In an IaaS cloud environment, networking plays a crucial role in facilitating communication between instances and the public internet. Networking is a distinct component, offering various configurations to support seamless connectivity. One notable feature is the provision of guest networks, which enable instances to interact both internally and externally. These guest networks, existing alongside storage and management networks, serve as the backbone for communication among virtual instances.
Within our IaaS Cloud, there are two primary types of guest networks: Isolated networks and Shared networks. While Shared networks allow multiple instances across different accounts to access the same network resources, Isolated networks provide dedicated environments for individual accounts, ensuring secure and private communication among instances.
In our IaaS Cloud, isolated networks are designed to be accessed solely by instances within a single account, providing a high level of security and isolation. These networks dynamically allocate and manage resources such as VLANs, ensuring efficient utilization and automatic cleanup. Each isolated network operates under a single network offering, which can be upgraded or downgraded to adjust the network's capabilities.
A key feature of isolated networks is the integration of a virtual router that offers multiple services, including DHCP, DNS, load balancing, port forwarding, and firewall functions. Instances within an isolated network communicate using private IP addresses, enabling secure internal communication without default routes to other networks or the public internet. The virtual router can manage both private and public IP address spaces and handles external connectivity through Source NAT, acting as the gateway for routing traffic.
Isolated networks can also function as standalone Layer 2 (L2) networks, providing only MAC address assignments to instances, allowing users to implement custom DHCP and DNS services. This flexibility caters to various networking needs, from simple private networks to complex setups requiring robust network services.
Administrators and end-users can create and manage isolated networks, with administrators having control over VLAN and physical network mappings. Additionally, the platform supports the acquisition of public IPv4 ranges for isolated networks, which can be mapped to instances via the virtual router's Static NAT function, enabling selective exposure of internal instances to the public internet.
Overall, the isolated networking capabilities within our IaaS cloud platform offer a secure and customizable framework for internal communication and resource management, empowering users to configure and manage networks according to their specific security and operational requirements.
As previously mentioned, you have two options for isolated networks. The first option is L2 networks, which provide network isolation without any additional services. The second option is L3 networks, also called Isolated networks, which include a virtual router. L2 networks operate at the data link layer, making them suitable for simple isolation tasks, while L3 networks operate at the network layer, offering advanced features like routing and firewall capabilities. Depending on your needs, you can set up either option easily by following the next chapters.
To create an L2 network, follow these steps:
1. Navigate to Network → Guest networks on the left navigation bar.
2. Click on Add network in the top row:
3. Click on the L2 tab to access the appropriate network settings, then specify the following parameters:
4. Click on OK to save and create an L2 network.
To create a L3 network, follow these steps:
1. Navigate to Network → Guest networks on the left navigation bar.
2. Click on Add network in the top row:
3. Click on the Isolated tab to access the appropriate network settings, then specify the following parameters:
Both Gateway and Netmask are required for isolated networks when they belong to a VPC.
4. Click on OK to save and create a L3 network.
You can assign multiple public IP addresses to an isolated network, all within the range assigned to your IaaS Cloud domain. Any IP address can be used to set up load balancing rules, port forwarding, or firewall rules. To assign a new public IP address, follow these steps:
1. Navigate to Network → Guest networks on the left navigation bar.
2. Select a specific isolated network from the list view.
3. Choose Public IP addresses in the right management block:
4. Click on Acquire new IP in the first row:
5. Select an IP address from the range listed in the drop-down menu.
6. Click on OK to acquire the new public IP address.
To update an isolated network, follow these steps:
1. Navigate to Network → Guest networks on the left navigation bar.
2. Select a specific isolated network from the list view.
3. Click on Update network in the right top action toolbar:
4. Here, you can update the parameters configured during the creation process.
5. Click on OK to save and apply your changes to the isolated network.
To restart an isolated network, follow these steps:
1. Navigate to Network → Guest networks on the left navigation bar.
2. Select a specific isolated network from the list view.
3. Click on Restart network in the right top action toolbar:
4. Optionally, you can decide whether you want to Clean up or Live patch the isolated network.
5. Click on OK to restart the isolated network.
All services provided by this network will be interrupted.
A static NAT rule links a public IP address to an instance's private IP address, enabling internet traffic to reach the instance. To enable static NAT, follow these steps:
If port forwarding rules are already configured for an IP address, you cannot assign static NAT to that IP.
1. Navigate to Network → Guest networks on the left navigation bar.
2. Select a specific isolated network from the list view.
3. Choose Public IP addresses in the right management block:
4. Select the IP address you want to assign the static NAT to.
5. Click on Enable static NAT in the top right action toolbar:
6. Select the instance you want to link the IP address with.
7. Click on OK to enable the new static NAT.
Enabling VPN for an isolated network IP address allows configuration of a remote access VPN connection, facilitating direct access to instances within the network from a remote machine. Only one remote access VPN can be set up per network. To enable a VPN for an isolated network, follow these steps:
1. Navigate to Network → Guest networks on the left navigation bar.
2. Select a specific isolated network from the list view.
3. Choose Public IP addresses in the right management block:
4. Select the IP address you want to enable VPN for.
5. Afterward, select the VPN settings and then click on the Enable remote access VPN button:
6. Confirm your decision by clicking on Yes in the popup window and your VPN access will be ready to go.
The IPsec pre-shared key is required for connecting from your client to the isolated network. Additionally, you'll need to configure the VPN connection on your local machine using the VPN username and password.
To delete an isolated network, follow these steps:
1. Navigate to Network → Guest networks on the left navigation bar.
2. Select a specific isolated network from the list view.
3. Click on Delete network in the right top action toolbar:
4. Click on OK to confirm and delete the isolated network.
Networks can only be deleted if there are no active instances assigned to them. To remove an instance from the network, you need to either detach the NIC associated with that network from the instance or destroy the instance altogether.
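The rules this page states for an isolated network (public IPs come from the range assigned to the domain, static NAT cannot be placed on an IP that already has port forwarding rules, only one remote access VPN per network, and deletion only once no instances are attached) can be encoded as a pre-flight check before automating changes through whatever API your cloud exposes. This is an added example written for this page, not the platform's own code or API; the class names, the 203.0.113.0/28 range and the instance names are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the rules stated on this page; not the platform's
# own code. All names and sample values are made up for illustration.

@dataclass
class PublicIp:
    address: str
    static_nat_instance: Optional[str] = None
    port_forwarding: list = field(default_factory=list)  # (public_port, instance)

@dataclass
class IsolatedNetwork:
    name: str
    public_range: str                      # range assigned to the domain, e.g. "203.0.113.0/28"
    attached_instances: set = field(default_factory=set)
    public_ips: dict = field(default_factory=dict)
    remote_access_vpn_ip: Optional[str] = None

    def acquire_ip(self, address: str) -> PublicIp:
        # Only addresses within the range assigned to the domain can be acquired.
        if ipaddress.IPv4Address(address) not in ipaddress.IPv4Network(self.public_range):
            raise ValueError(f"{address} is outside {self.public_range}")
        return self.public_ips.setdefault(address, PublicIp(address))

    def add_port_forwarding(self, address: str, public_port: int, instance: str) -> None:
        self.public_ips[address].port_forwarding.append((public_port, instance))

    def enable_static_nat(self, address: str, instance: str) -> None:
        ip = self.public_ips[address]
        # Stated constraint: no static NAT on an IP that already has port forwarding rules.
        if ip.port_forwarding:
            raise ValueError(f"{address} already has port forwarding rules")
        if instance not in self.attached_instances:
            raise ValueError(f"{instance} is not attached to network {self.name}")
        ip.static_nat_instance = instance

    def enable_remote_access_vpn(self, address: str) -> None:
        # Only one remote access VPN can be set up per network.
        if self.remote_access_vpn_ip is not None:
            raise ValueError("remote access VPN already enabled on this network")
        self.remote_access_vpn_ip = self.public_ips[address].address

    def can_delete(self) -> bool:
        # Networks can only be deleted once no instances are attached.
        return not self.attached_instances

def rejects(action, *args) -> bool:
    """Return True when the rule check refuses the action."""
    try:
        action(*args)
    except (ValueError, KeyError):
        return True
    return False
```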