Networking in CloudPlatform
Note: This article assumes you've already followed the wizard to create an instance. Read: How do I create a new Cloud Server.
Each instance/VM in CloudPlatform is placed within a customer-defined guest network. Each guest network is on a separate VLAN, so isolation is achieved at Layer 2. When you create your first instance (VM), a new guest network is created automatically using the default network offering (DefaultIsolatedNetworkOfferingWithSourceNatService). You can find it listed under Networks.
In this mode the guest network is allocated a single public IP that acts as a NAT (Network Address Translation) gateway, giving your instances private IPs in the 192.168.x.x range via DHCP. These IPs can be treated as static, as they 'stick' to a VM: the IPs and other configuration are kept in a database.
Note: There is no intranet routing available: network traffic between VMs in separate guest networks can only be routed via the public IP, the WAN gateway on the Virtual Router. All such outgoing traffic is therefore measured and charged.
Enable outgoing traffic from the Cloud Server to the Internet – Egress Rules
To allow Internet access from within a VM (outgoing traffic, cloud server to the Internet) the egress firewall has to be configured. When an egress firewall rule is applied, the traffic matching the rule is allowed and all remaining traffic is blocked. When all egress rules are removed, the default policy, Block, applies.
Consider the following scenarios to apply egress firewall rules:
- Allow egress traffic from a specified source CIDR. The source CIDR is part of the guest network CIDR.
- Allow egress traffic with destination protocol TCP, UDP, ICMP, or ALL.
- Allow egress traffic with a destination protocol and port range. The port range is specified for TCP or UDP, or as the ICMP type and code.
Configuring an Egress firewall rule:
1. In the left navigation, choose Network.
2. In Select view, choose Guest networks, then click the Guest network you want.
3. To add an egress rule, click the Egress rules tab and fill out the fields (source CIDR, protocol and, where applicable, the port range or ICMP type and code) to specify what type of traffic is allowed to be sent out of VM instances in this guest network.
4. Click Add.
Example: to allow all traffic to leave your server uncontrolled, set the source CIDR to 0.0.0.0/0, set the protocol to 'All' and click 'Add'. A narrower rule (a single protocol or a limited port range) restricts what a compromised instance could reach from inside your network.
Enable incoming traffic from the Internet to the Cloud Server
To enable access to your cloud server from the Internet (incoming traffic, from the Internet to the VM), there are two options for exposing your VM:
- Set up port forwarding on the NAT for your network
- Set up a Static NAT DMZ for a single VM
1. Set up port forwarding on the NAT for your network
a) Go to Network > Guest networks > select the network > View IP Addresses > select xxx.xxx.xxx.xxx [Source NAT] (your public IP address)
b) Configuration tab > Port Forwarding
c) Add the required ports/protocols to port forwarding (e.g. 3389 TCP for RDP, 80 TCP for HTTP, or 22 TCP for SSH), using the same port number as both the private and the public port
d) Add your VM
e) Repeat steps c and d for UDP ports if required.
f) Open the same ports on the firewall (the ingress firewall rules of the public IP)
Note: the 0.0.0.0/0 CIDR means the whole Internet; use a narrower source CIDR where you can, especially for administrative ports such as RDP and SSH.
2. Set up a Static NAT DMZ for a single VM
a) Click the Acquire New IP button in the upper right corner
b) Click Enable Static NAT
c) Select the VM and click Apply
d) Again, open the required ports on the firewall (see the diagram on the Configuration tab).
e) Resulting network looks like this:
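The two procedures above (the egress rules, and port forwarding or static NAT plus the matching ingress firewall rules) map onto the CloudStack-derived API that CloudPlatform exposes. The following is an added example, not part of this article and not CloudPlatform's own code: it builds the signed API requests for those steps. The endpoint, API key, secret key and resource ids are constructed placeholders, and the code assumes the standard CloudStack request-signing scheme (sorted, URL-encoded, lower-cased query string, HMAC-SHA1 with the secret key, base64) and the documented commands createEgressFirewallRule, createFirewallRule, createPortForwardingRule and enableStaticNat.

```python
"""Added example: signed CloudStack/CloudPlatform API requests for the egress
and ingress steps described in the article. Not the provider's code.

Assumptions: ENDPOINT, API_KEY, SECRET_KEY and every id passed in are
constructed placeholders; signing follows the standard CloudStack scheme.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlencode

ENDPOINT = "https://cloud.example.invalid/client/api"  # placeholder endpoint
API_KEY = "EXAMPLE-API-KEY"                            # placeholder key
SECRET_KEY = "EXAMPLE-SECRET-KEY"                      # placeholder secret


def signing_string(params):
    """Canonical string CloudStack signs: keys sorted case-insensitively,
    values URL-encoded ('/' becomes %2F), then the whole string lower-cased."""
    pairs = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={quote(str(v), safe='*')}" for k, v in pairs).lower()


def sign(params, secret):
    """HMAC-SHA1 over the canonical string, base64-encoded (28 characters)."""
    mac = hmac.new(secret.encode(), signing_string(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_url(command, **kwargs):
    """Full GET URL for one API call. The signature covers every parameter,
    so a request altered in transit (other port, CIDR or VM id) is rejected."""
    params = {"command": command, "apiKey": API_KEY, "response": "json", **kwargs}
    params["signature"] = sign(params, SECRET_KEY)
    return f"{ENDPOINT}?{urlencode(params)}"


def egress_rule(networkid, protocol="tcp", cidrlist="0.0.0.0/0",
                startport=None, endport=None):
    """Egress rule for a guest network. With no rule at all, outgoing traffic is
    blocked; protocol 'all' with 0.0.0.0/0 is the 'uncontrolled' rule from the text."""
    params = {"networkid": networkid, "protocol": protocol, "cidrlist": cidrlist}
    if startport is not None:  # port range only makes sense for tcp/udp
        params["startport"] = startport
        params["endport"] = endport if endport is not None else startport
    return build_url("createEgressFirewallRule", **params)


def expose_ports(ipaddressid, virtualmachineid, ports, protocol="tcp",
                 cidrlist="0.0.0.0/0"):
    """Option 1 (steps c to f): one port-forwarding rule plus one ingress
    firewall rule per port, same public and private port. Returns URLs in order."""
    urls = []
    for port in ports:
        urls.append(build_url("createPortForwardingRule", ipaddressid=ipaddressid,
                              virtualmachineid=virtualmachineid, protocol=protocol,
                              publicport=port, privateport=port))
        urls.append(build_url("createFirewallRule", ipaddressid=ipaddressid,
                              protocol=protocol, cidrlist=cidrlist,
                              startport=port, endport=port))
    return urls


def static_nat(ipaddressid, virtualmachineid, ports, protocol="tcp",
               cidrlist="0.0.0.0/0"):
    """Option 2: enable static NAT on an acquired IP, then open the needed ports
    (step d). The firewall rules are the only thing limiting what reaches the VM."""
    urls = [build_url("enableStaticNat", ipaddressid=ipaddressid,
                      virtualmachineid=virtualmachineid)]
    for port in ports:
        urls.append(build_url("createFirewallRule", ipaddressid=ipaddressid,
                              protocol=protocol, cidrlist=cidrlist,
                              startport=port, endport=port))
    return urls


if __name__ == "__main__":
    # Constructed ids and a documentation-range admin CIDR; a real run would
    # issue each URL with urllib.request.urlopen and check the JSON response.
    print(egress_rule("net-0001", protocol="all"))
    for url in expose_ports("ip-0001", "vm-0001", [22, 80], cidrlist="203.0.113.0/24"):
        print(url)
```

Running the file prints the request URLs without sending anything, which is a convenient way to review exactly which CIDR, protocol and port each rule would open before it is applied. The signature is computed over every parameter, so the same helpers serve both the egress section and the two ingress options; only the command and its parameters differ.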
Configuring the Operating System
Finally, ensure that the software firewall inside your Cloud Server allows traffic on the port number you wish to accept connections on.
Refer to these operating system specific guides: