the last VM on a network is destroyed, the network garbage collector checks if the network offering associated with the network is persistent, and shuts down the network only if it is non-persistent.When the last rule for an IP address is removed, you can release that IP address. The IP address still belongs to the VPC; however, it can be picked up for any guest network again.When users have VMs deployed in multiple availability zones which are GSLB enabled, they can use the GSLB functionality to load balance traffic across the VMs in multiple zones.When you acquire an IP address, all IP addresses are allocated to VPC, not to the guest networks within the VPC. The IPs are associated to the guest network only when the first port-forwarding, load balancing, or Static NAT rule is created for the IP or the network. IP can't be associated to more than one network at a time.When you create a guest network, the network offering that you select defines the network persistence. This in turn depends on whether persistent network is enabled in the selected network offering.When you create other types of network, a network is only a database entry until the first VM is created on that network. When the first VM is created, a VLAN ID is assigned and the network is provisioned. Also, when the last VM is destroyed, the VLAN ID is released and the network is no longer available. With the addition of persistent network, you will have the ability to create a network in CloudStack in which physical devices can be deployed without having to run any VMs. 
Additionally, you can deploy physical devices on that network.When you create the Internal LB rule and applies to a VM, an Internal LB VM, which is responsible for load balancing, is created.While setting up GSLB, users can select a load balancing method, such as round robin, for using across the zones that are part of GSLB.Within a few moments, the VPN Connection is displayed.Within a few moments, the VPN gateway is created. You will be prompted to view the details of the VPN gateway you have created. Click Yes to confirm.Within a few moments, the new IP address should appear with the state Allocated. You can now use the IP address in Port Forwarding or StaticNAT rules.Within a few moments, the new IP address should appear with the state Allocated. You can now use the IP address in port forwarding or static NAT rules.Within a zone that uses advanced networking, you need to tell the Management Server how the physical network is set up to carry different kinds of traffic in isolation.You are prompted for confirmation because, typically, IP addresses are a limited resource. Within a few moments, the new IP address should appear with the state Allocated. You can now use the IP address in port forwarding, load balancing, and static NAT rules.You can change this default behaviour while creating a private gateway. Alternatively, you can do the following:You can connect your VPC to:You can delete or modify existing health check policies.You can deploy a VM to a VPC tier and multiple shared networks.You can edit the name and description of a VPC. To do that, select the VPC, then click the Edit button. |edit-icon.png: button to edit a VPC|You can edit the tags assigned to the ACL rules and delete the ACL rules you have created. Click the appropriate button in the Details tab.You can either assign an existing IP range to an account, or create a new IP range and assign to an account.You can modify a security group by deleting or adding any number of ingress and egress rules. 
When you do, the new rules apply to all VMs in the group, whether running or stopped.You can remove a tier from a VPC. A removed tier cannot be revoked. When a tier is removed, only the resources of the tier are expunged. All the network rules (port forwarding, load balancing and staticNAT) and the IP addresses associated to the tier are removed. The IP address still be belonging to the same VPC.You can remove the VPC by also using the remove button in the Quick View.You can test the rule by opening an SSH session to the instance.You can update a customer gateway either with no VPN connection, or related VPN connection is in error state.You can update the various parameters and add or delete the conditions in a scaleup or scaledown rule. Before you update an AutoScale configuration, ensure that you disable the AutoScale load balancer rule by clicking the Disable AutoScale button.You can view the created Internal LB VM in the Instances page if you navigate to **Infrastructure** > **Zones** > <zone\_ name> > <physical\_network\_name> > **Network Service Providers** > **Internal LB VM**. You can manage the Internal LB VMs as and when required from the location.You cannot apply IP Reservation if any VM is alloted with an IP address that is outside the Guest VM CIDR.You cannot use firewall rules to open ports for an elastic IP address. When elastic IP is used, outside access is instead controlled through the use of security groups. See `Section 15.15.2, “Adding a Security Group” <#add-security-group>`__.You cannot use port forwarding to open ports for an elastic IP address. When elastic IP is used, outside access is instead controlled through the use of security groups. See Security Groups.You have two options: Allow and Deny.You may also want to click the "Show VPN status in menu bar" but that's entirely optional.You might have to scroll down to see this.You might want to deploy multiple VPCs with the same super CIDR and guest tier CIDR. 
Therefore, multiple guest VMs from different VPCs can have the same IPs to reach a enterprise data center through the private gateway. In such cases, a NAT service need to be configured on the private gateway to avoid IP conflicts. If Source NAT is enabled, the guest VMs in VPC reaches the enterprise network via private gateway IP address by using the NAT service.You need to configure the IP on the guest VM NIC manually. CloudStack will not automatically configure the acquired IP address on the VM. Ensure that the IP address configuration persist on VM reboot.You will need to create a new network entry. Click the plus icon on the bottom left-hand side and you'll see a dialog that says "Select the interface and enter a name for the new service." Select VPN from the Interface drop-down menu, and "L2TP over IPSec" for the VPN Type. Enter whatever you like within the "Service Name" field.You'll now have a new network interface with the name of whatever you put in the "Service Name" field. For the purposes of this example, we'll assume you've named it "CloudStack." Click on that interface and provide the IP address of the interface for your VPN under the Server Address field, and the user name for your VPN under Account Name.Your VM will be deployed to the selected VPC tier and shared network.`Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment <http://tools.ietf.org/html/rfc5517>`__`Private VLAN (PVLAN) on vNetwork Distributed Switch - Concept Overview (1010691) <http://kb.vmware.com>`__`Understanding Private VLANs <http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swpvlan.html#wp1038379>`__if virtual router is the DHCP provideron IPv4 addresseson KVM, xenServer, and VMware hypervisorsremote.access.vpn.client.ip.range – The range of IP addresses to be allocated to remote access VPN clients. 
The first IP in the range is used by the VPN server.
remote.access.vpn.psk.length – Length of the IPSec key.
remote.access.vpn.user.limit – Maximum number of VPN users per account.
select the ACL rule, then click OK.
|add-ip-range.png: adding an IP range to a network.|
|add-new-gateway-vpc.png: adding a private gateway for the VPC.|
|add-tier.png: adding a tier to a vpc.|
|add-vm-vpc.png: adding a VM to a vpc.|
|add-vpc.png: adding a vpc.|
|addguestnetwork.png: Add guest network setup in a single zone|
|addvm-tier-sharednw.png: adding a VM to a VPC tier and shared network.|
|addvpncustomergateway.png: adding a customer gateway.|
|autoscaleateconfig.png: Configuring AutoScale|
|createvpnconnection.png: creating a VPN connection to the customer gateway.|
|egress-firewall-rule.png: adding an egress firewall rule|
|eip-ns-basiczone.png: Elastic IP in a NetScaler-enabled Basic Zone.|
|gslb-add.png: adding a gslb rule|
|gslb.png: GSLB architecture|
|guest-traffic-setup.png: Depicts a guest traffic setup|
|httpaccess.png: allows inbound HTTP access from anywhere|
|mutltier.png: a multi-tier setup.|
|networksetupzone.png: Depicts network setup in a single zone|
|networksinglepod.png: diagram showing logical view of network in a pod|
|select-vmstatic-nat.png: selecting a tier to apply staticNAT.|
|vpc-lb.png: Configuring internal LB for VPC|
Project-Id-Version: Apache CloudStack Installation RTD
Report-Msgid-Bugs-To:
POT-Creation-Date: 2014-03-31 14:02-0400
PO-Revision-Date: 2014-06-30 10:24+0000
Last-Translator: FULL NAME <EMAIL@ADDRESS>
Language-Team: Chinese (China) (http://www.transifex.com/projects/p/apache-cloudstack-installation-rtd/language/zh_CN/)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Language: zh_CN
Plural-Forms: nplurals=1; plural=0;
(NetScaler load balancers only; requires NetScaler version 10.0 or later.)
**Account**: The account to which the IP address range is to be assigned.
**Account**: The account to which the selected VLAN is to be assigned.
**Domain**: The domain the account belongs to.
**VLAN Range**: The VLAN range to be assigned to the account.
**ACL List Name**: A name for the ACL list.
**ACL**: Controls ingress and egress traffic on the VPC private gateway. By default, all traffic is blocked.
**Account**: (Optional) The account on which to apply the GSLB rule.
**Account**: Proceed as follows:
**Account**: The account for which the guest network is being created. You must specify the domain the account belongs to.
**Account**: The account to which the IP address range is to be assigned.
**Account, Security Group**. (Add by Account only) To accept traffic from another security group, enter a CloudStack account and the name of a security group already defined in that account. To allow traffic between VMs within the security group you are editing, enter the same name you used in step 7.
**Account, Security Group**. (Add by Account only) To accept traffic from another security group, enter a CloudStack account and the name of a security group already defined in that account. To allow traffic between VMs within the security group you are editing, enter its name.
**Action**: The action to take, Allow or Deny.
**Add VM**: Click Add VM, select the VMs to which this rule should apply, and click Apply. Click Add VM, select two or more VMs that will share the incoming traffic, then click Apply.
**Add by CIDR/Account**. Indicates whether the traffic destination is defined by IP address (CIDR) or by an existing security group in a CloudStack account. Choose Account to allow traffic to all VMs in that security group.
**Add by CIDR/Account**. Indicates whether the traffic source is defined by a CIDR or by an existing security group in a CloudStack account. Choose Account to allow incoming traffic from all VMs in another security group.
**Add**: Click Add to add the condition.
**Algorithm**. Choose the load balancing algorithm you want CloudStack to use. CloudStack supports the following well-known algorithms:
**Algorithm**: (Optional) The algorithm used to load balance traffic across zones. The options are Round Robin, Least Connection, and Proximity.
**Algorithm**: Choose the load balancing algorithm you want CloudStack to use. CloudStack supports a variety of well-known algorithms; if you are not familiar with the options, an Internet search will turn up plenty of information.
**All**: Select this to make the guest network available to all domains, accounts, and projects in the zone.
**Apply**: Click Apply to create the AutoScale configuration.
**Authoritative DNS**: ADNS (Authoritative Domain Name Server) is a service that provides actual answers to DNS queries, such as a web site's IP address. In a GSLB environment, an ADNS service responds only to DNS requests for domains for which the GSLB service provider is authoritative. When an ADNS service is configured, the service provider owns that IP address and advertises it. When you create an ADNS service, NetScaler responds to DNS queries on the configured ADNS service IP and port.
**AutoScale**: Click Configure and complete the AutoScale configuration as explained in `Section 15.16.6, “Configuring AutoScale” <#autoscale>`__.
**CIDR list**: The guest CIDR list of the remote subnets. Enter a CIDR or a comma-separated list of CIDRs. Ensure that a guest CIDR does not overlap with the VPC's CIDR or another guest CIDR. The CIDR must be RFC1918-compliant.
**CIDR**. (Add by CIDR only) To accept traffic from a particular address block, enter a CIDR or a comma-separated list of CIDRs. The CIDR is the base IP address of the incoming traffic. For example, 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.
**CIDR**. (Add by CIDR only) To accept traffic from a particular address block, enter a CIDR or a comma-separated list of CIDRs. The CIDR is the base IP address of the incoming traffic. For example, 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.
**CIDR**: (Add by CIDR only) To accept traffic from a particular address block, enter a CIDR or a comma-separated list of CIDRs. The CIDR is the base IP address of the incoming traffic. For example, 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.
**CIDR**: For ingress rules, the CIDR applies to the source address; for egress rules, it applies to the destination address. To accept traffic to or from several particular address blocks, enter a comma-separated list of CIDRs. The CIDR is the base IP address of the incoming traffic. For example, 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.
**Capacity**: Number of guest networks the device can handle.
**Community VLANs**: Ports in a community VLAN can communicate with each other and with promiscuous ports, but they cannot communicate with ports in other community VLANs in the layer-2 network. In community mode, hosts can communicate with hosts in the same community and with hosts connected to promiscuous ports on the primary VLAN. If your customer has two devices that need to be isolated from other customers' devices but must communicate with each other, place them on community ports.
**Compute offering**: A predefined set of virtual hardware attributes, including CPU speed, number of CPUs, and RAM size, that the user can select when creating a VM. Choose one of the compute offerings to be used while provisioning a VM instance as part of the AutoScale action.
**Configure**: Specify the following:
**Conserve mode**: Indicates whether to use conserve mode. In this mode, network resources are allocated only when the first VM in the network starts.
**Counter**: The performance counters expose the state of the monitored instances. By default, CloudStack offers four performance counters: three SNMP counters and one NetScaler counter. The SNMP counters are Linux User CPU, Linux System CPU, and Linux CPU Idle. The NetScaler counter is ResponseTime. The root administrator can add additional counters to CloudStack by using the CloudStack API.
**Customer Gateway**: The customer side of the VPN connection. For more information, see `Section 15.25.5.1, “Creating and Updating a VPN Customer Gateway” <#create-vpn-customer-gateway>`__.
**DNS VIPs**: A DNS virtual IP is a DNS load balancing virtual server on the GSLB service provider. DNS requests for domains for which the GSLB service provider is authoritative are sent to a DNS VIP.
**DNS domain for Guest Networks**: If you want to assign a special domain name, specify the DNS suffix here. This parameter is applied to all the tiers in the VPC, which means all tiers in a VPC belong to the same DNS domain. If the parameter is not specified, a DNS domain name is generated automatically.
**Dead Peer Detection**: A method for detecting an unavailable IKE peer. Select this option if you want the virtual router to query the liveliness of its IKE peer at regular intervals. It is recommended to configure DPD (Dead Peer Detection) the same way on both sides of the VPN connection.
**Dedicated**: When marked as dedicated, this device is dedicated to a single account. When this option is checked, the Capacity field has no meaning and its value is set to 1.
**Description**: (Optional) A short description of the GSLB rule, for the user's reference.
**Description**: A brief description of the VPC.
**Description**: A short description of the ACL list.
**Description**: A short description of the offering.
**Description**: A short description of the rule.
**Description**: A short description of the offering.
**Destroy VM Grace Period**: The grace period, in seconds, after a scaledown action is initiated and before the VMs are destroyed as part of that action. This lets any pending sessions or transactions being served by a VM marked for destruction complete gracefully. The default is 120 seconds.
**Disabling and Enabling an AutoScale Configuration**
**Disk offering**: A predefined set of disk sizes for primary data storage.
**Display Text**: The description of the network. Visible to users.
**Display Text**: The description of the network. This will be visible to end users.
**Domain**: (Optional) The domain in which you want to create the GSLB rule.
**Domain**: Specify the domain to which the guest network is scoped. The network in the specified domain is isolated from and not visible to other domains. If Subdomain Access is selected, the guest network is available to all subdomains of that domain.
**Domain**: The domain associated with the account.
**Duration**: The duration, in seconds, for which the condition you specify must be true to trigger a scaleup action. All the conditions defined must hold true for the entire duration you specify for an AutoScale action to be triggered.
**ESP Encryption**: Encapsulating Security Payload (ESP) algorithm within phase-2. The supported encryption algorithms are AES128, AES192, AES256, and 3DES.
**ESP Hash**: Encapsulating Security Payload (ESP) hash algorithm within phase-2. The supported hash algorithms are SHA1 and MD5.
**ESP Lifetime (seconds)**: The phase-2 lifetime of the security association in seconds. Default is 3600 seconds (1 hour). Once the time has passed, a re-key is initiated to provide a new IPsec encryption and authentication session key.
