Wednesday, January 11, 2012

Eucalyptus Platform Concepts - Security

Eucalyptus provides two primary mechanisms for instance security: Availability Zones and Security Groups.

Availability Zones

An Availability Zone is a subset of the cloud (typically a collection of servers and storage) that shares a local area network. An Availability Zone receives a fixed amount of resources, and those resources can be controlled via quotas and access control lists.

Availability Zones vs. Clusters

A Cluster is a group of servers that provide resources to an Availability Zone. Clusters consist of a grouping of resources that are separated for administrative or technical reasons. Administrative reasons might include server ownership or compliance rules. Technical reasons might include different quality of service (QoS) requirements between users, a single cloud managing resources across different distributed datacenters, or the decision to deploy multiple hypervisors. A single cluster can only manage one hypervisor type.

As of this writing, in Eucalyptus there is a 1:1 relationship between Availability Zones and Clusters. Each Availability Zone can have only one Cluster Controller (CC), and if you must configure a separate Cluster, it will exist in a separate Availability Zone.

The two concepts are nonetheless distinct. An Availability Zone is an administrative distinction, whereas a cluster is a collection of physical resources. In the future, you may be able to configure an Availability Zone that contains multiple clusters, if such a design were beneficial.

Security Groups

Security Groups are sets of networking rules applied to all virtual machine instances associated with a group. They define access rules for all instances that are part of the group - for example, accessible ports - and are in effect a firewall.

When a virtual machine instance is created, it is assigned to a default security group that denies incoming network traffic from all sources. Multiple security groups can be configured to allow multiple levels of security based on application needs.

For example, Susan has a multi-tier application that includes a Web Server front-end, an application server, and a database server. The web server needs to be accessed through Port 80 and Port 443. The application server might need to be accessible to the web server and on the internal network through Port 22. The database server might not need to be accessible at all other than through the application server. This can be accomplished by configuring three separate security groups with the appropriate rules.
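Susan's three groups, modelled as an added example (this is not Eucalyptus code or the original post's) that evaluates the default-deny semantics described above: a packet reaches an instance only if some ingress rule of its group matches the port and the source, where a source may be a CIDR block or another security group. It assumes the database listens on TCP 3306 and that the internal network is 10.0.0.0/8; both values are constructed for the example.

```python
import ipaddress
from typing import Optional


class Rule:
    """One TCP ingress rule: a port range plus a single source (CIDR or group)."""

    def __init__(self, port_from: int, port_to: int,
                 src_cidr: Optional[str] = None, src_group: Optional[str] = None):
        self.port_from, self.port_to = port_from, port_to
        self.src_cidr, self.src_group = src_cidr, src_group


class SecurityGroup:
    """Default deny: inbound traffic passes only when an ingress rule matches."""

    def __init__(self, name: str, ingress: list):
        self.name, self.ingress = name, ingress

    def allows(self, port: int, src_ip: Optional[str] = None,
               src_group: Optional[str] = None) -> bool:
        for r in self.ingress:
            if not (r.port_from <= port <= r.port_to):
                continue
            if r.src_cidr and src_ip and \
                    ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.src_cidr):
                return True
            if r.src_group and src_group == r.src_group:
                return True
        return False  # no rule matched: denied, as with the default group


def three_tier_groups() -> dict:
    """Web open on 80/443; app reachable on 22 from web or the internal net;
    db reachable only from app (port 3306 is an assumption for the example)."""
    web = SecurityGroup("web", [Rule(80, 80, src_cidr="0.0.0.0/0"),
                                Rule(443, 443, src_cidr="0.0.0.0/0")])
    app = SecurityGroup("app", [Rule(22, 22, src_group="web"),
                                Rule(22, 22, src_cidr="10.0.0.0/8")])
    db = SecurityGroup("db", [Rule(3306, 3306, src_group="app")])
    return {"web": web, "app": app, "db": db}


def check(groups: dict, dst: str, port: int, src_ip: Optional[str] = None,
          src_group: Optional[str] = None) -> bool:
    """Would traffic from this source reach an instance in group `dst` on `port`?"""
    return groups[dst].allows(port, src_ip, src_group)


if __name__ == "__main__":
    g = three_tier_groups()
    print("internet -> web:80 ", check(g, "web", 80, src_ip="203.0.113.7"))
    print("internet -> db:3306", check(g, "db", 3306, src_ip="203.0.113.7"))
```

Note that the internal 10.0.0.0/8 rule on the app group does not leak into the db group: an internal host that is not an app instance is still denied.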

This concludes our discussion of Eucalyptus platform concepts. In our next blog post we'll transition into a discussion around Eucalyptus architecture.
