Product SiteDocumentation Site

11.19. Configuring a Virtual Private Cloud

11.19.1. About Virtual Private Clouds

CloudStack Virtual Private Cloud is a private, isolated part of CloudStack. A VPC can have its own virtual network topology that resembles a traditional physical network. You can launch VMs in the virtual network that can have private addresses in the range of your choice, for example: 10.0.0.0/16. You can define network tiers within your VPC network range, which in turn enables you to group similar kinds of instances based on IP address range.
For example, if a VPC has the private range 10.0.0.0/16, its guest networks can have the network ranges 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, and so on.
Major Components of a VPC:
A VPC is comprised of the following network components:
  • VPC: A VPC acts as a container for multiple isolated networks that can communicate with each other via its virtual router.
  • Network Tiers: Each tier acts as an isolated network with its own VLANs and CIDR list, where you can place groups of resources, such as VMs. The tiers are segmented by means of VLANs. The NIC of each tier acts as its gateway.
  • Virtual Router: A virtual router is automatically created and started when you create a VPC. The virtual router connect the tiers and direct traffic among the public gateway, the VPN gateways, and the NAT instances. For each tier, a corresponding NIC and IP exist in the virtual router. The virtual router provides DNS and DHCP services through its IP.
  • Public Gateway: The traffic to and from the Internet routed to the VPC through the public gateway. In a VPC, the public gateway is not exposed to the end user; therefore, static routes are not support for the public gateway.
  • Private Gateway: All the traffic to and from a private network routed to the VPC through the private gateway. For more information, see Section 11.19.5, “Adding a Private Gateway to a VPC”.
  • VPN Gateway: The VPC side of a VPN connection.
  • Site-to-Site VPN Connection: A hardware-based VPN connection between your VPC and your datacenter, home network, or co-location facility. For more information, see Section 11.17.4, “Setting Up a Site-to-Site VPN Connection”.
  • Customer Gateway: The customer side of a VPN Connection. For more information, see Section 11.17.4.1, “Creating and Updating a VPN Customer Gateway”.
  • NAT Instance: An instance that provides Port Address Translation for instances to access the Internet via the public gateway. For more information, see Section 11.19.9, “Enabling or Disabling Static NAT on a VPC”.
Network Architecture in a VPC
In a VPC, the following four basic options of network architectures are present:
  • VPC with a public gateway only
  • VPC with public and private gateways
  • VPC with public and private gateways and site-to-site VPN access
  • VPC with a private gateway only and site-to-site VPN access
Connectivity Options for a VPC
You can connect your VPC to:
  • The Internet through the public gateway.
  • The corporate datacenter by using a site-to-site VPN connection through the VPN gateway.
  • Both the Internet and your corporate datacenter by using both the public gateway and a VPN gateway.
VPC Network Considerations
Consider the following before you create a VPC:
  • A VPC, by default, is created in the enabled state.
  • A VPC can be created in Advance zone only, and can't belong to more than one zone at a time.
  • The default number of VPCs an account can create is 20. However, you can change it by using the max.account.vpcs global parameter, which controls the maximum number of VPCs an account is allowed to create.
  • The default number of tiers an account can create within a VPC is 3. You can configure this number by using the vpc.max.networks parameter.
  • Each tier should have an unique CIDR in the VPC. Ensure that the tier's CIDR should be within the VPC CIDR range.
  • A tier belongs to only one VPC.
  • All network tiers inside the VPC should belong to the same account.
  • When a VPC is created, by default, a SourceNAT IP is allocated to it. The Source NAT IP is released only when the VPC is removed.
  • A public IP can be used for only one purpose at a time. If the IP is a sourceNAT, it cannot be used for StaticNAT or port forwarding.
  • The instances only have a private IP address that you provision. To communicate with the Internet, enable NAT to an instance that you launch in your VPC.
  • Only new networks can be added to a VPC. The maximum number of networks per VPC is limited by the value you specify in the vpc.max.networks parameter. The default value is three.
  • The load balancing service can be supported by only one tier inside the VPC.
  • If an IP address is assigned to a tier:
    • That IP can't be used by more than one tier at a time in the VPC. For example, if you have tiers A and B, and a public IP1, you can create a port forwarding rule by using the IP either for A or B, but not for both.
    • That IP can't be used for StaticNAT, load balancing, or port forwarding rules for another guest network inside the VPC.
  • Remote access VPN is not supported in VPC networks.