**End IP**
**GSLB Domain Name**: A preferred domain name for the service.
**GSLB services**: A GSLB service is typically represented by a load balancing or content switching virtual server. In a GSLB environment, you can have both local and remote GSLB services. A local GSLB service represents a local load balancing or content switching virtual server. A remote GSLB service is one configured at one of the other sites in the GSLB setup. At each site in the GSLB setup, you can create one local GSLB service and any number of remote GSLB services.
**GSLB sites**: In CloudStack terminology, a GSLB site is represented by a zone that is mapped to a data center, each of which has various network appliances. Each GSLB site is managed by a NetScaler appliance that is local to that site. Each such appliance treats its own site as the local site and all other sites, managed by other appliances, as remote sites. It is the central entity in a GSLB deployment, and is represented by a name and an IP address.
**GSLB virtual servers**: A GSLB virtual server refers to one or more GSLB services and balances traffic across VMs in multiple zones by using the CloudStack functionality. It evaluates the configured GSLB methods or algorithms to select a GSLB service to which to send the client requests. One or more virtual servers from different zones are bound to the GSLB virtual server. A GSLB virtual server does not have a public IP associated with it, only a FQDN DNS name.
**GSLB Service Private IP**: The private IP of the GSLB service.
**GSLB Service Public IP**: The public IP address of the NAT translator for a GSLB service that is on a private network.
**GSLB Service**: Select this option.
**Gateway**
**Gateway IP**: The IP address of the remote gateway.
**Gateway**: The gateway for the tier you create. Ensure that the gateway is within the Super CIDR range that you specified while creating the VPC, and does not overlap with the CIDR of any existing tier within the VPC.
**Gateway**: The gateway for the portable IP address range.
**Guest gateway**: The gateway that the guests should use.
**Gateway**: The gateway for the traffic into and out of the VPC.
**Guest gateway**: The gateway that the guests should use.
**Guest Gateway**: The gateway of the guest network.
**Guest Netmask**: The netmask in use on the subnet the guests will use.
**Guest Netmask**: The netmask of the guest network.
**Guest Type**: Choose whether the guest network is isolated or shared.
**Health Check**: (Optional; NetScaler load balancers only) Click Configure and fill in the characteristics of the health check policy. See `Section 15.16.5.3, “Health Checks for Load Balancer Rules” <#health-checks-for-lb-rules>`__.
**Healthy Threshold (Optional)**: Number of consecutive health check successes that are required before declaring an instance healthy. Default is 2.
**ICMP Type and Code**. Used only if the ICMP protocol is set. Provide the type and code required by the ICMP protocol to fill out the ICMP header. Refer to ICMP documentation if you are not sure what to enter. (A reference suggested by the translator: http://wenku.baidu.com/view/e235e8ecaeaad1f346933fed.html)
**ICMP Type**, **ICMP Code** (ICMP only): The type of message and error code that will be sent.
**ICMP Type, ICMP Code**. (ICMP only) The type of message and error code that will be accepted.
**ICMP Type, ICMP Code**. (ICMP only) The type of message and error code.
**ICMP Type**, **ICMP Code** (ICMP only): The type of message and error code that will be sent.
**IKE DH (Diffie-Hellman group)**: A public-key cryptography protocol for IKE that allows two parties to establish a shared secret over an insecure communications channel. The 1536-bit Diffie-Hellman group is used within IKE to establish session keys. The supported options are None, Group-5 (1536-bit), and Group-2 (1024-bit).
**IKE Encryption**: The Internet Key Exchange (IKE) policy for phase-1. The supported encryption algorithms are AES128, AES192, AES256, and 3DES. Authentication is accomplished through the Preshared Key.
**IKE Hash**: The IKE hash for phase-1. The supported hash algorithms are SHA1 and MD5.
**IKE Lifetime (seconds)**: The phase-1 lifetime of the security association in seconds. Default is 86400 seconds (1 day). Whenever the time expires, a new phase-1 key exchange is performed.
**IP Address**: The IP address associated with the VPC gateway.
**IP Address**: The IP address of the SDX.
**IP Range**: A range of public IP addresses that are accessible from the Internet and are used for guest VM access to and from the Internet.
**IPsec Preshared Key**: The preshared key is the same secret shared between the two endpoints. It is used to authenticate the customer gateway and the VPC VPN gateway to each other.
**IPv6 CIDR**: The network prefix that defines the guest network subnet.
**Instance Port**: The port of the internal LB VM.
**Interval (Optional)**: Amount of time between health checks (1 second to 5 minutes). The default value is set in the global configuration parameter lbrule\_health check\_time\_interval.
**Isolated VLAN ID**: The unique ID of the secondary isolated VLAN.
**Isolated VLANs**: The ports within an isolated VLAN cannot communicate with each other at the layer-2 level. The hosts connected to isolated ports can communicate directly only with promiscuous resources. If your customer device needs to have access only to a gateway router, attach it to an isolated port.
**Load Balancer Isolation**: Select Dedicated if Netscaler is used as the external LB provider.
**Load Balancer Type**: Select Internal LB from the drop-down.
**Load Balancer Type**: Select Public LB from the drop-down.
**Load balancing or content switching virtual servers**: According to Citrix NetScaler terminology, a load balancing or content switching virtual server represents one or many servers on the local network. Clients send their requests to the load balancing or content switching virtual server's virtual IP (VIP) address, and the virtual server balances the load across the local servers. After a GSLB virtual server selects a GSLB service representing either a local or a remote load balancing or content switching virtual server, the client sends the request to that virtual server's VIP address.
**Max Instance**: Maximum number of active VM instances that **should be assigned to** a load balancing rule. This parameter defines the upper limit of active VM instances that can be assigned to a load balancing rule.
**Min Instance**: The minimum number of active VM instances assigned to a load balancing rule. The active VM instances are the application instances that are up, serving traffic, and being load balanced. This parameter ensures that a load balancing rule has at least the configured number of active VM instances available to serve the traffic.
**NAT Instance**: An instance that provides Port Address Translation for instances to access the Internet via the public gateway. For more information, see `Section 15.27.10, “Enabling or Disabling Static NAT on a VPC” <#enable-disable-static-nat-vpc>`__.
**Name**.
**Name**. The name of the network offering to be created. This is visible to users.
**Name**: A name for the load balancer rule.
**Name**: A short name for the VPC that you are creating.
**Name**: A unique name for the VPN customer gateway you create.
**Name**: A unique name for the tier you create.
**Name**: Any desired name for the network offering.
**Name**: The name of the GSLB rule.
**Name**: The name of the network. This will be visible to end users.
**Name**: The name of the network to be created. This is visible to users.
**Netmask**
**Netmask**: The netmask associated with the portable IP range.
**Netmask**: The netmask for the VPC gateway.
**Netmask**: The netmask for the tier you create.
**Netmask**: The netmask in use on the subnet the guests will use.
**Network ACL**: A Network ACL is a group of Network ACL items. Network ACL items are numbered rules that are evaluated in order, starting with the lowest numbered rule. These rules determine whether traffic is allowed in or out of any tier associated with the network ACL. For more information, see `Section 15.27.4, “Configuring Network Access Control List” <#configure-acl>`__.
**Network Domain**: If you want to assign a special domain name to the guest VM network, specify the DNS suffix here.
**Network Offering**: If the administrator has configured multiple network offerings, select the one you want to use.
**Network Offering**: The following default network offerings are listed: Internal LB, DefaultIsolatedNetworkOfferingForVpcNetworksNoLB, DefaultIsolatedNetworkOfferingForVpcNetworks
**Network Rate**: Allowed data transfer rate in MB per second.
**Network Tiers**: Each tier is an isolated network with its own VLAN and CIDR, where you can place groups of resources, such as VMs. The tiers are segmented by means of VLANs. The NIC of each tier on the VPC virtual router acts as its gateway.
**Network Offering**: If the administrator has configured multiple network offerings, select the one you want to use.
**Network offering**: If the administrator has configured multiple network offerings, select the one you want to use.
**Number of Retries**. Number of times to retry a command on the device when it fails. Default is 2.
**Operator**: The following five relational operators are supported by the AutoScale feature: Greater than, Less than, Less than or equal to, Greater than or equal to, and Equal to.
**Perfect Forward Secrecy (PFS)**: Perfect Forward Secrecy is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised. PFS forces a new Diffie-Hellman key exchange. The new keys are longer-lived and therefore more resistant to attack. The available DH options are None, Group-5 (1536-bit), and Group-2 (1024-bit). When new keys are exchanged, a larger DH group is used.
**Persistent**: Indicates whether the guest network is persistent or not. A network that can be provisioned without any VM deployed on it is called a persistent network.
**Physical Network**: The physical network you have created in the zone.
**Ping path (Optional)**: Sequence of destinations to which to send health check queries. Default: / (all).
**Polling interval**: Frequency at which the conditions (the combination of counter, operator and threshold) are evaluated before taking a scaleup or scaledown action. The default polling interval is 30 seconds.
Prerequisites: Before you configure AutoScale, consider the following:
**Private Gateway**: All the traffic to and from a private network is routed to the VPC through the private gateway. For more information, see `Section 15.27.5, “Adding a Private Gateway to a VPC” <#add-gateway-vpc>`__.
**Private Gateway**: For more information, see `Section 15.27.5, “Adding a Private Gateway to a VPC” <#add-gateway-vpc>`__.
**Private Port**: The port on which the instance is listening for forwarded public traffic.
**Private Port**: The port on which the instance is listening for forwarded public traffic.
**Private Port**: The port that the virtual machines will use to receive the traffic.
**Private interface**: Interface of the device that is configured to be part of the private network.
**Project**: The project for which the guest network is being created. You must specify the domain the project belongs to.
**Promiscuous**: A promiscuous port can communicate with all the interfaces, including the community and isolated host ports that belong to the secondary VLANs. In promiscuous mode, hosts are connected to promiscuous ports and are able to communicate directly with resources on both the primary and secondary VLANs. Routers, DHCP servers, and other trusted devices are typically attached to promiscuous ports.
**Protocol Number**: The protocol number associated with IPv4 or IPv6. For more information, see `Protocol Numbers <http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml>`__.
**Protocol**: The communication protocol in use between the two ports.
**Protocol**: The communication protocol in use on the opened port(s).
**Protocol**. The networking protocol that VMs will use to send outgoing traffic. TCP and UDP are typically used for data exchange and end-user communications. ICMP is typically used to send error messages or network monitoring data.
**Protocol**. The networking protocol that sources will use to send traffic to the security group. TCP and UDP are typically used for data exchange and end-user communications. ICMP is typically used to send error messages or network monitoring data.
**Protocol**: The communication protocol in use between the two ports.
**Protocol**: The networking protocol that VMs will use to send outgoing traffic. TCP and UDP are typically used for data exchange and end-user communications. ICMP is typically used to send error messages or network monitoring data.
**Protocol**: The networking protocol that sources use to send traffic to the tier. TCP and UDP are typically used for data exchange and end-user communications. ICMP is typically used to send error messages or network monitoring data. ALL supports all protocol traffic; the other option is Protocol Number.
**Public Gateway**: The public gateway for a VPC is added to the virtual router when the virtual router is created for the VPC. The public gateway is not exposed to the end users. You are not allowed to list it, nor allowed to create any static routes.
**Public Gateway**: Traffic to and from the Internet is routed to the VPC through the public gateway. In a VPC, the public gateway is not exposed to the end user; therefore, static routes are not supported for the public gateway.
**Public Load Balancer Provider**: There are two options: VPC Virtual Router and Netscaler.
**Public Port**: The port to which public traffic will be addressed on the public IP address you acquired in the previous step.
**Public Port**: The port receiving incoming traffic to be balanced.
**Public Port**: The port receiving incoming traffic to be balanced.
**Public Port**: The port to which public traffic will be addressed on the public IP address you acquired in the previous step.
**Public interface**: Interface of the device that is configured to be part of the public network.
**Quiet Time**: This is the cool-down period after an AutoScale action is initiated. The time includes the time taken to complete provisioning a VM instance from its template and the time taken by an application to be ready to serve traffic. This quiet time allows the fleet to come up to a stable state before any further action can take place. The default is 300 seconds.
**Response Timeout (Optional)**: How long to wait for a response from the health check (2 to 60 seconds). Default is 5 seconds.
**Road Warrior / Remote Access**. Users want to be able to connect securely from a home or office to a private network in the cloud. Typically, the IP address of the connecting client is dynamic and cannot be preconfigured on the VPN server.
**Rule Number**: The order in which the rules are evaluated.
**Runtime Considerations**
**SNMP Community**: The SNMP community string used by the NetScaler device to query the configured counter value from the provisioned VM instances. Default is public.
**SNMP Port**: The port number on which the SNMP agent that runs on the provisioned VMs is listening. Default port is 161.
**Scope**: The available scopes are Domain, Account, Project, and All.
**Secondary Isolated VLAN ID**: The unique ID of the secondary isolated VLAN.
**Security Groups**: Security groups provide a way to isolate traffic to VMs. A security group is a group of VMs that filter their incoming and outgoing traffic according to a set of rules, called ingress and egress rules. These rules filter network traffic according to the IP address that is attempting to communicate with the VM.
**Service Type**: The transport protocol to use for GSLB. The options are TCP and UDP.
**Site to Site**. In this scenario, two private subnets are connected over the public Internet with a secure VPN tunnel. The cloud user's subnet (for example, an office network) is connected through a gateway to the network in the cloud. The address of the user's gateway must be preconfigured on the VPN server in the cloud. Note that although L2TP-over-IPsec can be used to set up Site-to-Site VPNs, this is not the primary intent of this feature. For more information, see `Section 15.25.5, “Setting Up a Site-to-Site VPN Connection” <#site-to-site-vpn>`__
**Site-to-Site VPN Connection**: A hardware-based VPN connection between your VPC and your datacenter, home network, or co-location facility. For more information, see `Section 15.25.5, “Setting Up a Site-to-Site VPN Connection” <#site-to-site-vpn>`__.
**Source CIDR**. (Optional) To accept only traffic from IP addresses within a particular address block, enter a CIDR or a comma-separated list of CIDRs. Example: 192.168.0.0/22 or 192.168.0.0/24,192.168.1.0/24,192.168.2.0/24. Leave empty to allow all CIDRs.
**Source IP Address**: (Optional) The source IP from which traffic originates. The IP is acquired from the CIDR of the tier on which you are creating the internal LB rule. If not specified, the IP address is automatically allocated from the CIDR.
**Source NAT**: Select this option to enable the source NAT service on the VPC private gateway.
**Source Port**: The port associated with the source IP. Traffic on this port is load balanced.
**Specify VLAN**: (Isolated guest networks only) Indicate whether a VLAN should be specified when this offering is used.
**Start IP**
**Start IP/End IP**: A range of IP addresses that are accessible from the Internet and will be allocated to guest VMs. Enter the first and last IP addresses that define a range that CloudStack can assign to guest VMs.
**Start IP/End IP**: A range of IP addresses that are accessible from the Internet and will be allocated to guest VMs. Enter the first and last IP addresses that define a range that CloudStack can assign to guest VMs.
**Start Port and End Port**. The port range that you want to open on the firewall. If you are opening a single port, use the same number in both fields.
**Start Port**, **End Port** (TCP, UDP only): A range of listening ports that are the destination for the incoming traffic. If you are opening a single port, use the same number in both fields.
**Start Port, End Port**. (TCP, UDP only) A range of listening ports that are the destination for the incoming traffic. If you are opening a single port, use the same number in both fields.
**Start Port, End Port**. (TCP, UDP only) A range of listening ports that are the destination for the incoming traffic. If you are opening a single port, use the same number in both fields.
