http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/72a3a7c1/source/networking/remote_access_vpn.rst ---------------------------------------------------------------------- diff --git a/source/networking/remote_access_vpn.rst b/source/networking/remote_access_vpn.rst new file mode 100644 index 0000000..94e9733 --- /dev/null +++ b/source/networking/remote_access_vpn.rst 
@@ -0,0 +1,696 @@ +.. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information# + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + + +Remote Access VPN +----------------- + +CloudStack account owners can create virtual private networks (VPN) to +access their virtual machines. If the guest network is instantiated from +a network offering that offers the Remote Access VPN service, the +virtual router (based on the System VM) is used to provide the service. +CloudStack provides a L2TP-over-IPsec-based remote access VPN service to +guest virtual networks. Since each network gets its own virtual router, +VPNs are not shared across the networks. VPN clients native to Windows, +Mac OS X and iOS can be used to connect to the guest networks. The +account owner can create and manage users for their VPN. CloudStack does +not use its account database for this purpose but uses a separate table. +The VPN user database is shared across all the VPNs created by the +account owner. All VPN users get access to all VPNs created by the +account owner. + +.. note:: + Make sure that not all traffic goes through the VPN. That is, the route + installed by the VPN should be only for the guest network and not for + all traffic. + +- **Road Warrior / Remote Access**. 
Users want to be able to connect + securely from a home or office to a private network in the cloud. + Typically, the IP address of the connecting client is dynamic and + cannot be preconfigured on the VPN server. + +- **Site to Site**. In this scenario, two private subnets are connected + over the public Internet with a secure VPN tunnel. The cloud user's + subnet (for example, an office network) is connected through a + gateway to the network in the cloud. The address of the user's + gateway must be preconfigured on the VPN server in the cloud. Note + that although L2TP-over-IPsec can be used to set up Site-to-Site + VPNs, this is not the primary intent of this feature. For more + information, see ":ref:`setting-s2s-vpn-conn`". + + +Configuring Remote Access VPN +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To set up VPN for the cloud: + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, click Global Settings. + +#. Set the following global configuration parameters. + + - remote.access.vpn.client.ip.range - The range of IP addresses to + be allocated to remote access VPN clients. The first IP in the + range is used by the VPN server. + + - remote.access.vpn.psk.length - Length of the IPSec key. + + - remote.access.vpn.user.limit - Maximum number of VPN users per + account. + +To enable VPN for a particular network: + +#. Log in as a user or administrator to the CloudStack UI. + +#. In the left navigation, click Network. + +#. Click the name of the network you want to work with. + +#. Click View IP Addresses. + +#. Click one of the displayed IP address names. + +#. Click the Enable VPN button. |vpn-icon.png| + + The IPsec key is displayed in a popup window. + + +Configuring Remote Access VPN in VPC +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +On enabling Remote Access VPN on a VPC, any VPN client present outside +the VPC can access VMs present in the VPC by using the Remote VPN +connection. 
The VPN client can be present anywhere except inside the VPC +on which the user enabled the Remote Access VPN service. + +To enable VPN for a VPC: + +#. Log in as a user or administrator to the CloudStack UI. + +#. In the left navigation, click Network. + +#. In the Select view, select VPC. + + All the VPCs that you have created for the account is listed in the + page. + +#. Click the Configure button of the VPC. + + For each tier, the following options are displayed: + + - Internal LB + + - Public LB IP + + - Static NAT + + - Virtual Machines + + - CIDR + + The following router information is displayed: + + - Private Gateways + + - Public IP Addresses + + - Site-to-Site VPNs + + - Network ACL Lists + +#. In the Router node, select Public IP Addresses. + + The IP Addresses page is displayed. + +#. Click Source NAT IP address. + +#. Click the Enable VPN button. |vpn-icon.png| + + Click OK to confirm. The IPsec key is displayed in a pop-up window. + +Now, you need to add the VPN users. + +#. Click the Source NAT IP. + +#. Select the VPN tab. + +#. Add the username and the corresponding password of the user you + wanted to add. + +#. Click Add. + +#. Repeat the same steps to add the VPN users. + + +Using Remote Access VPN with Windows +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The procedure to use VPN varies by Windows version. Generally, the user +must edit the VPN properties and make sure that the default route is not +the VPN. The following steps are for Windows L2TP clients on Windows +Vista. The commands should be similar for other Windows versions. + +#. Log in to the CloudStack UI and click on the source NAT IP for the + account. The VPN tab should display the IPsec preshared key. Make a + note of this and the source NAT IP. The UI also lists one or more + users and their passwords. Choose one of these users, or, if none + exists, add a user and password. + +#. On the Windows box, go to Control Panel, then select Network and + Sharing center. 
Click Setup a connection or network. + +#. In the next dialog, select No, create a new connection. + +#. In the next dialog, select Use my Internet Connection (VPN). + +#. In the next dialog, enter the source NAT IP from step + #1 and give the connection a name. Check Don't + connect now. + +#. In the next dialog, enter the user name and password selected in step + #1. + +#. Click Create. + +#. Go back to the Control Panel and click Network Connections to see the + new connection. The connection is not active yet. + +#. Right-click the new connection and select Properties. In the + Properties dialog, select the Networking tab. + +#. + + In Type of VPN, choose L2TP IPsec VPN, then click IPsec settings. + Select Use preshared key. Enter the preshared key from step #1. + +#. The connection is ready for activation. Go back to Control Panel -> + Network Connections and double-click the created connection. + +#. Enter the user name and password from step #1. + + +Using Remote Access VPN with Mac OS X +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +First, be sure you've configured the VPN settings in your CloudStack +install. This section is only concerned with connecting via Mac OS X to +your VPN. + +Note, these instructions were written on Mac OS X 10.7.5. They may +differ slightly in older or newer releases of Mac OS X. + +#. On your Mac, open System Preferences and click Network. + +#. Make sure Send all traffic over VPN connection is not checked. + +#. If your preferences are locked, you'll need to click the lock in the + bottom left-hand corner to make any changes and provide your + administrator credentials. + +#. You will need to create a new network entry. Click the plus icon on + the bottom left-hand side and you'll see a dialog that says "Select + the interface and enter a name for the new service." Select VPN from + the Interface drop-down menu, and "L2TP over IPSec" for the VPN Type. + Enter whatever you like within the "Service Name" field. + +#. 
You'll now have a new network interface with the name of whatever you + put in the "Service Name" field. For the purposes of this example, + we'll assume you've named it "CloudStack." Click on that interface + and provide the IP address of the interface for your VPN under the + Server Address field, and the user name for your VPN under Account + Name. + +#. Click Authentication Settings, and add the user's password under User + Authentication and enter the pre-shared IPSec key in the Shared + Secret field under Machine Authentication. Click OK. + +#. You may also want to click the "Show VPN status in menu bar" but + that's entirely optional. + +#. Now click "Connect" and you will be connected to the CloudStack VPN. + + +.. _setting-s2s-vpn-conn: + +Setting Up a Site-to-Site VPN Connection +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +A Site-to-Site VPN connection helps you establish a secure connection +from an enterprise datacenter to the cloud infrastructure. This allows +users to access the guest VMs by establishing a VPN connection to the +virtual router of the account from a device in the datacenter of the +enterprise. You can also establish a secure connection between two VPC +setups or high availability zones in your environment. Having this +facility eliminates the need to establish VPN connections to individual +VMs. + +The difference from Remote VPN is that Site-to-site VPNs connects entire +networks to each other, for example, connecting a branch office network +to a company headquarters network. In a site-to-site VPN, hosts do not +have VPN client software; they send and receive normal TCP/IP traffic +through a VPN gateway. + +The supported endpoints on the remote datacenters are: + +- Cisco ISR with IOS 12.4 or later + +- Juniper J-Series routers with JunOS 9.5 or later + +- CloudStack virtual routers + +.. 
note:: + In addition to the specific Cisco and Juniper devices listed above, the + expectation is that any Cisco or Juniper device running on the supported + operating systems are able to establish VPN connections. + +To set up a Site-to-Site VPN connection, perform the following: + +#. Create a Virtual Private Cloud (VPC). + + See ":ref:`configuring-vpc`". + +#. Create a VPN Customer Gateway. + +#. Create a VPN gateway for the VPC that you created. + +#. Create VPN connection from the VPC VPN gateway to the customer VPN + gateway. + + +Creating and Updating a VPN Customer Gateway +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: + A VPN customer gateway can be connected to only one VPN gateway at a time. + +To add a VPN Customer Gateway: + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPN Customer Gateway. + +#. Click Add VPN Customer Gateway. + + |addvpncustomergateway.png| + + Provide the following information: + + - **Name**: A unique name for the VPN customer gateway you create. + + - **Gateway**: The IP address for the remote gateway. + + - **CIDR list**: The guest CIDR list of the remote subnets. Enter a + CIDR or a comma-separated list of CIDRs. Ensure that a guest CIDR + list is not overlapped with the VPC's CIDR, or another guest CIDR. + The CIDR must be RFC1918-compliant. + + - **IPsec Preshared Key**: Preshared keying is a method where the + endpoints of the VPN share a secret key. This key value is used to + authenticate the customer gateway and the VPC VPN gateway to each + other. + + .. note:: + The IKE peers (VPN end points) authenticate each other by + computing and sending a keyed hash of data that includes the + Preshared key. If the receiving peer is able to create the same + hash independently by using its Preshared key, it knows that both + peers must share the same secret, thus authenticating the customer + gateway. 
+ + - **IKE Encryption**: The Internet Key Exchange (IKE) policy for + phase-1. The supported encryption algorithms are AES128, AES192, + AES256, and 3DES. Authentication is accomplished through the + Preshared Keys. + + .. note:: + The phase-1 is the first phase in the IKE process. In this initial + negotiation phase, the two VPN endpoints agree on the methods to + be used to provide security for the underlying IP traffic. The + phase-1 authenticates the two VPN gateways to each other, by + confirming that the remote gateway has a matching Preshared Key. + + - **IKE Hash**: The IKE hash for phase-1. The supported hash + algorithms are SHA1 and MD5. + + - **IKE DH**: A public-key cryptography protocol which allows two + parties to establish a shared secret over an insecure + communications channel. The 1536-bit Diffie-Hellman group is used + within IKE to establish session keys. The supported options are + None, Group-5 (1536-bit) and Group-2 (1024-bit). + + - **ESP Encryption**: Encapsulating Security Payload (ESP) algorithm + within phase-2. The supported encryption algorithms are AES128, + AES192, AES256, and 3DES. + + .. note:: + The phase-2 is the second phase in the IKE process. The purpose of + IKE phase-2 is to negotiate IPSec security associations (SA) to + set up the IPSec tunnel. In phase-2, new keying material is + extracted from the Diffie-Hellman key exchange in phase-1, to + provide session keys to use in protecting the VPN data flow. + + - **ESP Hash**: Encapsulating Security Payload (ESP) hash for + phase-2. Supported hash algorithms are SHA1 and MD5. + + - **Perfect Forward Secrecy**: Perfect Forward Secrecy (or PFS) is + the property that ensures that a session key derived from a set of + long-term public and private keys will not be compromised. This + property enforces a new Diffie-Hellman key exchange. It provides + the keying material that has greater key material life and thereby + greater resistance to cryptographic attacks. 
The available options + are None, Group-5 (1536-bit) and Group-2 (1024-bit). The security + of the key exchanges increase as the DH groups grow larger, as + does the time of the exchanges. + + .. note:: + When PFS is turned on, for every negotiation of a new phase-2 SA + the two gateways must generate a new set of phase-1 keys. This + adds an extra layer of protection that PFS adds, which ensures if + the phase-2 SA's have expired, the keys used for new phase-2 SA's + have not been generated from the current phase-1 keying material. + + - **IKE Lifetime (seconds)**: The phase-1 lifetime of the security + association in seconds. Default is 86400 seconds (1 day). Whenever + the time expires, a new phase-1 exchange is performed. + + - **ESP Lifetime (seconds)**: The phase-2 lifetime of the security + association in seconds. Default is 3600 seconds (1 hour). Whenever + the value is exceeded, a re-key is initiated to provide a new + IPsec encryption and authentication session keys. + + - **Dead Peer Detection**: A method to detect an unavailable + Internet Key Exchange (IKE) peer. Select this option if you want + the virtual router to query the liveliness of its IKE peer at + regular intervals. It's recommended to have the same configuration + of DPD on both side of VPN connection. + +#. Click OK. + + +Updating and Removing a VPN Customer Gateway +'''''''''''''''''''''''''''''''''''''''''''' + +You can update a customer gateway either with no VPN connection, or +related VPN connection is in error state. + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPN Customer Gateway. + +#. Select the VPN customer gateway you want to work with. + +#. To modify the required parameters, click the Edit VPN Customer + Gateway button |vpn-edit-icon.png| + +#. To remove the VPN customer gateway, click the Delete VPN Customer + Gateway button |delete.png| + +#. Click OK. 
+ + +Creating a VPN gateway for the VPC +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPCs that you have created for the account is listed in the + page. + +#. Click the Configure button of the VPC to which you want to deploy the + VMs. + + The VPC page is displayed where all the tiers you created are listed + in a diagram. + + For each tier, the following options are displayed: + + - Internal LB + + - Public LB IP + + - Static NAT + + - Virtual Machines + + - CIDR + + The following router information is displayed: + + - Private Gateways + + - Public IP Addresses + + - Site-to-Site VPNs + + - Network ACL Lists + +#. Select Site-to-Site VPN. + + If you are creating the VPN gateway for the first time, selecting + Site-to-Site VPN prompts you to create a VPN gateway. + +#. In the confirmation dialog, click Yes to confirm. + + Within a few moments, the VPN gateway is created. You will be + prompted to view the details of the VPN gateway you have created. + Click Yes to confirm. + + The following details are displayed in the VPN Gateway page: + + - IP Address + + - Account + + - Domain + + +Creating a VPN Connection +^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: CloudStack supports creating up to 8 VPN connections. + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPCs that you create for the account are listed in the page. + +#. Click the Configure button of the VPC to which you want to deploy the + VMs. + + The VPC page is displayed where all the tiers you created are listed + in a diagram. + +#. Click the Settings icon. 
+ + For each tier, the following options are displayed: + + - Internal LB + + - Public LB IP + + - Static NAT + + - Virtual Machines + + - CIDR + + The following router information is displayed: + + - Private Gateways + + - Public IP Addresses + + - Site-to-Site VPNs + + - Network ACL Lists + +#. Select Site-to-Site VPN. + + The Site-to-Site VPN page is displayed. + +#. From the Select View drop-down, ensure that VPN Connection is + selected. + +#. Click Create VPN Connection. + + The Create VPN Connection dialog is displayed: + + |createvpnconnection.png| + +#. Select the desired customer gateway. + +#. Select Passive if you want to establish a connection between two VPC + virtual routers. + + If you want to establish a connection between two VPC virtual + routers, select Passive only on one of the VPC virtual routers, which + waits for the other VPC virtual router to initiate the connection. Do + not select Passive on the VPC virtual router that initiates the + connection. + +#. Click OK to confirm. + + Within a few moments, the VPN Connection is displayed. + + The following information on the VPN connection is displayed: + + - IP Address + + - Gateway + + - State + + - IPSec Preshared Key + + - IKE Policy + + - ESP Policy + + +Site-to-Site VPN Connection Between VPC Networks +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +CloudStack provides you with the ability to establish a site-to-site VPN +connection between CloudStack virtual routers. To achieve that, add a +passive mode Site-to-Site VPN. With this functionality, users can deploy +applications in multiple Availability Zones or VPCs, which can +communicate with each other by using a secure Site-to-Site VPN Tunnel. + +This feature is supported on all the hypervisors. + +#. Create two VPCs. For example, VPC A and VPC B. + + For more information, see ":ref:`configuring-vpc`". + +#. Create VPN gateways on both the VPCs you created. 
+ + For more information, see `"Creating a VPN gateway + for the VPC" <#creating-a-vpn-gateway-for-the-vpc>`_. + +#. Create VPN customer gateway for both the VPCs. + + For more information, see `"Creating and Updating + a VPN Customer Gateway" <#creating-and-updating-a-vpn-customer-gateway>`_. + +#. Enable a VPN connection on VPC A in passive mode. + + For more information, see `"Creating a VPN + Connection" <#creating-a-vpn-connection>`_. + + Ensure that the customer gateway is pointed to VPC B. The VPN + connection is shown in the Disconnected state. + +#. Enable a VPN connection on VPC B. + + Ensure that the customer gateway is pointed to VPC A. Because virtual + router of VPC A, in this case, is in passive mode and is waiting for + the virtual router of VPC B to initiate the connection, VPC B virtual + router should not be in passive mode. + + The VPN connection is shown in the Disconnected state. + + Creating VPN connection on both the VPCs initiates a VPN connection. + Wait for few seconds. The default is 30 seconds for both the VPN + connections to show the Connected state. + + +Restarting and Removing a VPN Connection +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPCs that you have created for the account is listed in the + page. + +#. Click the Configure button of the VPC to which you want to deploy the + VMs. + + The VPC page is displayed where all the tiers you created are listed + in a diagram. + +#. Click the Settings icon. + + For each tier, the following options are displayed: + + - Internal LB + + - Public LB IP + + - Static NAT + + - Virtual Machines + + - CIDR + + The following router information is displayed: + + - Private Gateways + + - Public IP Addresses + + - Site-to-Site VPNs + + - Network ACL Lists + +#. Select Site-to-Site VPN. + + The Site-to-Site VPN page is displayed. + +#. 
From the Select View drop-down, ensure that VPN Connection is + selected. + + All the VPN connections you created are displayed. + +#. Select the VPN connection you want to work with. + + The Details tab is displayed. + +#. To remove a VPN connection, click the Delete VPN connection button + |remove-vpn.png| + + To restart a VPN connection, click the Reset VPN connection button + present in the Details tab. |reset-vpn.png| + + +.. |vpn-icon.png| image:: /_static/images/vpn-icon.png + :alt: button to enable VPN. +.. |addvpncustomergateway.png| image:: /_static/images/add-vpn-customer-gateway.png + :alt: adding a customer gateway. +.. |createvpnconnection.png| image:: /_static/images/create-vpn-connection.png + :alt: creating a VPN connection to the customer gateway. +.. |remove-vpn.png| image:: /_static/images/remove-vpn.png + :alt: button to remove a VPN connection +.. |reset-vpn.png| image:: /_static/images/reset-vpn.png + :alt: button to reset a VPN connection +.. |delete.png| image:: /_static/images/delete-button.png + :alt: button to remove a VPN customer gateway. +.. |vpn-edit-icon.png| image:: /_static/images/edit-icon.png + :alt: button to edit.
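Review bot: In the VPN Customer Gateway field list, the IKE DH bullet states that "The 1536-bit Diffie-Hellman group is used within IKE to establish session keys" while the option list that follows offers None, Group-5 (1536-bit) and Group-2 (1024-bit), so the sentence only describes one of the three choices; suggest "The selected Diffie-Hellman group is used within IKE to establish session keys." The PFS note in the same list is also garbled ("This adds an extra layer of protection that PFS adds, which ensures if the phase-2 SA's have expired ..."); suggest "This extra layer of protection ensures that, when a phase-2 SA expires, the keys for the new phase-2 SA are not derived from the current phase-1 keying material." Two smaller points: remote.access.vpn.psk.length is described as "Length of the IPSec key", but the rest of the page calls the displayed value the IPsec preshared key, so "Length of the generated IPsec preshared key" would name it consistently; and in the Windows procedure the item before "In Type of VPN, choose L2TP IPsec VPN" is a bare "#." followed by a blank line, which renders as an empty list item, so that text should be moved onto the "#." line.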
http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/72a3a7c1/source/networking/security_groups.rst ---------------------------------------------------------------------- diff --git a/source/networking/security_groups.rst b/source/networking/security_groups.rst new file mode 100644 index 0000000..9ff2841 --- /dev/null +++ b/source/networking/security_groups.rst 
@@ -0,0 +1,214 @@ +.. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information# + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + + +Security Groups +--------------- + +About Security Groups +~~~~~~~~~~~~~~~~~~~~~ + +Security groups provide a way to isolate traffic to VMs. A security +group is a group of VMs that filter their incoming and outgoing traffic +according to a set of rules, called ingress and egress rules. These +rules filter network traffic according to the IP address that is +attempting to communicate with the VM. Security groups are particularly +useful in zones that use basic networking, because there is a single +guest network for all guest VMs. In advanced zones, security groups are +supported only on the KVM hypervisor. + +.. note:: + In a zone that uses advanced networking, you can instead define multiple guest networks to isolate traffic to VMs. + +Each CloudStack account comes with a default security group that denies +all inbound traffic and allows all outbound traffic. The default +security group can be modified so that all new VMs inherit some other +desired set of rules. + +Any CloudStack user can set up any number of additional security groups. +When a new VM is launched, it is assigned to the default security group +unless another user-defined security group is specified. 
A VM can be a +member of any number of security groups. Once a VM is assigned to a +security group, it remains in that group for its entire lifetime; you +can not move a running VM from one security group to another. + +You can modify a security group by deleting or adding any number of +ingress and egress rules. When you do, the new rules apply to all VMs in +the group, whether running or stopped. + +If no ingress rules are specified, then no traffic will be allowed in, +except for responses to any traffic that has been allowed out through an +egress rule. + + +Adding a Security Group +~~~~~~~~~~~~~~~~~~~~~~~ + +A user or administrator can define a new security group. + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In Select view, choose Security Groups. + +#. Click Add Security Group. + +#. Provide a name and description. + +#. Click OK. + + The new security group appears in the Security Groups Details tab. + +#. To make the security group useful, continue to Adding Ingress and + Egress Rules to a Security Group. + + +Security Groups in Advanced Zones (KVM Only) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +CloudStack provides the ability to use security groups to provide +isolation between guests on a single shared, zone-wide network in an +advanced zone where KVM is the hypervisor. Using security groups in +advanced zones rather than multiple VLANs allows a greater range of +options for setting up guest isolation in a cloud. + + +Limitations +^^^^^^^^^^^ + +The following are not supported for this feature: + +- Two IP ranges with the same VLAN and different gateway or netmask in + security group-enabled shared network. + +- Two IP ranges with the same VLAN and different gateway or netmask in + account-specific shared networks. + +- Multiple VLAN ranges in security group-enabled shared network. + +- Multiple VLAN ranges in account-specific shared networks. 
+ +Security groups must be enabled in the zone in order for this feature to +be used. + + +Enabling Security Groups +~~~~~~~~~~~~~~~~~~~~~~~~ + +In order for security groups to function in a zone, the security groups +feature must first be enabled for the zone. The administrator can do +this when creating a new zone, by selecting a network offering that +includes security groups. The procedure is described in Basic Zone +Configuration in the Advanced Installation Guide. The administrator can +not enable security groups for an existing zone, only when creating a +new zone. + + +Adding Ingress and Egress Rules to a Security Group +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network + +#. In Select view, choose Security Groups, then click the security group + you want. + +#. To add an ingress rule, click the Ingress Rules tab and fill out the + following fields to specify what network traffic is allowed into VM + instances in this security group. If no ingress rules are specified, + then no traffic will be allowed in, except for responses to any + traffic that has been allowed out through an egress rule. + + - **Add by CIDR/Account**. Indicate whether the source of the + traffic will be defined by IP address (CIDR) or an existing + security group in a CloudStack account (Account). Choose Account + if you want to allow incoming traffic from all VMs in another + security group + + - **Protocol**. The networking protocol that sources will use to + send traffic to the security group. TCP and UDP are typically used + for data exchange and end-user communications. ICMP is typically + used to send error messages or network monitoring data. + + - **Start Port, End Port**. (TCP, UDP only) A range of listening + ports that are the destination for the incoming traffic. If you + are opening a single port, use the same number in both fields. 
+ + - **ICMP Type, ICMP Code**. (ICMP only) The type of message and + error code that will be accepted. + + - **CIDR**. (Add by CIDR only) To accept only traffic from IP + addresses within a particular address block, enter a CIDR or a + comma-separated list of CIDRs. The CIDR is the base IP address of + the incoming traffic. For example, 192.168.0.0/22. To allow all + CIDRs, set to 0.0.0.0/0. + + - **Account, Security Group**. (Add by Account only) To accept only + traffic from another security group, enter the CloudStack account + and name of a security group that has already been defined in that + account. To allow traffic between VMs within the security group + you are editing now, enter the same name you used in step 7. + + The following example allows inbound HTTP access from anywhere: + + |httpaccess.png| + +#. To add an egress rule, click the Egress Rules tab and fill out the + following fields to specify what type of traffic is allowed to be + sent out of VM instances in this security group. If no egress rules + are specified, then all traffic will be allowed out. Once egress + rules are specified, the following types of traffic are allowed out: + traffic specified in egress rules; queries to DNS and DHCP servers; + and responses to any traffic that has been allowed in through an + ingress rule + + - **Add by CIDR/Account**. Indicate whether the destination of the + traffic will be defined by IP address (CIDR) or an existing + security group in a CloudStack account (Account). Choose Account + if you want to allow outgoing traffic to all VMs in another + security group. + + - **Protocol**. The networking protocol that VMs will use to send + outgoing traffic. TCP and UDP are typically used for data exchange + and end-user communications. ICMP is typically used to send error + messages or network monitoring data. + + - **Start Port, End Port**. (TCP, UDP only) A range of listening + ports that are the destination for the outgoing traffic. 
If you + are opening a single port, use the same number in both fields. + + - **ICMP Type, ICMP Code**. (ICMP only) The type of message and + error code that will be sent + + - **CIDR**. (Add by CIDR only) To send traffic only to IP addresses + within a particular address block, enter a CIDR or a + comma-separated list of CIDRs. The CIDR is the base IP address of + the destination. For example, 192.168.0.0/22. To allow all CIDRs, + set to 0.0.0.0/0. + + - **Account, Security Group**. (Add by Account only) To allow + traffic to be sent to another security group, enter the CloudStack + account and name of a security group that has already been defined + in that account. To allow traffic between VMs within the security + group you are editing now, enter its name. + +#. Click Add. + + +.. |httpaccess.png| image:: /_static/images/http-access.png + :alt: allows inbound HTTP access from anywhere. + http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/72a3a7c1/source/networking/static_nat.rst ---------------------------------------------------------------------- diff --git a/source/networking/static_nat.rst b/source/networking/static_nat.rst new file mode 100644 index 0000000..4e6199e --- /dev/null +++ b/source/networking/static_nat.rst 
@@ -0,0 +1,56 @@ +.. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information# + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + + +Static NAT +---------- + +A static NAT rule maps a public IP address to the private IP address of +a VM in order to allow Internet traffic into the VM. The public IP +address always remains the same, which is why it is called static NAT. +This section tells how to enable or disable static NAT for a particular +IP address. + + +Enabling or Disabling Static NAT +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If port forwarding rules are already in effect for an IP address, you +cannot enable static NAT to that IP. + +If a guest VM is part of more than one network, static NAT rules will +function only if they are defined on the default network. + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. Click the name of the network where you want to work with. + +#. Click View IP Addresses. + +#. Click the IP address you want to work with. + +#. Click the Static NAT |enabledisablenat.png| button. + + The button toggles between Enable and Disable, depending on whether + static NAT is currently enabled for the IP address. + +#. If you are enabling static NAT, a dialog appears where you can choose + the destination VM and click Apply. 
+ + +.. |enabledisablenat.png| image:: /_static/images/enable-disable.png + :alt: button to enable/disable NAT. http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/72a3a7c1/source/networking/virtual_private_cloud_config.rst ---------------------------------------------------------------------- diff --git a/source/networking/virtual_private_cloud_config.rst b/source/networking/virtual_private_cloud_config.rst new file mode 100644 index 0000000..87188aa --- /dev/null +++ b/source/networking/virtual_private_cloud_config.rst 
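Review bot: the license header carries a stray "#" in "distributed with this work for additional information#"; the same typo appears in every new file in this commit, so it looks like a template error worth fixing at the source. In the numbered steps, "Click the name of the network where you want to work with" should read "Click the name of the network you want to work with". The two prerequisite sentences ("If port forwarding rules are already in effect ... you cannot enable static NAT" and "static NAT rules will function only if they are defined on the default network") are restrictions the reader needs before starting, so a `.. note::` directive, as the Remote Access VPN page in this commit already uses, would make them easier to spot than plain paragraphs.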
@@ -0,0 +1,1438 @@ +.. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information# + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + + +.. _configuring-vpc: + +Configuring a Virtual Private Cloud +----------------------------------- + +About Virtual Private Clouds +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +CloudStack Virtual Private Cloud is a private, isolated part of +CloudStack. A VPC can have its own virtual network topology that +resembles a traditional physical network. You can launch VMs in the +virtual network that can have private addresses in the range of your +choice, for example: 10.0.0.0/16. You can define network tiers within +your VPC network range, which in turn enables you to group similar kinds +of instances based on IP address range. + +For example, if a VPC has the private range 10.0.0.0/16, its guest +networks can have the network ranges 10.0.1.0/24, 10.0.2.0/24, +10.0.3.0/24, and so on. + + +Major Components of a VPC +^^^^^^^^^^^^^^^^^^^^^^^^^ + +A VPC is comprised of the following network components: + +- **VPC**: A VPC acts as a container for multiple isolated networks + that can communicate with each other via its virtual router. + +- **Network Tiers**: Each tier acts as an isolated network with its own + VLANs and CIDR list, where you can place groups of resources, such as + VMs. 
The tiers are segmented by means of VLANs. The NIC of each tier + acts as its gateway. + +- **Virtual Router**: A virtual router is automatically created and + started when you create a VPC. The virtual router connect the tiers + and direct traffic among the public gateway, the VPN gateways, and + the NAT instances. For each tier, a corresponding NIC and IP exist in + the virtual router. The virtual router provides DNS and DHCP services + through its IP. + +- **Public Gateway**: The traffic to and from the Internet routed to + the VPC through the public gateway. In a VPC, the public gateway is + not exposed to the end user; therefore, static routes are not support + for the public gateway. + +- **Private Gateway**: All the traffic to and from a private network + routed to the VPC through the private gateway. For more information, + see ":ref:`adding-priv-gw-vpc`". + +- **VPN Gateway**: The VPC side of a VPN connection. + +- **Site-to-Site VPN Connection**: A hardware-based VPN connection + between your VPC and your datacenter, home network, or co-location + facility. For more information, see ":ref:`setting-s2s-vpn-conn`". + +- **Customer Gateway**: The customer side of a VPN Connection. For more + information, see `"Creating and Updating a VPN + Customer Gateway" <#creating-and-updating-a-vpn-customer-gateway>`_. + +- **NAT Instance**: An instance that provides Port Address Translation + for instances to access the Internet via the public gateway. For more + information, see ":ref:`enabling-disabling-static-nat-on-vpc`". + +- **Network ACL**: Network ACL is a group of Network ACL items. Network + ACL items are nothing but numbered rules that are evaluated in order, + starting with the lowest numbered rule. These rules determine whether + traffic is allowed in or out of any tier associated with the network + ACL. For more information, see ":ref:`conf-net-acl`". 
+ + +Network Architecture in a VPC +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +In a VPC, the following four basic options of network architectures are +present: + +- VPC with a public gateway only + +- VPC with public and private gateways + +- VPC with public and private gateways and site-to-site VPN access + +- VPC with a private gateway only and site-to-site VPN access + + +Connectivity Options for a VPC +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You can connect your VPC to: + +- The Internet through the public gateway. + +- The corporate datacenter by using a site-to-site VPN connection + through the VPN gateway. + +- Both the Internet and your corporate datacenter by using both the + public gateway and a VPN gateway. + + +VPC Network Considerations +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Consider the following before you create a VPC: + +- A VPC, by default, is created in the enabled state. + +- A VPC can be created in Advance zone only, and can't belong to more + than one zone at a time. + +- The default number of VPCs an account can create is 20. However, you + can change it by using the max.account.vpcs global parameter, which + controls the maximum number of VPCs an account is allowed to create. + +- The default number of tiers an account can create within a VPC is 3. + You can configure this number by using the vpc.max.networks + parameter. + +- Each tier should have an unique CIDR in the VPC. Ensure that the + tier's CIDR should be within the VPC CIDR range. + +- A tier belongs to only one VPC. + +- All network tiers inside the VPC should belong to the same account. + +- When a VPC is created, by default, a SourceNAT IP is allocated to it. + The Source NAT IP is released only when the VPC is removed. + +- A public IP can be used for only one purpose at a time. If the IP is + a sourceNAT, it cannot be used for StaticNAT or port forwarding. + +- The instances can only have a private IP address that you provision. 
+ To communicate with the Internet, enable NAT to an instance that you + launch in your VPC. + +- Only new networks can be added to a VPC. The maximum number of + networks per VPC is limited by the value you specify in the + vpc.max.networks parameter. The default value is three. + +- The load balancing service can be supported by only one tier inside + the VPC. + +- If an IP address is assigned to a tier: + + - That IP can't be used by more than one tier at a time in the VPC. + For example, if you have tiers A and B, and a public IP1, you can + create a port forwarding rule by using the IP either for A or B, + but not for both. + + - That IP can't be used for StaticNAT, load balancing, or port + forwarding rules for another guest network inside the VPC. + +- Remote access VPN is not supported in VPC networks. + + +Adding a Virtual Private Cloud +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When creating the VPC, you simply provide the zone and a set of IP +addresses for the VPC network address space. You specify this set of +addresses in the form of a Classless Inter-Domain Routing (CIDR) block. + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + +#. Click Add VPC. The Add VPC page is displayed as follows: + + |add-vpc.png| + + Provide the following information: + + - **Name**: A short name for the VPC that you are creating. + + - **Description**: A brief description of the VPC. + + - **Zone**: Choose the zone where you want the VPC to be available. + + - **Super CIDR for Guest Networks**: Defines the CIDR range for all + the tiers (guest networks) within a VPC. When you create a tier, + ensure that its CIDR is within the Super CIDR value you enter. The + CIDR must be RFC1918 compliant. + + - **DNS domain for Guest Networks**: If you want to assign a special + domain name, specify the DNS suffix. This parameter is applied to + all the tiers within the VPC. 
That implies, all the tiers you + create in the VPC belong to the same DNS domain. If the parameter + is not specified, a DNS domain name is generated automatically. + + - **Public Load Balancer Provider**: You have two options: VPC + Virtual Router and Netscaler. + +#. Click OK. + + +Adding Tiers +~~~~~~~~~~~~ + +Tiers are distinct locations within a VPC that act as isolated networks, +which do not have access to other tiers by default. Tiers are set up on +different VLANs that can communicate with each other by using a virtual +router. Tiers provide inexpensive, low latency network connectivity to +other tiers within the VPC. + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPC that you have created for the account is listed in the + page. + + .. note:: + The end users can see their own VPCs, while root and domain admin can + see any VPC they are authorized to see. + +#. Click the Configure button of the VPC for which you want to set up + tiers. + +#. Click Create network. + + The Add new tier dialog is displayed, as follows: + + |add-tier.png| + + If you have already created tiers, the VPC diagram is displayed. + Click Create Tier to add a new tier. + +#. Specify the following: + + All the fields are mandatory. + + - **Name**: A unique name for the tier you create. + + - **Network Offering**: The following default network offerings are + listed: Internal LB, + DefaultIsolatedNetworkOfferingForVpcNetworksNoLB, + DefaultIsolatedNetworkOfferingForVpcNetworks + + In a VPC, only one tier can be created by using LB-enabled network + offering. + + - **Gateway**: The gateway for the tier you create. Ensure that the + gateway is within the Super CIDR range that you specified while + creating the VPC, and is not overlapped with the CIDR of any + existing tier within the VPC. + + - **VLAN**: The VLAN ID for the tier that the root admin creates. 
+ + This option is only visible if the network offering you selected + is VLAN-enabled. + + For more information, see `"Assigning VLANs to + Isolated Networks" <hosts.html#assigning-vlans-to-isolated-networks>`_. + + - **Netmask**: The netmask for the tier you create. + + For example, if the VPC CIDR is 10.0.0.0/16 and the network tier + CIDR is 10.0.1.0/24, the gateway of the tier is 10.0.1.1, and the + netmask of the tier is 255.255.255.0. + +#. Click OK. + +#. Continue with configuring access control list for the tier. + + +.. _conf-net-acl: + +Configuring Network Access Control List +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Define Network Access Control List (ACL) on the VPC virtual router to +control incoming (ingress) and outgoing (egress) traffic between the VPC +tiers, and the tiers and Internet. By default, all incoming traffic to +the guest networks is blocked and all outgoing traffic from guest +networks is allowed, once you add an ACL rule for outgoing traffic, then +only outgoing traffic specified in this ACL rule is allowed, the rest is +blocked. To open the ports, you must create a new network ACL. The +network ACLs can be created for the tiers only if the NetworkACL service +is supported. + + +About Network ACL Lists +^^^^^^^^^^^^^^^^^^^^^^^ + +In CloudStack terminology, Network ACL is a group of Network ACL items. +Network ACL items are nothing but numbered rules that are evaluated in +order, starting with the lowest numbered rule. These rules determine +whether traffic is allowed in or out of any tier associated with the +network ACL. You need to add the Network ACL items to the Network ACL, +then associate the Network ACL with a tier. Network ACL is associated +with a VPC and can be assigned to multiple VPC tiers within a VPC. A +Tier is associated with a Network ACL at all the times. Each tier can be +associated with only one ACL. + +The default Network ACL is used when no ACL is associated. 
Default +behavior is all the incoming traffic is blocked and outgoing traffic is +allowed from the tiers. Default network ACL cannot be removed or +modified. Contents of the default Network ACL is: + +===== ======== ============ ====== ========= +Rule Protocol Traffic type Action CIDR +===== ======== ============ ====== ========= +1 All Ingress Deny 0.0.0.0/0 +2 All Egress Deny 0.0.0.0/0 +===== ======== ============ ====== ========= + + +Creating ACL Lists +^^^^^^^^^^^^^^^^^^ + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPCs that you have created for the account is listed in the + page. + +#. Click the Configure button of the VPC. + + For each tier, the following options are displayed: + + - Internal LB + + - Public LB IP + + - Static NAT + + - Virtual Machines + + - CIDR + + The following router information is displayed: + + - Private Gateways + + - Public IP Addresses + + - Site-to-Site VPNs + + - Network ACL Lists + +#. Select Network ACL Lists. + + The following default rules are displayed in the Network ACLs page: + default\_allow, default\_deny. + +#. Click Add ACL Lists, and specify the following: + + - **ACL List Name**: A name for the ACL list. + + - **Description**: A short description of the ACL list that can be + displayed to users. + + +Creating an ACL Rule +^^^^^^^^^^^^^^^^^^^^ + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPCs that you have created for the account is listed in the + page. + +#. Click the Configure button of the VPC. + +#. Select Network ACL Lists. + + In addition to the custom ACL lists you have created, the following + default rules are displayed in the Network ACLs page: default\_allow, + default\_deny. + +#. Select the desired ACL list. + +#. Select the ACL List Rules tab. 
+ + To add an ACL rule, fill in the following fields to specify what kind + of network traffic is allowed in the VPC. + + - **Rule Number**: The order in which the rules are evaluated. + + - **CIDR**: The CIDR acts as the Source CIDR for the Ingress rules, + and Destination CIDR for the Egress rules. To accept traffic only + from or to the IP addresses within a particular address block, + enter a CIDR or a comma-separated list of CIDRs. The CIDR is the + base IP address of the incoming traffic. For example, + 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0. + + - **Action**: What action to be taken. Allow traffic or block. + + - **Protocol**: The networking protocol that sources use to send + traffic to the tier. The TCP and UDP protocols are typically used + for data exchange and end-user communications. The ICMP protocol + is typically used to send error messages or network monitoring + data. All supports all the traffic. Other option is Protocol + Number. + + - **Start Port**, **End Port** (TCP, UDP only): A range of listening + ports that are the destination for the incoming traffic. If you + are opening a single port, use the same number in both fields. + + - **Protocol Number**: The protocol number associated with IPv4 or + IPv6. For more information, see `Protocol Numbers + <http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml>`_. + + - **ICMP Type**, **ICMP Code** (ICMP only): The type of message and + error code that will be sent. + + - **Traffic Type**: The type of traffic: Incoming or outgoing. + +#. Click Add. The ACL rule is added. + + You can edit the tags assigned to the ACL rules and delete the ACL + rules you have created. Click the appropriate button in the Details + tab. + + +Creating a Tier with Custom ACL List +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +#. Create a VPC. + +#. Create a custom ACL list. + +#. Add ACL rules to the ACL list. + +#. Create a tier in the VPC. + + Select the desired ACL list while creating a tier. 
+ +#. Click OK. + + +Assigning a Custom ACL List to a Tier +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +#. Create a VPC. + +#. Create a tier in the VPC. + +#. Associate the tier with the default ACL rule. + +#. Create a custom ACL list. + +#. Add ACL rules to the ACL list. + +#. Select the tier for which you want to assign the custom ACL. + +#. Click the Replace ACL List icon. |replace-acl-icon.png| + + The Replace ACL List dialog is displayed. + +#. Select the desired ACL list. + +#. Click OK. + + +.. _adding-priv-gw-vpc: + +Adding a Private Gateway to a VPC +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +A private gateway can be added by the root admin only. The VPC private +network has 1:1 relationship with the NIC of the physical network. You +can configure multiple private gateways to a single VPC. No gateways +with duplicated VLAN and IP are allowed in the same data center. + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPCs that you have created for the account is listed in the + page. + +#. Click the Configure button of the VPC to which you want to configure + load balancing rules. + + The VPC page is displayed where all the tiers you created are listed + in a diagram. + +#. Click the Settings icon. + + The following options are displayed. + + - Internal LB + + - Public LB IP + + - Static NAT + + - Virtual Machines + + - CIDR + + The following router information is displayed: + + - Private Gateways + + - Public IP Addresses + + - Site-to-Site VPNs + + - Network ACL Lists + +#. Select Private Gateways. + + The Gateways page is displayed. + +#. Click Add new gateway: + + |add-new-gateway-vpc.png| + +#. Specify the following: + + - **Physical Network**: The physical network you have created in the + zone. + + - **IP Address**: The IP address associated with the VPC gateway. 
+ + - **Gateway**: The gateway through which the traffic is routed to + and from the VPC. + + - **Netmask**: The netmask associated with the VPC gateway. + + - **VLAN**: The VLAN associated with the VPC gateway. + + - **Source NAT**: Select this option to enable the source NAT + service on the VPC private gateway. + + See ":ref:`source-nat-priv-gw`". + + - **ACL**: Controls both ingress and egress traffic on a VPC private + gateway. By default, all the traffic is blocked. + + See ":ref:`acl-priv-gw`". + + The new gateway appears in the list. You can repeat these steps to + add more gateway for this VPC. + + +.. _source-nat-priv-gw: + +Source NAT on Private Gateway +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You might want to deploy multiple VPCs with the same super CIDR and +guest tier CIDR. Therefore, multiple guest VMs from different VPCs can +have the same IPs to reach a enterprise data center through the private +gateway. In such cases, a NAT service need to be configured on the +private gateway to avoid IP conflicts. If Source NAT is enabled, the +guest VMs in VPC reaches the enterprise network via private gateway IP +address by using the NAT service. + +The Source NAT service on a private gateway can be enabled while adding +the private gateway. On deletion of a private gateway, source NAT rules +specific to the private gateway are deleted. + +To enable source NAT on existing private gateways, delete them and +create afresh with source NAT. + + +.. _acl-priv-gw: + +ACL on Private Gateway +^^^^^^^^^^^^^^^^^^^^^^ + +The traffic on the VPC private gateway is controlled by creating both +ingress and egress network ACL rules. The ACLs contains both allow and +deny rules. As per the rule, all the ingress traffic to the private +gateway interface and all the egress traffic out from the private +gateway interface are blocked. + +You can change this default behaviour while creating a private gateway. +Alternatively, you can do the following: + +#. 
In a VPC, identify the Private Gateway you want to work with. + +#. In the Private Gateway page, do either of the following: + + - Use the Quickview. See 3. + + - Use the Details tab. See 4 through . + +#. In the Quickview of the selected Private Gateway, click Replace ACL, + select the ACL rule, then click OK + +#. Click the IP address of the Private Gateway you want to work with. + +#. In the Detail tab, click the Replace ACL button. + |replace-acl-icon.png| + + The Replace ACL dialog is displayed. + +#. select the ACL rule, then click OK. + + Wait for few seconds. You can see that the new ACL rule is displayed + in the Details page. + + +Creating a Static Route +^^^^^^^^^^^^^^^^^^^^^^^ + +CloudStack enables you to specify routing for the VPN connection you +create. You can enter one or CIDR addresses to indicate which traffic is +to be routed back to the gateway. + +#. In a VPC, identify the Private Gateway you want to work with. + +#. In the Private Gateway page, click the IP address of the Private + Gateway you want to work with. + +#. Select the Static Routes tab. + +#. Specify the CIDR of destination network. + +#. Click Add. + + Wait for few seconds until the new route is created. + + +Blacklisting Routes +^^^^^^^^^^^^^^^^^^^ + +CloudStack enables you to block a list of routes so that they are not +assigned to any of the VPC private gateways. Specify the list of routes +that you want to blacklist in the ``blacklisted.routes`` global +parameter. Note that the parameter update affects only new static route +creations. If you block an existing static route, it remains intact and +continue functioning. You cannot add a static route if the route is +blacklisted for the zone. + + +Deploying VMs to the Tier +~~~~~~~~~~~~~~~~~~~~~~~~~ + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPCs that you have created for the account is listed in the + page. 
+ +#. Click the Configure button of the VPC to which you want to deploy the + VMs. + + The VPC page is displayed where all the tiers you have created are + listed. + +#. Click Virtual Machines tab of the tier to which you want to add a VM. + + |add-vm-vpc.png| + + The Add Instance page is displayed. + + Follow the on-screen instruction to add an instance. For information + on adding an instance, see the Installation Guide. + + +Deploying VMs to VPC Tier and Shared Networks +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +CloudStack allows you deploy VMs on a VPC tier and one or more shared +networks. With this feature, VMs deployed in a multi-tier application +can receive monitoring services via a shared network provided by a +service provider. + +#. Log in to the CloudStack UI as an administrator. + +#. In the left navigation, choose Instances. + +#. Click Add Instance. + +#. Select a zone. + +#. Select a template or ISO, then follow the steps in the wizard. + +#. Ensure that the hardware you have allows starting the selected + service offering. + +#. Under Networks, select the desired networks for the VM you are + launching. + + You can deploy a VM to a VPC tier and multiple shared networks. + + |addvm-tier-sharednw.png| + +#. Click Next, review the configuration and click Launch. + + Your VM will be deployed to the selected VPC tier and shared network. + + +Acquiring a New IP Address for a VPC +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When you acquire an IP address, all IP addresses are allocated to VPC, +not to the guest networks within the VPC. The IPs are associated to the +guest network only when the first port-forwarding, load balancing, or +Static NAT rule is created for the IP or the network. IP can't be +associated to more than one network at a time. + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. 
+ + All the VPCs that you have created for the account is listed in the + page. + +#. Click the Configure button of the VPC to which you want to deploy the + VMs. + + The VPC page is displayed where all the tiers you created are listed + in a diagram. + + The following options are displayed. + + - Internal LB + + - Public LB IP + + - Static NAT + + - Virtual Machines + + - CIDR + + The following router information is displayed: + + - Private Gateways + + - Public IP Addresses + + - Site-to-Site VPNs + + - Network ACL Lists + +#. Select IP Addresses. + + The Public IP Addresses page is displayed. + +#. Click Acquire New IP, and click Yes in the confirmation dialog. + + You are prompted for confirmation because, typically, IP addresses + are a limited resource. Within a few moments, the new IP address + should appear with the state Allocated. You can now use the IP + address in port forwarding, load balancing, and static NAT rules. + + +Releasing an IP Address Alloted to a VPC +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The IP address is a limited resource. If you no longer need a particular +IP, you can disassociate it from its VPC and return it to the pool of +available addresses. An IP address can be released from its tier, only +when all the networking ( port forwarding, load balancing, or StaticNAT +) rules are removed for this IP address. The released IP address will +still belongs to the same VPC. + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPCs that you have created for the account is listed in the + page. + +#. Click the Configure button of the VPC whose IP you want to release. + + The VPC page is displayed where all the tiers you created are listed + in a diagram. + + The following options are displayed. 
+ + - Internal LB + + - Public LB IP + + - Static NAT + + - Virtual Machines + + - CIDR + + The following router information is displayed: + + - Private Gateways + + - Public IP Addresses + + - Site-to-Site VPNs + + - Network ACL Lists + +#. Select Public IP Addresses. + + The IP Addresses page is displayed. + +#. Click the IP you want to release. + +#. In the Details tab, click the Release IP button |release-ip-icon.png| + + +.. _enabling-disabling-static-nat-on-vpc: + +Enabling or Disabling Static NAT on a VPC +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +A static NAT rule maps a public IP address to the private IP address of +a VM in a VPC to allow Internet traffic to it. This section tells how to +enable or disable static NAT for a particular IP address in a VPC. + +If port forwarding rules are already in effect for an IP address, you +cannot enable static NAT to that IP. + +If a guest VM is part of more than one network, static NAT rules will +function only if they are defined on the default network. + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPCs that you have created for the account is listed in the + page. + +#. Click the Configure button of the VPC to which you want to deploy the + VMs. + + The VPC page is displayed where all the tiers you created are listed + in a diagram. + + For each tier, the following options are displayed. + + - Internal LB + + - Public LB IP + + - Static NAT + + - Virtual Machines + + - CIDR + + The following router information is displayed: + + - Private Gateways + + - Public IP Addresses + + - Site-to-Site VPNs + + - Network ACL Lists + +#. In the Router node, select Public IP Addresses. + + The IP Addresses page is displayed. + +#. Click the IP you want to work with. + +#. In the Details tab,click the Static NAT button. 
|enable-disable.png| + The button toggles between Enable and + Disable, depending on whether static NAT is currently enabled for the + IP address. + +#. If you are enabling static NAT, a dialog appears as follows: + + |select-vmstatic-nat.png| + +#. Select the tier and the destination VM, then click Apply. + + +Adding Load Balancing Rules on a VPC +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In a VPC, you can configure two types of load balancing: external LB and +internal LB. External LB is nothing but a LB rule created to redirect +the traffic received at a public IP of the VPC virtual router. The +traffic is load balanced within a tier based on your configuration. +Citrix NetScaler and VPC virtual router are supported for external LB. +When you use internal LB service, traffic received at a tier is load +balanced across different VMs within that tier. For example, traffic +reached at Web tier is redirected to another VM in that tier. External +load balancing devices are not supported for internal LB. The service is +provided by a internal LB VM configured on the target tier. + + +Load Balancing Within a Tier (External LB) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +A CloudStack user or administrator may create load balancing rules that +balance traffic received at a public IP to one or more VMs that belong +to a network tier that provides load balancing service in a VPC. A user +creates a rule, specifies an algorithm, and assigns the rule to a set of +VMs within a tier. + + +Enabling NetScaler as the LB Provider on a VPC Tier +''''''''''''''''''''''''''''''''''''''''''''''''''' + +#. Add and enable Netscaler VPX in dedicated mode. + + Netscaler can be used in a VPC environment only if it is in dedicated + mode. + +#. Create a network offering, as given in ":ref:`create-net-offering-ext-lb`". + +#. Create a VPC with Netscaler as the Public LB provider. + + For more information, see `"Adding a Virtual Private + Cloud" <#adding-a-virtual-private-cloud>`_. + +#. 
For the VPC, acquire an IP. + +#. Create an external load balancing rule and apply, as given in + :ref:`create-ext-lb-rule`. + + +.. _create-net-offering-ext-lb: + +Creating a Network Offering for External LB +''''''''''''''''''''''''''''''''''''''''''' + +To have external LB support on VPC, create a network offering as +follows: + +#. Log in to the CloudStack UI as a user or admin. + +#. From the Select Offering drop-down, choose Network Offering. + +#. Click Add Network Offering. + +#. In the dialog, make the following choices: + + - **Name**: Any desired name for the network offering. + + - **Description**: A short description of the offering that can be + displayed to users. + + - **Network Rate**: Allowed data transfer rate in MB per second. + + - **Traffic Type**: The type of network traffic that will be carried + on the network. + + - **Guest Type**: Choose whether the guest network is isolated or + shared. + + - **Persistent**: Indicate whether the guest network is persistent + or not. The network that you can provision without having to + deploy a VM on it is termed persistent network. + + - **VPC**: This option indicate whether the guest network is Virtual + Private Cloud-enabled. A Virtual Private Cloud (VPC) is a private, + isolated part of CloudStack. A VPC can have its own virtual + network topology that resembles a traditional physical network. + For more information on VPCs, see `"About Virtual Private Clouds" <#about-virtual-private-clouds>`_. + + - **Specify VLAN**: (Isolated guest networks only) Indicate whether + a VLAN should be specified when this offering is used. + + - **Supported Services**: Select Load Balancer. Use Netscaler or + VpcVirtualRouter. + + - **Load Balancer Type**: Select Public LB from the drop-down. + + - **LB Isolation**: Select Dedicated if Netscaler is used as the + external LB provider. + + - **System Offering**: Choose the system service offering that you + want virtual routers to use in this network. 
+ + - **Conserve mode**: Indicate whether to use conserve mode. In this + mode, network resources are allocated only when the first virtual + machine starts in the network. + +#. Click OK and the network offering is created. + + +.. _create-ext-lb-rule: + +Creating an External LB Rule +'''''''''''''''''''''''''''' + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPCs that you have created for the account is listed in the + page. + +#. Click the Configure button of the VPC, for which you want to + configure load balancing rules. + + The VPC page is displayed where all the tiers you created listed in a + diagram. + + For each tier, the following options are displayed: + + - Internal LB + + - Public LB IP + + - Static NAT + + - Virtual Machines + + - CIDR + + The following router information is displayed: + + - Private Gateways + + - Public IP Addresses + + - Site-to-Site VPNs + + - Network ACL Lists + +#. In the Router node, select Public IP Addresses. + + The IP Addresses page is displayed. + +#. Click the IP address for which you want to create the rule, then + click the Configuration tab. + +#. In the Load Balancing node of the diagram, click View All. + +#. Select the tier to which you want to apply the rule. + +#. Specify the following: + + - **Name**: A name for the load balancer rule. + + - **Public Port**: The port that receives the incoming traffic to be + balanced. + + - **Private Port**: The port that the VMs will use to receive the + traffic. + + - **Algorithm**. Choose the load balancing algorithm you want + CloudStack to use. CloudStack supports the following well-known + algorithms: + + - Round-robin + + - Least connections + + - Source + + - **Stickiness**. (Optional) Click Configure and choose the + algorithm for the stickiness policy. See Sticky Session Policies + for Load Balancer Rules. 
+ + - **Add VMs**: Click Add VMs, then select two or more VMs that will + divide the load of incoming traffic, and click Apply. + +The new load balancing rule appears in the list. You can repeat these +steps to add more load balancing rules for this IP address. + + +Load Balancing Across Tiers +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +CloudStack supports sharing workload across different tiers within your +VPC. Assume that multiple tiers are set up in your environment, such as +Web tier and Application tier. Traffic to each tier is balanced on the +VPC virtual router on the public side, as explained in +`"Adding Load Balancing Rules on a VPC" <#adding-load-balancing-rules-on-a-vpc>`_. +If you want the traffic coming +from the Web tier to the Application tier to be balanced, use the +internal load balancing feature offered by CloudStack. + + +How Does Internal LB Work in VPC? +''''''''''''''''''''''''''''''''' + +In this figure, a public LB rule is created for the public IP +72.52.125.10 with public port 80 and private port 81. The LB rule, +created on the VPC virtual router, is applied on the traffic coming from +the Internet to the VMs on the Web tier. On the Application tier two +internal load balancing rules are created. An internal LB rule for the +guest IP 10.10.10.4 with load balancer port 23 and instance port 25 is +configured on the VM, InternalLBVM1. Another internal LB rule for the +guest IP 10.10.10.4 with load balancer port 45 and instance port 46 is +configured on the VM, InternalLBVM1. Another internal LB rule for the +guest IP 10.10.10.6, with load balancer port 23 and instance port 25 is +configured on the VM, InternalLBVM2. + +|vpc-lb.png| + + +Guidelines +'''''''''' + +- Internal LB and Public LB are mutually exclusive on a tier. If the + tier has LB on the public side, then it can't have the Internal LB. + +- Internal LB is supported just on VPC networks in CloudStack 4.2 + release. 
+ +- Only Internal LB VM can act as the Internal LB provider in CloudStack + 4.2 release. + +- Network upgrade is not supported from the network offering with + Internal LB to the network offering with Public LB. + +- Multiple tiers can have internal LB support in a VPC. + +- Only one tier can have Public LB support in a VPC. + + +Enabling Internal LB on a VPC Tier +'''''''''''''''''''''''''''''''''' + +#. Create a network offering, as given in + :ref:`creating-net-offering-internal-lb`. + +#. Create an internal load balancing rule and apply, as given in + :ref:`create-int-lb-rule`. + + +.. _creating-net-offering-internal-lb: + +Creating a Network Offering for Internal LB +''''''''''''''''''''''''''''''''''''''''''' + +To have internal LB support on VPC, either use the default offering, +DefaultIsolatedNetworkOfferingForVpcNetworksWithInternalLB, or create a +network offering as follows: + +#. Log in to the CloudStack UI as a user or admin. + +#. From the Select Offering drop-down, choose Network Offering. + +#. Click Add Network Offering. + +#. In the dialog, make the following choices: + + - **Name**: Any desired name for the network offering. + + - **Description**: A short description of the offering that can be + displayed to users. + + - **Network Rate**: Allowed data transfer rate in MB per second. + + - **Traffic Type**: The type of network traffic that will be carried + on the network. + + - **Guest Type**: Choose whether the guest network is isolated or + shared. + + - **Persistent**: Indicate whether the guest network is persistent + or not. The network that you can provision without having to + deploy a VM on it is termed persistent network. + + - **VPC**: This option indicate whether the guest network is Virtual + Private Cloud-enabled. A Virtual Private Cloud (VPC) is a private, + isolated part of CloudStack. A VPC can have its own virtual + network topology that resembles a traditional physical network. 
+ For more information on VPCs, see `"About Virtual + Private Clouds" <#about-virtual-private-clouds>`_. + + - **Specify VLAN**: (Isolated guest networks only) Indicate whether + a VLAN should be specified when this offering is used. + + - **Supported Services**: Select Load Balancer. Select + ``InternalLbVM`` from the provider list. + + - **Load Balancer Type**: Select Internal LB from the drop-down. + + - **System Offering**: Choose the system service offering that you + want virtual routers to use in this network. + + - **Conserve mode**: Indicate whether to use conserve mode. In this + mode, network resources are allocated only when the first virtual + machine starts in the network. + +#. Click OK and the network offering is created. + + +.. _create-int-lb-rule: + +Creating an Internal LB Rule +'''''''''''''''''''''''''''' + +When you create the Internal LB rule and applies to a VM, an Internal LB +VM, which is responsible for load balancing, is created. + +You can view the created Internal LB VM in the Instances page if you +navigate to **Infrastructure** > **Zones** > <zone\_ name> > +<physical\_network\_name> > **Network Service Providers** > **Internal +LB VM**. You can manage the Internal LB VMs as and when required from +the location. + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPCs that you have created for the account is listed in the + page. + +#. Locate the VPC for which you want to configure internal LB, then + click Configure. + + The VPC page is displayed where all the tiers you created listed in a + diagram. + +#. Locate the Tier for which you want to configure an internal LB rule, + click Internal LB. + + In the Internal LB page, click Add Internal LB. + +#. In the dialog, specify the following: + + - **Name**: A name for the load balancer rule. 
+ + - **Description**: A short description of the rule that can be + displayed to users. + + - **Source IP Address**: (Optional) The source IP from which traffic + originates. The IP is acquired from the CIDR of that particular + tier on which you want to create the Internal LB rule. If not + specified, the IP address is automatically allocated from the + network CIDR. + + For every Source IP, a new Internal LB VM is created for load + balancing. + + - **Source Port**: The port associated with the source IP. Traffic + on this port is load balanced. + + - **Instance Port**: The port of the internal LB VM. + + - **Algorithm**. Choose the load balancing algorithm you want + CloudStack to use. CloudStack supports the following well-known + algorithms: + + - Round-robin + + - Least connections + + - Source + + +Adding a Port Forwarding Rule on a VPC +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPCs that you have created for the account is listed in the + page. + +#. Click the Configure button of the VPC to which you want to deploy the + VMs. + + The VPC page is displayed where all the tiers you created are listed + in a diagram. + + For each tier, the following options are displayed: + + - Internal LB + + - Public LB IP + + - Static NAT + + - Virtual Machines + + - CIDR + + The following router information is displayed: + + - Private Gateways + + - Public IP Addresses + + - Site-to-Site VPNs + + - Network ACL Lists + +#. In the Router node, select Public IP Addresses. + + The IP Addresses page is displayed. + +#. Click the IP address for which you want to create the rule, then + click the Configuration tab. + +#. In the Port Forwarding node of the diagram, click View All. + +#. Select the tier to which you want to apply the rule. + +#. 
Specify the following: + + - **Public Port**: The port to which public traffic will be + addressed on the IP address you acquired in the previous step. + + - **Private Port**: The port on which the instance is listening for + forwarded public traffic. + + - **Protocol**: The communication protocol in use between the two + ports. + + - TCP + + - UDP + + - **Add VM**: Click Add VM. Select the name of the instance to which + this rule applies, and click Apply. + + You can test the rule by opening an SSH session to the instance. + + +Removing Tiers +~~~~~~~~~~~~~~ + +You can remove a tier from a VPC. A removed tier cannot be revoked. When +a tier is removed, only the resources of the tier are expunged. All the +network rules (port forwarding, load balancing and staticNAT) and the IP +addresses associated to the tier are removed. The IP address still be +belonging to the same VPC. + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPC that you have created for the account is listed in the + page. + +#. Click the Configure button of the VPC for which you want to set up + tiers. + + The Configure VPC page is displayed. Locate the tier you want to work + with. + +#. Select the tier you want to remove. + +#. In the Network Details tab, click the Delete Network button. + |del-tier.png| + + Click Yes to confirm. Wait for some time for the tier to be removed. + + +Editing, Restarting, and Removing a Virtual Private Cloud +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. note:: Ensure that all the tiers are removed before you remove a VPC. + +#. Log in to the CloudStack UI as an administrator or end user. + +#. In the left navigation, choose Network. + +#. In the Select view, select VPC. + + All the VPCs that you have created for the account is listed in the + page. + +#. Select the VPC you want to work with. + +#. 
In the Details tab, click the Remove VPC button |remove-vpc.png| + + You can remove the VPC by also using the remove button in the Quick + View. + + You can edit the name and description of a VPC. To do that, select + the VPC, then click the Edit button. |vpc-edit-icon.png| + + To restart a VPC, select the VPC, then click the Restart button. + |restart-vpc.png| + + +.. |add-vpc.png| image:: /_static/images/add-vpc.png + :alt: adding a vpc. +.. |add-tier.png| image:: /_static/images/add-tier.png + :alt: adding a tier to a vpc. +.. |replace-acl-icon.png| image:: /_static/images/replace-acl-icon.png + :alt: button to replace an ACL list +.. |add-new-gateway-vpc.png| image:: /_static/images/add-new-gateway-vpc.png + :alt: adding a private gateway for the VPC. +.. |add-vm-vpc.png| image:: /_static/images/add-vm-vpc.png + :alt: adding a VM to a vpc. +.. |addvm-tier-sharednw.png| image:: /_static/images/addvm-tier-sharednw.png + :alt: adding a VM to a VPC tier and shared network. +.. |release-ip-icon.png| image:: /_static/images/release-ip-icon.png + :alt: button to release an IP. +.. |enable-disable.png| image:: /_static/images/enable-disable.png + :alt: button to enable Static NAT. +.. |select-vmstatic-nat.png| image:: /_static/images/select-vm-staticnat-vpc.png + :alt: selecting a tier to apply staticNAT. +.. |vpc-lb.png| image:: /_static/images/vpc-lb.png + :alt: Configuring internal LB for VPC +.. |del-tier.png| image:: /_static/images/del-tier.png + :alt: button to remove a tier +.. |vpc-edit-icon.png| image:: /_static/images/edit-icon.png + :alt: button to edit. +.. |remove-vpc.png| image:: /_static/images/remove-vpc.png + :alt: button to remove a VPC +.. |restart-vpc.png| image:: /_static/images/restart-vpc.png + :alt: button to restart a VPC
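Review bot: the "Removing Tiers" paragraph contradicts itself: it says the IP addresses associated to the tier are removed and then that "The IP address still be belonging to the same VPC"; state plainly that the rules (port forwarding, load balancing, static NAT) on the tier are deleted while the acquired public IPs stay allocated to the VPC, and replace "cannot be revoked" with "cannot be restored". In the Internal LB rule fields, "Instance Port: The port of the internal LB VM" reads as a port on the LB VM itself, whereas the external rule's "Private Port" is described as the port the VMs use to receive the traffic; say which endpoint the instance port belongs to. The "Stickiness" bullet sends the reader to "Sticky Session Policies for Load Balancer Rules" with no link, and the cross-references to "Adding a Virtual Private Cloud", "About Virtual Private Clouds" and "Adding Load Balancing Rules on a VPC" use raw HTML anchors; prefer ``:ref:`` labels as already done for ``create-ext-lb-rule`` so the links survive a heading rename. Smaller fixes: "<zone\_ name>" has a stray space, "When you create the Internal LB rule and applies to a VM" should read "and apply it to a VM", "a internal LB VM" should be "an internal LB VM", "This option indicate" should be "indicates" (both offering sections), "All the VPCs that you have created for the account is listed" should be "are listed", and "where all the tiers you created listed in a diagram" needs "are listed".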