11.19.2. Adding a Virtual Private Cloud

When creating the VPC, you simply provide the zone and a set of IP addresses for the VPC network address space. You specify this set of addresses in the form of a Classless Inter-Domain Routing (CIDR) block.
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
  4. Click Add VPC. The Add VPC page is displayed as follows:
    add-vpc.png: adding a vpc.
    Provide the following information:
    • Name: A short name for the VPC that you are creating.
    • Description: A brief description of the VPC.
    • Zone: Choose the zone where you want the VPC to be available.
    • Super CIDR for Guest Networks: Defines the CIDR range for all the tiers (guest networks) within a VPC. When you create a tier, ensure that its CIDR is within the Super CIDR value you enter. The CIDR must be RFC1918 compliant.
    • DNS domain for Guest Networks: If you want to assign a special domain name, specify the DNS suffix. This parameter is applied to all the tiers within the VPC. That implies, all the tiers you create in the VPC belong to the same DNS domain. If the parameter is not specified, a DNS domain name is generated automatically.

11.19.3. Adding Tiers

Tiers are distinct locations within a VPC that act as isolated networks, which do not have access to other tiers by default. Tiers are set up on different VLANs that can communicate with each other by using a virtual router. Tiers provide inexpensive, low latency network connectivity to other tiers within the VPC.
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPC that you have created for the account is listed in the page.

    Note

    The end users can see their own VPCs, while root and domain admin can see any VPC they are authorized to see.
  4. Click the Configure button of the VPC for which you want to set up tiers.
    The Add new tier dialog is displayed, as follows:
    add-tier.png: adding a tier to a vpc.
    If you have already created tiers, the VPC diagram is displayed. Click Create Tier to add a new tier.
  5. Specify the following:
    All the fields are mandatory.
    • Name: A unique name for the tier you create.
    • Network Offering: The following default network offerings are listed: DefaultIsolatedNetworkOfferingForVpcNetworksNoLB, DefaultIsolatedNetworkOfferingForVpcNetworks
      In a VPC, only one tier can be created by using LB-enabled network offering.
    • Gateway: The gateway for the tier you create. Ensure that the gateway is within the Super CIDR range that you specified while creating the VPC, and is not overlapped with the CIDR of any existing tier within the VPC.
    • Netmask: The netmask for the tier you create.
      For example, if the VPC CIDR is 10.0.0.0/16 and the network tier CIDR is 10.0.1.0/24, the gateway of the tier is 10.0.1.1, and the netmask of the tier is 255.255.255.0.
  6. Click OK.
  7. Continue with configuring access control list for the tier.

11.19.4. Configuring Access Control List

Define Network Access Control List (ACL) on the VPC virtual router to control incoming (ingress) and outgoing (egress) traffic between the VPC tiers, and the tiers and Internet. By default, all incoming and outgoing traffic to the guest networks is blocked. To open the ports, you must create a new network ACL. The network ACLs can be created for the tiers only if the NetworkACL service is supported.
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPCs that you have created for the account is listed in the page.
  4. Click the Settings icon.
    The following options are displayed.
    • IP Addresses
    • Gateways
    • Site-to-Site VPN
    • Network ACLs
  5. Select Network ACLs.
    The Network ACLs page is displayed.
  6. Click Add Network ACLs.
    To add an ACL rule, fill in the following fields to specify what kind of network traffic is allowed in this tier.
    • CIDR: The CIDR acts as the Source CIDR for the Ingress rules, and Destination CIDR for the Egress rules. To accept traffic only from or to the IP addresses within a particular address block, enter a CIDR or a comma-separated list of CIDRs. The CIDR is the base IP address of the incoming traffic. For example, 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.
    • Protocol: The networking protocol that sources use to send traffic to the tier. The TCP and UDP protocols are typically used for data exchange and end-user communications. The ICMP protocol is typically used to send error messages or network monitoring data.
    • Start Port, End Port (TCP, UDP only): A range of listening ports that are the destination for the incoming traffic. If you are opening a single port, use the same number in both fields.
    • Select Tier: Select the tier for which you want to add this ACL rule.
    • ICMP Type, ICMP Code (ICMP only): The type of message and error code that will be sent.
    • Traffic Type: Select the traffic type you want to apply.
      • Egress: To add an egress rule, select Egress from the Traffic type drop-down box and click Add. This specifies what type of traffic is allowed to be sent out of VM instances in this tier. If no egress rules are specified, all traffic from the tier is allowed out at the VPC virtual router. Once egress rules are specified, only the traffic specified in egress rules and the responses to any traffic that has been allowed in through an ingress rule are allowed out. No egress rule is required for the VMs in a tier to communicate with each other.
      • Ingress: To add an ingress rule, select Ingress from the Traffic type drop-down box and click Add. This specifies what network traffic is allowed into the VM instances in this tier. If no ingress rules are specified, then no traffic will be allowed in, except for responses to any traffic that has been allowed out through an egress rule.