**Start Port, End Port**: (TCP, UDP only) A range of listening ports that are the destination for the incoming traffic. If you are opening a single port, use the same number in both fields.
**Stickiness**. (Optional) Click Configure and choose the algorithm for the stickiness policy. See Sticky Session Policies for Load Balancer Rules.
**Stickiness**: (Optional) Click Configure and choose the algorithm for the stickiness policy. See Sticky Session Policies for Load Balancer Rules.
**Super CIDR for Guest Networks**: Defines the CIDR range for all the tiers (guest networks) within a VPC. When you create a tier, ensure that its CIDR is within the Super CIDR value you enter. The CIDR must be RFC1918 compliant.
**Supported Services**: Select Load Balancer. Select InternalLbVM from the provider list.
**Supported Services**: Select Load Balancer. Use Netscaler or VpcVirtualRouter.
**System Offering**: Choose the system service offering that you want the virtual routers to use in this network.
**Template**: A template consists of a base OS image and application. A template is used to provision a new instance of an application on a scaleup action. When a VM is deployed from a template, the VM can start taking traffic from the load balancer without any admin intervention. For example, if the VM is deployed for a Web service, it should have the Web server running, the database connected, and so on.
**Threshold**: Threshold value to be used for the counter. Once the counter defined above breaches the threshold value, the AutoScale feature initiates a scaleup or scaledown action.
**Traffic Type**: The type of network traffic that will be carried on the network.
**Traffic type**: The type of traffic, Ingress or Egress.
**Type**: The type of device that is being added. It could be an F5 BigIP Load Balancer, NetScaler VPX, NetScaler MPX, or NetScaler SDX. For a comparison of the NetScaler types, see the CloudStack Administration Guide.
**Unhealthy Threshold (Optional)**: Number of consecutive health check failures that are required before declaring an instance unhealthy. Default is 10.
**Updating an AutoScale Configuration**
**User**: The user that the NetScaler device uses to invoke scaleup and scaledown API calls to the cloud. If no option is specified, the user who configures AutoScaling is applied. Specify another user name to override.
**Username/Password.** The authentication credentials to access the device. CloudStack uses these credentials to access the device.
**VLAN ID**: The ID of the VLAN.
**VLAN**
**VLAN**: The VLAN ID for the tier that the root admin creates.
**VLAN**: The VLAN associated with the VPC gateway.
**VLAN**: The VLAN that will be used for public traffic.
**VLANs and Public Gateway**: For example, an application is deployed in the cloud, and the Web application VMs communicate with the Internet.
**VLANs, VPN Gateway, and Public Gateway**: For example, an application is deployed in the cloud; the Web application VMs communicate with the Internet; and the database VMs communicate with the on-premise devices.
**VPC**: A VPC is a container for multiple isolated networks that can communicate with each other via its virtual router.
**VPC**: This option indicates whether the guest network is Virtual Private Cloud-enabled. A Virtual Private Cloud (VPC) in CloudStack is private and isolated. A VPC can have its own virtual network topology that resembles a traditional physical network. For more information on VPCs, see `Section 15.27.1, “About Virtual Private Clouds” <#vpc>`__.
**VPN Gateway**: For more information, see `Section 15.25.5.2, “Creating a VPN gateway for the VPC” <#create-vpn-gateway-for-vpc>`__.
**VPN Gateway**: The VPC side of the VPN connection.
**Virtual Router**: A virtual router is automatically created and started when you create a VPC. The virtual router connects the tiers and directs traffic among the public gateway, the VPN gateways, and the NAT instances. For each tier, a corresponding NIC and IP exist in the virtual router. The virtual router provides DNS and DHCP services through its IP.
**Zone**: The name of the zone this network applies to. Each zone is a broadcast domain, and therefore each zone has a different IP range for the guest network. The administrator must configure the IP range for each zone.
**Zone**: The zone in which you want this VPN to apply.
**Zone**: The zone in which you are configuring the guest network.
0.0.0.0/0
1
10.1.1.0/24
10.1.1.0/26
10.1.1.64-10.1.1.254
2
3
A CloudStack user or administrator may create load balancing rules that balance traffic received at a public IP to one or more VMs that belong to a network tier that provides load balancing service in a VPC. A user creates a rule, specifies an algorithm, and assigns the rule to a set of VMs within a VPC.
A CloudStack user or administrator may create load balancing rules that balance traffic received at a public IP to one or more VMs. A user creates a rule, specifies an algorithm, and assigns the rule to a set of VMs.
A Site-to-Site VPN connection helps you establish a secure connection from an enterprise datacenter to the cloud infrastructure. This allows users to access the guest VMs by establishing a VPN connection to the virtual router of the account from a device in the datacenter of the enterprise. You can also establish a secure connection between two VPC setups or high availability zones in your environment. Having this facility eliminates the need to establish VPN connections to individual VMs.
A VLAN allocated to a tenant cannot be shared by multiple tenants.
A VM's networks are defined at VM creation time. A VM cannot add or remove networks after it has been created, although the user can go into the guest and remove the IP address from the NIC on a particular network.
A VPC can be created in Advanced zones only, and can belong to only one zone.
A VPC is comprised of the following network components:
A VPC is enabled by default after it is created.
A VPN customer gateway can be connected to only one VPN gateway at a time.
A firewall filter counter that measures the number of bytes of incoming traffic to the public IP.
A firewall filter counter that measures the number of bytes of outgoing traffic for the account.
A firewall for management traffic operates in NAT mode. The network is typically assigned IP addresses in the 192.168.0.0/16 Class B private address space. Each pod is assigned IP addresses in the 192.168.*.0/24 Class C private address space.
A guest VM can be in any number of port forwarding services. Port forwarding services may be defined but have no members. If a guest VM is part of more than one network, port forwarding rules will function only if they are defined on the default network.
Guest VMs within a zone can communicate with each other, but guest VMs in different zones cannot communicate with each other via their (private) IP addresses; they can only be reached via public IP routing.
The persistent option of a network offering cannot be edited, because changing it would affect the behaviour of the existing networks that were created using this network offering.
A new NIC is added to this network. You can view the following details in the NICs page:
A private VLAN that matches the account's zone VLAN.
A new logical interface to connect to the account's private VLAN. The interface IP is always the first IP of the account's private subnet.
A port forwarding service is a set of port forwarding rules. A port forwarding service can then be applied to one or more guest VMs. The guest VM then has its inbound network access managed according to the port forwarding rules.
You can define one or more CIDRs to filter the source IPs. This is useful when you want to allow only traffic from specific IP addresses.
A private gateway can be added by the root admin only. The VPC private network has a 1:1 relationship with the physical network. You can configure multiple private gateways to a single VPC. No gateways with duplicated VLAN and IP are allowed in the same data center.
A prompt is displayed asking whether you want to keep the existing CIDR. This is to let you know that if you change the network offering, the CIDR will be affected.
A public IP can be used for only one purpose at a time. If the IP is used for Source NAT, it cannot be used for Static NAT or port forwarding.
A security rule allows traffic for the specified protocol and port range.
A self IP for the VLAN. This is always the second IP of the account's private subnet.
A source NAT rule that forwards all outgoing traffic from the account's private VLAN to the public Internet, using the account's public IP address as the source address.
A static NAT rule maps a public IP address to the private IP address of a VM in a VPC to allow Internet traffic to it. This section tells how to enable or disable static NAT for a particular IP address in a VPC.
A static NAT rule maps a public IP address to the private IP address of a VM in order to allow Internet traffic into the VM. The public IP address always remains the same, which is why it is called "static" NAT. This section tells how to enable or disable static NAT for a particular IP address.
A static NAT rule maps the VM's private IP address to a public IP address.
A tier can belong to only one VPC.
A typical GSLB environment is comprised of the following components:
A user or administrator can change the network offering that is associated with an existing guest network.
A user or administrator can define a new security group.
A zone is considered GSLB-capable only if a GSLB service provider is provisioned in the zone.
ACL on Private Gateway
About Elastic IP
About Global Server Load Balancing
About Inter-VLAN Routing (nTier Apps)
About Multiple IP Ranges
About Network ACL Lists
About Portable IP
About Private VLAN
About Security Groups
About Using a NetScaler Load Balancer
About Virtual Private Clouds
Acquire a new IP address for the account.
Acquire a new IP address for the VPC.
Acquire a portable IP.
Action
Add ACL rules to the ACL list.
Add a GSLB rule on both the sites.
Add and enable Netscaler VPX in dedicated mode.
Create one or more VMs in CloudStack.
Add a username and password for the user you want to create.
Adding Ingress and Egress Rules to a Security Group
Adding Load Balancing Rules on a VPC
Adding Multiple Subnets to a Shared Network
Adding Tiers
Adding a GSLB Rule
Adding a Load Balancer Rule
Adding a Network
Adding a Port Forwarding Rule on a VPC
Adding a Private Gateway to a VPC
Adding a Security Group
Adding a Virtual Private Cloud
Adding a Network to a Virtual Machine
Additional networks can either be available to all accounts or be assigned to a specific account. Networks that are available to all accounts are zone-wide. Any user with access to the zone can create a VM with access to that network. These zone-wide networks provide little or no isolation between guests. Networks that are assigned to a specific account provide strong isolation.
Additional user actions (e.g. setting a port forward) will cause further programming of the firewall and load balancer. A user may request additional public IP addresses and forward traffic received at these IPs to specific VMs. This is accomplished by enabling static NAT for a public IP address, assigning the IP to a VM, and specifying a set of protocols and port ranges to open. When static NAT rules are created, CloudStack programs the zone's external firewall with the following objects:
Additionally, if you want to configure the advanced settings, click Show advanced settings, and specify the following:
Advanced Zone Physical Network Configuration
After the CloudStack Management Server is installed, log in to the CloudStack UI as administrator.
After you modify the required AutoScale parameters, click Apply. To apply the new AutoScale policies, open the AutoScale configuration page again, then click the Enable AutoScale button.
All the default network offerings are non-persistent.
All the tiers in a VPC should belong to the same account.
All the VPCs that you have created for the account are listed in the page.
All the VPCs that you have created for the account are listed in the page.
All the VPCs that you have created for the account are listed in the page.
The Create VPN Connection dialog is displayed:
All the fields are mandatory.
All the layer 2 switches, which are PVLAN-aware, are connected to each other, and one of them is connected to a router. All the ports connected to the hosts are configured in trunk mode. Open the Management VLAN, the Primary VLAN (public) and the Secondary Isolated VLAN ports. Configure the switch port connected to the router in PVLAN promiscuous trunk mode, which translates an isolated VLAN to the primary VLAN for the PVLAN-unaware router.
Allow
Allow the egress traffic from a specified source CIDR. The CIDR is part of the guest network CIDR.
Allow the egress traffic with protocol TCP, UDP, ICMP, or ALL.
Allow the egress traffic with protocol and destination port range. The port range is specified for TCP, UDP or for ICMP type and code.
An IP can be transferred from one network to another only if Static NAT is enabled. However, when a portable IP is associated with a network, you can use it for any service in the network.
An administrator should not assign a VM to a load balancing rule which is configured for AutoScale.
An existing network can be made non-persistent by changing the network offering to one that has the persistent option disabled. If the network has no running VMs, the network is shut down during the next network garbage collection run.
An existing network can be made persistent by changing the network offering to one that has the persistent option enabled. While setting this property, the network is implemented even if there are no running VMs in it.
Any CloudStack user can set up any number of additional security groups. When a new VM is launched, it is assigned to the default security group unless another user-defined security group is specified. A VM can be a member of any number of security groups. Once a VM is assigned to a security group, it remains in that group for its entire lifetime; you cannot move a running VM from one security group to another.
Any load balancer rule defined in CloudStack can have a stickiness policy. The policy consists of a name, stickiness method, and parameters. The parameters are name-value pairs or flags, which are defined by the load balancer vendor. The stickiness method could be load balancer-generated cookie, application-generated cookie, or source-based. In the source-based method, the source IP address is used to identify the user and locate the user's stored data. In the other methods, cookies are used. The cookie generated by the load balancer or application is included in request and response URLs to create persistence. The cookie name can be specified by the administrator or automatically generated. A variety of options are provided to control the exact behavior of cookies, such as how they are generated and whether they are cached.
Any load balancer rule defined on a NetScaler load balancer in CloudStack can have a health check policy. The policy consists of a ping path, thresholds to define "healthy" and "unhealthy" states, health check frequency, and timeout wait interval.
Apply IP Reservation to the guest network as soon as the network state changes to Implemented. If you apply reservation soon after the first guest VM is deployed, fewer conflicts occur while applying the reservation.
As a domain admin or user, perform the following:
Optionally, you can specify an IP from the guest subnet; if not specified, an IP is automatically picked from the guest VM subnet. You can view the IPs associated with each guest VM NIC in the UI. You can apply NAT on these additional guest IPs by using the network configuration option in the CloudStack UI. You must specify the NIC to which the IP should be associated.
As per the example given above, the site names are A.xyztelco.com and
B.xyztelco.com分配负载均衡规则。指定额外的IP给虚拟机为GSLB分配负载均衡规则将一个自定义的ACL关联到一个层。将默认的ACL规则关联到层。自缩放在NetScaler发布的10版本以上适用。(Build 74.4006.e 及以上)自缩放允许你能够根据定义的条件进行无缝且自动的增加或减少后端服务或应用虚拟机。当开启自缩放时,可以确保在需求增加时,无缝的增加正在使用虚拟机的数量。因此他会通过关闭未使用的虚拟机或者需要时开启新的虚拟机,从而节省你的计算成本。这些操作,都不需要手动干预。根据你的选择,网络的出口公共流量将被拒绝或允许。基本区域物理网络配置因为每一个网卡都可关联至多IP,CloudStack可以允许为端口转发及静态NAT服务选择一个目标IP。默认为主IP。为开启此功能,另一个可选的配置参数 虚拟机来宾IP 需要被加至端口转发及静态NAT 的API中去(开启静态NAT,创建IP端口转发),以示IP地址NAT需要配置。如果虚拟机来宾IP 没有设置,NAT会配置在虚拟机的私有IP上,如果设置了,NAT会配置在虚拟机的主IP上。在分配虚拟机到一个负载均衡的规则配置完成前如果NetScaler被关闭或重启,则配置的虚拟机不能成为负载均衡规则的一部分。要解决此问题,重命名基于AutoScale配置的虚拟机名称或ID,以便在任何时间点负载平衡规则可以调节该虚拟机。在转发至另一网络前,确保没有网络规则(如防火墙,静态NAT,端口转发等等)不存在于端口IP。在XenServer和KVM上使用PVALN之前,请启用Open vSwitch (OVS)。最佳实践绑定GSLB域名到GSLB虚拟服务器。从域的详细信息中获得域名。绑定GSLB服务到GSLB虚拟服务器。路由黑名单管理员和用户都可以创建多个vpcs.当第一个虚拟机被部署到该层时候,一个来宾网络nic插入到这个vpc虚拟路由器上管理员和用户可以创建各种可能的目的地的网关组合。但是,在部署中每种类型只能有一个网关。通过公有和私有VPN网关同时连接到Internet和相邻数据中心。默认情况下,防火墙拒绝所有流入公共IP的流量。要允许外部流量,你需要制定防火墙规则打开防火墙端口。你可以选择性的制定一个或多个CIDR来过滤来源IP。这在当你只需要允许特定IP请求时会很有用。默认情况下, 所有从公共IP进来的流量都会被拒绝. 所有在来宾网络出去的流量默认也被阻挡。CIDRCIDR(IPv6)案例在来宾网络上更改网络方案检查需要的范围是否可用并且要符合帐户限制。选择一个已有的IP或者获取一个新的IP地址。参阅 `章节 15.19, “获取新的IP地址” <#acquire-new-ip-address>`__. 
