We have an organization in vCloud that contains several vApps for different customers; they share an organization network pool (public IPs). There was a situation where one of our customers manually bound an IP (which had been assigned to another customer's VM by vCloud) at the OS level to his VMs, and caused the other customer's VM to become unreachable. So how can we prevent it?
Thank you for your help!
Don't give them the ability to do so? vCloud Director doesn't have the ability to check inside the Guest OS.
You might be able to do some post-provision compliance check, but if they have access to the OS and the permissions to set an IP address ... there is technically nothing stopping them from setting the IP address to something other than what vCloud Director provisioned.
The alternative is to not give them public IPs from an External Network. If they are using an internal Organization-level network, which is properly isolated via a Network Pool, then there should be no issue with the changed IP because they are separated via the Network Pool method (VXLAN, VLAN, etc.).
Thank you for your reply!
In our situation, the customers have to have full local administrator permission for the Guest OS, and also Public IPs.
Just wondering whether there is a way to bind (or lock) the MAC address and IP address at the VM virtual network or virtual switch level.
In VMware vShield Manager, there is SpoofGuard, and it has an option "Virtual NICs IP Required Approval", do you think it can be used to deal with the issue here?
After testing it, it seems that the "vShield App" firewall + SpoofGuard could control it.
Yeah, I found that out today as well ... but it's not something vCloud Director has control over.
If we control it via the vShield API, do you think we can add it into vCloud Director? Such as building a custom cloud portal?
According to the document https://www.vmware.com/pdf/vshield_55_api.pdf on page 185, the IP change can be approved via the API. We could get the list of IP changes by: GET https://vsmURL/api/2.0/services/spoofguard/datacenter-21?list=PUBLISHED and here is the IP change that we would like to approve:
<spoofguard>
<vnicUuid>5039c73c-f622-03e4-ca22-5a65a47fcea1.000</vnicUuid>
<nicName> Win7-new (f3bd946d-4448-4bbf-80e4-5a41696fbe3f) - Network adapter 1 </nicName>
<portGroupId>dvportgroup-61</portGroupId>
<vmMoId>vm-273</vmMoId>
<approvedIpAddress>192.168.159.162</approvedIpAddress>
<approvedMacAddress>00:50:56:01:00:00</approvedMacAddress>
<approvedBy>admin</approvedBy>
<approvedOn>2013-11-16 00:46:08.867</approvedOn>
<publishedIpAddress>192.168.159.162</publishedIpAddress>
<publishedMacAddress>00:50:56:01:00:00</publishedMacAddress>
<publishedBy>admin</publishedBy>
<publishedOn>2013-11-16 01:20:49.459</publishedOn>
<state>0</state>
<detectedIpAddress>192.168.159.163</detectedIpAddress>
<detectedMacAddress>00:50:56:01:00:00</detectedMacAddress>
</spoofguard>
However, when we tried to approve it by POST https://vsmURL/api/2.0/services/spoofguard/datacenter-21?action=approve with the above text copied and pasted into the message body, we got the following error:
type Status report
message
description The server refused this request because the request entity is in a format not supported by the requested resource for the requested method.
I think we might not get this one right: "An XML representation of VnicIdList is expected in the message body for delete and approve actions." (Page 185).
Has anyone made this work before? Or do you have some idea about it?
Thank you!
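As an added example (not code from the thread or from VMware), here is how the PUBLISHED list quoted above can be parsed to flag vNICs whose guest-configured IP differs from the SpoofGuard-approved one, and how an approve body keyed on vnicUuid can be built. Element names inside <spoofguard> are taken from the thread; the list root element and the <vnicIdList>/<vnicId> layout are assumptions to verify against page 185 of the API guide.

```python
# Added example: review SpoofGuard IP changes and build the approve body.
# Element names under <spoofguard> come from the thread; the list root and the
# VnicIdList layout are ASSUMPTIONS (check the vShield 5.5 API guide, p.185).
import xml.etree.ElementTree as ET

# Constructed sample: the entry quoted in the thread, wrapped in an assumed
# list root (the root of the GET ...?list=PUBLISHED response is not shown).
SAMPLE_PUBLISHED = """<spoofguardList>
<spoofguard>
  <vnicUuid>5039c73c-f622-03e4-ca22-5a65a47fcea1.000</vnicUuid>
  <vmMoId>vm-273</vmMoId>
  <approvedIpAddress>192.168.159.162</approvedIpAddress>
  <approvedMacAddress>00:50:56:01:00:00</approvedMacAddress>
  <detectedIpAddress>192.168.159.163</detectedIpAddress>
  <detectedMacAddress>00:50:56:01:00:00</detectedMacAddress>
</spoofguard>
</spoofguardList>"""


def find_ip_changes(published_xml):
    """Return (vnicUuid, vmMoId, approved_ip, detected_ip) for every vNIC whose
    IP seen on the wire no longer matches what SpoofGuard has approved."""
    changes = []
    for sg in ET.fromstring(published_xml).iter("spoofguard"):
        approved = sg.findtext("approvedIpAddress", "").strip()
        detected = sg.findtext("detectedIpAddress", "").strip()
        if detected and detected != approved:
            changes.append((sg.findtext("vnicUuid").strip(),
                            sg.findtext("vmMoId").strip(), approved, detected))
    return changes


def build_approve_body(vnic_uuids):
    """Build the VnicIdList body for ?action=approve. ASSUMPTION: element names
    <vnicIdList> and <vnicId>; only vnicUuid values are sent, not the entry."""
    root = ET.Element("vnicIdList")
    for uuid in vnic_uuids:
        ET.SubElement(root, "vnicId").text = uuid
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    changes = find_ip_changes(SAMPLE_PUBLISHED)
    for vnic, vm, old, new in changes:
        print(f"{vm} {vnic}: approved {old}, detected {new} -> needs review")
    # Approve only entries an operator has confirmed belong to that customer's
    # own address assignment; the POST must carry Content-Type: application/xml.
    print(build_approve_body([c[0] for c in changes]))
```

The error text quoted above is Tomcat's description of HTTP 415 (Unsupported Media Type), so besides the body shape, check that the POST sends a Content-Type of application/xml rather than a bare text body.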