Network

In the CloudFerro Platform, networking is fully virtualized and fully configurable. A User can use public shared networks or can create Virtual Networks for their VMs. The User can also create Virtual Routers to route traffic between Virtual Networks or from/to the Internet. In addition, the CloudFerro Platform provides several network extensions such as VPNaaS, LBaaS and FWaaS.


Internet Access

Description

The outside Internet can be accessed from VMs by means of: NAT on Virtual Routers (one-directional access: connections can be initiated from the VM, but not from the outside), Floating IPs combined with NAT on Virtual Routers (one-to-one mapping of internal private IP addresses to public Floating IP addresses), and direct connection of VMs to the public Internet networks.

Billing

In all of the above cases, Internet traffic is billed per GByte of data transferred, according to the Price List. Internet traffic is billed per single Project (or Virtual Environment).

Virtual Network

Description

A User can use Virtual Networks to interconnect VMs and can create many IP subnets within each of them. An IP subnet can have a DHCP server enabled to automatically assign IP addresses and to provide DNS and default gateway addresses to VMs. Each VM can be connected to one or more Virtual Networks.
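The following is an added example, not CloudFerro or OpenStack code: a small model of a Virtual Network holding several non-overlapping IP subnets, each with its own DHCP pool that hands a VM an address together with the subnet's gateway and DNS server. The CIDRs, the DNS address and the VM names are constructed for the illustration; the convention of reserving the first usable address for the gateway is an assumption of this model.

```python
"""Model of a Virtual Network with IP subnets and per-subnet DHCP (added example)."""
import ipaddress


class Subnet:
    """One IP subnet of a Virtual Network; optionally runs a DHCP server."""

    def __init__(self, cidr, dns, dhcp=True):
        self.net = ipaddress.ip_network(cidr)
        hosts = list(self.net.hosts())
        self.gateway = hosts[0]   # assumption: first usable address is the default gateway
        self.pool = hosts[1:]     # remaining addresses form the DHCP allocation pool
        self.dns = list(dns)      # DNS servers handed out with every lease
        self.dhcp = dhcp
        self.leases = {}          # VM name -> allocated address

    def lease(self, vm):
        """Return the DHCP offer for a VM: address, default gateway and DNS servers."""
        if not self.dhcp:
            raise RuntimeError("DHCP is disabled on this subnet; configure the VM statically")
        if vm not in self.leases:
            if not self.pool:
                raise RuntimeError(f"subnet {self.net} has no free addresses")
            self.leases[vm] = self.pool.pop(0)   # same VM always gets the same address
        return {
            "ip": str(self.leases[vm]),
            "gateway": str(self.gateway),
            "dns": self.dns,
        }


class VirtualNetwork:
    """A tenant network that may carry several IP subnets."""

    def __init__(self, name):
        self.name = name
        self.subnets = []

    def add_subnet(self, subnet):
        """Attach a subnet, refusing address ranges that overlap an existing one."""
        for existing in self.subnets:
            if existing.net.overlaps(subnet.net):
                raise ValueError(f"{subnet.net} overlaps existing subnet {existing.net}")
        self.subnets.append(subnet)
        return subnet


if __name__ == "__main__":
    # Constructed sample: one network, two subnets, two VMs leasing addresses.
    net = VirtualNetwork("app-net")
    front = net.add_subnet(Subnet("10.0.0.0/24", ["198.51.100.53"]))
    net.add_subnet(Subnet("10.0.1.0/24", ["198.51.100.53"]))
    print(front.lease("web-1"))
    print(front.lease("web-2"))
```

Attaching a second subnet that overlaps the first raises `ValueError`, which is the check a practitioner wants before a misconfigured subnet silently shadows another one's addresses.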

Provisioning

A User can see the current network topology in a legible form on a diagram and can manage Virtual Networks via the API or the Cloud Dashboard.

Billing

Virtual Networks within a single Project are free and data transferred via such Networks is also free. Virtual Networks connecting different Projects are also free but data transferred via such Networks is billed according to the Price List.

Figure 1 - Illustration of the networks and routers

Virtual Routers

Description

A Virtual Router connects two or more Networks and routes traffic between them. Usually, it is the default gateway for VMs. A User needs to have a Virtual Router between a public and a private network to provide Internet access to VMs in that private network. The Virtual Router uses NAT (Network Address Translation) to provide Internet access to VMs.

Provisioning

A User can manage Virtual Routers via the API or the Cloud Dashboard.

Billing

Virtual Routers are free.

Floating IP

Description

A Floating IP is a public IP address that is mapped one-to-one to a private IP address assigned to a VM. It is realized on a Virtual Router using the NAT mechanism. A Floating IP provides public access from the Internet to services running on a VM without assigning a public IP directly to the VM.
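The following is an added example, not CloudFerro or OpenStack code, covering the Internet Access, Virtual Routers and Floating IP sections together: a model of a Virtual Router that source-NATs outbound VM traffic behind its own public address (so only VM-initiated connections get through, tracked in a connection table) and applies a one-to-one mapping for VMs that hold a Floating IP (so inbound connections to that public address reach the VM). All addresses, the port range and the packet representation are constructed for the illustration.

```python
"""Model of a Virtual Router: shared SNAT plus Floating-IP one-to-one NAT (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: the router's own public address and the Floating IP mapping.
ROUTER_PUBLIC_IP = "203.0.113.10"
FLOATING_IPS = {"203.0.113.20": "10.0.0.5"}   # Floating IP -> VM private IP


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class VirtualRouter:
    """SNAT for VM-initiated flows, 1:1 DNAT for Floating IPs, nothing else inbound."""

    def __init__(self, public_ip, floating):
        self.public_ip = public_ip
        self.floating = dict(floating)                          # public -> private
        self.reverse = {v: k for k, v in self.floating.items()}  # private -> public
        self.conntrack = {}   # (public_ip, public_port, remote_ip, remote_port) -> (vm_ip, vm_port)
        self.next_port = 40000  # constructed start of the SNAT port range

    def outbound(self, pkt):
        """VM -> Internet: use the VM's Floating IP if it has one, else the shared SNAT address."""
        if pkt.src in self.reverse:
            # One-to-one mapping: the source port is preserved, no port allocation needed.
            return Packet(self.reverse[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        public_port = self.next_port
        self.next_port += 1
        # Remember the flow so that replies can be translated back to the VM.
        self.conntrack[(self.public_ip, public_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, public_port, pkt.dst, pkt.dport)

    def inbound(self, pkt) -> Optional[Packet]:
        """Internet -> VM: translated packet, or None when the router drops it."""
        if pkt.dst in self.floating:
            # Floating IP: any inbound connection reaches the mapped VM (filtering is left to
            # Security Groups / FWaaS, which this model does not include).
            return Packet(pkt.src, pkt.sport, self.floating[pkt.dst], pkt.dport)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack:
            vm_ip, vm_port = self.conntrack[key]     # reply to a VM-initiated flow
            return Packet(pkt.src, pkt.sport, vm_ip, vm_port)
        return None   # unsolicited traffic to the shared SNAT address has nowhere to go


if __name__ == "__main__":
    router = VirtualRouter(ROUTER_PUBLIC_IP, FLOATING_IPS)
    print(router.outbound(Packet("10.0.0.7", 51000, "198.51.100.1", 443)))
    print(router.inbound(Packet("198.51.100.9", 12345, "203.0.113.10", 22)))   # None
    print(router.inbound(Packet("198.51.100.9", 12345, "203.0.113.20", 22)))   # reaches 10.0.0.5
```

The model makes the security difference between the two modes visible: a VM behind plain SNAT is unreachable from the outside no matter what services it runs, whereas a VM with a Floating IP is reachable on every port, so its exposure is defined entirely by the Security Group and FWaaS rules in front of it.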

Provisioning

A User can manage Floating IP assignments via the API or the Cloud Dashboard.

Billing

The first public IP per VM or Bare Metal Machine is free. All further IPs are billed according to the Price List.

Load Balancer as a Service (LBaaS)

Description

The LBaaS extension provides Users with the ability to set up an L4/L7 load balancer for their services. A User can define a listener (HTTP/HTTPS or TCP) with a public IP and then attach to it a pool of private backend servers with a specific load balancing algorithm (round robin or least connections). The LBaaS supports SSL termination, and a User can also specify how backend servers are monitored by the load balancer (HTTP, HTTPS or TCP connect).
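The following is an added example, not CloudFerro or OpenStack code: a model of the LBaaS objects described above (a listener, a backend pool using either round robin or least connections, and a health monitor whose probe result decides which members stay in rotation). The member addresses, the probe outcomes and the method names are constructed for the illustration.

```python
"""Model of an LBaaS listener, pool, algorithms and health monitor (added example)."""


class Member:
    """A private backend server in a pool."""

    def __init__(self, address, port):
        self.address = address
        self.port = port
        self.healthy = True   # set by the health monitor
        self.active = 0       # open connections currently routed here


class Pool:
    """Backend pool with a load balancing algorithm."""

    ALGORITHMS = ("ROUND_ROBIN", "LEAST_CONNECTIONS")

    def __init__(self, algorithm, members):
        if algorithm not in self.ALGORITHMS:
            raise ValueError(f"unsupported algorithm {algorithm}")
        self.algorithm = algorithm
        self.members = list(members)
        self._rr = 0   # round-robin cursor

    def healthy_members(self):
        return [m for m in self.members if m.healthy]

    def select(self):
        """Choose a backend for a new connection; members marked down are skipped."""
        candidates = self.healthy_members()
        if not candidates:
            return None   # every backend is down; the listener has nothing to forward to
        if self.algorithm == "ROUND_ROBIN":
            member = candidates[self._rr % len(candidates)]
            self._rr += 1
        else:
            member = min(candidates, key=lambda m: m.active)   # fewest open connections
        member.active += 1
        return member

    def release(self, member):
        """Connection closed; free the slot for least-connections accounting."""
        member.active -= 1


def run_health_monitor(pool, probe):
    """Run one monitoring round. probe(member) stands in for an HTTP, HTTPS or TCP-connect
    check and returns True when the backend answered correctly. Returns the healthy addresses."""
    for member in pool.members:
        member.healthy = bool(probe(member))
    return [m.address for m in pool.healthy_members()]


class Listener:
    """Public-facing endpoint; with SSL termination the backends see plain HTTP."""

    def __init__(self, protocol, public_ip, port, pool, tls_terminated=False):
        self.protocol = protocol
        self.public_ip = public_ip
        self.port = port
        self.pool = pool
        self.tls_terminated = tls_terminated

    def route(self):
        """Return 'address:port' of the chosen backend, or None if all are down (HTTP 503)."""
        member = self.pool.select()
        return None if member is None else f"{member.address}:{member.port}"


if __name__ == "__main__":
    # Constructed sample: three backends, one of which fails its health check.
    pool = Pool("ROUND_ROBIN", [Member("10.0.0.11", 8080), Member("10.0.0.12", 8080), Member("10.0.0.13", 8080)])
    listener = Listener("HTTPS", "203.0.113.30", 443, pool, tls_terminated=True)
    print(run_health_monitor(pool, lambda m: m.address != "10.0.0.12"))
    print([listener.route() for _ in range(4)])
```

Backends are only ever removed from rotation by the monitor, never by a failed request, which is why choosing a monitor type that actually exercises the service (an HTTP check on a health path rather than a bare TCP connect) matters for availability.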

Provisioning

The LBaaS is fully configurable using API and the Cloud Dashboard.

Billing

The LBaaS is billed in monthly quanta according to the Price List.

Authentication and Authorization

Description

The CloudFerro Platform cloud security relies on OpenStack's centralized authentication and authorization model, managed by the OpenStack Identity Service (Keystone). Keystone manages Tenants (Environments), Projects, Users, user Roles, service Catalogs and service access Policies. Every cloud management operation (such as mounting a volume or accessing object storage) performed by a User or an application, whether through the Dashboard or through the API, must first be validated by Keystone. The Keystone security model is further described in Keystone Architecture. Keystone user profiles are connected to Keycloak profiles that are managed by the customer panel. Each user must register in the User Portal before managing the services.

An Environment consists of one or several Projects and is usually associated with a customer/User (an organization), sometimes called a Tenant. A single customer/User may well have several Projects. Each Project consists of a separate virtual environment composed of different resources such as VMs, storage volumes, etc. Accounts are attributed to individual Users (persons). There may be several User accounts within a Project, and the same User can participate in several Projects. Every User can be attributed certain Roles within a Project that allow them to perform cloud management tasks on different kinds of resources (Virtual Machines, Volumes, Object Storage, etc.), according to the usage policies defined for these resources.

This model improves security by centralizing identity services while allowing flexible management of access rights, in particular for the creation of User/person accounts, per-Project administrative accounts, and service manager accounts that have visibility and access to contract billing information across several Projects. Single-Project administrative accounts have management and visibility rights limited to their own Project.

Users/persons are able to provision and start resources such as VMs and volume storage, manage their contents, and configure connectivity and firewalling rules for VMs. While provisioning a new VM, Users may provide or generate a key pair and associate it with the new VM instance. The public key is injected into the VM and used for SSH authentication of the root account (or of an account with root privileges, depending on the OS). Users may log in to the instance via SSH with root privileges and set up other accounts using key pairs or passwords for authentication. Authorized Users can submit tickets to the helpdesk using either the www Customer Portal or a mail interface.
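The following is an added example, not Keystone or CloudFerro code: a model of the role-based model described in the paragraphs above, in which Roles are granted to a User within a Project (or, for service manager accounts, across all Projects of an Environment), a token is scoped to one Project, and every operation is checked against a policy that names the Roles allowed to perform it. The user, Project and Environment names, the policy table and the role names are constructed for the illustration.

```python
"""Model of Keystone-style project-scoped roles and policy enforcement (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    user: str
    project: str        # the single Project this token is scoped to
    roles: frozenset    # effective roles of the user in that Project


# Constructed policy table: operation -> roles that may perform it.
POLICY = {
    "compute:create_server": {"member", "admin"},
    "volume:attach": {"member", "admin"},
    "network:update_security_group": {"member", "admin"},
    "identity:create_user": {"admin"},            # per-Project administrative account
    "billing:read_contract": {"service_manager"},  # visible across Projects of an Environment
}


class Identity:
    """Keeps role assignments and answers 'may this token do this operation?'."""

    def __init__(self, projects):
        self.projects = dict(projects)   # project -> Environment (Tenant) it belongs to
        self.project_roles = {}          # (user, project) -> set of roles
        self.env_roles = {}              # (user, environment) -> set of roles

    def grant(self, user, project, role):
        """Grant a role that is valid in one Project only."""
        self.project_roles.setdefault((user, project), set()).add(role)

    def grant_environment(self, user, environment, role):
        """Grant a role that applies to every Project of an Environment (e.g. service manager)."""
        self.env_roles.setdefault((user, environment), set()).add(role)

    def effective_roles(self, user, project):
        environment = self.projects[project]
        return (self.project_roles.get((user, project), set())
                | self.env_roles.get((user, environment), set()))

    def issue_token(self, user, project):
        """A token can only be scoped to a Project in which the user holds at least one role."""
        roles = self.effective_roles(user, project)
        if not roles:
            raise PermissionError(f"{user} has no role in project {project}")
        return Token(user, project, frozenset(roles))

    @staticmethod
    def enforce(token, operation):
        """Allow the operation if any role in the token is listed for it in the policy."""
        return bool(POLICY.get(operation, set()) & token.roles)


if __name__ == "__main__":
    idp = Identity({"proj-a": "env-acme", "proj-b": "env-acme"})
    idp.grant("alice", "proj-a", "member")
    idp.grant_environment("carol", "env-acme", "service_manager")
    print(idp.enforce(idp.issue_token("alice", "proj-a"), "compute:create_server"))   # True
    print(idp.enforce(idp.issue_token("carol", "proj-b"), "billing:read_contract"))   # True
```

An operation missing from the policy table is denied for everyone, so adding a new service means adding an explicit entry rather than inheriting a permissive default.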

Provisioning

As part of other services.

Billing

The CloudFerro Platform authentication and authorization based on the Keystone module are free of charge.

Security Groups

Description

A Security Group is a set of IP traffic filtering rules which forms a firewall placed directly in front of a VM on all of its interfaces. A User can specify rules and their order, and can assign a Security Group to a VM. A single rule specifies a protocol, source and destination addresses, ports and an action (allow/drop). Security Groups are a security mechanism attributed directly to VMs.

Provisioning

Security Groups can be managed via the API or the Cloud Dashboard.

Billing

Security Groups are free within predefined limits.

Firewall as a Service (FWaaS)

Description

The FWaaS extension provides Users with the ability to deploy virtual firewalls that protect their whole private network at the network edge. The FWaaS extension enables you to apply firewall rules to traffic entering and leaving Tenant networks from/to the Internet (north-south traffic). In the current version there is no support for traffic filtering between private networks (east-west traffic).
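The following is an added example, not CloudFerro or OpenStack code, serving both the Security Groups section and the FWaaS section above: one ordered rule evaluator (first matching rule wins, unmatched traffic is dropped) applied in the two places the page describes, on every interface of a VM as a Security Group and on the Virtual Router as a FWaaS policy that sees only north-south traffic. The addresses, the Tenant address range, the rule sets and the sample flows are constructed for the illustration.

```python
"""Ordered filtering rules applied as a Security Group and as FWaaS (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str    # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str                       # "tcp", "udp", "icmp" or "any"
    src: str                         # source CIDR
    dst: str                         # destination CIDR
    dports: Optional[Tuple[int, int]]  # inclusive port range, None for any port
    action: str                      # "allow" or "drop"

    def matches(self, flow):
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports is not None and not (self.dports[0] <= flow.dport <= self.dports[1]):
            return False
        return True


def evaluate(rules, flow, default="drop"):
    """Walk the rules in order; the first match decides, otherwise the default applies."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Constructed Tenant address space; anything outside it counts as the Internet.
TENANT_NETWORKS = ipaddress.ip_network("10.0.0.0/16")


def is_north_south(flow):
    """True when exactly one endpoint lies outside the Tenant networks."""
    src_inside = ipaddress.ip_address(flow.src) in TENANT_NETWORKS
    dst_inside = ipaddress.ip_address(flow.dst) in TENANT_NETWORKS
    return src_inside != dst_inside


def fwaas(rules, flow):
    """Edge firewall on the Virtual Router: only north-south traffic is inspected."""
    if not is_north_south(flow):
        return "allow"   # east-west traffic between private networks is not filtered
    return evaluate(rules, flow)


def security_group(rules, flow):
    """Per-VM filter on every interface, so east-west traffic is covered as well."""
    return evaluate(rules, flow)


if __name__ == "__main__":
    edge = [
        Rule("tcp", "0.0.0.0/0", "10.0.0.0/16", (443, 443), "allow"),
        Rule("any", "0.0.0.0/0", "0.0.0.0/0", None, "drop"),
    ]
    east_west = Flow("tcp", "10.0.1.9", "10.0.0.5", 22)
    print(fwaas(edge, east_west))            # allow: FWaaS never sees this flow
    sg = [Rule("tcp", "10.0.0.0/24", "0.0.0.0/0", (22, 22), "allow")]
    print(security_group(sg, east_west))     # drop: the Security Group does
```

Running the same east-west flow through both functions shows why the page's caveat matters: with the edge policy alone, a compromised VM in one private network can reach any port on a VM in another, and only the Security Groups on the VMs close that path. Reversing the order of the two edge rules (drop-all first) also shows that rule order, not just rule content, decides the outcome.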

Provisioning

The firewall is fully configurable using API and the Cloud Dashboard.

Billing

The FWaaS is billed in monthly quanta according to the Price List.

Image Software Upgrades

Description

All operating system image templates will be updated/patched on a regular basis (at least once per week) with security/bugfix patches and similar hot-fixes for the system and its preinstalled software. Copies of all intermediate versions will be maintained. All virtual machines will be configured with the automatic updates feature enabled. The platform will include an internal proxy server dedicated to updates for machines intentionally disconnected from the Internet; the same proxy server will also serve other machines as an update performance booster. As a matter of principle, we will not perform any operations inside the Tenant’s Virtual Machines after their provisioning.

Therefore, users will be responsible for maintaining and patching the guest system and applications after the machine has been provisioned. On request, we will provide technical assistance to users who wish to perform major upgrades of their systems, migrate their machines to a different operating system, or request similar assistance.

Provisioning

Upgraded operating software images will be available in the platform image service (Glance).

Billing

Image software security upgrades are free of charge.