server: assign Public IP to VPC VR and enable static nat if VR is not Source NAT

Author: weizhouapache

engine/components-api/src/main/java/com/cloud/network/vpc/VpcManager.java

@@ -35,6 +35,7 @@
 import com.cloud.network.Network.Service;
 import com.cloud.network.PhysicalNetwork;
 import com.cloud.network.addr.PublicIp;
+import com.cloud.network.dao.IPAddressVO;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.user.Account;
 
@@ -180,4 +181,8 @@ public interface VpcManager {
     List<StaticRouteProfile> getVpcStaticRoutes(List<? extends StaticRoute> routes);
 
     boolean isProviderSupportServiceInVpc(long vpcId, Service service, Provider provider);
+
+    IPAddressVO getIpAddressForVpcVR(Vpc vpc, IPAddressVO ipAddress);
+
+    boolean enableStaticNatForVpcVR(Vpc vpc, IPAddressVO ipAddress);
 }

engine/schema/src/main/java/com/cloud/network/dao/IPAddressVO.java

@@ -116,6 +116,9 @@ public class IPAddressVO implements IpAddress {
     @Column(name = "forsystemvms")
     private boolean forSystemVms = false;
 
+    @Column(name = "for_virtual_router")
+    private boolean forVirtualRouter = false;
+
     @Column(name= GenericDao.REMOVED_COLUMN)
     private Date removed;
 
@@ -385,4 +388,12 @@ public void setRuleState(State ruleState) {
     public boolean isForSystemVms() {
         return forSystemVms;
     }
+
+    public boolean isForVirtualRouter() {
+        return forVirtualRouter;
+    }
+
+    public void setForVirtualRouter(boolean forVirtualRouter) {
+        this.forVirtualRouter = forVirtualRouter;
+    }
 }

engine/schema/src/main/resources/META-INF/db/schema-42000to42010.sql

@@ -34,4 +34,7 @@ CALL `cloud`.`IDEMPOTENT_ADD_FOREIGN_KEY`('cloud.mshost_peer', 'fk_mshost_peer__
 CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.volumes', 'last_id', 'bigint(20) unsigned DEFAULT NULL');
 
 -- Add next_hop to the static_routes table
-CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.static_routes', 'next_hop', 'varchar(50) COMMENT "next hop of the static route" AFTER `vpc_gateway_id`');
+CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.static_routes', 'next_hop', 'varchar(50) COMMENT "next hop of the static route" AFTER `vpc_gateway_id`');
+
+-- Add `for_virtual_router` to `user_ip_address` table
+CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.user_ip_address', 'for_virtual_router', 'tinyint(1) DEFAULT 0 COMMENT "If the IP is used by Virtual Router to expose services"');

server/src/main/java/com/cloud/network/rules/RulesManagerImpl.java

@@ -480,8 +480,8 @@ private boolean enableStaticNat(long ipId, long vmId, long networkId, boolean is
                 throw new InvalidParameterValueException("Unable to create static nat rule; StaticNat service is not " + "supported in network with specified id");
             }
 
+            VMInstanceVO vm = _vmInstanceDao.findById(vmId);
             if (!isSystemVm) {
-                VMInstanceVO vm = _vmInstanceDao.findById(vmId);
                 if (vm == null) {
                         throw new InvalidParameterValueException("Can't enable static nat for the address id=" + ipId + ", invalid virtual machine id specified (" + vmId +
                             ").");
@@ -593,6 +593,9 @@ private boolean enableStaticNat(long ipId, long vmId, long networkId, boolean is
 
             ipAddress.setOneToOneNat(true);
             ipAddress.setAssociatedWithVmId(vmId);
+            if (vm != null && Type.DomainRouter.equals(vm.getType())) {
+                ipAddress.setForVirtualRouter(true);
+            }
 
