Network: CloudStack

Description

Leaseweb Private Cloud based on Apache CloudStack currently provides customers with 2 basic network types:

  • Shared
  • Isolated

Shared network is a network offering that provides an instance with a network interface with an IPv4 address that is directly connected to the Internet.
The IP addresses (range) assigned to your shared network offering are preconfigured by Leaseweb. These IP addresses must be purchased separately as part of your Private Cloud. All traffic to and from this network is measured as part of your data traffic.

Isolated network is a network offering that provides a private IP space network behind a virtual router device. Instances connected to an isolated network get a network interface which has a private IP address. The virtual router device controls access to and from the internet.
The virtual router is connected to the internet via a Source NAT public IPv4 address. The virtual router device provides several functions (such as load balancer, firewall, and port forwarding) for the isolated network and the instances within it.

Note: It is also possible to Static NAT a separate public IPv4 address on the outside of the router to an instance inside the private network. 

Both the shared and the isolated networks can be assigned to instances at the same time. An instance can simultaneously have connections within multiple networks. For each connection to a network, a separate virtual network interface is created on the instance.

Note: If instances have multiple networks, manual configuration is required to ensure correct routing.


Viewing your Networks

Guest networks are named as such in the interface because they carry guest traffic (as opposed to, for example, the storage network or the management network).
You can view all active networks in your domain, which account they belong to, and the type of the network. These guest networks can be of the Isolated or the Shared network type. The associated IP range is displayed here too, be it private IP space (isolated) or public (shared network offering).
You can also add isolated networks from here, provided of course that you have unused/free IP addresses assigned to your isolated network offering.

Each isolated network consumes at least 1 public IPv4 address for the Source NAT of the router.
This Source NAT IP address is only claimed once an instance is associated with the network.

Perform the following steps to view the guest networks:

  1. On the left panel, select Network.
    The Guest network page displays.
     
  2. You can view the following information on this page:

     Name: Displays the name of the network. You can select individual networks to view additional information and perform various tasks.
     Domain: Displays your domain name.
     Account: Displays the account the network belongs to. Note: If you are a domain admin, you can view all networks in the domain. If you are a user, you can only view the networks created by you.
     Type: Displays the type of the network (shared or isolated).
     Guest CIDR: Displays the range of private IP addresses associated with the guest network.
     Public CIDR: Displays the range of public IP addresses associated with the corresponding guest network. Leaseweb configures the shared network offering and provides customers with the Public CIDR.
     Quickview: Displays an overview of the network, the tasks that can be performed on the network (restart and delete), and a quick link to the IP addresses associated with this network.

Note: Leaseweb Private Cloud does not allow customers to configure shared network offering networks themselves. Customers can only create Isolated networks themselves (provided they have acquired a separate range of IP addresses for this type of network and there are still IP addresses available within that range).

Adding an Isolated Network

An isolated network can carry internal traffic between instances within that network. Communication to and from the Internet happens via the virtual router (deployed with each isolated network). Traffic within an isolated network is not measured/billed. 
The virtual router in an isolated network can offer the following services depending on the network offering selected:

  • Routing
  • DHCP (internal)
  • DNS
  • VPN
  • Source NAT
  • Static NAT
  • Firewall
  • Port forwarding
  • Load balancing

To add an isolated network perform the following steps:

  1. On the left panel, select Network.
    The Guest networks page displays.

  2. Select + Add Isolated Network.
    The Add Isolated Network page displays. 

Here you need to fill in the following information (only the fields marked with a red asterisk are mandatory):

Name: Enter a name with which you can identify the isolated guest network.
Display Text: Enter a display name for the network. Note: This is an editable field, so you can change it after creation.
Zone: Shows the zone where the network will be created. Note: Currently, Leaseweb provides only 1 pre-configured zone.
Network Offering: Select the services to enable in the isolated network. By default, an isolated network with the Source NAT service is offered.
Guest Gateway (optional): Enter the gateway address of the isolated network. Note: If this field is empty, the first address of the internal IP range will be used.
Guest Netmask (optional): Enter the size of the guest network. Note: If this field is empty, the default netmask value of 255.255.255.0 will be used.
Network Domain (optional): Enter the domain name to be sent to the virtual machines via DHCP. The default value is ACCOUNTNAME.leasewebcloud.com.
Domain (optional): Select a domain to assign the isolated network to a specific account.
Account (optional): Select the account to which you want to assign the network. Note: This field displays only if you select a domain, and it is only available for Domain Admin accounts. If you are a user of a normal account, you cannot select another account.

Network offering options

In order to help you pick the right network offering for your isolated network we explain the six options Leaseweb currently offers:

  • Default Isolated Network Offering With Source Nat Service. 

Description: Offering for Isolated networks with Source Nat service enabled with No Redundancy (Egress traffic is blocked)

Egress Default Policy: Deny

Redundant router: NO

Supported Services: Port Forwarding, DNS, Source Nat, User Data, Static Nat, Lb, DHCP, Firewall, VPN

  • Isolated Network with Source Nat and Dual VR (Deny)

Description: Isolated Network with Source Nat and Dual VR (Egress traffic is blocked)

Egress Default Policy: Deny

Redundant router: YES

Supported Services: Port Forwarding, DNS, Source Nat, User Data, Static Nat, Lb, DHCP, Firewall, VPN

  • Isolated Network with Source Nat and Dual VR (Allow)

Description: Isolated Network with Source Nat and Dual VR (Egress traffic is allowed)

Egress Default Policy: Allow

Redundant router: YES

Supported Services: Port Forwarding, DNS, Source Nat, User Data, Static Nat, Lb, DHCP, Firewall, VPN

  • Fully Isolated Network

Description: Fully Isolated Network with DHCP/DNS/User Data

Egress Default Policy: Deny

Redundant router: NO

Supported Services: DHCP, DNS, User Data

  • Fully Isolated Network No Services

Description: Fully Isolated Network without Services

Egress Default Policy: Deny

Redundant router: NO

Supported Services: -

  • Network Offering used for cloudstack container service

Description: Isolated Network service for container clusters.

Egress Default Policy: Allow

Redundant router:

Supported Services: Source Nat, User Data, Firewall, Port Forwarding, DHCP


The availability of these options (supported services) depends on the specific network offering:

- DHCP: Provides a service which hands out private IP addresses and other network information to all instances within the isolated network (primary IP address only; secondary IP addresses need manual configuration).
- DNS: Provides DNS services for all instances within the network, making the virtual router the primary DNS server.
- Source NAT: Every instance within the isolated network has access to the internet via the IP address associated (as Source NAT address) with the router (unless the instance is configured to have a Static NAT-ed IP address).
- Static NAT: Provides the option to 'fuse' a publicly reachable IP address on the outside of the virtual router solely to the internal IP address of one instance, thereby bypassing the Source NAT IP address as source address and making this particular instance reachable on this IP address.
- User data: This option is not yet usable within Private Cloud by Leaseweb. It allows user data to be inserted into an instance after creation for customization. It requires enabling this in the instance configurator, which is not yet available for our product.
- Firewall: Firewalling of both ingress and egress traffic through the virtual router for all IP addresses (instances) within the isolated network.
- VPN: The ability to create an IPsec VPN endpoint for a public IP address associated with the network (right now only 1 public IP address per network).
- Load balancer: Gives the possibility to enable a basic load balancer with basic options on an IP address on the virtual router.
- Port forwarding: Gives the possibility to forward specific ports on the Source NAT IP address of the virtual router to instances (either on the same or a different port than the origin).
- ACL (access control lists): This option is related to VPC network offerings only. It provides a means to allow or disallow traffic between different tiers (networks) within a VPC. So in the VPC configuration (shown below), ACLs allow traffic to flow between the Database tier and the webfarm tier (or not).

Adding VPC and VPC tiers 

CloudStack Virtual Private Cloud is a private, isolated part of CloudStack. A VPC can have its own virtual network topology that resembles a traditional physical network. You can launch VMs in the virtual network that can have private addresses in the range of your choice, for example: 10.0.0.0/16. You can define network tiers within your VPC network range, which in turn enables you to group similar kinds of instances based on IP address range.

A VPC is a combination of isolated networks or tiers governed by one virtual router device. The VPC allows for multiple separated isolated networks to be combined into one environment. The virtual router device which normally exists per isolated network is promoted to govern/control all isolated networks within the VPC. This allows for ACL rules between the isolated networks which in turn allows for more security.

To add a VPC please perform the following steps:

  1. On the left panel, select Network.

  2. Choose "VPC" in "Select view" dropdown.
  3. Select +Add VPC 


VPC offering options

In order to help you pick the right VPC offering for your VPC, we explain the two options below:

  • Default VPC offering

Supported Services: VPN, DNS, Static Nat, Network ACL, User Data, Source Nat, Lb, Port Forwarding, DHCP

Service provider: Virtual Router

Redundant virtual router: NO

  • Redundant VPC offering

Supported Services: VPN, DNS, Static Nat, Network ACL, User Data, Source Nat, Lb, Port Forwarding, DHCP

Service provider: Virtual Router

Redundant virtual router: YES

Network offering options for VPC tiers

After creating a VPC, you will be able to add VPC tiers.

  1. On the left panel, select Network.

  2. Choose "VPC" in the "Select view" drop-down; you will see the list of VPCs.
  3. Click "Configure" on the selected VPC. You will see a dialog to "create network"; clicking it prompts you to add a new VPC tier.


In order to help you pick the right network offering for your VPC tiers, we explain the three options currently available below:

  • Default isolated network offering for VPC networks

Supported Services: Vpn, Dns, StaticNat, NetworkACL, UserData, SourceNat, Lb, PortForwarding, Dhcp

This is the standard isolated network offering for a tier within a Virtual Private Cloud or VPC. Note that at most one VPC tier with public LB can be created.

  • Default isolated network offering for VPC networks with no Loadbalancer

Supported Services: Vpn, Dns, StaticNat, NetworkACL, UserData, SourceNat, PortForwarding, Dhcp

This is the standard isolated network offering for a tier within a Virtual Private Cloud or VPC, but without the option to do load balancing for the isolated network.

  • Default isolated network offering for VPC networks with internal Loadbalancer

Supported Services: Dns, NetworkACL, UserData, SourceNat, Lb, Dhcp

This is the standard isolated network offering for a tier within a Virtual Private Cloud or VPC, but with the option to have internal load balancing within the isolated network.

Viewing IP Addresses associated to an Isolated Network

You can view the IP addresses (both public and private) associated with your isolated network and access the virtual router functionality from this overview.

To view the IP addresses of an isolated network:

  1. On the left panel, select Network.

  2. Select the network for which you want to view the IP addresses.

  3. Select which type of IPs you want to view, Public or Private.

    The Private and Public IP Addresses display as below.

    You can view the following information in the IP Address page for a selected isolated network.

    IPs: Displays the public or private IP addresses currently associated with this network (either with an instance or with the virtual router).
    Zone: Displays the zone where this network is deployed.
    VM name: Displays the instance to which the IP address is assigned. Note: This does not apply to the Source NAT address or to an unassociated IP address (no VM name visible); these are always associated with the virtual router.
    State: Displays the state of the IP address (Allocated is the default state).
    Quickview: Displays an overview of the IP address and the tasks that can be performed on it (depending on the use of the IP: enable VPN, enable/disable Static NAT, release IP).

Acquiring New IP Address for an Isolated Network

You can allocate multiple public IP addresses to an isolated network. This allows you to i.e. statically NAT a public IP address to an instance on the network or get multiple IP addresses to load-balance on. If you do not statically NAT a new IP address to an instance, it will be assigned to the virtual router. Any IP address associated to the virtual router can be used to create load balancing rules, port forwarding, or firewall rules.

Perform the following steps to acquire a new IP address for an isolated network:

  1. On the left panel, select Network.

  2. Select the network for which you want to view the IP address.

  3. Select View IP Address for public IPs.
  4. Select + Acquire New IP.

    Any public IP address assigned to the isolated network is from within the range of IP addresses assigned to you.

Assigning a Static NAT for an IP address to an instance

CloudStack provides Static NAT as an option that allows you to 'glue' a public IP address on the outside of the virtual router to an internal instance within an isolated network.

You can only use Static NAT to glue 1 public IP address to a single instance at the same time.

Below you can find the steps to assign a Static NAT for an IP address to an instance.

  1. From the listing of public IP addresses of an Isolated network, select an unassociated IP address (not Source NAT and no VM name assigned):


  2. You will get several options for that IP, select 'enable static NAT';


  3. You will be asked which instance you want to create the static NAT for. There is also the option to select the internal private IP address you want to fuse/glue it to.
    This can be useful if you configured multiple private IP addresses on a NIC. 

Enabling a VPN for an IP Address of an Isolated Network

By enabling VPN for an isolated network IP address, you can configure a remote access VPN (IPsec) connection. This allows you to directly access the instances within the network from a remote machine.

You can only set up one remote access VPN per network.

To enable a VPN for an IP address in an isolated network:

  1. From the Network section select the appropriate network and drill down to the public IP addresses

  2. Select the IP/instance for which you want to setup a VPN (VM name in the overview is helpful here)

  3. Select the IP for which you want to enable VPN and select enable VPN.
  4. A Status dialog box confirms that VPN access is enabled and shows the IPsec pre-shared key that has been generated.

  5. Select the VPN tab, add VPN username(s) with password, and select Add.

    The newly added username displays below. You will need this credential to connect to the VPN server.

To disable the VPN for the IP address, select the Disable VPN icon.

Configuring a load balancer for an IP Address of an Isolated Network

You can create a load balancer on an acquired public IP and add some load balancing rules. The traffic to the public IP will be forwarded to the VMs configured in the load balancing rules.

To create a load balancer on a public IP, and to add load balancing rules, you may follow the official Apache CloudStack document.

http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/4.7/networking_and_traffic.html#adding-lb-rule

Starting from CloudStack 4.7.1-leaseweb11, we support customized configurations for load balancers. The feature is implemented with resource tags on the Network and on the Load Balancer rule.

Add Network tags and Load Balancer tags

Network tags:

Load balancer rule tag:

Configure load balancing

There are two levels of configuration: Network and Load Balancer. Every resource-tag key that starts with cfg.lb. is applied to haproxy in the VRs of the network.

Category: default timeout
  Network tag: cfg.lb.timeout=value
  Load balancer tag: (none)
  Settings in haproxy:
    timeout client $value (default value is 50000)
    timeout server $value (default value is 50000)

Category: haproxy stats
  Network tag: cfg.lb.stats.auth=username:password
  Load balancer tag: (none)
  Settings in haproxy:
    stats auth $username:$password (default value is admin1:AdMiN123)

Category: global connections
  Network tag: cfg.lb.maxconn=value, cfg.lb.maxpipes=value
  Load balancer tag: (none)
  Settings in haproxy:
    maxconn $value (default value is 4096)
    maxpipes $value (default value is cfg.lb.maxconn / 4)

Category: load balancer connections
  Network tag: (none)
  Load balancer tag: cfg.lb.maxconn=value, cfg.lb.fullconn=value, cfg.lb.maxconn.each=value, cfg.lb.minconn.each=value, cfg.lb.maxqueue.each=value
  Settings in haproxy:
    maxconn $value (not set by default)
    fullconn $value (not set by default; haproxy's own default is $maxconn / 10)
    maxconn $value (per site/vm)
    minconn $value (per site/vm)
    maxqueue $value (per site/vm)

Category: default action
  Network tag: cfg.lb.default.action=restart/reload
  Load balancer tag: (none)
  Settings in the VR:
    service haproxy $value (the action taken when the configuration changes; default value is reload)

Category: HTTP settings
  Network tag: (none)
  Load balancer tag: cfg.lb.http=true/false, cfg.lb.http.keepalive=true/false
  Settings in haproxy:
    mode http (if cfg.lb.http is true; default value is true for port 80 and false for other ports)
    option httpclose (if cfg.lb.http.keepalive is false and cfg.lb.http is true; default value of cfg.lb.http.keepalive is false)

Category: transparent mode
  Network tag: cfg.lb.haproxy.transparent=true/false
  Load balancer tag: cfg.lb.transparent=true/false
  Settings in the VR/haproxy:
    (VR) add iptables rules and ip rule/route (if true)
    source 0.0.0.0 usesrc clientip (if true and cfg.lb.haproxy.transparent is set to true)

SSL offloading/termination

The SSL offloading feature allows load balancers to handle the encryption/decryption of HTTP(S) traffic, handing plaintext HTTP to the backend servers and freeing them from the resource-intensive task of handling encryption/decryption. Major load balancers like the Netscaler and F5 have this functionality. More details can be found at https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Termination+Support

To use it:

    • Add a load balancer tag:
      Category: ssl offloading
      Load balancer tag: cfg.lb.ssl.offloading=true/false
    • Add an SSL certificate on the Accounts -> "SSL Certificates" page.
    • Assign the SSL certificate to a load balancer rule: Network -> select network -> Public IP -> select IP -> Configuration -> View all in "Load Balancing" -> click the "SSL Certificate" field of a rule.


Enable HTTP/2

Starting from CloudStack 4.7.1-leaseweb19, we support HTTP/2 for load balancers with SSL offloading (see above).

    • Restart network with clean up (Optional)

It is recommended to restart the network with cleanup, so that the virtual routers are recreated from the system VM template with haproxy 1.8, which supports HTTP/2.

Virtual routers which are created before 4.7.1-leaseweb19 do NOT support HTTP/2.

Please refer to "Restarting isolated network" .

    • Add a load balancer tag:
      Category: HTTP/2 support
      Load balancer tag: cfg.lb.http2=true/false
      Settings in CloudStack VR/haproxy: alpn h2,http/1.1

Customized SSL configuration

Starting from CloudStack 4.7.1-leaseweb21, we support customized SSL configuration for load balancers with SSL offloading (see above) in a network.

    • Restart network with clean up (Optional)

It is recommended to restart the network with cleanup, so that the virtual routers are recreated from the system VM template with haproxy 1.8.17 and openssl 1.0.2l.

Virtual routers which are created before 4.7.1-leaseweb21 do not support customized SSL configuration.

Please refer to "Restarting isolated network" .

    • Add a network tag:
      Category: Customized SSL configuration
      Network tag: cfg.lb.ssl.configuration=none/old/intermediate

if 'none', no SSL configurations will be added. (Default tag for existing isolated networks created before 4.7.1-leaseweb21)

if 'old', refer to https://ssl-config.mozilla.org/#server=haproxy&server-version=1.8.17&config=old&openssl-version=1.0.2l

if 'intermediate', refer to https://ssl-config.mozilla.org/#server=haproxy&server-version=1.8.17&config=intermediate&openssl-version=1.0.2l (Default tag for new isolated networks created after 4.7.1-leaseweb21)

You may get more information about haproxy configurations on https://cbonte.github.io/haproxy-dconv/1.8/configuration.html

To get the haproxy stats, allow port 8081 in the firewall rules and then access the page with the username/password specified in cfg.lb.stats.auth:
http://<Source NAT IP>:8081/admin?stats
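The tag-to-haproxy mapping described above, as an added example that is not part of this page nor Leaseweb's or Apache CloudStack's own code: a small Python checker that validates cfg.lb.* tag sets on a Network and on a Load Balancer rule against the documented keys, derives the effective haproxy settings using the documented defaults, and flags the weak defaults (the admin1:AdMiN123 stats credentials, SSL offloading with cfg.lb.ssl.configuration=none). Key names and default values come from this page; the sample tag sets are constructed.

```python
# Added example, not Leaseweb's or Apache CloudStack's own code: validates the cfg.lb.*
# resource tags documented above, derives the haproxy settings the virtual router would
# apply (with the documented defaults) and flags weak settings. Sample tags are constructed.
BOOL = {"true", "false"}
NETWORK_KEYS = {                      # tags set on the Network
    "cfg.lb.timeout": "int", "cfg.lb.stats.auth": "auth",
    "cfg.lb.maxconn": "int", "cfg.lb.maxpipes": "int",
    "cfg.lb.default.action": {"restart", "reload"},
    "cfg.lb.haproxy.transparent": BOOL,
    "cfg.lb.ssl.configuration": {"none", "old", "intermediate"},
}
LB_KEYS = {                           # tags set on the Load Balancer rule
    "cfg.lb.maxconn": "int", "cfg.lb.fullconn": "int", "cfg.lb.maxconn.each": "int",
    "cfg.lb.minconn.each": "int", "cfg.lb.maxqueue.each": "int",
    "cfg.lb.http": BOOL, "cfg.lb.http.keepalive": BOOL, "cfg.lb.transparent": BOOL,
    "cfg.lb.ssl.offloading": BOOL, "cfg.lb.http2": BOOL,
}
DEFAULT_STATS_AUTH = "admin1:AdMiN123"   # documented default for cfg.lb.stats.auth


def validate(tags, schema):
    """Return the problems found in one tag dictionary against one schema."""
    problems = []
    for key, value in tags.items():
        spec = schema.get(key)
        if not key.startswith("cfg.lb."):
            continue                      # other resource tags are not LB config
        if spec is None:
            problems.append(f"unknown tag {key}")
        elif spec == "int" and not value.isdigit():
            problems.append(f"{key} must be an integer, got {value!r}")
        elif spec == "auth" and ":" not in value:
            problems.append(f"{key} must be username:password")
        elif isinstance(spec, set) and value not in spec:
            problems.append(f"{key} must be one of {sorted(spec)}, got {value!r}")
    return problems


def effective_haproxy(net, lb, port):
    """Derive the haproxy settings for one LB rule on `port`, applying the defaults."""
    global_maxconn = int(net.get("cfg.lb.maxconn", 4096))
    timeout = int(net.get("cfg.lb.timeout", 50000))
    cfg = {"timeout client": timeout, "timeout server": timeout,
           "stats auth": net.get("cfg.lb.stats.auth", DEFAULT_STATS_AUTH),
           "maxconn (global)": global_maxconn,
           "maxpipes": int(net.get("cfg.lb.maxpipes", global_maxconn // 4)),
           "service action": net.get("cfg.lb.default.action", "reload"),
           "ssl configuration": net.get("cfg.lb.ssl.configuration"),  # None if unset
           # mode http defaults to true on port 80 and to false on other ports
           "mode http": lb.get("cfg.lb.http", "true" if port == 80 else "false") == "true"}
    if "cfg.lb.maxconn" in lb:            # per-rule limits only when tagged
        cfg["maxconn (rule)"] = int(lb["cfg.lb.maxconn"])
        cfg["fullconn"] = int(lb.get("cfg.lb.fullconn", cfg["maxconn (rule)"] // 10))
    if cfg["mode http"] and lb.get("cfg.lb.http.keepalive", "false") == "false":
        cfg["option httpclose"] = True
    if lb.get("cfg.lb.transparent") == "true" and net.get("cfg.lb.haproxy.transparent") == "true":
        cfg["source"] = "0.0.0.0 usesrc clientip"
    if lb.get("cfg.lb.http2") == "true" and lb.get("cfg.lb.ssl.offloading") == "true":
        cfg["alpn"] = "h2,http/1.1"
    return cfg


def audit(net, lb):
    """Findings a reviewer would raise, based on the defaults documented above."""
    findings = validate(net, NETWORK_KEYS) + validate(lb, LB_KEYS)
    if net.get("cfg.lb.stats.auth", DEFAULT_STATS_AUTH) == DEFAULT_STATS_AUTH:
        findings.append("haproxy stats use the default admin1:AdMiN123 credentials; "
                        "set cfg.lb.stats.auth before allowing port 8081 in the firewall")
    if lb.get("cfg.lb.ssl.offloading") == "true":
        if net.get("cfg.lb.ssl.configuration") in (None, "none"):
            findings.append("SSL offloading without cfg.lb.ssl.configuration=intermediate "
                            "(networks created before 4.7.1-leaseweb21 default to none)")
    elif lb.get("cfg.lb.http2") == "true":
        findings.append("cfg.lb.http2 only applies with cfg.lb.ssl.offloading=true")
    if lb.get("cfg.lb.transparent") == "true" and net.get("cfg.lb.haproxy.transparent") != "true":
        findings.append("cfg.lb.transparent also needs cfg.lb.haproxy.transparent=true on the network")
    return findings


# Constructed sample tags, as they would be set on a Network and on one LB rule
SAMPLE_NETWORK = {"cfg.lb.timeout": "30000", "cfg.lb.maxconn": "8000",
                  "cfg.lb.ssl.configuration": "intermediate"}
SAMPLE_LB = {"cfg.lb.ssl.offloading": "true", "cfg.lb.http2": "true", "cfg.lb.maxconn": "2000"}

if __name__ == "__main__":
    print("\n".join("FINDING: " + f for f in audit(SAMPLE_NETWORK, SAMPLE_LB)))
    print(effective_haproxy(SAMPLE_NETWORK, SAMPLE_LB, 443))
```

Run it against the tag sets you export from the Network and Load Balancer rule before opening port 8081 or enabling SSL offloading; the sample above yields exactly one finding, the untouched stats credentials.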

Loadbalancer on Instances

You can create load balancing rules to configure the autoscaling feature for virtual machine instances. Autoscaling automatically scales the number of instances up or down depending on the load on the system: it creates more instances when usage is high and destroys unneeded instances when the load drops. It also helps to provide high availability and reliability and to reduce cost.

To configure auto scaling configuration, refer to "Autoscaling for Instances" under Instances section.


Releasing an IP Address

When you release an IP address from an isolated network, it returns to the pool of available public IP addresses. This allows the IP address to be used in a different network.

Perform the following steps to release an IP address for an isolated network:

  1. From the network section drill down to a specific network and IP address range

  2. Select the IP address that you want to release from the isolated network.
     
  3. Select the Release IP icon and confirm the release.

Editing an Isolated Network

Perform the following steps to edit an isolated network:

  1. From the network section select the network you wish to edit.

  2. Select the Edit icon.
    The editable fields allow you to enter/select new values. 

  3. Update the values and select Apply.

    Editable fields: Name, Description, Network Offering, CIDR, and Network Domain

Restarting an Isolated Network

If any of the services within your network are failing, restarting your network might resolve it. On restarting the network, all services offered through the virtual router are restarted. The virtual router will be destroyed and recreated. All virtual machines within the network will lose public connectivity during this process.

When services within the network are unavailable or broken, you can restart the network. Please check the 'cleanup' checkbox.

You can only restart a network when the state of the network is either "Implemented" or "Setup". You can view the state of the network on the Details page of the network. If an isolated network is in the "Allocated" state, the network was created but no running instance has ever been assigned to it. After assigning the first running instance to it, the network state changes to "Implemented".

Perform the following steps to restart an isolated network:

  1. On the left panel, select Network.
    The Guest network page displays.
  2. Select the network that you want to restart.
    The Details tab displays.

  3. Select the Restart network icon.
    The Restart network dialog box displays.
     
  4. Select OK to confirm.

    Clean up: On selecting this check box and confirming restart of the network, all unassigned IP address configurations will be removed.

Deleting an Isolated Network

You can delete a network if no virtual machines are in that network. To remove a virtual machine from the network, you must remove the NIC for that network on the instance, or destroy the instance.

When you delete a network, it is completely removed from the platform. 

 Perform the following steps to delete an isolated network: 

  1. On the left panel, select Network.
    The Guest network page displays.
  2. Select the network that you want to delete.
    The Details tab displays.
  3. Select the Delete Network icon.
    A confirmation dialog box displays.
  4. Select Yes to delete the network.

Updating isolated network/VPC from single VR to redundant VR

If you created an isolated network or VPC with a single VR, we offer a way to update it to a redundant VR.

For isolated networks, follow the "Editing an Isolated Network" section and choose another network offering with a redundant VR.

For example, if you are using "Default Isolated Network Offering With Source Nat Service" (Offering for Isolated networks with Source Nat service enabled with No Redundancy (Egress traffic is blocked)), choose the network offering "Isolated Network with Source Nat and Dual VR (Egress traffic is blocked)", see below. Your network will then have redundant VRs after about 5~10 minutes (depending on the settings in your network). There will be 3~10 seconds of downtime for your isolated network (depending on the settings in your network).

For a VPC, go to the VPC details page and click "Restart VPC".

A dialog will be shown.

Check "Make redundant" check box in the dialog and click "OK". 

Your VPC will have redundant VRs after about 5~10 minutes (depends on setting in your VPC). There will be 3~10 seconds downtime with your VPC (depends on setting in your VPC).

Configuring private network between private cloud and a dedicated server

After receiving the private network to your dedicated server you should see it as a separate virtual network in your cloud dashboard:

IP addressing in private networks

Private networks between dedicated servers and the cloud always have a DHCP server providing internal IP addresses. However, obtaining the address via DHCP is up to you: you can statically assign any IP address instead.

Private network throughput

Private networks between dedicated servers and cloud servers have a throughput of 100 Mbit per second per virtual machine.


To configure a private network on a virtual machine, follow these steps:

  1. Navigate to the "Instances" page, click on the virtual machine you are going to add to the private network, then switch to the "NICs" tab:



  2. Press "Add network to VM" button. In the pop-up dialog select the private network and press "OK":

  3. The new network interface should appear in your virtual machine operating system. 

Creating a site-to-site VPN

The tutorial below shows you how to create a site-to-site VPN from your off-site location to our cloud. This way you can establish a permanent secure connection.

We also refer to the CloudStack documentation for this subject.