点击列表中IP地址的名称。选择拟修改的地域。选择你要处理的VM。选择你要设置的区域。Cisco ISR IOS 12.4或更新在区域中,或高级区域使用隔离网络时,CloudStack支持思杰的NetScaler作为外部网络设备元素作为负责均衡。拟通过其他方案提供负载均衡而不是CloudStack的虚拟路由器时,就可以建立一个外部负载均衡器点击帐户点击获得一个新IP, 并且在确认的对话框中点击确定.点击获取新IP。点击获取新二级IP,在确认对话框点击确定。点击添加ACL列表,指定以下配置:点击 添加帐户 |addAccount-icon.png: button to assign an IP range to an account.| 按钮,点击添加GSLB。点击添加IP范围。点击添加实例。点击添加NetScaler设备并提供如下信息:点击添加网络方案。点击添加安全组。点击添加虚拟机,选择拟分散进入流量的二个或多个虚拟机,点击应用。点击添加VPC按钮。页面呈现以下:点击添加 VPN 客户网关。点击 添加来宾网络。地阿基添加来宾网络。提供以下信息:将网络添加到 VM点击添加新网关:点击 添加点击添加。这个ACL规则就添加好了。点击应用点击身份验证设置,在机器验证中,用户身份验证下输入用户名和密码,在共享密钥下输入预共享IPsec密钥。点击OK。选择创建vpn连接按钮点击新建网络。点击创建。点击分配VLAN范围点击NetScaler.点击网络。点击下一步,审看已配置信息,然后点击启动。点击OK按钮,网络方案就创建好了。点击确定。点击OK确认。IPsec密钥将显示在弹出的窗口中。点击确定。点击物理网络。点击端口IP范围点击移除网卡按钮。|remove-nic.png: button to remove a NIC|点击源NAT IP地址。点击查看IP地址。点击查看IP范围。点击查看端口IP点击查看二级地址指向你想添加虚拟机的层,点击虚拟机栏。在确认对话框中点击确定。点击Yes确认。点击YES按钮。稍等片片刻,层就会被删除了。点击分配更多负载平衡点击一个显示的IP地址名称。点击设置选项卡 填入以下值:点击配置选项卡。在你希望设置层的VPC里,点击配置按钮。在你想配置负载均衡的VPC上点击配置按钮。点击要部署虚机的VPC的配置按钮。点击要释放IP的VPC的配置按钮。点击要配置负载均衡规则的VPC的配置按钮。点击VPC的配置按钮。点击编辑按钮。点击启用VPN按钮。 |AttachDiskButton.png: button to attach a volume|点击启用VPN按钮。 |vpn-icon.png: button to enable VPN|点击IP范围页签。点击你希望创建规则的IP地址,然后点击配置点击你需要操作的私有网关的IP地址。点击要释放的IP地址。点击你要修改的IP地址点击要释放的IP地址。点击您要操作的IP。点击网络适配器标签。点击网络选项卡。点击物理网络选项卡,然后点击物理网络的名称。点击物理网络标签卡。点击释放IP按钮, |ReleaseIPButton.png: button to release an IP|点击替换ACL图标。|replace-acl-icon.png: button to replace an ACL list|点击设置为默认网卡按钮。|set-default-nic.png: button to set a NIC as default one.|点击设置图标。点击源NAT IP。点击静态NAT按钮 |EnableNATButton.png: button to enable NAT|。点击需要操作VM所在的网络名称。点击拟配置的实例点击拟进行负载均衡的网络名称点击拟修改的网络名称。点击你要修改的网络名称。选择你要操作的网络名称选择您要操作的物理网络。选择要添加客户网络的那个区域。点击已分配的负载均衡视图。CloudStackVPC是CloudStack云中私有并隔离的部分。一个VPC可以使用自己的虚拟网络拓扑来组建传统物理网络。在这个虚拟网络中,您创建的虚机的私网地址可以由您自主选择IP范围,例如10.0.0.0/16。您可以在VPC网络范围内定义多个网络层,这些层可以让你将类似的虚机按IP地址范围分组。CloudStack中的账户拥有者可以建立虚拟专用网(VPN)以便访问他们的虚拟机。如果通过网络方案对来宾网络提供远程VPN访问服务的实例化,虚拟路由(基于System VM)将被用于提供服务。CloudStack为来宾虚拟网络提供了一个基于L2TP-over-IPsec-based协议的远程VPN访问服务。因为每个网络有它自己的虚拟路由器,VPNs不能跨网络共享。Windows, 
Mac OS X和iOS自带的VPN客户端可以用于访问来宾网络。账户拥有者可以建立并管理他们的VPN用户。CloudStack并不为此使用自己的账户数据库,而是使用一个独立的表。VPN用户数据库在同一个账户拥有者建立的VPN网络中被共享。 也就是说,同一个账户拥有者创建的所有VPN可以被它的所有VPN用户访问。CloudStack允许你在VPC层中部署虚拟机和共享网络。有了这个功能,分布在多层当中的虚拟机可以通过共享网络接收到监控服务。CloudStack允许你定义一个路由黑名单,这样它们就不能关联到任何VPC私有网关。你需要在全局参数blacklisted.routes里定义。要注意,此参数只在新路由创建时才会生效。如果你在黑名单里加入了已存在的静态路由,则此静态路由还是会继续起作用。你不能把在路由黑名单里的路由加入到静态路由当中去。CloudStack可以让你指定你创建的VPN链接的路由。你可以输入一个或CIDR地址来指定路由返回到网关的具体流量。CloudStack允许通过外部的Jniper SRX 设备和外部NetScaler设备或网关负载均衡设备和负载均衡服务。在此情形下,虚拟机使用SRX作为网关。以KVM作为虚拟机时,在单共享广域的网络内,CloudStack可以通过安全组来隔离客户。通过使用安全组而不是多VLAN,可以在云中隔离客户时具有更高的灵活性CloudStack能够让你给每个客户虚拟机网卡配置多个私有IP地址,除主IP地址外,你可以指定额外的IP地址到客户虚拟机网卡。在所有的网络配置中,如基础配置,高级配置,VPC,均支持这一功能。安全组,静态NAT及端口转发服务在额外的IP地址上也都被支持。CloudStack能让你在不同网络间移动VMs和重新配置VM的网络。你可以从一个网络中移除一个VM,再将其移动到另一个网络。你同样可以修改虚拟机的默认我拿过来,使用这个功能,混合和传统的服务器负载可以被轻松缓解。CloudStack可以让你能够独立的为账户预留一部分公共IP地址和VLANS。在创建区域阶段,你可以继续定义一部分VLANS以及多个公共IP范围。这种功能扩展特性可以让你能够为客户预留固定的一部分VLAN和客户IP地址CloudStack可以在虚拟路由器之间部署站点到站点的VPN连接,这需要添加一个被动模式的站点到站点VPN。有了这个功能之后,用户就可以在多个区域或VPC之间通过安全的VPN通道互联。在基础区域以及高级区域的开启安全组,CloudStack能够让你从不同的子网添加来宾IP范围。对于高级区域的开启安全组,多个子网可被加至同一个VLAN。随着此功能的增加,当IP地址耗尽时,你能够从同一个子网或从不同的子网添加IP范围。这会允许你添加更多的子网,因此减少了了地址管理的问题。为支持这一特性,创建VLANIP范围的API被加以扩展,这样就能从不同的子网添加IP范围CloudStack为你提供了在基本zones和启用了安全组的高级zones不同的子网中灵活的添加来宾IP段功能 。在启用了安全组的高级zones中,这意味着多子网可以被添加到同一个VLAN。这个特性还意味着,当IP地址用尽的时候,你可以从同一个子网或从不同的子网添加IP地址范围。这将允许你使用更多的子网,降低地址管理工作量。你也可以删除已经添加的IP地址范围。CLOUDSTACK支持全局服务器负载均衡 (GSLB) 功能以提供可持续的商业运营。GSLB可以在CLOUDSTACK环境中实现资源的无缝迁移。CLOUDSTACK通过集成NetScaler应用交付控制器 (ADC)来提供GSLB功能,ADC可以提供各种各样的GSLB能力,比如灾难恢复,负载均衡。CLOUDSTACK在实现GSLB功能进,使用了DNS重定向技术。CloudStack最多支持建立8个VPN连接。CloudStack只支持一个子网对应一个网关;交叉子网目前不支持。CloudStack支持在VPC内不同层之间共享工作负载。这需要先在你的环境里设置好多个层,比如WEB层,应用层。每一个层的流量通过VPC虚拟路由机进行负载均衡。关于这方面的内容,参看 `章节 15.27.11, “在VPC上添加负载均衡规则” <#add-loadbalancer-rule-vpc>`__. 
如果你想将WEB层发向应用层的流量进行负载均衡,需要使用Cloudstack的内部负载均衡功能。CloudStack使用NetScaler负载均衡器来监控系统健康的各方面,并与CloudStack共同工作以初始化扩大或缩小的行为。CloudStack虚拟路由器。CloudStack会动态分配,配置,管理在SDX上的虚拟机实例的生命周期。分配的实例会自动加入到CloudStack,不需要管理员进行手动配置。一旦一个VPX实例加入到CloudStack,将会认为是ESXi主机上的一个VPX。GSLB服务组件配置权威DNS,如下解释 `配置权威的DNS服务 <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-adns-svc-tsk.html>`__.在高级域中设置客户通信在高级区域中配置公共通信为每个虚拟服务器配置GSLB服务。由域名详细信息配置一个GSLB站点和站点名称。由域名配置一个GSLB站点和站点名称。配置GSLB虚拟服务器。在你的物理交换机上使用带外管理配置private VLAN。配置自缩放配置GSLB在单网卡配置多个IP地址配置网络访问控制列表配置端口IP配置远程访问VPN为VPC配置远程访问VPN在RHEL服务器上配置SNMP社区字符串配置共享的客户网络配置一个虚拟私有云(VPC)配置一个标准的负载均衡设置。配置出口防火墙规则配置默认出口策略在创建VPC之前,确认以下事项:在给非cloudstack内的机器预留IP地址时,要考虑以下几个方面:应用出口防火墙规则时请思考如下方案:继续为层配置访问控制列表。从VPC的VPN网关到客户的VPN网关建立VPN连接.在VPC两边都创建VPN客户网关。在创建的VPC两边都添加VPN网关。在VPC中创建一个基于Netscaler的公用负载均衡。创建一个VPC。创建一个VPN客户网关.为你创建的VPC设定一个VPN网关.创建一个虚拟私有云(VPC).创建一个自定义ACL列表。创建一个Persistent选项启用的网络方案。为合适的默认出口策略创建一个网络方案:创建一个网络方案。参看 `章节 15.27.11.1.2, “为外部LB创建网络方案” <#ext-lb-offering>`__.创建一个网络方案。参看 `章节 15.27.11.2.5, “创建内部LB规则 <#int-lb-vpc>`__.在VPC里创建一个层。创建一个视图,以允许组有权限执行:创建并应用一个外部负载均衡规则。参看 `章节 15.27.11.1.3, “创建外部LB规则” <#ext-lb-vpc>`__.创建并应用一个外部负载均衡规则。参看 `章节 15.27.11.2.5, “创建内部LB规则” <#int-lb-vpc>`__.使用网络方案创建隔离网络。创建两个VPC。比如,VPC A和VPC B。创建ACL列表VPC两边的VPN会进行初始化连接。默认为30秒之后,两边VPN都会显示为已连接状态。创建一个外部负载均衡网络方案创建一个内部负载均衡网络方案配置一个启用了PVLAN的来宾网络创建一个Persistent客户网络创建一个静态静由。创建一个具有自定义ACL列表的层。新建vpn连接为VPC创建一个VPN网关创建一个ACL规则创建一个外部负载均衡规则创建一个内部负载均衡规则创建和更新一个VPN客户网关.目前,CloudStack并不支持跨区域的服务编排。将引入服务的概念和地域服务提供者。DNS和DHCP分配IP地址给一个账户确定需要分配的IP范围定义网络访问控制列表(ACL),用以在VPC的层之间,或是层与互联网之间控制进出流量。默认情况下,客户网络的所有进入流量被阻止,所有外出流量被允许。一旦在外出流量方向添加了ACL,则只有ACL规则允许的流量可以被允许,其余的外出流量会被阻止。如果要开放其它端口,则需要在新的ACL中明确定义。只有在支持NetworkACL服务的条件下,只能创建层的ACL。拒绝部署准备好的模板。确保应用在第一次启动时能够开启并准备好接管流量。观察部署模板需要的时间。在配置自缩放时,要考虑这段时间。在VPC层中部署虚拟,共享网络。将虚拟机部署到层。描述CloudStack支持特性的描述将一个VLAN和IP地址从一个账户解除联系。域名ESP策略每个CloudStack账号匹配一个拒绝所有入站流量和允许所有出口流量的默认安全组 。可以编辑默认的安全组以便所有新VMs的策略继承一些的想要的设置。每一个虚机只有一个默认的网络. 在这个默认网络里, 虚拟路由器的DHCP响应将设置客户的默认网关. 