      Note

      By default, all incoming and outgoing traffic to the guest networks is blocked. To open the ports, create a new network ACL.
  7. Click Add. The ACL rule is added.
    To view the list of ACL rules you have added, click the desired tier from the Network ACLs page, then select the Network ACL tab.
    network-acl.png: adding, editing, deleting an ACL rule.
    You can edit the tags assigned to the ACL rules and delete the ACL rules you have created. Click the appropriate button in the Actions column.

11.19.5. Adding a Private Gateway to a VPC

A private gateway can be added by the root admin only. The VPC private network has 1:1 relationship with the NIC of the physical network. No gateways with duplicated VLAN and IP are allowed in the same data center.
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPCs that you have created for the account is listed in the page.
  4. Click the Configure button of the VPC to which you want to configure load balancing rules.
    The VPC page is displayed where all the tiers you created are listed in a diagram.
  5. Click the Settings icon.
    The following options are displayed.
    • IP Addresses
    • Private Gateways
    • Site-to-Site VPN
    • Network ACLs
  6. Select Private Gateways.
    The Gateways page is displayed.
  7. Click Add new gateway:
    add-new-gateway-vpc.png: adding a private gateway for the VPC.
  8. Specify the following:
    • Physical Network: The physical network you have created in the zone.
    • IP Address: The IP address associated with the VPC gateway.
    • Gateway: The gateway through which the traffic is routed to and from the VPC.
    • Netmask: The netmask associated with the VPC gateway.
    • VLAN: The VLAN associated with the VPC gateway.
    The new gateway appears in the list. You can repeat these steps to add more gateway for this VPC.

11.19.6. Deploying VMs to the Tier

  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPCs that you have created for the account is listed in the page.
  4. Click the Configure button of the VPC to which you want to deploy the VMs.
    The VPC page is displayed where all the tiers you created are listed.
  5. Click the Add VM button of the tier for which you want to add a VM.
    The Add Instance page is displayed.
    Follow the on-screen instruction to add an instance. For information on adding an instance, see Adding Instances section in the Installation Guide.

11.19.7. Acquiring a New IP Address for a VPC

When you acquire an IP address, all IP addresses are allocated to VPC, not to the guest networks within the VPC. The IPs are associated to the guest network only when the first port-forwarding, load balancing, or Static NAT rule is created for the IP or the network. IP can't be associated to more than one network at a time.
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPCs that you have created for the account is listed in the page.
  4. Click the Configure button of the VPC to which you want to deploy the VMs.
    The VPC page is displayed where all the tiers you created are listed in a diagram.
  5. Click the Settings icon.
    The following options are displayed.
    • IP Addresses
    • Gateways
    • Site-to-Site VPN
    • Network ACLs
  6. Select IP Addresses.
    The IP Addresses page is displayed.
  7. Click Acquire New IP, and click Yes in the confirmation dialog.
    You are prompted for confirmation because, typically, IP addresses are a limited resource. Within a few moments, the new IP address should appear with the state Allocated. You can now use the IP address in port forwarding, load balancing, and static NAT rules.

11.19.8. Releasing an IP Address Alloted to a VPC

The IP address is a limited resource. If you no longer need a particular IP, you can disassociate it from its VPC and return it to the pool of available addresses. An IP address can be released from its tier, only when all the networking ( port forwarding, load balancing, or StaticNAT ) rules are removed for this IP address. The released IP address will still belongs to the same VPC.
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPCs that you have created for the account is listed in the page.
  4. Click the Configure button of the VPC whose IP you want to release.
    The VPC page is displayed where all the tiers you created are listed in a diagram.
  5. Click the Settings icon.
    The following options are displayed.
    • IP Addresses
    • Gateways
    • Site-to-Site VPN
    • Network ACLs
  6. Select IP Addresses.
    The IP Addresses page is displayed.
  7. Click the IP you want to release.
  8. In the Details tab, click the Release IP button release-ip-icon.png: button to release an IP.

11.19.9. Enabling or Disabling Static NAT on a VPC

A static NAT rule maps a public IP address to the private IP address of a VM in a VPC to allow Internet traffic to it. This section tells how to enable or disable static NAT for a particular IP address in a VPC.
If port forwarding rules are already in effect for an IP address, you cannot enable static NAT to that IP.
If a guest VM is part of more than one network, static NAT rules will function only if they are defined on the default network.
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPCs that you have created for the account is listed in the page.
  4. Click the Configure button of the VPC to which you want to deploy the VMs.
    The VPC page is displayed where all the tiers you created are listed in a diagram.
  5. Click the Settings icon.
    The following options are displayed.
    • IP Addresses
    • Gateways
    • Site-to-Site VPN
    • Network ACLs
  6. Select IP Addresses.
    The IP Addresses page is displayed.
  7. Click the IP you want to work with.
  8. In the Details tab,click the Static NAT button. enable-disable.png: button to enable Statid NAT. The button toggles between Enable and Disable, depending on whether static NAT is currently enabled for the IP address.
  9. If you are enabling static NAT, a dialog appears as follows:
    select-vmstatic-nat.png: selecting a tier to apply staticNAT.
  10. Select the tier and the destination VM, then click Apply.