             ipAddress.setVmIp(dstIp);
             if (_ipAddressDao.update(ipAddress.getId(), ipAddress)) {
@@ -1347,6 +1350,7 @@ public boolean disableStaticNat(long ipId, Account caller, long callerUserId, bo
             ipAddress.setAssociatedWithVmId(null);
             ipAddress.setRuleState(null);
             ipAddress.setVmIp(null);
+            ipAddress.setForVirtualRouter(false);
             if (isIpSystem && !releaseIpIfElastic) {
                 ipAddress.setSystem(false);
             }

server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java

@@ -50,7 +50,10 @@
 import com.cloud.dc.Vlan;
 import com.cloud.network.dao.NsxProviderDao;
 import com.cloud.network.element.NsxProviderVO;
+import com.cloud.network.rules.RulesManager;
 import com.cloud.resourcelimit.CheckedReservation;
+import com.cloud.vm.VMInstanceVO;
+import com.cloud.vm.dao.VMInstanceDao;
 import com.google.common.collect.Sets;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.alert.AlertService;
@@ -292,6 +295,12 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
     private NsxProviderDao nsxProviderDao;
     @Inject
     RoutedIpv4Manager routedIpv4Manager;
+    @Inject
+    DomainRouterDao domainRouterDao;
+    @Inject
+    RulesManager rulesManager;
+    @Inject
+    VMInstanceDao vmInstanceDao;
 
     private final ScheduledExecutorService _executor = Executors.newScheduledThreadPool(1, new NamedThreadFactory("VpcChecker"));
     private List<VpcProvider> vpcElements = null;
@@ -3581,4 +3590,74 @@ public List<StaticRouteProfile> getVpcStaticRoutes(final List<? extends StaticRo
     public boolean isProviderSupportServiceInVpc(long vpcId, Service service, Provider provider) {
         return _vpcSrvcDao.canProviderSupportServiceInVpc(vpcId, service, provider);
     }
+
+    @Override
+    public IPAddressVO getIpAddressForVpcVR(Vpc vpc, IPAddressVO ipAddress) {
+        // Validate if the IP address is associated to a VPC VR
+        final List<IPAddressVO> ips = _ipAddressDao.listByAssociatedVpc(vpc.getId(), null);
+        IPAddressVO ipAddressForVR = ips.stream().filter(ip -> ip.isForVirtualRouter()).findFirst().orElse(null);
+        if (ipAddressForVR != null) {
+            if (ipAddress != null && ipAddressForVR.getId() != ipAddress.getId()) {
+                throw new InvalidParameterValueException(String.format("Cannot assign Public IP %s to VPC VR as %s has been associated to the VPC VR.",
+                        ipAddress.getAddress().addr(), ipAddressForVR.getAddress().addr()));
+            }
+            return ipAddressForVR;
+        } else if (ipAddress != null) {
+            return ipAddress;
+        }
+
+        Account account = _accountMgr.getAccount(vpc.getAccountId());
+        DataCenter zone = _dcDao.findById(vpc.getZoneId());
+        try {
+            IpAddress ip = _ipAddrMgr.allocateIp(account, false, CallContext.current().getCallingAccount(),
+                    CallContext.current().getCallingUserId(), zone, null, null);
+            this.associateIPToVpc(ip.getId(), vpc.getId());
+            return _ipAddressDao.findById(ip.getId());
+        } catch (InsufficientAddressCapacityException | ResourceAllocationException | ResourceUnavailableException ex) {
+            throw new InvalidParameterValueException("Cannot assign Public IP to VPC VR: " + ex.getMessage());
+        }
+    }
+
+    @Override
+    public boolean enableStaticNatForVpcVR(Vpc vpc, IPAddressVO ipAddress) {
+        // Get VPC networks
+        List<NetworkVO> networks = _ntwkDao.listByVpc(vpc.getId());
+        if (CollectionUtils.isEmpty(networks)) {
+            throw new InvalidParameterValueException("Cannot assign Public IP to VPC VR as there is no VPC networks");
+        }
+
+        List<DomainRouterVO> routers = domainRouterDao.listByVpcId(vpc.getId());
+        if (CollectionUtils.isEmpty(routers)) {
+            throw new InvalidParameterValueException("Cannot assign Public IP to VPC VR as there is no VPC VR");
+        }
+
+        if (ipAddress.isOneToOneNat()) {
+            Long vmId = ipAddress.getAssociatedWithVmId();
+            VMInstanceVO vm = vmInstanceDao.findById(vmId);
+            if (vm != null && VirtualMachine.Type.DomainRouter.equals(vm.getType())) {
+                logger.debug("The Public IP has been already associated with VM " + vm);
+                return true;
+            } else {
+                throw new InvalidParameterValueException("Cannot assign Public IP to VPC VR as the Public IP is associated with vm with id=" + vmId);
+            }
+        }
+
+        for (NetworkVO network : networks) {
+            for (DomainRouterVO router : routers) {
+                NicVO nic = nicDao.findByNtwkIdAndInstanceId(network.getId(), router.getId());
+                if (nic != null) {
+                    try {
+                        // Enable static nat for the VPC VR
+                        rulesManager.enableStaticNat(ipAddress.getId(), router.getId(), network.getId(), null);
+                    } catch (ResourceUnavailableException | NetworkRuleConflictException ex) {
+                        throw new CloudRuntimeException("Failed to enable static nat for VPC VR due to " + ex.getMessage());
+                    }
+                    return true;
+                }
+            }
+        }
+
+        logger.debug("Failed to enable static nat for VPC VR as there is no VPC VR on VPC networks");
+        return false;
+    }
 }

