This blog post is a quick guide to restricting and managing VM IP addresses in your XenServer infrastructure.
XAPI, the XenServer API, works at the hypervisor level. In other words, it can't interfere with anything inside the VM's operating system.
On the other hand, it can block or authorize network communication based on the IP address of the VM. This is called "VIF Locking" (VIF = Virtual InterFace).
Add IPs (or full range)
From an administrator perspective, adding IP addresses is simple: just declare addresses (or ranges), on which network, and you're done!
By default, nothing is locked. A user can set any IP in their VM, and it will work. If you add restricted IPs, the VIF will be locked, and then only those assigned IPs will be able to get out of the VM.
In the VM view, on Network tab, see the new row "Allowed IPs":
Click on the "Plus" icon to add authorized IPs:
Network locking mode
To change the default behavior (from "everything authorized" to "allow only authorized IPs"), you can modify the network where the VIF resides so that it blocks everything until IPs are allowed. See the "Default Locking mode" row:
This time, a VM without allowed IP won't be able to do anything.
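The two behaviors described above can be modeled as a small decision function, which is handy for auditing which VIFs still accept any source address. This is an added example, not Xen Orchestra or XAPI code: the mode names are the XAPI `locking-mode` and `default-locking-mode` values, while accepting CIDR ranges in the allowed list and the sample inventory are assumptions constructed for illustration.

```python
import ipaddress

# XAPI field values: VIF locking-mode and network default-locking-mode.
VIF_MODES = {"network_default", "locked", "unlocked", "disabled"}
NETWORK_MODES = {"unlocked", "disabled"}


def effective_mode(vif_mode, network_default):
    """Resolve a VIF's mode, falling back to the network default."""
    if vif_mode not in VIF_MODES or network_default not in NETWORK_MODES:
        raise ValueError(f"unknown mode: {vif_mode!r}/{network_default!r}")
    return network_default if vif_mode == "network_default" else vif_mode


def source_allowed(src_ip, vif_mode, network_default, allowed=()):
    """Return True if traffic from src_ip may leave the VIF."""
    mode = effective_mode(vif_mode, network_default)
    if mode == "unlocked":
        return True   # no filtering: any source address works
    if mode == "disabled":
        return False  # all traffic is dropped
    # locked: only listed addresses pass; an empty list blocks everything.
    src = ipaddress.ip_address(src_ip)
    # Assumption: entries are single addresses or CIDR ranges.
    nets = (ipaddress.ip_network(entry, strict=False) for entry in allowed)
    return any(src in net for net in nets)


def spoofable_vifs(vifs, networks):
    """Names of VIFs whose effective mode applies no source filtering."""
    return [v["name"] for v in vifs
            if effective_mode(v["mode"], networks[v["network"]]) == "unlocked"]


# Constructed sample inventory (not real infrastructure).
NETWORKS = {"lan": "unlocked", "customers": "disabled"}
VIFS = [
    {"name": "vm-a/0", "network": "lan", "mode": "network_default",
     "allowed": []},
    {"name": "vm-b/0", "network": "lan", "mode": "locked",
     "allowed": ["192.0.2.10", "198.51.100.0/28"]},
    {"name": "vm-c/0", "network": "customers", "mode": "network_default",
     "allowed": []},
]

if __name__ == "__main__":
    print("VIFs with no IP restriction:", spoofable_vifs(VIFS, NETWORKS))
```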
This feature was sponsored by Neuronnexion.
Neuronnexion is an internet operator providing network and hosting services based as much as possible on Free Software.
Neuronnexion wanted to provide a simple yet complete and easy to use web interface to allow their customers to manage their own server infrastructure.
We fell in love with Xen Orchestra and the reactivity of its team.
The self-service functionality of Xen Orchestra was perfect to allow our customers to autonomously manage their server infrastructure but one crucial feature was missing: IP Addresses management.
How would users know which IP address they are allowed to use? How can we prevent IP spoofing? We hadn't the resources to contribute to Xen Orchestra with a patch; instead we thought about sponsoring that feature.
Thanks to the fantastic Xen Orchestra developer team and their awesome coding skills, we are glad to see the IP resource management feature released in this new version of Xen Orchestra!