除了单一,必须的默认网络, 多个非默认的网络也可以添加到客户虚机里. 管理员可以控制哪个网络作为默认的网络.每一个虚拟机都有自己的私有IP。当来客户虚拟机启动时,通过使用在公共IP和私有IP之间的入口网络地址转换(INAT)以及预留地址转换(RNAT),NetScaler设备可以提供静态NATVPC中每一层都需要是唯一的CIDR,并且这个CIDR是在VPC的CIDR的范围之内。每个区域都有自己的一套公网IP地址。来自不同区域的公网IP地址不重叠。编辑/etc/snmp/snmpd.conf 文件,以允许来自NetScaler设备的SNMP查询编辑,重启,删除VPC。外出流量高级区域中的出口防火墙规则出口防火墙规则在Jniper SRX和虚拟路由器中均支持。弹性IP(EIP)地址是指与帐户关联的IP地址,能起到静态IP地址的作用。帐户所有者能完全控制隶属于此账户的弹性IP。作为帐户拥有者,你可以从你帐户的EIP池中选择一个IP分配给虚拟机。如果后续需要,你可以继续分配此IP地址给另一个虚拟机。在VM宕机时,此功能特别有用。此IP地址可以重新指定给一个新的虚拟机,而不是取代已经宕机的虚拟机。在VPC A这边启用VPN的被动连接模式。在VPC B上启用VPN连接。开启NetScaler的GSLB在VPC层上启用内部负载均衡功能在VPC层中启用基于NetScaler的负载均衡开启安全组启用或禁用静态NATVPC中启用或禁用静态NAT在删除VPC前,需要先删除所有的层。确保在系统启动时,SNMP服务能够自动启动。确保客户网关指向VPC A。在这个示例里,因为VPC A的虚拟路由器是处于被动模式且等待着VPC B进行初始化连接,所以VPC B的虚拟路由器不要设置为被动模式。确保客户网关指向VPC B。这个VPN当前显示的是未连接状态。确保在全局配置中的结束点地址参数已设置为管理服务器的API地址。例如:http://10.102.102.22:8080/client/api. 在多管理节点的部署中,使用配置在负载均衡器上的虚拟IP地址作为管理服务器集群的IP地址。此外,确保NetScaler设备有读取为提供自缩放而配置的IP地址的权限。请确认你的硬件支持所选择的服务方案。确保在配置自缩放时有必需的模板。当使用模板部署虚拟机并使虚拟机启动时,应用能够起动并运行。确保虚拟机上安装了vm-tools以便通过VMware hypervisor添加或移除网络。确保在RedHat上安装了SNMP,如果没有,执行以下命令:确实在添加IP范围前,手动配置了子网的网关。注意,CloudStack仅支持一个子网有一个网关。不支持重叠的子网。输入此步骤 `1 <#source-nat>`__ 中提供的用户名和密码。外部防火墙及负载均衡填写以下内容:防火墙规则防火墙规则能在管理服务器的UI中防火墙选项卡里创建,CloudStac安装好以后,这个规则选项卡默认不显示,你需要以管理员身份修改全局变量 firewall.rule.ui.enabled为 "true"才能显示。首先,确保在你的CloudStack中已经设置好VPN。本章节仅涉及通过Mac OS X 连接至VPN。按照屏幕所指示的操作加入实例。至于如何添加实例,参照安装指南文档。对于NetScaler:如何通过UI进行健康检查策略的设置,参阅 `章节 15.16.5.1, “添加负载均衡规则” <#add-load-balancer-rule>`__.对于每一个层,会显示以下选项。对于每一个层,会显示以下选项。对于每一个源IP地址,都可以建立一个针对它的内部负载均衡。例如:一个VPC的私有地址范围是10.0.0.0/16,其中的用户网络的地址范围可以分别是10.0.1.0/24、10.0.2.0/24、10.0.3.0/24等等。比如,如果VPC CIDR是10.0.0.0/16并且该网络层CIDR是10.0.1.0/24,那么这个网络层的网关是10.0.1.1,子网掩码是255.255.255.0.例如,下表描述了客户网络创建的三种情形:例如:延伸阅读:更多关于 Portable IP的信息,请参阅 `章节 15.12, “Portable IPs” <#portable-ip>`__.要了解更多关于关联公共IP的选项,请参考管理员向导。更多信息,请参阅 `绑定GSLB服务到GSLB虚拟服务器 <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-bind-svc-vsvr-tsk.html>`__.更多信息,请参阅 `绑定GSLB域名到GSLB虚拟服务器 
<http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-bind-dom-vsvr-tsk.html>`__.更多信息,请参阅 `配置基本的GSLB站点 <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-basic-site-tsk.html>`__.更多信息,请参阅 `配置GSLB服务 <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-svc-tsk.html>`__.更多信息,请参阅 `配置GSLB虚拟服务器 <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-vsvr-tsk.html>`__.更多信息,请参阅 `章节 15.17.2.2, “在NetScaler中启用GSLB” <#enable-glsb-ns>`__.更多信息,参看 `章节 15.25.5.1, “创建或更新 VPN客户网关” <#create-vpn-customer-gateway>`__.更多信息,参看 `章节 15.25.5.2, “为VPC创建VPN网关” <#create-vpn-gateway-for-vpc>`__.更多信息,参看 `章节 15.25.5.3, “创建VPN连接” <#create-vpn-connection-vpc>`__.更多信息,参看 `章节 15.27, “配置虚拟专用云” <#configure-vpc>`__.更多信息,参阅 `章节 15.27.2, “添加虚拟专用云” <#add-vpc>`__.如需要更多信息,请查看CloudStack管理文档里the Assigning VLANs to Isolated Networks章节。在VPC中获取一个IP地址。对部署而言,公共IP会受限于资源,可以灵活的选择默认不分配公共IP。可以在开启了EIP的基础区域中,通过关联公共IP选项来打开或关闭自动公共IP指定。如果在创建网络方案时,你关闭了自动公共IP指定,则在使用此网络方案部署时,仅会分配一个私有IP给虚拟机。此后,用户虚拟机可以获取一个IP,并可以开启静态NAT。更多关于辅助隔离VLAN的描述,请参考 `Section 15.14.1, “关于 Private VLAN” <#about-pvlan>`__.对于多数粘性方法变量列表,可以参看CloudStack UI或者调用网络列表,并检查粘性方法支持能力。在网络方案下拉列表里,选择你刚才创建的persistent网络方案。下拉选择方案,选择网络方案:在选择视图下拉框,请确保选择VPN连接。GSLB是新添加的网络服务。GSLB服务提供者可以被添加至区域中的物理网络。网关全局服务器负载均衡(GSLB)是负载均衡功能的扩展,为了高效的避免停机时间。基于部署的性质,GSLB代表一组技术的集合,用于各种用途,如负载均衡,灾难恢复,性能,和法定义务。使用GSLB,工作负载可以分布在位于不同地理位置的多个数据中心。 GSLB也可以用于在发生故障时访问资源的另一个备用位置,或对流量提供了简易的维护方式,或两者兼得。全局服务器负载均衡 支持全局服务器负载均衡-GSLB-用于在不同地域的不同独立区域之间管理WEB服务器的访问流量。以下是CLOUDSTACK中提供的GSLB功能图示:EXZTELCO这个组织用CLOUDSTACK在不同的数据中心部署一个公有云,此云环境包括两个区域,Zone-1 和Zone-2。XYZTELCO里有租户A需要部署一个高可用方案。为了达到此目标,他们分别在两个区域里部署了两个虚拟机实例:Zone-1中有VM1和VM2,Zone-2中有VM5和VM6。租户A在Zone-1中得到一个公网IP-IP-1,并且在VM1和VM2之间配置了负载均衡规则。CLOUDSTACK 编排系统在 Zone-1中LB服务上设置了一个虚拟服务器-Virtual server 1 。客户端对-IP-1的访问会到达Virtual server 
1,此虚拟服务器再将流量转发到VM1和VM2上进行流量负载均衡。返回控制面板并点击网络连接查看这个新的连接。但当前连接并不是活动状态。授权不同的写权限给二个组及你创建的视图来宾IP范围来宾流量指定客户的CIDR必须是网络CIDR的子网。指南负载均衡规则的健康检查。负载均衡应用中的健康检查,能够确保转发需求运行,服务可用。当创建一个负载均衡规则里,你可以指定一个健康检查策略。这是对粘性策略,算法,其他负载均衡设备规则的附加说明。可以为每一条负载均衡设备进行配置。在单个实例上开启多个SSL网站。可以在单个实例上安装多个SSL认证,每一个认证都关联一个单独的IP地址。主机也与一个或多个来宾网络连接。主机同时与管理网络和公共网络连接。在CloudStack中,GSLB的工作原理是什么?在VPC中,内部负载均衡是如何工作的呢?IDIKE策略IP地址IP转发及防火墙IP负载均衡IP预留事项仅当网络在实施状态时,IP预留才能被应用。在界面的CIDR框内输入10.1.1.0/26或通过UpdateNetwork的API配置为guestvmcidr=10.1.1.0/26,进行IP预留配置隔离的来宾网络中的预留IPIP预留仅在隔离网络内支持IP关联是可以通过网络转发的。IP是静态分配的。IP可通过VPC,非VPC隔离和共享网络进行转发。IP可以在基础区域和高级区域中转发。IP与网络无关。IPSec 预共享密钥如果用户VM存在多个网络,则静态NAT规则仅在默认网络上定义时生效。如果一个IP地址被赋予一个网络层:如果一个应用程序,比如SAP,它运行在一个VM实例上,但是VM因为某些原因宕机了,那么这个VM没有被算成是Max实例的一部分。所以这个情况中为扩展动作分发的VMs数量可能会超过配置的MAX实例数值。一旦这个VMs中的应用程序实例从先前的宕机中恢复的时候,自动扩展功能就会校正Max实例的数值。如果一个应用程序,比如SAP,它运行在一个VM实例上,但是VM因为某些原因宕机了,那么这个VM没有被算成是Min实例的一部分,并且如果这些活动的VM实例是下面配置的数值,那么自动扩展功能启动一个扩展的动作。同样的,当应用程序实例从宕机的状态恢复了以后,这个应用程序实例会被算为活动实例计数的一部分,并且当活动实例计数超出Max实例数值的时候,自动扩展启动一个缩减动作。如果没有指定入口规则,那么流量会被禁止,除了已经允许通过一个出口规则响应任何流量 。如果使用了网卡,这些IP应该在相同的IPv6的CIDR中。如果该公网IP上已经有端口转发规则,则不允许再启用静态NAT。如果为自缩放用户生成了API值和秘钥,确保用户参与的负载均衡器的自缩放功能先关闭,再开启,以应用NetScaler配置的变化。如果应用没有运行,NetScaler设备会认为虚拟机无效并持续无条件的创建虚拟机,直到资源耗尽。如果你将使用CloudStack虚拟路由的一个网络方案改成使用公共网络设备作为网络服务商,那么你必须先关掉该网络中的所有虚机。如果您是第一次创建VPN网关,选择点对点VPN会提示您创建一个VPN网关。如果是启用静态NAT,会显示如下对话框:如果是启用静态NAT,会出现一个对话框让您选择目标VM然后点击应用。如果你创建了一个负载均衡规则且使用包括外部负载均衡设备的网络服务方案,如包括NetScaler,但随后将网络方案改成使用CloudStack的虚拟路由器,则你必须在虚拟路由器上创建一个防火墙规则,这些防火墙规则与已经设置的负载均衡规则一一对应,只有这样,才能使那些负载均衡规则继续起作用。如果你已添加层,VPC界面就会出现。点击添加层可以增加一个新的层。如果还没有,请在 CloudStack中为Zone添加公网IP段。参阅 安装指南中的添加Zone和Pod。如果你选择网络方案为允许,则默认出口流量被允许。无论如何,当配置了来宾网络的出口规则,规则被应用于阻止特定的流量和允许其他的 。如果网络中没有配置出口规则,则出口流量会被放行。如果你选择网络方案为拒绝,则来宾网络中的默认出口流量将被阻挡。无论如何,当配置了来宾网络的出口规则,规则被应用于允许特定的流量。当实施来宾网络时,CloudStack为来宾网络添加防火墙出口规则指定默认的出口策略。如果你停止了任何VMs,请重启他们。如果更新了endpointe.url,在系统自动负载均衡器规则里,先关闭自缩放功能随后再开启,以应用此更新。。更多信息,参见 `更新 AutoScale Configuration <#update-autoscale>`__如果你将虚拟路由升级到外网设备,在看到变更CIDR以继续时,请选择Yes。如果你想作为 Portable 
IP则在确认窗口中点击Yes,如果你想作为正常的公共IP则点击No。如果你希望在两个VPC虚拟路由器之间建立连接,需要等待另一个虚拟路由器来初始化连接,则只有其中一个虚拟器上选择被动模式。在这种情况下,不要在初始化连接的虚拟路由器上选择被动模式。如果你想对一个自动扩展VM实例执行任何维护操作,请禁用自动扩展配置。当自动扩展配置被禁用,扩展和缩减动作不会执行。你可以利用停机时间进行维护活动。要禁用自动扩展配置,点击禁用自动扩展 |EnableDisable.png: button to enable or disable AutoScale.| 按钮。如果你的首选项框被锁住,你如果要做些改动需要点击底部左侧的锁按钮,并提供管理员认证。在CIDR框,说明客户虚拟机的CIDR在CloudStack术语中,ACL指的是一组针对网络条目。其按条目规则顺序执行,从最小值开始。这些规则决定了与此ACL关联的层的进出流量是被允许还是阻止。操作的方法是添加一个ACL,然后将这个ACL与层关联。ACL在整个VPC中使用,它可以被关系到一个VPC当中多个层中。一个层能及只能关联到一个ACL中。在网络方案中,选择新的网络方案,然后点击应用。在选择方案中,选择网络方案。在选择视图中,选择来宾网络,然后点击需要的来宾网络。在选择视图中,选择安全组,然后点击需要的安全组在选择视图中,选择安全组。在VPN类型中,选择L2TP IPsec VPN,然后点击IPsec设置,选择用户预共享密钥。并输入此步骤`1 <#source-nat>`__中提供的密钥。在区域中,点击查看全部点击区域中的查看更多。在基础区域中,仅在弹性IP或弹性负载均衡服务开启时,才支持负载均衡服务在基础区域中,在不需要或不选择IP的条件下,你可以创建一条负载均衡规则。当你创建负载均衡规则时,CloudStack会内部指定一个IP地址。当规则创建完成时,IP地址会在IP地址页列出来。在CLOUDSTACK中,客户虚拟机之间可以在共享构架下相互通讯,并且可以在一个私有LAN中实现安全和用户互通。CLOUDSTACK的虚拟路由器是实现客户网络功能的主要组件。在VPC中,验证你想操作的私有网关。在一个VPC中,用LB-enabled network offering只能创建一个层。VPC有以下四个基本的网络架构:在VPC中,你可以配置外部或内部负载均衡。外部负载均衡就是将VPC虚拟路由器接收到的公网流量进行转发的规则。这个流量如何在层里进行均衡取决于你的配置。Citrix NetScaler 和 VPC virtual router都支持外部负载均衡。内部均衡是在层内的虚拟之间进行均衡。比如,到达WEB层请求的流量可以转发到此层另外的虚拟机。外部负载均衡设备不支持内部均衡。内部负载均衡的服务是由目标层的内部虚拟机配置后提供支持服务的。在一个基本的网络中,物理网络的配置非常直接明了。你只需要配置一个客户网络(虚拟)以承载由客户虚拟机产生的流量。当你首次增加一个区域(Zone)到 CloudStack 中,你通过添加域(Add Zone)页面来设置客户网络(虚拟)。在一个使用高级网络的zone中,你可以改为定义多个来宾网络隔离流量至VMs。在一个使用高级网络配置的区域中,你需要配置至少一个用于Internet通信的IP地址范围。除了创建的你自定义的ACL列表之后,以下默认ACL规则也会显示在页面中:default\_allow, default\_deny.除了上述指定的Cisco和Juniper设备, 所期望的是任何Cisco或Juniper的设备在支持的操作系统上都可以建立VPN连接.在高级区域中,完全支持负载均衡功能,没有限制。在基础区域中,也提供静态NAT,EIP,ELB功能。在高级域中,定义一个网络时要给其赋予一个IP地址范围或CIDR。CloudStack虚拟路由器起着DHCP的作用,并通过CIDR来给客户虚拟机分配IP地址。如果为了预留CIDR不用于cloudstack,应当进行说明,即部分IP地址范围或CIDR仅能被DHCP服务分配给在cloudstack中创建的虚拟机。剩下的IP地址被称作预留IP地址范围。当预留的IP被配置时,管理员可以增加额外的虚拟机或并不属于cloudstack的物理服务器到同一个网络,可以将预留的IP地址指定给他们。cloudstack的客户虚拟机不能够从预留的IP地址中获得地址。在以太网交换机中,VLAN是二层网络中的一个主机之间主机能建立直接通讯的广播域 。Private VLAN被设计成一个标准的VLAN的延伸,为了进一步细分逻辑广播域。一个规则的VLAN是单一广播域,但是一个 private 
VLAN将一个较大的VLAN广播域划分为较小的多个子域。子域表现为一对VLANs:一个主VLAN和一个辅助VLAN。被划分为较小组的原始VLAN叫主,这意味着所有的在private VLAN中的VLAN对共享着同一个主VLAN。所有的辅助VLANs存在与主VLAN中。每个辅助VLAN有一个特定的区别于其他子域VLAN ID。在高级区域中,在配置带自缩放的负载均衡规则时,确保至少要有一个虚拟机。在网络中存在一个虚拟机,可保证在配置自缩放时,网络处于使用状态。在高级Zone中,您也可以用虚拟路由器来创建外出的防火墙规则。参阅 `章节 15.22.2, “高级区域中的出口防火墙规则” <#egress-firewall-rule>`__.在每个参与GSLB的区域内,添加启用GSLB功能的NetScaler设备。在每个区域中,添加启用GSLB的NetScaler设备提供负载均衡。在隔离的来宾网络中,来宾IP地址空间中的一部分可以被保留下来以供非CloudStack VMs或者物理服务器使用。要真么做,你应该在来宾网络应用状态时依靠指定CIDR来配置一个预留IP地址范围。如果你的客户希望在同一个网络中有非CloudStack控制的VMs或者物理服务器,它们可以共享一部分主要为来宾网络提供的IP地址空间。使用安全组功能之前,必须先在Zone中启用安全组功能。系统管理员可以在创建一个新的Zone时,通过选择带‘安全组’功能的网络方案进行启用。在高级安装指南的基本Zone配置中有该过程的详细描述。系统管理员不能对现有Zone启用安全组,只能在新建Zone时启用。为了支持这个功能,引进了地域级别的服务和服务提供者。引进了一项新服务“GSLB”作为地域级别的服务。该GSLB服务提供者介绍将提供GSLB服务。目前,CloudStack中NetScaler可作为GSLB提供者。 GSLB功能工作在Active-Active数据中心环境。存在基本网络和启用安全组的高级网络中的共享网络,你可以灵活的在不同子网中添加多个来宾IP范围。你可以同时添加或移除IP范围。更多信息,请参阅 `章节 15.10, “关于多IP范围” <#multiple-ip-range>`__.在默认出口策略选项中,指定行为。在详细查看栏。点击替换ACL按钮。|replace-acl-icon.png: button to replace the default ACL behaviour.|在详细标签页,点击编辑。|EditButton.png: button to edit a network|在 详细 页签,点击 编辑 |edit-icon.png: button to edit a network|在详细 页签,点击网卡在详细选项卡中,点击查看GSLB。在详细查看栏,点击释放IP按钮。 |release-ip-icon.png: button to release an IP.|在详细栏,点击删除VPC按钮。|remove-vpc.png: button to remove a VPC|在“详细信息”页,点击静态NAT按钮 |enable-disable.png: button to enable Static NAT.| 该按钮会根据公网IP的静态NAT当前状态,在启用和禁用间切换。在图中的来宾节点上,点击配置在 Internal LB页面里,点击添加 Internal LB。在图的负载均衡节点点上,点击 查看全部。在网络详细栏,点击删除网络按钮。|del-tier.png: button to remove a tier|点击示意图'网络服务提供程序'中的配置在图表的端口转发节点,点击查看所有。在私有网关页面,点击你需要的私有网关的IP地址。在私有网关页面,按如下步骤操作:在图的公共节点上,点击配置。在所选择的私有网关的快速查看视图里,点击替换ACL,选中ACL规则,然后点击OK按钮。在路由器节点中,选择公共IP地址。在选择视图中,选择VPC。在选择视图里,选择VPN客户网关。在全局变量 
