
Set Up Security Groups

In Managed and Managed (No VLAN) networking modes, you must configure the system with parameters that define how Eucalyptus will allocate and manage virtual machine networks. These virtual machine networks are known as security groups. The relevant parameters are set in eucalyptus.conf on every machine running a CC. These parameters are:
  • VNET_SUBNET
  • VNET_NETMASK
  • VNET_ADDRSPERNET
The CC will read VNET_SUBNET and VNET_NETMASK to construct a range of IP addresses that are available to all security groups. This range will then be further divided into smaller networks of the size specified in VNET_ADDRSPERNET.
The first time an instance runs in a given security group, Eucalyptus chooses an unused range of IPs of the size specified in VNET_ADDRSPERNET. Eucalyptus then implements this network across all CCs. All instances that run within this security group obtain a specific IP from this range.
Tip
Ten of the IP addresses within each security group network are reserved for Eucalyptus to use as gateway addresses, broadcast address, etc. For example, if you set VNET_ADDRSPERNET to 32, there will be 22 free IPs that are available for instances running in that security group.
In Managed mode, each security group network is assigned an additional parameter that is used as the VLAN tag. This parameter is added to all virtual machine traffic running within the security group. By default, Eucalyptus uses VLAN tags starting at 2, going to a maximum of 4094. The maximum is dependent on how many security group networks of the size specified in VNET_ADDRSPERNET fit in the network defined by VNET_SUBNET and VNET_NETMASK.
If your networking environment is already using VLANs for other reasons, Eucalyptus supports the definition of a smaller range of VLANs that are available to Eucalyptus. To set this range with a running and configured Eucalyptus installation:
  1. Determine the range that your cluster controllers are configured to support.
    euca-describe-properties | grep cluster.maxnetworktag  
    euca-describe-properties | grep cluster.minnetworktag
  2. Define a range that is a proper subset of the above bounds.
    euca-modify-property -p cloud.network.global_max_network_tag=<max_vlan_tag>
    euca-modify-property -p cloud.network.global_min_network_tag=<min_vlan_tag>
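The following added example (not part of the Eucalyptus documentation or code base) works through the sizing rules above: it builds the pool from VNET_SUBNET and VNET_NETMASK, divides it into VNET_ADDRSPERNET-sized networks, subtracts the ten reserved addresses, derives the highest VLAN tag Managed mode could hand out, and checks that a chosen tag range is a proper subset of the cluster bounds from step 2. The power-of-two requirement on VNET_ADDRSPERNET is an assumption, not something this page states.

```python
import ipaddress
from typing import List, NamedTuple

RESERVED_PER_NET = 10   # gateway, broadcast, etc., reserved by Eucalyptus (see the tip)
FIRST_VLAN_TAG = 2      # default lowest tag in Managed mode
MAX_VLAN_TAG = 4094     # hard ceiling stated above


class SecurityGroupPlan(NamedTuple):
    pool: ipaddress.IPv4Network   # range built from VNET_SUBNET / VNET_NETMASK
    network_count: int            # how many security group networks fit in the pool
    usable_per_net: int           # addresses left for instances in each network
    highest_vlan_tag: int         # last tag that could be assigned to a security group


def plan_security_groups(vnet_subnet: str, vnet_netmask: str, vnet_addrspernet: int) -> SecurityGroupPlan:
    """Compute how the CC will carve the pool into security group networks."""
    # Assumption (not stated on this page): the per-network size must be a power of two
    # so the pool splits into equal, aligned subnets.
    if vnet_addrspernet & (vnet_addrspernet - 1):
        raise ValueError("VNET_ADDRSPERNET must be a power of two")
    if vnet_addrspernet <= RESERVED_PER_NET:
        raise ValueError("VNET_ADDRSPERNET leaves no addresses for instances")
    # strict=True rejects a VNET_SUBNET with host bits set under VNET_NETMASK.
    pool = ipaddress.IPv4Network(f"{vnet_subnet}/{vnet_netmask}", strict=True)
    network_count = pool.num_addresses // vnet_addrspernet
    # One tag per security group network, starting at 2 and never beyond 4094.
    highest_tag = min(FIRST_VLAN_TAG + network_count - 1, MAX_VLAN_TAG)
    return SecurityGroupPlan(pool, network_count, vnet_addrspernet - RESERVED_PER_NET, highest_tag)


def security_group_subnets(plan: SecurityGroupPlan, vnet_addrspernet: int) -> List[ipaddress.IPv4Network]:
    """Enumerate the candidate networks in the order they sit inside the pool."""
    new_prefix = 32 - (vnet_addrspernet.bit_length() - 1)   # e.g. 32 addresses -> /27
    return list(plan.pool.subnets(new_prefix=new_prefix))


def vlan_range_is_valid(cluster_min: int, cluster_max: int, min_tag: int, max_tag: int) -> bool:
    """True when [min_tag, max_tag] is a proper subset of the cluster's [cluster_min, cluster_max]."""
    inside = cluster_min <= min_tag <= max_tag <= cluster_max
    # "Proper" here means strictly smaller than the cluster's own range.
    return inside and (min_tag, max_tag) != (cluster_min, cluster_max)


if __name__ == "__main__":
    # Constructed sample settings, not from a real eucalyptus.conf.
    plan = plan_security_groups("10.0.0.0", "255.255.0.0", 32)
    print(plan.network_count, plan.usable_per_net, plan.highest_vlan_tag)   # 2048 22 2049
    print(security_group_subnets(plan, 32)[:2])
    print(vlan_range_is_valid(2, 4094, 100, 200))                           # True
```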