server/src/main/java/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java

@@ -243,11 +243,11 @@ public RemoteAccessVpn createRemoteAccessVpn(final long publicIpId, String ipRan
                     throw new InvalidParameterValueException("Vpn service is not supported in network id=" + ipAddr.getAssociatedWithNetworkId());
                 }
                 cidr = NetUtils.getCidr(network.getCidr());
-                validateIpAddressForVpnServiceOnNetwork(networkId, ipAddress);
+                validateIpAddressForVpnServiceOnNetwork(network, ipAddress);
             } else {
                 Vpc vpc = _vpcDao.findById(vpcId);
                 cidr = NetUtils.getCidr(vpc.getCidr());
-                validateIpAddressForVpnServiceOnVpc(vpcId, ipAddress);
+                validateIpAddressForVpnServiceOnVpc(vpc, ipAddress);
             }
 
             String[] guestIpRange = NetUtils.getIpRangeFromCidr(cidr.first(), cidr.second());
@@ -279,7 +279,8 @@ public RemoteAccessVpn createRemoteAccessVpn(final long publicIpId, String ipRan
         }
     }
 
-    private void validateIpAddressForVpnServiceOnNetwork(Long networkId, IPAddressVO ipAddress) {
+    private void validateIpAddressForVpnServiceOnNetwork(Network network, IPAddressVO ipAddress) {
+        Long networkId = network.getId();
         if (_networkMgr.isProviderSupportServiceInNetwork(networkId, Service.Dhcp, Network.Provider.VirtualRouter)) {
             // if VR is the VPN provider,
             // (1) if VR is Source NAT, the IP address must be used as Source NAT
@@ -291,10 +292,14 @@ private void validateIpAddressForVpnServiceOnNetwork(Long networkId, IPAddressVO
             if (!isVRSourceNat && ipAddress.isSourceNat()) {
                 throw new InvalidParameterValueException("Vpn service can not be configured on the Source NAT IP of network id=" + ipAddress.getAssociatedWithNetworkId());
             }
+            if (!isVRSourceNat) {
+                throw new InvalidParameterValueException("Currently it is not supported to create Vpn service on a non-Source NAT IP of network id=" + ipAddress.getAssociatedWithNetworkId());
+            }
         }
     }
 