cloud.dns.name中,为您租户云定义DNS名称并供GSLB服务使用。在信息确认对话框,点击“是”。在对话框中,填写必选项,包括防火墙提供者。在对话框中,选择如下操作:在对话框里,定义以下内容:在下拉列表里选择你要添加给VM的网络。在图中,NetScaler设备对CloudStack的实例而言是一个默认的入口或出口,防火墙是剩余数据中心的出口或入口。Netscaler对来宾网络提供负载均衡以及静态NAT的服务。在机架和管理服务器上,来宾流量是不同的子网或VLAN。在数据中心的核心交换机的基础路由策略是通过NetScaler转发公共流量,其他数据中心的流量则通过防火墙。在左侧导航栏中,点击基础架构在左侧导航栏,点击实例在左边导航栏,点击网络。在左侧导航栏中,点击 服务方案。在左边的导航栏里,点击区域(为文档翻译中地域的概念,英文为region,下同)在左边的导航,选择基础架构。在左边的导航栏,选择基础架构。在区域界面点击查看全部,然后点击你要添加网络的区域。在左边的导航栏里,选择实例。在左侧的导航栏,选择网络在左侧的导航栏,选择网络。在左侧导航栏,点击 全局设置在左侧的导航菜单中,点击实例。在左边导航栏,点击网络。在左侧导航栏中,点击地域在下一个对话框中,输入此步骤 `1 <#source-nat>`__ 中的源NAT IP地址并填写连接名称。勾选现在不连接。在下一个对话框中,输入此步骤 `1 <#source-nat>`__中的用户名和密码。在下一个对话框中,选择否,创建一个新的连接。在下一个对话框中,选择使用我的Internet连接(VPN).在这个图中,公网负载均衡规则是这样创建的:公网IP为IP 72.52.125.10,外网端口为80,内网端口为81。VPC的虚拟路由机创建的负载均衡规则将互联网的流量分配到WEB层的各个虚拟机上。在应用层创建了两个内部负载均衡规则。其中一个规则是:客户IP为10.10.10.4的将端口23进行负载分发,实例VM和InternalLBVM1的端口25进行了负载。另一条规则是:客户IP为10.10.10.4的将端口45进行负载分发,实例VM和InternalLBVM1的端口46进行了负载。另一条规则是:客户IP为10.10.10.6的将端口23进行负载分发,实例VM和InternalLBVM1的端口25进行了负载。(两条规则还是三条规则?原文如此,希望图示能明解)在使用高级网络的资源域里, 额外的来宾网络可以在初始安装后任何时间添加. 
你还可以通过指定DNS后缀为每个网络自定义关联的域名.入口网络地址转换(INAT)是NetScaler支持的一类NAT类型,在此类型中,来自公共网络(如Internet)的数据包中的目标IP地址被私有网络中虚拟机的私有地址取代。预留地址转换(RNAT)也是NetScaler支持的一类NAT类型,私有网络中虚拟机产生的数据包中的源IP地址被公共IP地址取代。进入流量初始化安装外部防火墙和负载均衡vlan间路由(多层应用)提供了在vlan间通过流量路由的功能。这个特性使你能够j建立私有云(vpc),独立分割的云,可容纳多层应用程序。这些层被部署在不同的VLAN,可以互相沟通。您提供的VLAN层的创建和部署虚拟机可以在不同的层上。VLAN连接到一个虚拟路由器,这有利于虚拟机之间的通信。实际上,你可以通过不同定义的vlan来分割你的虚拟机到不同网络,以便承担多层应用,如Web,应用程序或数据库的虚拟机。通过VLAN的逻辑上独立的应用程序的虚拟具有较高的安全性和较低的广播,同时任然物理连接到同一设备。内部LB内部和公网负载均衡在一个层里往往是互斥的。如果一个层已应用了公网负载均衡之后,此层就不能再应用内部负载均衡。在 CloudStack 4.2版本中,只有VPC网络支持内部负载均衡。默认的使用PVLAN在共享网络中隔离VMs。使用Private VLAN隔离高级Zone中的网络在共享网络中的隔离来宾流量能被Private VLAN(PVLAN)获取。PVLANs提供同一个VLAN里端口间的2层网络隔离。在启用了PVLAN的共享网络,一个用户VM不能到达其他用户VM,但是他们能与DHCP服务器和网关通讯,反过来这样能允许用户去控制网络内部的流量,并且帮助他们像阻止与其他用户VMs通讯一样的去部署无需通讯的多个应用程序。Juniper J-系统 路由器 JunOS 9.5 或更新版本已知的局限性最少连接数最少连接局限性限制:下列不支持此功能负载均衡规则跨越层的负载均衡在层内进行负载均衡(外部负载均衡)确定需要分配的IP范围找到你要移除的网卡上。找到你想要的网卡。指向你想配置内部负载均衡的层,点击内部负载均衡。点击要配置内部负载均衡规则的VPC的配置按钮。使用用户或管理员身份登录到CloudStack用户界面。使用管理员登录到CloudStack管理界面。登录到CloudStack用户界面并点击账户下的源NAT IP。VPN选项卡应该会显示IPsec预共享密钥。记录该密钥和源NAT IP。用户界面同样也列出了一个多或多个用户他们的密码。选择一个用户,或者如果不存在任何用户,则创建一个用户。使用管理员或者用户账号登录CloudStack UI。使用用户或管理员登录到CloudStack用户界面。作为管理员登录到CloudStack用户界面。使用管理员或者终端用户账号登录CloudStack UI。用系统管理员登陆到CloudStack UI界面。登录到CloudStack的界面以管理员权限登录CloudStack用户界面。MPX确保Send all traffic over VPN connection没有被选定。确保不是所有的网络流量走VPN。也就是说,用于配置VPN的route不是唯一用于该guest network,也不承担全部的网络流量。在自动扩展上下文之外使用API调用,如destroyVM,那么自动扩展下的VM会处于负载均衡配置冲突状态中。虽然VM被负载均衡策略所销毁,但NetScaler仍然会把VM作为一个设备分配一条策略。网络和流量管理在添加IP范围之前,手动配置新子网的网关。映射社区名到一个安全的名字(本地,我的网络,依赖于其来源)映射一个安全名到组名在接口和实例中迁移IP地址。绑定到特定IP地址的应用可以在实例中迁移。共享网络中的多子网在共享网络的特殊帐户内,多个VLAN范围在开启了安全组共享网络的多VLAN范围在VPC中,多层可以应用内部负载均衡。NetScaler ADC TypeNetScaler的自缩放定义为基于用户定义的条件,无缝的开启或关闭虚拟机。触发扩大或缩小行为的条件从监控服务器cpu的使用率的单一用例到监控服务器响应及cpu使用率的组合用例,各不相同。例如,你可以一个自缩放,能够在CPU使用超过80%持续15分钟时启动一个新的虚拟机,或CPU使用率低于20%持续30分钟时,移除一个虚拟机。子网掩码Netscaler只能在独立模块的形式下应用于VPC环境中。网络 
ACL列表网络CIDR网络名称网络设备,如防火墙或负责均衡设备,一般来讲,当他们在网络接口上接入更多的IP地址时,他们能够更好的工作。将网络方案由内部负载均衡更改为公网负载均衡是不可行的。一个提供点里的网络一个区域里的网络在基础区域中,使用默认具有EIP和ELB服务的网络方案来创建共享网络时,仍然会给每一个用户虚拟机分配公共IP。默认不做IP预留。无无注意,如果一个账户使用了所有分配给他的VLAN和IP,这个账户可以从系统获得二个以上的资源。CloudStack为根管理员提供了二个参数可以进行控制,分别是use.system.public.ips和use.system.guest.vlans。当一个账户分配了资源并且这些资源已经被消耗掉时,这二个全局参数可以使根管理员拒绝此账户从公共IP和来宾VLAN获取资源。二个配置都能在帐户级别进行配置。注意只有Cisco Catalyst 4500有PVLAN混杂trunk模式,可以连接所有普通VLAN和PVLAN到不能识别PVLAN的交换机。其他支持PVLAN的Catalyst交换机,在PVALN对中的每个交换机上使用级联线连接到上联交换机。请注意,此指南只基于Mac OS X 10.7.5 。在旧版或新版本的Mac OS X中可能会略有不同。现在点击"连接" 你将会连接到CloudStack VPN。现在,需要添加VPN用户。XenServer和KVM中的OVS不支持原生的PVLAN。因此,靠修改flow table,CloudStack为XenServer和KVM模拟OVS中的PVLAN。在Zones上,点击查看更多,然后点击你要进行操作的zone..在区域页面,点击查看全部。在VPC中启用远程访问VPN,任何VPC以外的VPN客户端都可以使用远程VPN连接访问VPC中的VM。VPN客户端可以在除了用户启用了远程访问VPN服务的VPC中的任何位置。在客户节点界面,点击配置。在NetScaler方面,给出GSLB配置 `配置全局服务器负载均衡 (GSLB) <http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-gslb-config-con.html>`__:在Windows中,进入控制面板,然后选择网络和共享中心,点击设置一个网络连接。在Mac中,打开系统偏好设置然后点击网络。使用持久化网络的一个优点是您可以创建具有一个只包含物理设备的层的VPC。例如,您可以为一个三层应用创建一个VPC,在Web层和应用层部署VM,在数据库层使用物理机器。另一个使用场景为如果您使用物理硬件提供网络服务,您可以定义网络为持久化的。这样即便网络中所有VM都销毁了,服务还可以继续提供。继续配置外部防火墙和负载均衡在CloudStack 4.2 版本中,只有Internal LB VM才能作内部负载均衡的提供方。只有新的网络才能加入VPC。每一个VPC的最大网络数量由参数vpc.max.networks指定。其默认值为3.在VPC中,只有一层只支持公网负载均衡。启用了PVLAN的共享网络可以是来宾VM的多个网络的一部分。作为云管理员执行以下操作。按照上面给出的例子中,由管理员xyztelco设置GSLB:持久化网络的考虑事项持久化网络Persistent网络是为隔离网络而设计的。物理应用。可以在单个应用上创建多个完全隔离的VPX实例,以支持多客户使用。物理应用。能够进行深度数据包检测。可作为防火墙和负载均衡应用。端口转发更改端口转发和静态NAT服务端口IP转发仅对静态NAT可用。端口IP在CloudStack中,端口IP是地域级的IP地址池,其天然具有弹性,亦即可以在地理隔离的区域中进行转发。作为管理员,可以在地域级提供IP地址池供用户使用。如果在用户所属的地域,其管理员提供了端口IP,用户就可以获取此类IP。在高级区域内,这些IP可用于任一服务。也可以在基础区域中为EIP服务使用端口IP。先决条件先决条件和指南专用网关协议提供一个名称和描述。填写以下内容:公共IP地址公共LB IP在VMs中重新配置网络释放IP地址释放VPC分配的IP地址远程访问VPNVPC网络不支持Remote access VPN。在界面的CIDR框内输入10.1.1.0/24或通过UpdateNetwork API配置为guestvmcidr=10.1.1.0/24,进行IP预留清除删除层移除网络重复相同的步骤添加VPN用户。用正确的UUID替换此处的UUID。比如,如果你想转换一个portable IP至X网络和一个网络中的VM 
Y,请执行下列操作:从一个高级区域中预留一个VLAN范围和公共IP地址,并可以将其指定给一个账户。非cloudstack虚拟机的IP预留范围为账户预留公共IP地址及VLANS预留一个IP范围VPN连接的重启和删除在新创建的连接上点击右键并选择属性。在属性对话框中,选择网络选项卡。轮询规则SDX安全组高级区域中的安全组(只针对KVM)为使用此特性,在区域内必须开启安全组安全组提供一种方法来隔离VMs流量。一个安全组是一组依照设置名为入口规则和出口规则来过滤他们进出流量的VMs,这些规则依靠与VM通讯的IP地址来过滤网络流量。安全组在使用基础网络的zones中尤为重要,因为这里只有一个来宾网络。在高级zones中,只有KVM hypervisor支持安全组。参考 `Private VLAN Catalyst Switch Support Matrix <http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml>`__\ for more information.参阅 `章节 15.17.2.3, “添加GSLB规则” <#gslb-add>`__.参阅 `章节 15.17.2.4, “为GSLB分配负载均衡规则” <#assign-lb-gslb>`__.更多信息,参看 `章节 15.27, “Configuring a Virtual Private Cloud” <#configure-vpc>`__.参阅 `章节 15.27.5.1, “专用网关的源NAT” <#sourcenat-private-gateway>`__.参阅 `章节 15.27.5.2, “专用网关的ACL” <#acl-private-gateway>`__.下图是一个典型的来宾流量设置:查看管理指南文档。选择IP地址。选择网络ACL列表。从左边的导航栏里选择网络。如果你希望在两个VPC虚拟路由器之间建立连接,选择被动模式。选择私有网关。选择公网IP地址。选择点对点VPN选择一个模板或ISO,按向导步骤操作。 选择一个区域。选择ACL规则栏选择分配VLAN范围页签选择静态路由栏。选择你需要的VPC。选择您要操作的VPN连接。选择您要操作的客户VPN连接。选择VPN选项卡。在创建层的过程中选择需要的ACL列表。选择需要的ACL列表。选择所需的GSLB。选择想要的用户网关。选择你希望提供此网络方案服务的客户网络。选择你将为区域创建的负载均衡规则。选择你想要操作的网络。选择你想创建GSLB规则的地域。选择层和目标虚机,然后点击“应用”。选中你希望赋予自定义ACL的层。选择应用规则的层。选择你想删除的层。选择默认网络服务器以如下形式连接:设置以下全局配置参数。配置站点到站点的VPN连接设置0.0.0.0以允许所有的IP都可以查询NetScaler设备与公共IP地址一样,弹性IP地址通过使用静态NAT关联至与之相关的私有IP地址。在起用了EIP的基础域中,EIP的服务与静态NAT的服务一一对应。默认的网络方案,默认共享EIP与负载均衡网络方案,在区域部署了NetScaler设备的前提下,能够提供EIP以及ELB网络服务。参见以下更详细的说明。在VPC网络之间的站点的VPN连接站点到站点 VPN一些使用案例见以下描述源IP源IPSource NAT功能是在虚拟路由里自动配置好的,它可以转发所有来宾虚拟机的外出流量。私有网关的Source NAT指定一个有效的客户虚拟机CIDR。只有不活动的IP在客户虚拟机CIDR存在时,IP预留才能被应用。指定目标网络的CIDR。指定下列扩展和缩减的策略:指定以下信息:说明是否需要IP跨区。给最大量实例参数指定一个大的值可能引发大量VM实例的分发,这个过程会导致一个负载均衡策略耗尽账户或者域级别下VM实例指定的限制。开启SNMP服务:状态 静态 NAT从每个GSLB虚拟服务器中收集统计数据。为负载均衡规则制定的粘性会话策略。粘性会话应用于基于网页的应用中,以确保在用户的会话中,对用户的多种请求持续提供信息。例如,购物者正在向购物车中增加东西,则需要记住到目前为止已买的东西。粘性的概念也指持久发现或维护状态。存储设备只与管理网络连接。在ESXi和XenServer上支持。对MPX也支持一些功能。CloudStack将VPX和MPX作为同一类型的设备看待。在KVM,XenServer和VMware hypervisors中支持TCP租户A在Zone-2中得到一个公网IP-IP-2,并且在VM5和VM6之间配置了负载均衡规则。CLOUDSTACK 编排系统在 
Zone-2中LB服务上设置了一个虚拟服务器-Virtual server 2 。客户端对-IP-2的访问会到达Virtual server 2,此虚拟服务器再将流量转发到VM5和VM6上进行流量负载均衡。此时,租户A在两个区域里都启用了服务,但是,无法在这种环境下部署灾难恢复计划,也无法更智能在区域内使用负载均衡。要解决这些问题,XYZTELCO云管理员可以在两个区域内启用GSLB服务,一个GSLB服务通常是一个具有ADNS(认证域名服务器)能力的ADC,并且具有监测本地和远程站点健康状况的手段。云管理员可以在ZONE 1和2中为租户启用GSLB服务。租户- A希望利用由xyztelco cloud提供的GSLB服务。租户-A配置了一个GSLB规则对Zone-1中的虚拟服务器1和Zone-2中的虚拟服务器2提供流量负载均衡。假设域名是A.xyztelco.com 。CloudStack中协调设置GSLB服务提供者Zone-1中的GSLB虚拟服务器1。 CloudStack绑定Zone-1中的虚拟服务器1和Zone-2中的虚拟服务器2到GSLB虚拟服务器1。CloudStack也将协调设置GSLB服务提供者Zone-2中的GSLB虚拟服务器2.CloudStack绑定Zone-1中的虚拟服务器1和Zone-2中的虚拟服务器2到GSLB虚拟服务器2.GSLB虚拟服务器2配置为开始监视虚拟服务器1和2的健康。CloudStack中会绑定域名A.xyztelco.com到GSLB虚拟服务器1和2。在这一点上,租户-A的服务将在全球范围内可达于A.xyztelco.com。域名xyztelcom.com的专用DNS服务器,被管理员配置为外带管理,由两个区域的GSLB提供者对域名A.xyztelco.com提供解析。它将被配置为域名A.xyztelco.com的ADNS。当客户端请求解析A.xyztelcom.com域名时,将最终由DNS指派到GSLB提供者Zone 1 和Zone2。客户DNS请求将被GSLB提供者接获。GSLB提供者,根据需要解析的域名,将获得与域名关联的GSLB虚拟服务器。根据用于负载均衡的虚拟服务器的运行健康状况,域名DNS请求将被解析到所选择关联的虚拟服务器中。那么这个IP就不能在VPC里被另外的层所使用。比如:如果你有A层和B层以及一个公网IP地址,则你可以为A或B创建一个端口转发规则,但不能同时在A和B上创建。那个IP也不能在VPC的其它的客户网络里用作StaticNAT,负载均衡,端口转发规则。获取新IP的窗口会出现。会弹出添加帐户对话框。会显示添加帐户页添加GSLB页面显示如下:显示的添加IP范围对话框如下:添加实例的页面就会出现。会出现 添加端口IP范围的窗口现实添加客户网络窗口。添加来宾网络窗口显示:显示添加网络对话框。然后,添加层的对话界面就会出现。如下:设计关联公共IP的功能,仅是为使用用户虚拟机。系统虚拟机仍然默认会获取公共IP和私有IP,与网络配置并不相关。自缩放功能支持SNMP计数,这可以用来定义扩大或缩小的前提条件。为监测SNMP计数,确保SNMP代理已经在创建自缩放虚拟机的模板中安装。通过使用标准SNMP管理器,SNMP操作可以与配置好的社区SNMP和端口一起工作。可参见 `章节 15.16.2, “在RHEL服务器上配置SNMP 团体字符串” <#configure-snmp-rhel>`__在RHEL服务器上配置SNMP团体字符串。CIDR框将变为可编辑状态思杰的NetScaler有三种变化,下表总结了在CloudStack中如何处理那些变化。配置VPC的页面显示出来了。指向你需要操作的层。系统会显示创建VPN连接对话框:会弹出分配VLAN对话框。系统显示详细信息页。EIP的工作流如下:GSLB功能支持基本和高级区域。该GSLB功能必须支持会话持久性,特定域名的一系列客户端请求被发送到同一个区域中的虚拟服务器上。网关对话框就会显示出来。Internet密钥交换协议(IKE)匹配点 ( VPN 端点 ) 
Peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key. If the receiving peer can independently compute the same hash using its own pre-shared key, the two peers share the same key, the mutual authentication succeeds and a match is formed.
The IP Addresses page is displayed.
IP Reservation is not supported if active IPs are found outside the guest VM CIDR.
IP addresses are a limited resource. If you no longer need a particular IP, disassociate it from its VPC and return it to the pool of available addresses. An IP address can be released from its tier only when all the network rules on it (port forwarding, load balancing, and static NAT) have been removed. The released IP address still belongs to the same VPC.
IPs for guest network traffic are set by the user on a per-account basis. This allows users to configure their network in a way that opens a VPN connection between their guest network and their clients.
The IPsec key is displayed in a pop-up window.
Connect to the Internet through the public gateway.
NetScaler can be set up in pass-through mode. It must be added before any load balancing rules for guest VMs are deployed in the zone.
NetScaler devices use SNMP to communicate with the VMs. To ensure secure communication between the NetScaler device and the RHEL machine, you must install and configure SNMP community strings.
The Public IP Addresses page is displayed.
The Replace ACL dialog is displayed.
The Replace ACL dialog box appears.
