Managing Apache CloudStack Network


Leaseweb Elastic Compute provides its users with two types of network that connect virtual machines to the public internet, plus a layer 2 private network:

Shared Network

The shared network type runs a single, static DHCP service and provides you a public IPv4 range with IP addresses to assign to your virtual machines. Every virtual machine created with this network type offering receives a public IPv4 address, making it directly available to the public internet.

  • The public IPv4 range is purchased separately as part of your Private Cloud
  • The IPv4 range is preconfigured to your network offering by Leaseweb
  • All traffic to and from this network is measured as part of your billed data traffic

This type of network is useful if you want to run separate virtual machines that do not require additional network level security and are allowed to be connected directly to the public internet.

Isolated Network

The isolated network type runs a redundant virtual router and provides a private IP range with IP addresses from the range 10.0.0.0/8, to assign to your virtual machines. Every virtual machine created with this network type offering receives a private IPv4 address, making it only available to the public internet via the virtual router. The virtual router is connected to the internet via a Source NAT public IPv4 address. The virtual router device provides several functions (such as load balancer, firewall, and port forwarding) for the isolated network and the virtual machines within it.

  • The private IPv4 range is purchased separately as part of your Private Cloud
  • The private IPv4 range is assigned by Leaseweb to the virtual router and a private IP address out of the range can be mapped by you to a virtual machine on the private network side of the virtual router
  • Traffic between the virtual machines within this private network is free; only public traffic is measured as part of your billed data traffic

This type of network is useful if you do not want outside hosts initiating a connection directly to internal virtual machines, allowing only connections between virtual machines in the private network. Using the virtual router’s Static NAT function allows you to map a public IP address to a virtual machine with a private IP address.

Layer 2 network

The layer 2 network type is a guest network transferring data on the data link layer between hosts. CloudStack provides no other networking services on it; it is meant for creating and managing your own networking, e.g. running external DHCP services or statically assigning IP addresses.

Both the shared and the isolated networks can be assigned to instances at the same time. An instance can simultaneously have connections within multiple networks. For each connection to a network, a separate virtual network interface is created on the instance.

Note: If instances have multiple networks, manual configuration is required to ensure correct routing.



Viewing your Networks

Guest networks are named as such in the interface because they carry guest traffic (as opposed to the storage network or the management network).
You can view all active networks in your domain, the account they belong to, and the type of each network. These guest networks can be of an Isolated or a Shared network type. The associated IP range is displayed here too, whether private IP space (isolated) or public (shared network offering).
You can also add isolated networks from here, provided you have unused/free IP addresses assigned to your isolated network offering.

Each isolated network consumes at least 1 public IPv4 address for the Source NAT for the router.
This Source NAT IP address is only claimed once there is an instance associated with the network.

Perform the following steps to view the guest networks:

  1. On the left panel, select Network.
    The Guest network page displays.
     

  2. You can view the following information on this page:


    | Field Name | Description |
    |---|---|
    | Name | Displays the name of the network. You can select individual networks to view additional information and perform various tasks. |
    | Domain | Displays your domain name. |
    | Account | Displays the account the network belongs to. Note: If you are a domain admin, you can view all networks in the domain. If you are a user, you can only view the networks created by you. |
    | Type | Displays the type of the network (shared or isolated). |
    | Guest CIDR | Displays the range of private IP addresses associated to the guest network. |
    | Public CIDR | Displays the range of Public IP addresses associated to the corresponding guest network. Leaseweb configures the shared network offering and provides customers with the Public CIDR. |
    | Quickview | Displays an overview of the network, the tasks that can be performed on the network (restart and delete), and a quick link to IP Addresses associated to this network. |

Note: Private Cloud does not allow customers to configure shared network offering networks themselves. Customers can only create Isolated networks themselves (provided customers have acquired a separate range of IP addresses for this type of network and provided there are still IP addresses available within that range).

Adding an Isolated Network

An isolated network can carry internal traffic between instances within that network. Communication to and from the Internet happens via the virtual router (deployed with each isolated network). Traffic within an isolated network is not measured/billed. 
The virtual router in an isolated network can offer the following services depending on the network offering selected:

  • Routing
  • DHCP (internal)
  • DNS
  • VPN
  • Source NAT
  • Static NAT
  • Firewall
  • Port forwarding
  • Load balancing

To add an isolated network perform the following steps:

  1. On the left panel, select Network.
    The Guest networks page displays.


  2. Select the +Add Isolated Network button.
    The Add Isolated Network page displays. 

Here you need to fill in the following information (only the fields with a red asterisk are mandatory):

| Field Name | Description |
|---|---|
| Name | Enter a name by which you can identify the isolated guest network. |
| Display Text | Enter a display name for the network. Note: This is an editable field, so you can change it after creation. |
| Zone | Shows the zone where the network will be created. Note: Currently, Leaseweb provides only 1 pre-configured zone. |
| Network Offering | Select the service to enable in the isolated network. By default, isolated network with source NAT service is offered. |
| Guest Gateway (optional) | Enter the gateway address of the isolated network. Note: If this field is empty, the first address of the internal IP range will be used. |
| Guest Netmask (optional) | Enter the size of the guest network. Note: If this field is empty, the default netmask value of 255.255.255.0 will be used. |
| Network Domain (optional) | Enter the domain name to be sent to the virtual machines via DHCP. The default value is ACCOUNTNAME.leasewebcloud.com. |
| Domain (optional) | Select a domain to assign the isolated network to a specific account. |
| Account (optional) | Select the account to which you want to assign the network. Note: This field displays only if you select a domain. It is also only available for Domain Admin accounts. If you are a user of a normal account you cannot select another account. |

Network offering options

In order to help you pick the right network offering for your isolated network we explain the six options Leaseweb currently offers:

 


  • Default Isolated Network Offering With Source Nat Service. 

Description: Offering for Isolated networks with Source Nat service enabled with No Redundancy (Egress traffic is blocked)

Egress Default Policy: Deny

Redundant router: NO

Supported Services: Port Forwarding, DNS, Source Nat, User Data, Static Nat, Lb, DHCP, Firewall, VPN

  • Isolated Network with Source Nat and Dual VR (Deny)

Description: Isolated Network with Source Nat and Dual VR (Egress traffic is blocked)

Egress Default Policy: Deny

Redundant router: YES

Supported Services: Port Forwarding, DNS, Source Nat, User Data, Static Nat, Lb, DHCP, Firewall, VPN

  • Isolated Network with Source Nat and Dual VR (Allow)

Description: Isolated Network with Source Nat and Dual VR (Egress traffic is allowed)

Egress Default Policy: Allow

Redundant router: YES

Supported Services: Port Forwarding, DNS, Source Nat, User Data, Static Nat, Lb, DHCP, Firewall, VPN

  • Fully Isolated Network

Description: Fully Isolated Network with DHCP/DNS/User Data

Egress Default Policy: Deny

Redundant router: NO

Supported Services: DHCP, DNS, User Data

  • Fully Isolated Network No Services

Description: Fully Isolated Network without Services

Egress Default Policy: Deny

Redundant router: NO

Supported Services: -

  • Network Offering used for cloudstack container service

Description: Isolated Network service for container clusters.

Egress Default Policy: Allow

Redundant router:

Supported Services: Source Nat, User Data, Firewall, Port Forwarding, DHCP


The availability of the options (supported services) depends on the specific network offering:

  • DHCP: This provides a service which hands out private IP addresses and other network information to all instances within the isolated network (primary IP address only; secondary IP addresses need manual configuration).
  • DNS: Provides DNS services for all instances within the network, making the virtual router the primary DNS.
  • Source NAT: Every instance within the isolated network has access to the internet via the IP address which is associated (as Source NAT address) to the router (that is, if the instance is not configured to have a Static NAT-ed IP address).
  • Static NAT: This provides the option to 'fuse' a publicly reachable IP address on the outside of the virtual router to be solely connected to the internal IP address of an instance, thereby circumventing the Source NAT IP address as source address and making this particular instance reachable on this IP address.
  • User data: This option is not yet usable within Private Cloud by Leaseweb. It allows for having user data inserted into an instance after creation for customization. It requires enabling this in the instance configurator, which is not yet available for our product.
  • Firewall: Firewalling both ingress and egress through the virtual router for all IP addresses (instances) within the isolated network.
  • VPN: The ability to create an IPsec VPN endpoint for a public IP address associated with the network (right now only 1 public IP address per network).
  • Load balancer: This gives the possibility to enable a basic load balancer with basic options on an IP address on the virtual router.
  • Port forwarding: This gives the possibility to forward specific ports on the Source NAT IP address of the virtual router to instances (either on the same or a different port than the origin).
  • ACL (access control lists): This option is related to VPC network offerings only. It provides a means to allow or disallow traffic between different tiers (networks) within a VPC. So in the VPC configuration (shown below) ACLs allow for traffic to flow between the Database tier and the webfarm tier (or not).

Adding layer 2 network

To add a layer 2 network without any networking services provided by CloudStack, click on 'Network' and then on 'Add L2 Guest Network'.

A pop-up window will be displayed where you can define and create the network.

  • Name: the name of the network
  • Display Text: text explaining the network
  • Account: your account name under the domain

Adding VPC and VPC tiers 

CloudStack Virtual Private Cloud is a private, isolated part of CloudStack. A VPC can have its own virtual network topology that resembles a traditional physical network. You can launch VMs in the virtual network that can have private addresses in the range of your choice, for example: 10.0.0.0/16. You can define network tiers within your VPC network range, which in turn enables you to group similar kinds of instances based on IP address range.

A VPC is a combination of isolated networks or tiers governed by one virtual router device. The VPC allows for multiple separated isolated networks to be combined into one environment. The virtual router device which normally exists per isolated network is promoted to govern/control all isolated networks within the VPC. This allows for ACL rules between the isolated networks which in turn allows for more security.

To add a VPC please perform the following steps:

  1. On the left panel, select Network.

  2. Choose VPC in Select view drop-down.
  3. Select +Add VPC 


VPC offering options

In order to help you pick the right VPC offering for your VPC we explain the two options below:

  • Default VPC offering

Supported Services: VPN, DNS, Static Nat, Network ACL, User Data, Source Nat, Lb, Port Forwarding, DHCP

Service provider: Virtual Router

Redundant virtual router: NO

  • Redundant VPC offering

Supported Services: VPN, DNS, Static Nat, Network ACL, User Data, Source Nat, Lb, Port Forwarding, DHCP

Service provider: Virtual Router

Redundant virtual router: YES

Network offering options for VPC tiers

After creating a VPC, you will be able to add VPC tiers.

  1. On the left panel, select Network.

  2. Choose "VPC" in the "Select view" drop-down; you will see the list of VPCs.
  3. Click "Configure" on the selected VPC. You will see a dialog to "create network". Clicking on it will prompt you to add a new VPC tier.


In order to help you pick the right network offering for your VPC tiers we explain the three options (currently) below:

  • Default isolated network offering for VPC networks

Supported Services: Vpn, Dns, StaticNat, NetworkACL, UserData, SourceNat, Lb, PortForwarding, Dhcp

This is the standard isolated network offering for a tier within a Virtual Private Cloud or VPC. Please note that at most one VPC tier with Public Lb can be created.

  • Default isolated network offering for VPC networks with no Loadbalancer

Supported Services: Vpn, Dns, StaticNat, NetworkACL, UserData, SourceNat, PortForwarding, Dhcp

This is the standard isolated network offering for a tier within a Virtual Private Cloud or VPC, but without the option to do load balancing for the isolated network.

  • Default isolated network offering for VPC networks with internal Loadbalancer

Supported Services: Dns, NetworkACL, UserData, SourceNat, Lb, Dhcp

This is the standard isolated network offering for a tier within a Virtual Private Cloud or VPC, but with the option to have internal load balancing within the isolated network.

Viewing IP Addresses associated to an Isolated Network

You can view the IP addresses (both public and private) associated to your isolated network and access the virtual router functionality from this overview.

To view the IP addresses of an isolated network:

  1. On the left panel, select Network.

  2. Select the network for which you want to view the IP addresses.

  3. Select which type of IPs you want to view, Public or Private.

    The Private and Public IP Addresses display as below.

    You can view the following information in the IP Address page for a selected isolated network.

    | Field Name | Description |
    |---|---|
    | IPs | Displays the public or private IP addresses currently associated to this network (either to the instance or the virtual router). |
    | Zone | Displays the zone where this network is deployed. |
    | VM name | Displays the instance to which the IP address is assigned. Note: This does not apply to the Source NAT address or an unassociated (no VM name visible) IP address; these are always associated to the virtual router. |
    | State | Displays the state of the IP Address (allocated is the default state). |
    | Quickview | Displays an overview of the IP address and the tasks that can be performed on it (depending on use of IP: enable VPN, enable/disable Static NAT, release IP). |

Acquiring New IP Address for an Isolated Network

You can allocate multiple public IP addresses to an isolated network. This allows you to, for example, statically NAT a public IP address to an instance on the network or get multiple IP addresses to load-balance on. If you do not statically NAT a new IP address to an instance, it will be assigned to the virtual router. Any IP address associated to the virtual router can be used to create load balancing rules, port forwarding, or firewall rules.

Perform the following steps to acquire a new IP address for an isolated network:

  1. On the left panel, select Network.

  2. Select the network for which you want to view the IP address.

  3. Click View IP Address for public IPs.
  4. Click + Acquire New IP.

    Any public IP address assigned to the isolated network is from within the range of IP addresses assigned to you.

Assigning a Static NAT for an IP address to an instance

CloudStack provides Static NAT as an option that lets you 'glue' a public IP address on the outside of the virtual router to an internal instance within an Isolated network.

You can only use Static NAT to glue 1 public IP address to a single instance at a time.

Below you can find the steps to assign a Static NAT for an IP address to an instance.

  1. From the listing of public IP addresses of an Isolated network, select an unassociated IP address (not Source NAT and no VM name assigned):


  2. You will get several options for that IP, select enable static NAT


  3. You will be asked which instance you want to create the static NAT for. There is also the option to select the internal private IP address you want to fuse/glue it to.
    This can be useful if you configured multiple private IP addresses on a NIC. 

Enabling a VPN for an IP Address of an Isolated Network

By enabling VPN for an isolated network IP address, you can configure a remote access VPN (IPsec) connection. This allows you to directly access the instances within the network from a remote machine.

You can only set up one remote access VPN per network.

To enable a VPN for an IP address in an isolated network:

  1. From the Network section select the appropriate network and drill down to the public IP addresses.

  2. Select the IP/instance for which you want to setup a VPN (VM name in the overview is helpful here)


  3. Select the IP for which you want to enable VPN and select Enable Remote Access VPN.


  4. A Status dialog box confirms that VPN access is enabled and shares the IPSec pre-shared key that has been generated


  5. Select the VPN tab, add VPN Username(s) with Password, and select Add

    The newly added username displays below. You will need this credential to connect to the VPN server.

To disable the VPN for the IP address, select the Disable Remote Access VPN icon.

Configuring a load balancer for an IP Address of an Isolated Network

You can create a load balancer on an acquired public IP and add some load balancing rules. The traffic to the public IP will be forwarded to the VMs configured in the load balancing rules.

To create a load balancer on a public IP, and to add load balancing rules, you may follow the official Apache CloudStack document.

http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/4.7/networking_and_traffic.html#adding-lb-rule

Starting from CloudStack 4.7.1-leaseweb11, we support customized configurations for load balancers. The feature is implemented by resource tags of Network and Load Balancer.

Add Network tags and Load Balancer tags

Network tags:

Load balancer rule tag:

Load balancer configs can be configured by navigating to Network → Your isolated network → View Public IP Addresses → Select IP with Source NAT → Configuration → Load Balancing → Configure


Configure load balancing

There are two levels of configuration: Network and Load Balancer. All the tags configured under a load balancer rule will be applied to HAproxy in the VRs of the network.

| Category | Network tag / Load balancer tag | Settings in Haproxy |
|---|---|---|
| default timeout | lb.timeout.client=value | timeout client $value (default value is 50000) |
| default timeout | lb.timeout.server=value | timeout server $value (default value is 50000) |
| default timeout | lb.timeout.connect=value | timeout connect $value (default value is 5000) |
| Enabling stats | lb.stats.enable | stats enable (default value is true) |
| URI | lb.stats.uri | /admin?stats |
| Haproxy stats | lb.stats.auth=username:password | stats auth $username:$password (default value is admin1:AdMiN123) |
| global connections | global.maxconn=value | maxconn $value (default value is 4096) |
| global connections | global.maxpipes=value | maxpipes $value (default value is global.maxconn / 4) |
| global connections | global.stats.socket=value | default value is false |
| load balancer connections | lb.maxconn=value | maxconn $value (not set by default) |
| load balancer connections | lb.fullconn=value | fullconn $value (not set by default; default value is $maxconn / 10 in haproxy) |
| load balancer connections | lb.maxconn.each=value | maxconn $value (per site/vm) |
| load balancer connections | lb.minconn.each=value | minconn $value (per site/vm) |
| load balancer connections | lb.maxqueue.each=value | maxqueue $value (per site/vm) |
| load balancer connections | lb.timeout.connect=value | timeout connect $value (default value is 5000ms) |
| load balancer connections | lb.timeout.client=value | timeout client $value (default value is 50000ms) |
| load balancer connections | lb.timeout.server=value | timeout server $value (default value is 50000ms) |
| load balancer connections | lb.server.maxconn=value | server maxconn $value (default value is unlimited) |
| load balancer connections | lb.server.minconn=value | server minconn $value |
| load balancer connections | lb.server.maxqueue=value | server maxqueue $value (default value is unlimited) |
| (TBD) default action | lb.default.action=restart/reload | (VR) service haproxy $value (the action if configurations change, default value is reload) |
| HTTP settings | lb.http=true/false | mode http (if true, default value true for 80, default value false for other ports) |
| HTTP settings | lb.http.keepalive=true/false | option httpclose (if false and lb.http set to true, default value is false) |
| HTTPS settings | lb.backend.https=true/false | ssl verify none (default value is false) |
| Transparent mode | lb.transparent.mode=true/false | source 0.0.0.0 usesrc clientip |

SSL offloading/termination

SSL Offloading feature allows load balancers to handle encryption/decryption of HTTP(s) traffic giving plaintext HTTP to the backend servers freeing them from the resource-intensive task of handling encryption/decryption. Major load balancers like the Netscaler and F5 have this functionality. More details can be found at https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Termination+Support

SSL offloading is automatically enabled if the Load balancer rule protocol is SSL and a certificate is added to the account. The steps below explain how to add an SSL certificate to the account:

    • Add an SSL certificate on the Accounts -> SSL Certificates page.

    • Assign an SSL certificate to a load balancer rule: on Network -> select network -> Public IP -> select IP -> configuration -> View all in Load Balancing -> click the SSL Certificate field of a rule.


Enable HTTP/2

Starting from CloudStack 4.7.1-leaseweb19, we support http2 for load balancers with ssl offloading (see above).

    • Restart network with clean up (Optional)

We suggest restarting the network with cleanup, so that virtual routers are created from a systemvm template with haproxy 1.8, which supports HTTP/2.

Virtual routers which are created before 4.7.1-leaseweb19 do NOT support HTTP/2.

Please refer to "Restarting isolated network".

    • Add a load balancer tag

| Category | Network tag | Load balancer tag | Settings in Cloudstack VR/Haproxy |
|---|---|---|---|
| HTTP/2 support | | lb.http2=true/false | alpn h2,http/1.1 |

Customized SSL configuration

Starting from CloudStack 4.7.1-leaseweb21, we support customized SSL configuration for load balancers with ssl offloading (see above) in a network.

    • Restart network with clean up (Optional)

It is recommended to restart the network with cleanup, so that virtual routers are created from a systemvm template with haproxy 1.8.17 and openssl 1.0.2l.

Virtual routers which are created before 4.7.1-leaseweb21 do not support customized SSL configuration.

Please refer to "Restarting isolated network".

    • Add a network tag

| Category | Network tag | Load balancer tag | Settings in CloudStack VR/Haproxy |
|---|---|---|---|
| Customized SSL configuration | lb.ssl.configuration=none/old/intermediate | | If 'none', no SSL configurations will be added (default tag for existing isolated networks created before 4.7.1-leaseweb21). If 'old', refer to https://ssl-config.mozilla.org/#server=haproxy&server-version=1.8.17&config=old&openssl-version=1.0.2l. If 'intermediate', refer to https://ssl-config.mozilla.org/#server=haproxy&server-version=1.8.17&config=intermediate&openssl-version=1.0.2l (default tag for new isolated networks created after 4.7.1-leaseweb21). |

You may get more information about haproxy configurations on https://cbonte.github.io/haproxy-dconv/1.8/configuration.html

To view the haproxy stats, allow port 8081 in the firewall rules and then access the page with the username/password specified in lb.stats.auth:
http://<Source NAT IP>:8081/admin?stats
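
As an added example (not part of the original page or of Leaseweb's tooling), the following Python check audits the tags described above for settings worth reviewing: the documented default stats credentials, a stats port open to any source, SSL offloading running with the 'none' or 'old' profile, and backend TLS without certificate verification. The input dictionaries and their field names, the severity labels, and the placement of lb.stats.* as network tags and lb.backend.https as a load balancer tag are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Values taken from the tag table and stats URL on this page.
DEFAULT_STATS_AUTH = "admin1:AdMiN123"
STATS_PORT = 8081


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" / "medium" / "low": labels chosen for this example
    scope: str     # "network" or the load balancer rule name
    tag: str
    message: str


def _is_true(value):
    return str(value).strip().lower() == "true"


def _stats_sources(firewall_rules):
    """Source networks of TCP firewall rules whose port range covers 8081."""
    return [
        ipaddress.ip_network(rule["cidr"], strict=False)
        for rule in firewall_rules
        if rule["protocol"] == "tcp"
        and rule["startport"] <= STATS_PORT <= rule["endport"]
    ]


def audit(network_tags, lb_rules, firewall_rules, created_before_leaseweb21):
    """Return Findings for one isolated network.

    Assumption: lb.stats.* and lb.ssl.configuration are network tags,
    lb.backend.https and lb.http2 are load balancer rule tags.
    """
    findings = []

    # HAProxy stats page: enabled by default, default credentials documented.
    stats_on = _is_true(network_tags.get("lb.stats.enable", "true"))
    sources = _stats_sources(firewall_rules) if stats_on else []
    auth = network_tags.get("lb.stats.auth", DEFAULT_STATS_AUTH)
    if stats_on and auth == DEFAULT_STATS_AUTH:
        findings.append(Finding(
            "high" if sources else "medium", "network", "lb.stats.auth",
            "stats page uses the documented default credentials"))
    if any(net.prefixlen == 0 for net in sources):
        findings.append(Finding(
            "medium", "network", "firewall",
            f"port {STATS_PORT} (stats over plain HTTP) is open to any source"))

    # SSL profile: 'none' is the default for networks created before
    # 4.7.1-leaseweb21, 'intermediate' for networks created after it.
    default_profile = "none" if created_before_leaseweb21 else "intermediate"
    profile = network_tags.get("lb.ssl.configuration", default_profile)
    ssl_rules = sorted(n for n, r in lb_rules.items() if r["protocol"] == "ssl")
    if ssl_rules and profile in ("none", "old"):
        findings.append(Finding(
            "medium", "network", "lb.ssl.configuration",
            f"SSL offloading rules {ssl_rules} use profile '{profile}'"))

    # Per-rule load balancer tags.
    for name, rule in sorted(lb_rules.items()):
        tags = rule.get("tags", {})
        if _is_true(tags.get("lb.backend.https", "false")):
            findings.append(Finding(
                "medium", name, "lb.backend.https",
                "backend TLS runs with 'ssl verify none' (certificate unchecked)"))
        if _is_true(tags.get("lb.http2", "false")) and rule["protocol"] != "ssl":
            findings.append(Finding(
                "low", name, "lb.http2",
                "lb.http2 is set on a rule without SSL offloading"))
    return findings


# Constructed sample: an untouched network created before 4.7.1-leaseweb21.
SAMPLE_NETWORK_TAGS = {}
SAMPLE_LB_RULES = {
    "web-ssl": {"protocol": "ssl",
                "tags": {"lb.backend.https": "true", "lb.http2": "true"}},
    "web-plain": {"protocol": "tcp", "tags": {"lb.http2": "true"}},
}
SAMPLE_FIREWALL = [
    {"cidr": "0.0.0.0/0", "protocol": "tcp", "startport": 8081, "endport": 8081},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_NETWORK_TAGS, SAMPLE_LB_RULES, SAMPLE_FIREWALL, True):
        print(f"[{f.severity}] {f.scope} {f.tag}: {f.message}")
```

Setting lb.stats.auth to a non-default value, narrowing the source CIDR of the port 8081 firewall rule, and setting lb.ssl.configuration=intermediate clear the network-level findings for the sample input.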

Releasing an IP Address

When you release an IP address from an isolated network, it returns to the pool of available public IP addresses. This allows the IP address to be used in a different network.

Perform the following steps to release an IP address for an isolated network:

  1. From the Network section, drill down to a specific network and IP address range


  2. Select the IP address that you want to release from the isolated network.
     

  3. Select the Release IP icon and confirm the release.


Setting up sticky sessions on your load balancer in CloudStack

CloudStack supports sticky sessions through its default load balancer feature for isolated networks. With these sticky sessions you can ensure a persistent state for user sessions across multiple requests.

Any load balancer rule defined in CloudStack can have a stickiness policy. The policy consists of a name, method, and additional parameters. The parameters are name-value pairs or flags, which are defined by HAProxy.

In CloudStack there are three sticky methods supported: load balancer-generated cookie, application-generated cookie, or source-based. The cookie generated by the load balancer or application is included in request and response URLs to create persistency. In the source-based method, the source IP address is used to identify the user and locate the user’s stored data.

To set up sticky sessions go to Network > Choose your isolated network > click on Public IP addresses > click on your NAT IP address > go to the Configuration tab > click on View all under Load Balancing > under Stickiness, click Configure.

In the Configure Sticky Policy screen, you will see the details below, depending on the Stickiness method you select. There are 3 different Stickiness methods to choose from.

Load balancer-generated cookie (LbCookie)

By selecting LbCookie you enable cookie-based persistency in your backend environment. The default mode, “Insert”, has the load balancer (HAProxy) insert the cookie in the HTTP response header. It is also possible to use the mode “Rewrite” when the server is already providing the cookie and HAProxy only needs to modify it with the server id, or “Prefix” when you don’t want a dedicated cookie, but the cookie prefixed with the server id and a delimiter in between.

| Modes | Description |
|---|---|
| Insert | Used by default. Allows HAProxy to insert the cookie in the HTTP response |
| Rewrite | Allows HAProxy to modify the cookie that has been set by the application |
| Prefix | Allows HAProxy to prefix the cookie with the id of the server that sends the HTTP response |

  1. From the Stickiness method drop-down menu, choose LBCookie.
  2. Fill in a Sticky Name that will be displayed in the dashboard for this rule
  3. Fill in a Cookie name that will be used as cookie to insert in the HTTP response headers
  4. Choose the preferred Mode from the options in the table above
  5. Optionally select No cache checkbox to prevent caching of responses and reuse of the same cookie by different clients. This option will tag responses as non-cacheable in an environment that is using response caching.
  6. Optionally select Indirect checkbox to instruct HAProxy to insert the cookie if the client does not already have one
  7. Optionally select Post only checkbox to insert cookie only for POST-request responses
  8. Optionally add a Domain to tell HAProxy to insert a cookie only for this domain specified

For more information on the different directives that are supported, please read the following HAProxy instruction: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-cookie

Application-generated cookie (AppCookie)

By selecting AppCookie you can manage session stickiness on an existing application provided cookie.

  1. From the Stickiness method drop-down menu, choose AppCookie.
  2. Fill in a Sticky Name that will be displayed in the dashboard for this rule
  3. Fill in a Cookie name that will be used as cookie to insert in the HTTP response headers
  4. Choose the preferred Mode:
    1. Use Mode path-parameter if the parser should look for the appsession in the path parameter (e.g. /path/file123)
    2. Use query-string when returning a query string (e.g. /path?user=id).
  5. Optionally set the maximum number of characters that will be checked by HAProxy
  6. Optionally set the Hold time (defined with suffixes ms, s, m, h etc.), the time after which an unused cookie is removed from memory

For more information on the different directives that are supported, please read the following HAProxy instruction: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-appsession

Source based cookie (SourceBased)

When you want to track users based on IP address, the source-based cookie is the easiest option to go with.

  1. From the Stickiness method drop-down menu, choose SourceBased.
  2. Fill in a Sticky Name that will be displayed in the dashboard for this rule
  3. Fill in the Table size (defined in binary (2^10, 2^20, 2^30) with suffix k, m or g; ‘1k’ is 1024 bytes and ‘1m’ is 1.048.576 bytes etc.). With this option you can manage how many entries can fit in the table; this value has direct impact on memory usage.
  4. In the Expires field, fill in the desired expiration time. This defines the maximum duration (defined with suffixes ms, s, m, h, etc.) of an entry in the table since it was last created, refreshed or matched.

See for more information: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#stick-table

Editing an Isolated Network

Perform the following steps to edit an isolated network:

  1. From the Network section select the network you wish to edit.


  2. Select the Edit icon.
    The editable fields allow you to enter/select new values. 


  3. Update the values and select Apply.

    Editable fields: Name, Description, Network Offering, CIDR, and Network Domain

Restarting an Isolated Network

If any of the services within your network are failing, restarting your network might resolve it. On restarting the network, all services offered through the virtual router are restarted. The virtual router will be destroyed and recreated. All virtual machines within the network will lose public connectivity during this process.

When services within the network are unavailable or broken, you can restart the network. Please check the 'cleanup' checkbox.

You can only restart a network when the state of the network is either "Implemented" or "Setup". You can view the state of the network in the Details page of the network. If an isolated network is in the "Allocated" state, it means that the network was created, but there was never any running instance assigned to it yet. After assigning the first running instance to it, the network state would change to "implemented".

Perform the following steps to restart an isolated network:

  1. On the left panel, select Network.
    The Guest network page displays.

  2. Select the network that you want to restart.
    The Details tab displays.


  3. Select the Restart network icon.
    The Restart network dialog box displays.
     

  4. Select OK to confirm.

    Clean up: On selecting this check box and confirming restart of the network, all unassigned IP address configurations will be removed.

Deleting an Isolated Network

You can delete a network if no virtual machines are in that network. To remove a virtual machine from the network, you must remove the NIC for that network on the instance, or destroy the instance.

When you delete a network, it is completely removed from the platform. 

 Perform the following steps to delete an isolated network: 

  1. On the left panel, select Network.
    The Guest network page displays.

  2. Select the network that you want to delete.
    The Details tab displays.


  3. Select the Delete Network icon.
    A Confirmation dialog box displays.

  4. Click Yes to delete the network.

Updating isolated network/VPC from single VR to redundant VR

If you created an isolated network or VPC with a single VR, you can update it to a redundant VR.

For isolated networks, please follow the "Editing an Isolated Network" part and choose another network offering with redundant VR.

For example, if you are using Default Isolated Network Offering With Source Nat Service (Offering for Isolated networks with Source Nat service enabled with No Redundancy (Egress traffic is blocked)), please choose the network offering: Isolated Network with Source Nat and Dual VR (Egress traffic is blocked), see below.  Then your network will have redundant VRs after about 5~10 minutes (depends on setting in your network). There will be 3~10 seconds downtime with your isolated network (depends on setting in your network).

For VPC, please go to the VPC details page and click Restart VPC.

A dialog will be shown.

Select the Make redundant check box in the dialog and click OK

Your VPC will have redundant VRs after about 5~10 minutes (depends on setting in your VPC). There will be 3~10 seconds downtime with your VPC (depends on setting in your VPC).

Configuring private network between private cloud and a dedicated server

After receiving the private network to your dedicated server you should see it as a separate virtual network in your cloud dashboard:

IP addressing in private networks

Private networks between dedicated servers and cloud always have a DHCP server providing internal IP addresses. However, obtaining the address via DHCP is up to you: you can statically assign any IP address instead.

Private network throughput

Private networks between dedicated servers and cloud servers have a throughput of 100Mbit per second per virtual machine.


To configure a private network on a virtual machine please follow these steps:

  1. Navigate to the Instances page, click on the virtual machine you are going to add to the private network, then switch to the NICs tab:


  2. Press Add network to VM button. In the pop-up dialog select the private network and press OK:


  3. The new network interface should appear in your virtual machine operating system. 

Creating a site-to-site VPN

The tutorial below shows you how to create a site-to-site VPN from your off-site location to our cloud. This way you can establish a permanent secure connection.

We also refer to the CloudStack documentation for this subject.



