This diagram illustrates the network architecture of a large-scale CloudStack deployment.
A layer-3 switching layer is at the core of the data center. A router redundancy protocol like VRRP should be deployed. Typically high-end core switches also include firewall modules. Separate firewall appliances may also be used if the layer-3 switch does not have integrated firewall capabilities. The firewalls are configured in NAT mode. The firewalls provide the following functions:
Forwards HTTP requests and API calls from the Internet to the Management Server. The Management Server resides on the management network.
When the cloud spans multiple zones, the firewalls should enable site-to-site VPN such that servers in different zones can directly reach each other.
A layer-2 access switch layer is established for each pod. Multiple switches can be stacked to increase port count. In either case, redundant pairs of layer-2 switches should be deployed.
The Management Server cluster (including front-end load balancers, Management Server nodes, and the MySQL database) is connected to the management network through a pair of load balancers.
Secondary storage servers are connected to the management network.
Each pod contains storage and computing servers. Each storage and computing server should have redundant NICs connected to separate layer-2 access switches.