An SNMP community string is similar to a user ID or password that provides access to a network device, such as a router. The string is sent along with every SNMP request. If the community string is correct, the device responds with the requested information; if it is incorrect, the device discards the request and does not respond.
The Site-to-Site VPN page is displayed.
The Source NAT service is enabled when the private gateway is added. If the private gateway is removed, the Source NAT rules associated with it are deleted as well.
The VPC page is displayed, with all the tiers you have created listed in a diagram.
All the tiers you created are listed on the VPC page.
The VPN connection is currently shown as disconnected.
The virtual router provides DNS and DHCP services to the guests. It proxies DNS requests to the DNS server configured in the availability zone.
The administrator can configure a DNS name for the entire cloud.
The administrator is able to enable or configure a zone for GSLB.
The administrator can enable or disable GSLB functionality at the region level.
The administrator allows all users to create their own VPCs and deploy applications.
In this scenario, a tenant's VMs are deployed into the VLAN allocated to that tenant.
The administrator creates a gateway to send and receive traffic from the VMs:
The administrator can define an Access Control List (ACL) on the virtual router to filter traffic between VLANs, or between the Internet and a VLAN. ACLs can be defined based on CIDR, port range, protocol, type code (if the ICMP protocol is selected) and ingress/egress direction.
The administrator can deploy a set of VLANs and allow users to deploy VMs on those VLANs. A guest VLAN is randomly assigned to a tenant from a pre-specified set of VLANs. All the VMs of a tenant in a given tier reside on the guest VLAN allocated to that tenant.
The button toggles between Enable and Disable, depending on whether static NAT is currently enabled for the IP address.
The button toggles between Enable and Disable, depending on whether AutoScale is currently enabled.
After the maintenance operations are done, you can enable the AutoScale configuration again. To enable it, open the AutoScale configuration page again, then click the Enable AutoScale |EnableDisable.png: button to enable or disable AutoScale.| button.
The connection is now ready for activation. Go back to Control Panel -> Network Connections and double-click the created connection.
Connect to a neighbouring data center through a site-to-site VPN gateway.
A default ACL is applied when no ACL is explicitly associated. By default, all incoming traffic to a tier is blocked and all outgoing traffic is allowed.
The default ACL cannot be removed or modified. The contents of the default ACL are:
The default egress policy for an isolated guest network is configured by using a network offering. Use the create network offering option to decide whether the default policy should allow or deny all the traffic from the guest network to the public network. Use this network offering to create the network. If no policy is specified, all the traffic from the guest network you create is allowed by default.
The default number of VPCs an account can create is 20. If you need more VPCs, change the max.account.vpcs global parameter, which controls the maximum number of VPCs that can be created.
The default number of tiers a user can create in a VPC is three. This can also be changed through the vpc.max.networks parameter.
The default policy for a new network offering is Allow; however, after upgrading an existing network offering, the egress policy for the firewall service provider is Deny by default.
Unlike remote VPN, site-to-site VPNs connect entire networks to each other, for example, connecting a branch office network to a company headquarters network. In a site-to-site VPN, hosts do not need VPN client software; they send and receive normal TCP/IP traffic through a VPN gateway.
Egress firewall rules are not supported on shared networks.
Egress traffic originates from a private network and goes to a public network, such as the Internet. By default, egress traffic is blocked in the default network offering, so no outgoing traffic is allowed from a guest network to the Internet. However, you can control egress traffic in an Advanced zone by creating egress firewall rules. When an egress firewall rule is applied, the traffic specified in the rule is allowed and the remaining traffic is blocked. When all the firewall rules are removed, the default policy, Block, is applied again.
End users can see their own VPCs, while root and domain admins can see any VPC they are authorized to see.
This feature is supported only for IPv4 addresses.
The following figure illustrates the network setup within a single pod. The hosts are connected to a pod-level switch. At a minimum, each host has one physical network card connected to the switch. Bonded NICs are supported as well. The pod-level switch is a pair of redundant gigabit switches with 10 G uplinks.
The following default rules are displayed in the ACL page: default\_allow, default\_deny.
The following details of the VPN gateway are displayed:
The following example allows inbound HTTP access from anywhere.
The following figure illustrates the network setup within a single zone.
The following figure shows a possible setup for an inter-VLAN deployment scenario:
The VPN connection information
The following objects are created on the load balancer:
The following options are displayed.
The following router information is displayed:
The functionality of NetScaler in CloudStack is the same as that of the F5 external load balancer described in the CloudStack documentation. One difference is that F5 supports routing domains, whereas NetScaler does not. NetScaler also cannot be used as a firewall.
An instance has only a private IP address; to give it Internet access, you can enable NAT for that instance in the VPC.
The load balancing service can be supported by only one tier inside the VPC.
The main advantages are:
The maximum number of IPs per account cannot be exceeded.
A network that is provisioned without deploying any VM is called a persistent network. A persistent network may or may not be part of a VPC.
The new gateway appears in the list. You can repeat these steps to add more gateways for this VPC.
The new load balancing rule appears in the list. You can repeat these steps to add more load balancing rules for this IP address.
The new load balancing policy is shown in the list; repeat the steps above to add more load balancing policies for this IP address.
The new security group appears in the Security Groups Details tab.
The number of bytes sent and received through source NAT, static NAT, and load balancing rules is measured and saved on each external device. This data is collected on a schedule and stored in the CloudStack database.
Phase-1 is the first phase of the IKE process. In this initial negotiation phase, the two VPN endpoints agree on the methods to be used to secure the underlying IP traffic. Phase-1 authentication succeeds only if the two VPN gateways are using the same pre-shared key.
Phase-2 is the second phase of the IKE process; its purpose is to negotiate the IPsec security associations (SAs) that establish the IPsec tunnel. In phase-2, new keys are exchanged using the DH method agreed upon in phase-1.
The procedure for using VPN varies by Windows version. Generally, the user must edit the VPN properties and make sure that the default route is not the VPN. The following steps are for the Windows L2TP client on Windows Vista. The commands should be similar for other versions of Windows.
The main features of portable IPs are as follows:
The endpoints currently supported in the data center are:
The traffic in and out of a VPC private gateway is controlled by ACL rules. The ACL consists of both allow and deny rules. Per rule, all the incoming and outgoing traffic on the private gateway interface is blocked.
When a user acquires a public IP (elastic IP), the public IP is associated with the account but not with any private IP. The user can then enable static NAT to associate the public IP with the private IP of a VM in the account. The static NAT rule for the public IP can be disabled at any time. When static NAT is disabled, a new public IP is allocated from the pool, which is not necessarily the same as the originally allocated one. The user can choose to associate the same public IP with more than one VM.
CloudStack implements a TCP-level load balancer with the following policies.
The user should be able to set the weight of the zone-level virtual servers. The load balancer takes this weight into account when distributing traffic.
The user-supplied name, together with the DNS name supplied by the administrator, produces a globally resolvable FQDN for the user's global load balancing service. For example, if the administrator has configured xyztelco.com as the DNS name for the cloud and the user specifies 'foo' as the name of the GSLB virtual server, the FQDN of the GSLB virtual server is foo.xyztelco.com.
The user can load balance traffic across the availability zones in the same region or in different regions.
The user can specify a unique name for the global load balancing service in the cloud. The domain part of the provided name corresponds to the DNS name of the cloud.
If the administrator has enabled GSLB in a region, the user can use GSLB to load balance the VMs across all the zones in that region.
The virtual router provides DHCP and automatically assigns each guest VM an IP address within a pre-defined IP range. Users can also manually configure a different IP address for a VM.