11.19.10. Adding Load Balancing Rules on a VPC

A CloudStack user or administrator may create load balancing rules that balance traffic received at a public IP to one or more VMs that belong to a network tier that provides load balancing service in a VPC. A user creates a rule, specifies an algorithm, and assigns the rule to a set of VMs within a VPC.
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPCs that you have created for the account is listed in the page.
  4. Click the Configure button of the VPC to which you want to configure load balancing rules.
    The VPC page is displayed where all the tiers you created are listed in a diagram.
  5. Click the Settings icon.
    The following options are displayed.
    • IP Addresses
    • Gateways
    • Site-to-Site VPN
    • Network ACLs
  6. Select IP Addresses.
    The IP Addresses page is displayed.
  7. Click the IP address for which you want to create the rule, then click the Configuration tab.
  8. In the Load Balancing node of the diagram, click View All.
  9. Select the tier to which you want to apply the rule.

    Note

    In a VPC, the load balancing service is supported only on a single tier.
  10. Specify the following:
    • Name: A name for the load balancer rule.
    • Public Port: The port that receives the incoming traffic to be balanced.
    • Private Port: The port that the VMs will use to receive the traffic.
    • Algorithm. Choose the load balancing algorithm you want CloudStack to use. CloudStack supports the following well-known algorithms:
      • Round-robin
      • Least connections
      • Source
    • Stickiness. (Optional) Click Configure and choose the algorithm for the stickiness policy. See Sticky Session Policies for Load Balancer Rules.
    • Add VMs: Click Add VMs, then select two or more VMs that will divide the load of incoming traffic, and click Apply.
The new load balancing rule appears in the list. You can repeat these steps to add more load balancing rules for this IP address.

11.19.11. Adding a Port Forwarding Rule on a VPC

  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPCs that you have created for the account is listed in the page.
  4. Click the Configure button of the VPC to which you want to deploy the VMs.
    The VPC page is displayed where all the tiers you created are listed in a diagram.
  5. Click the Settings icon.
    The following options are displayed.
    • IP Addresses
    • Gateways
    • Site-to-Site VPN
    • Network ACLs
  6. Choose an existing IP address or acquire a new IP address. Click the name of the IP address in the list.
    The IP Addresses page is displayed.
  7. Click the IP address for which you want to create the rule, then click the Configuration tab.
  8. In the Port Forwarding node of the diagram, click View All.
  9. Select the tier to which you want to apply the rule.
  10. Specify the following:
    • Public Port: The port to which public traffic will be addressed on the IP address you acquired in the previous step.
    • Private Port: The port on which the instance is listening for forwarded public traffic.
    • Protocol: The communication protocol in use between the two ports.
      • TCP
      • UDP
    • Add VM: Click Add VM. Select the name of the instance to which this rule applies, and click Apply.
      You can test the rule by opening an ssh session to the instance.

11.19.12. Removing Tiers

You can remove a tier from a VPC. A removed tier cannot be revoked. When a tier is removed, only the resources of the tier are expunged. All the network rules (port forwarding, load balancing and staticNAT) and the IP addresses associated to the tier are removed. The IP address still be belonging to the same VPC.
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPC that you have created for the account is listed in the page.
  4. Click the Configure button of the VPC for which you want to set up tiers.
    The Configure VPC page is displayed. Locate the tier you want to work with.
  5. Click the Remove VPC button:
    remove-tier.png: removing a tier from a vpc.
    Wait for some time for the tier to be removed.

11.19.13. Editing, Restarting, and Removing a Virtual Private Cloud

Note

Ensure that all the tiers are removed before you remove a VPC.
  1. Log in to the CloudStack UI as an administrator or end user.
  2. In the left navigation, choose Network.
  3. In the Select view, select VPC.
    All the VPCs that you have created for the account is listed in the page.
  4. Select the VPC you want to work with.
  5. To remove, click the Remove VPC button remove-vpc.png: button to remove a VPC
    You can edit the name and description of a VPC. To do that, select the VPC, then click the Edit button. edit-icon.png: button to edit a VPC
    To restart a VPC, select the VPC, then click the Restart button. restart-vpc.png: button to restart a VPC