-    private void validateIpAddressForVpnServiceOnVpc(Long vpcId, IPAddressVO ipAddress) {
+    private void validateIpAddressForVpnServiceOnVpc(Vpc vpc, IPAddressVO ipAddress) {
+        Long vpcId = vpc.getId();
         if (vpcManager.isProviderSupportServiceInVpc(vpcId, Service.Dhcp, Network.Provider.VPCVirtualRouter)) {
             // if VPC VR is the VPN provider,
             // (1) if VPC VR is Source NAT, the IP address must be used as Source NAT
@@ -306,6 +311,12 @@ private void validateIpAddressForVpnServiceOnVpc(Long vpcId, IPAddressVO ipAddre
             if (!isVpcVRSourceNat && ipAddress.isSourceNat()) {
                 throw new InvalidParameterValueException("Vpn service can not be configured on the Source NAT IP of VPC id=" + ipAddress.getVpcId());
             }
+            if (!isVpcVRSourceNat) {
+                IPAddressVO ipAddressForVpcVR = vpcManager.getIpAddressForVpcVR(vpc, ipAddress);
+                if (!vpcManager.enableStaticNatForVpcVR(vpc, ipAddressForVpcVR)) {
+                    throw new CloudRuntimeException("Failed to enable static nat for VPC VR as part of remote access vpn creation");
+                }
+            }
         }
     }
 

server/src/main/java/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java

@@ -48,6 +48,7 @@
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.IpAddressManager;
 import com.cloud.network.Network;
 import com.cloud.network.Site2SiteCustomerGateway;
 import com.cloud.network.Site2SiteVpnConnection;
@@ -62,6 +63,8 @@
 import com.cloud.network.dao.Site2SiteVpnGatewayDao;
 import com.cloud.network.dao.Site2SiteVpnGatewayVO;
 import com.cloud.network.element.Site2SiteVpnServiceProvider;
+import com.cloud.network.vpc.Vpc;
+import com.cloud.network.vpc.VpcManager;
 import com.cloud.network.vpc.VpcVO;
 import com.cloud.network.vpc.VpcOfferingServiceMapVO;
 import com.cloud.network.vpc.dao.VpcDao;
@@ -110,6 +113,10 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
     VpcOfferingServiceMapDao vpcOfferingServiceMapDao;
     @Inject
     private DomainRouterDao domainRouterDao;
+    @Inject
+    private IpAddressManager ipAddressManager;
+    @Inject
+    private VpcManager vpcManager;
 
     int _connLimit;
     int _subnetsLimit;
@@ -158,14 +165,13 @@ private Long getIpAddressIdForVpn(Long vpcId, Long vpcOferingId) {
         if (mapForSourceNat == null && mapForVpn != null) {
             // Use Static NAT IP of VPC VR
             logger.debug(String.format("The VPC VR provides %s Service, however it does not provide %s service, trying to configure using IP of VPC VR", Network.Service.Vpn.getName(), Network.Service.SourceNat.getName()));
-            List<DomainRouterVO> routers = domainRouterDao.listByVpcId(vpcId);
-            for (DomainRouterVO router : routers) {
-                List<IPAddressVO> ips = _ipAddressDao.listByAssociatedVmId(router.getId());
-                if (!ips.isEmpty()) {
-                    return ips.get(0).getId();
-                }
+
+            Vpc vpc = _vpcDao.findById(vpcId);
+            IPAddressVO ipAddressForVpcVR = vpcManager.getIpAddressForVpcVR(vpc, null);
+            if (!vpcManager.enableStaticNatForVpcVR(vpc, ipAddressForVpcVR)) {
+                throw new CloudRuntimeException("Failed to enable static nat for VPC VR as part of vpn gateway");
             }
-            throw new CloudRuntimeException("Cannot found static nat ip for VR of vpc " + vpcId);
+            return ipAddressForVpcVR.getId();
         } else {
             //Use source NAT ip for VPC
             List<IPAddressVO> ips = _ipAddressDao.listByAssociatedVpc(vpcId, true);