The following steps assume that you have already logged into the CloudStack UI.
To set up a basic guest network:
The default public IP is released in two cases:
This feature is supported only on:
This feature is supported on KVM, XenServer, and VMware hypervisors.
This feature is supported on XenServer, KVM and VMware hypervisors.
These features are supported on XenServer, KVM and VMware hypervisors. Note that VMware does not support security groups in Basic zones.
The feature is supported on XenServer, VMware and KVM hypervisors.
This feature is supported on all hypervisor types.
This feature is supported only on the virtual router and Juniper SRX.
These features provide the following capabilities:
This is similar to port forwarding, but the destination may have multiple IP addresses.
This option is displayed only if the offering you selected is VLAN-enabled.
There are three types of ports in a private VLAN, which essentially determine the traffic behaviour of the hosts attached to them. Each port group has its own unique policy, which controls the communication between a host attached to that port and the other hosts attached to the same private VLAN domain. Configure the hosts in each PVLAN pair using one of the following three port definitions:
Tiers act as isolated networks within a VPC; by default, tiers cannot reach each other. Tiers on different VLANs are connected through the virtual router VM. Tiers provide inexpensive, low-latency network connectivity within the VPC.
Adding a VPN Customer Gateway
To create an ACL rule, define which of the following network traffic is allowed in the VPC.
To add an egress rule, click the Egress Rules tab and fill out the following fields to specify what type of traffic is allowed to be sent out of VM instances in this security group. If no egress rules are specified, all traffic is allowed out. Once egress rules are specified, only the following traffic is allowed out: traffic specified in egress rules, queries to DNS and DHCP servers, and responses to traffic allowed in through ingress rules.
To add an egress rule, click the Egress Rules tab and fill out the following fields to specify what type of traffic is allowed to be sent out of VM instances in this guest network.
To add an ingress rule, click the Ingress Rules tab and fill out the following fields to specify what network traffic is allowed into VM instances in this security group. If no ingress rules are specified, then no traffic is allowed in, except for responses to traffic that has been allowed out through an egress rule.
To allow incoming traffic, users may set up firewall rules and/or port forwarding rules. For example, you can use a firewall rule to open a range of ports on the public IP address, such as 33 through 44. Then use port forwarding rules to direct traffic from individual ports within that range to specific ports on user VMs. For example, one port forwarding rule could route incoming traffic on the public IP's port 33 to port 100 on one user VM's private IP.
To allow outgoing traffic, follow the steps in `Section 15.22.2, "Egress Firewall Rules in Advanced Zones" <#egress-firewall-rule>`__.
To assign an existing IP range to an account, perform the following:
To configure a GSLB deployment, you must first configure a standard load balancing setup for each zone. This enables you to balance load across the different servers in each zone in the region. Then on the NetScaler side, configure both NetScaler appliances that you plan to add to each zone as authoritative DNS (ADNS) servers. Next, create a GSLB site for each zone, configure GSLB virtual servers for each site, create GSLB services, and bind the GSLB services to the GSLB virtual servers. Finally, bind the domain to the GSLB virtual servers. The GSLB configurations on the two appliances in the two different zones are identical, although each site's load balancing configuration is specific to that site.
To configure the default interval at which health checks are run, use the global configuration parameter healthcheck.update.interval; the default value is 600 seconds. You can set this value as needed.
To create a firewall rule:
To assign a new IP range to an account, perform the following:
To create a persistent network, perform the following:
To do so, select the name of the network, then click Add Load Balancer. Continue the configuration from `7 <#config-lb>`__.
To enable VPN for a VPC:
To enable VPN for a particular network:
To enable Source NAT on an existing private gateway, delete the private gateway and create a new one with Source NAT enabled.
To enable external load balancing support for a VPC, create a network offering as follows:
To use internal load balancing in a VPC, either use the default DefaultIsolatedNetworkOfferingForVpcNetworksWithInternalLB offering or create a new network offering as follows:
To install and enable an external load balancer for CloudStack management, see `Section 13.5.4, "External Guest Load Balancer Integration (Optional)" <#external-guest-lb-integration>`__.
To make the security group useful, continue to add ingress and egress rules to the security group.
To modify the required parameters, click the Edit VPN Customer Gateway button. |edit.png: button to edit a VPN customer gateway|
To prevent IP conflicts, configure different subnets when multiple networks are connected to the same VM.
To remove a VPN connection, click the Delete VPN connection button. |remove-vpn.png: button to remove a VPN connection|
To remove a VPN customer gateway, click the Delete VPN customer gateway button. |delete.png: button to remove a VPN customer gateway|
To reset an existing IP reservation, apply IP reservation by specifying the CIDR value in the CIDR field.
To restart a VPC, click the Restart button. |restart-vpc.png: button to restart a VPC|
To restart a VPN connection, click the Reset VPN connection button in the Details tab. |reset-vpn.png: button to reset a VPN connection|
To set up VPN for the cloud:
To set up a site-to-site VPN connection, perform the following steps:
For information on setting up a multi-tier VLAN, see `Section 15.27, "Configuring a Virtual Private Cloud" <#configure-vpc>`__.
To set up port forwarding:
To transfer a portable IP across networks, execute the following API:
Traffic type
Portable IPs
Two IP ranges with different gateways or netmasks in the same VLAN, within a shared network for a specific account
Two IP ranges with different gateways or netmasks in the same VLAN, within a security-group-enabled shared network
Type
Typically, the Management Server automatically creates a virtual router for each network. A virtual router is a special virtual machine that runs on the physical hosts. Each virtual router in an isolated network has three network interfaces. If multiple public VLANs are used, the router has multiple public interfaces. Its eth0 interface serves as the gateway for guest traffic and has the IP address 10.1.1.1. Its eth1 interface is used by the system to configure the virtual router. Its eth2 interface is assigned a public IP address for external public traffic. Again, if multiple public VLANs are used, the router has multiple public interfaces.
UDP
Unblock SNMP in iptables.
In the Network navigation, select the network that you want your VM to be in.
Updating and removing a VPN customer gateway.
In IP reservation, upgrading to a network offering that causes a change in CIDR, such as upgrading an offering with no external devices to one with external devices, is invalid. Reconfigure the IP reservation in the newly re-implemented network.
Use cases
Use PVLAN on a supported switch.
Use a strong password when editing the following table.
Use the Details tab. See `4 <#details-tab>`__ through .
Use the Quickview. See `3 <#quickview>`__.
Use the delete VLAN range API to delete the IP range. This operation fails if an IP in the range is in use. If the range contains the IP address that the DHCP server is to allocate, CloudStack acquires a new IP from the same subnet. If no IP is available in the subnet, the delete operation fails.
Using Multiple Guest Networks
Using Remote Access VPN with Mac OS X
Using Remote Access VPN with Windows
VPC with a private gateway only and site-to-site VPN access
VPC with a public gateway only
VPC with public and private gateways
VPC with public and private gateways and site-to-site VPN access
VPX
View the public IP addresses allocated to the account.
Virtual appliance that can run on XenServer, ESXi, and Hyper-V hypervisors. Same functionality as MPX.
Wait for a few moments; the new router is created.
Wait for a few moments. The new ACL rule appears in the Details tab.
Wait for the update to complete. Do not try to restart VMs until the network change is complete.
Wait for the update to complete.
We recommend using multiple physical NICs to improve performance, as well as redundant switches to improve network reliability.
When the NetScaler load balancer is used to provide EIP or ELB services in a Basic zone, ensure that all the guest VM traffic enters and leaves through the NetScaler device. When inbound traffic passes through the NetScaler device, it is routed using NAT, based on the public IP to private IP mapping configured on the device. Traffic from the guest VMs usually goes through the layer 3 router; to ensure that the outbound traffic goes through the NetScaler device providing EIP/ELB, the layer 3 router must have a policy-based route. A policy-based route must be set up so that all traffic originating from the guest VMs is directed to the NetScaler device. This is required to ensure that the outbound traffic from the guest VMs is routed to a public IP by using NAT. For more information on EIP, see `15.11, "About Elastic IP" <#elastic-ip>`__.
When PFS is turned on, every negotiation of a new phase-2 SA between the two gateways generates a new set of phase-1 keys. This adds an extra layer of protection: it ensures that even when a phase-2 SA expires, its keys are not derived from phase-1.
When a VPC is created, a SourceNAT IP is allocated to it by default. When the VPC is removed, the SourceNAT IP is released.
When a health check policy is in effect, the load balancer stops forwarding requests to any resource found to be unhealthy. If the resource later becomes available again, the periodic health check discovers it, and the resource is once again added to the pool of resources that can receive requests from the load balancer. At any time, the most recent health check results are displayed in the UI. For any VM that is attached to a load balancer rule with a health check configured, the status shows as UP or DOWN based on the most recent check.
When a user VM is deployed, a public IP is automatically acquired from the pool of public IPs configured in the zone. This IP is owned by the VM's account.
When creating a VPC, you simply provide the zone and a set of IP addresses for the VPC to use. This set of addresses is specified in the form of a CIDR block.
When the VM is stopped. When the VM starts, it acquires a new public IP, not necessarily the same one originally allocated, from the pool of public IPs.
When a VM is created for a new account, CloudStack programs the external firewall and load balancer to work with the VM. The following objects are created on the firewall:
When the last VM in a network is destroyed, the network garbage collector checks whether the network offering associated with the network is persistent, and shuts down the network only if it is not.
When the last rule for an IP is removed, you can release that IP. The IP still belongs to the VPC; however, it can be picked up again by any guest network in the VPC.
When the user's VMs are deployed in multiple availability zones that are GSLB enabled, they can use the GSLB feature to load balance traffic to the VMs across those zones.
When you acquire an IP address, all IP addresses are allocated to the VPC, not to the guest networks within the VPC. The IP is associated with a guest network only when the first network rule (port forwarding, load balancing, or static NAT) is created for the IP or the network. An IP cannot be associated with more than one network at a time.
When you create a guest network, the network offering you select defines the network persistence. This in turn depends on whether persistent network is enabled in the selected network offering. When you create any other type of network, the network is only a record in the database until the first VM is created in it. When the first VM is created, a VLAN ID is assigned and the network is provisioned. Likewise, when the last VM in the network is destroyed, the VLAN ID is released and the network is no longer available. With persistent networks, you have the ability to create a network in &PRODUCT; in which physical devices can be deployed without having to run any VMs. Additionally, you can deploy physical devices on that network.
When you create an internal load balancing rule and apply it to a VM, an internal LB appliance is created.
When setting up GSLB, the user can select a load balancing method, such as round robin, for distributing the load across the zones that are part of the GSLB.
Within a few moments, the VPN connection is displayed.
Within a few moments, the VPN gateway is created. You are prompted to view the details of the VPN gateway; click Yes.
Within a few moments, the new IP address should appear with the state Allocated. You can now use the IP address in port forwarding or static NAT rules.
Within a zone that uses advanced networking, you need to tell the Management Server how the physical network is set up to carry different kinds of traffic in isolation.
You are prompted to confirm, because IP addresses are typically a limited resource. Within a few moments, the new IP address should appear with the state Allocated. You can now use the IP address in port forwarding, load balancing, or static NAT rules.
You can change this default behaviour while creating the private gateway. Alternatively, you can do the following:
You can connect your VPC to:
You can delete or modify existing health check policies.
You can deploy VMs in a VPC tier together with multiple shared networks.
You can edit the name and description of a VPC. Select the VPC, then click the Edit button. |edit-icon.png: button to edit a VPC|
You can edit the tags assigned to the ACL rules or delete the ACL rule. Click the appropriate button in the Details tab.
You can either assign an existing IP range to an account, or create a new IP range and assign it to an account.
You can modify a security group by deleting or adding any number of ingress and egress rules. When you do, the new rules apply to all VMs in the group, whether running or stopped.
You can remove a tier from a VPC. A removed tier cannot be restored. When a tier is removed, only the resources of the tier are expunged. All the network rules (port forwarding, load balancing, and static NAT) and the IP addresses associated with the tier are removed. The IP addresses still belong to the same VPC.
You can also delete a VPC by clicking the Remove button in the Quickview.
You can test the rule by using SSH to connect to the instance.
You can update a customer gateway either with no VPN connection, or with a VPN connection that is in the error state.
You can update various parameters and add or delete the conditions of scale-up or scale-down policies. Before you update an AutoScale configuration, make sure you have disabled the AutoScale load balancer rule by clicking the Disable AutoScale button.
You can view the created internal LB VM in the Instances page if you navigate to **Infrastructure** > **Zones** > <zone\_ name> > <physical\_network\_name> > **Network Service Providers** > **Internal LB VM**, where the instances with internal load balancing are listed. You can also manage the internal LB VMs from this location.
You cannot apply IP reservation if any VM is assigned an IP address outside the guest VM CIDR.
You cannot use firewall rules to open ports for an elastic IP. When elastic IP is in use, outside access is instead controlled through security groups. See `Section 15.15.2, "Adding a Security Group" <#add-security-group>`__.
You cannot use port forwarding to open ports for an elastic IP address. When elastic IP is in use, outside access is controlled through security groups. See Security Groups.
You have two options: Allow and Deny.
You may also want to click "Show VPN status in menu bar", but that is entirely optional. You may need to scroll down to see it.
You might want to deploy multiple VPCs with the same super CIDR and guest tier CIDR. Therefore, within a data center, VMs in different VPCs can have the same IP addresses on the private network. In such cases, the Source NAT service needs to be configured on the private gateway to avoid IP conflicts. If Source NAT is enabled, the guest VMs in the VPC use the private gateway IP address to communicate with the other machines in the data center.
You must configure the NIC of the guest VM manually. CloudStack does not automatically configure the VM to acquire an IP. Make sure the IP address configuration persists across VM reboots.
You will need to create a new network entry. Click the plus icon on the bottom left, and you will see a dialog that says "Select the interface and enter a name for the new service." Select VPN from the Interface drop-down menu, and "L2TP over IPSec" for the VPN Type. Enter whatever you like in the Service Name field.
You now need to give the new network interface the name entered in "Service Name". For this example, we assume you have named it "CloudStack". Click that interface and provide the VPN IP address in the Server Address field and your VPN user name in the Account Name field.
Your VM is deployed to the selected VPC tier and shared network.
`Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment <http://tools.ietf.org/html/rfc5517>`__
`Private VLAN (PVLAN) on vNetwork Distributed Switch - Concept Overview (1010691) <http://kb.vmware.com>`__
`Understanding Private VLANs <http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swpvlan.html#wp1038379>`__
if the virtual router is the DHCP provider for IPv4 addresses
on KVM, XenServer and VMware hypervisors
remote.access.vpn.client.ip.range – The range of IP addresses to be allocated to remote access VPN clients. The first IP in the range is used by the VPN server.
remote.access.vpn.psk.length – Length of the IPsec key.
remote.access.vpn.user.limit – Maximum number of VPN users per account.
Select the ACL rule, then click OK.
[Figure captions: adding an IP range to a network; adding a private gateway for the VPC; adding a tier to a VPC; adding a VM to a VPC; adding a VPC; add guest network setup in a single zone; adding a VM to a VPC tier and shared network; adding a customer gateway; configuring AutoScale; creating a VPN connection to the customer gateway; adding an egress firewall rule; Elastic IP in a NetScaler-enabled Basic Zone; adding a GSLB rule; GSLB architecture; guest traffic setup; allows inbound HTTP access from anywhere; a multi-tier setup; network setup in a single zone; logical view of network in a pod; selecting a tier to apply static NAT; configuring internal LB for VPC]