Screenshot: Private networks in private cloud
Screenshot: Private networks in public cloud (AWS)
In the Networks list, to view the pool and allocation of IPs:
You can then:
Private networks are only available within a virtual datacenter. However, your cloud provider may configure an external gateway for your virtual datacenter.
To create a private network:
Create private network
Create private network Amazon
| Field | Description |
|---|---|
| Name | Name of the network (VLAN). The name can contain up to 128 characters |
| IPv6 | Select the checkbox to create an IPv6 network |
| Network address | Private address range of the network |
| Netmask | For IPv4, a network mask with an integer value between 16 and 30 |
| Gateway | Gateway of the VLAN. Must be an IP within the range defined by the network address and mask |
| Availability zone | In AWS, optionally select an Availability zone for high availability. To deploy a group of VMs separately, use a different availability zone for each VM. To assign a VM to an availability zone, assign it a private IP address from the network that belongs to the required availability zone |
| Primary DNS | The primary DNS server |
| Secondary DNS | The secondary DNS server |
| DNS suffix | The DNS suffix |
| Excluded from firewall | Select Excluded from firewall to define a network where VM firewalls will not apply |
| Static routes | In supported providers, optionally select Define to create static routes. See Configure Static Routes using DHCP |
| Default network | Select to make this network the default network, replacing the existing default network |
You can configure static routes when you create or edit a network. However, you should check with your systems administrator about when your VM will receive changes to static routes.
| Field | Description |
|---|---|
| Netmask | Destination network mask |
| Destination | Destination network or host |
| Next hop | Next hop (on your network) |
| Field | Description |
|---|---|
| Name | Name of the VLAN. The name can contain up to 128 characters |
| IPv6 | Select the checkbox to create an IPv6 network |
| Strict | IPv6 only. If you select Strict, Abiquo will automatically generate the network address (a ULA) and the IP addresses. If you do not select Strict, you can enter the network address and IP addresses |
| Netmask | Network mask of 48, 56 or 64 |
| Network address | Private address range of the network. Only for non-strict networks |
| Primary DNS | The primary DNS server |
| Secondary DNS | The secondary DNS server |
| DNS suffix | The DNS suffix |
| Default network | Make this network the default network. In a datacenter, this will override the existing default network |
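
The constraints in the two dialogs above (IPv4 netmask between 16 and 30, gateway inside the network range, IPv6 netmask of 48, 56 or 64, and no address entry for strict IPv6 networks) are easy to get wrong before the platform rejects them. The following checker is an added example, not Abiquo code; the `PrivateNetwork` dataclass and its field names are assumptions that mirror the dialog fields.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the "Create private network" dialog (not Abiquo's own code).
@dataclass
class PrivateNetwork:
    name: str
    address: str                   # network address; ignored for strict IPv6 (the platform generates a ULA)
    netmask: int                   # prefix length
    gateway: Optional[str] = None  # IPv4 gateway; must sit inside the network
    ipv6: bool = False
    strict: bool = False           # IPv6 only: the platform generates the network address and IPs

def validate_private_network(net: PrivateNetwork) -> List[str]:
    """Return the list of constraint violations; an empty list means the definition is acceptable."""
    problems: List[str] = []
    if not net.name or len(net.name) > 128:
        problems.append("name must be 1 to 128 characters")
    if net.ipv6:
        if net.netmask not in (48, 56, 64):
            problems.append("IPv6 netmask must be 48, 56 or 64")
        if net.strict:
            return problems  # the address range is generated, nothing more to check
        try:
            ipaddress.IPv6Network(f"{net.address}/{net.netmask}", strict=True)
        except ValueError as exc:
            problems.append(f"invalid IPv6 network address: {exc}")
        return problems
    if not 16 <= net.netmask <= 30:
        problems.append("IPv4 netmask must be an integer between 16 and 30")
    try:
        network = ipaddress.IPv4Network(f"{net.address}/{net.netmask}", strict=True)
    except ValueError as exc:
        problems.append(f"invalid IPv4 network address: {exc}")
        return problems
    if net.gateway is None:
        problems.append("IPv4 network needs a gateway")
        return problems
    gateway = ipaddress.IPv4Address(net.gateway)
    # The gateway must be a usable host inside the range defined by the address and mask.
    if gateway not in network or gateway in (network.network_address, network.broadcast_address):
        problems.append("gateway must be an IP within the range of the network address and mask")
    return problems
```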
To create new IP addresses in a private network, do these steps.
Or you can add an IP directly to a VM. To do this:
When you add IPv6 addresses on strict networks, you don't need to set the starting address. On non-strict IPv6 networks, Abiquo recommends that you create an automatic IP address, or you can enter a From IP address manually.
The new settings will apply to all VMs deployed after you save the network.
To delete a private network:
To display onboarded external networks:
If an onboarded network has been deleted in the provider, its name will display in light gray text. If a VM is using an IP from this network, then you cannot deploy the VM.
If there are no VMs using the IPs of an external network that was already deleted in the provider, to delete the network in the platform, select it and click the delete button.
To set a new or existing network as the default:
In private cloud, if you set a public network as the default, remember to obtain IP addresses for your VMs before you deploy!
To add new public IP addresses to your virtual datacenter:
The platform will add the IPs to your VDC
You can also reserve public IPs directly from the Edit VM dialog.
During onboarding from public cloud, the platform will onboard existing public IP addresses in providers that support them, such as AWS and Azure. You can obtain them from the provider and assign them to your virtual datacenters and VMs.
Amazon may charge for Elastic IP addresses as soon as you reserve them for your virtual datacenter. Therefore you should reserve your IP addresses just before you deploy and check they are deleted when you undeploy your VMs. Remember that your provider may also limit the number of public IP addresses that you can use per virtual datacenter.
To add public IP addresses to your virtual datacenter, so that you can later assign them to your VMs:
Now when you edit a VM in the VDC and go to Network → Public, the platform will display the public IP address and you can add it to your VM.
To onboard any public IP addresses that were already created in your cloud provider, or update changes made directly in the provider:
You can release a public IP if it is not assigned to a VM.
To release a public IP that belongs to a public network, select the IP in the IP list and click the delete button.
In public cloud, click the link to Remove from VDC and then click the delete button.
To display NAT rules for a VM:
To manage or display NAT rules for a VM:
To enable VMs outside your VDC to connect to a VM with a private IP address, after you obtain a NAT IP, create a destination NAT rule, which is also called a DNAT rule.
To create a DNAT rule:
Enter the details of the DNAT rule
To send outgoing traffic through a NAT IP that is not the default one, add an additional SNAT rule with these steps:
To create an SNAT rule:
Enter the addresses of the SNAT rule
| Field | Description |
|---|---|
| Original | Select the IP that is attached to the VM |
| Translated (NAT IP) | Select the IP address for outgoing connections |
To use a NAT IP address as a public IP address for a load balancer:
The platform will automatically create a NAT rule to match the port mappings of the routing rule of the load balancer.
To obtain an additional NAT IP address:
The platform will reserve an IP address and allocate it to your virtual datacenter.
You can then use the NAT IP address as the public IP address for a load balancer or to provide access to a private IP address.
When you create a virtual datacenter, the new "natbandwidthlimit" attribute is present but you must edit the virtual datacenter to enable it in the platform and in the NSX.
To edit the bandwidth limit and apply it in the NSX:
| Field | Description |
|---|---|
| Provider ID | Read only |
| Enabled | To enable traffic shaping in a specific direction, select this checkbox |
| Average | The average bandwidth, in bits per second, that the virtual datacenter can use |
| Peak | The maximum bandwidth, in bits per second, that the virtual datacenter can use |
| Burst size | The amount of data, in bytes, that can be transmitted at the peak bandwidth rate. A burst bonus accumulates while traffic is below the Average value, and this bandwidth can be used for bursts |
To register changes that were made outside the platform, save existing NAT bandwidth values. In the API, to register changes, send a POST request with the existing values.
This section describes firewall policies, which are similar to security groups. The platform supports firewall policies in private cloud with network managers (NSX, Neutron) and in public cloud (AWS, Azure). In Oracle Cloud, the platform enables users to onboard classic firewalls and assign them to VMs.
In vCloud Director, the platform supports classic firewalls, which are Edge firewalls at the level of the public cloud region (orgVDC). The platform does not support security groups for VMs in vCloud Director. See Manage Classic Firewalls
To display firewalls that exist in a virtual datacenter in the provider:
To display all firewalls in a location (public cloud region or datacenter), including those that only exist in the platform and not in the provider:
To filter firewalls, enter text in the Search box to search by the Name, Description, and Provider ID in the Firewalls list.
To synchronize firewalls, do these steps:
To synchronize a firewall before you add new firewall rules:
The platform can create firewall policies in virtual datacenters in the provider, or in the platform only, for later use in providers, depending on provider support.
To create a new firewall, do these steps:
| Field | Description |
|---|---|
| Name | Name of the firewall policy |
| Location | Public cloud region |
| Default | Optional. Select to make the firewall the default for the virtual datacenter |
| Description | Description of the firewall policy |
If you entered a virtual datacenter, the platform created your firewall in the provider. The platform will display a Provider-ID and a Virtual datacenter ID for the firewall.
If you selected No virtual datacenter, the firewall will be created in the platform in the public cloud region for your enterprise. The synchronize process will not update this firewall. The platform will not create it in the provider until you select a virtual datacenter.
To add a new firewall rule:
To move a firewall to another virtual datacenter:
In Neutron, edit the firewall in Abiquo and change the VDC
A: In the Abiquo API, the firewall object contains a link to the virtual datacenter it belongs to.
To delete a firewall policy:
To onboard classic firewalls:
To synchronize a firewall that you onboarded earlier, click the synchronize double-arrow button beside the firewall name.
Troubleshooting: If the classic firewall tab does not display as expected, check that your platform has the correct UI configuration for this feature
Change the name and description as required, then click Save.
To view the provider ID of a classic firewall, edit the firewall.
The platform will maintain the rules in order with no gaps.
To change the order of rules, click the pencil edit button beside a Sequence number, then enter a new Sequence number and click ok. The platform will move the other rules to fit around the changed rule.
For example, to move a rule from position 1 to position 2, enter 2 and click "ok".
The platform will now move the rule that was in position 2 to position 1.
The last rule in the sequence is the default rule in the Edge. In vCloud Director, if you disable the default rule, this will disable the firewall service in the Edge. The rules will still exist in the Edge but they will not be active.
To create a firewall rule, click the + add button and complete the following dialog.
| Field | Description |
|---|---|
| Sequence | Position in the order of evaluation of rules, which runs from lowest to highest. Create rules using existing sequence numbers; the platform will reorder the other rules to fit around the new rule. If you create a new rule at the end of the sequence, it becomes the default rule. If you disable the default rule, the platform will disable the firewall in the Edge |
| Protocol | Optionally select from the list of common protocols |
| Source ports | The firewall rule will apply to this inclusive range of ports |
| Source | Source can be in the following formats: IP address, CIDR, IP range, 'any', 'internal', and 'external' |
| Destination ports | The firewall rule will apply to this inclusive range of ports |
| Destination | Destination can be in the following formats: IP address, CIDR, IP range, 'any', 'internal', and 'external' |
| Description | Describe the classic firewall rule |
| Action | Select "Allow" or "Deny" |
| Logged | Optional. Select to log traffic that matches the rule |
| Enabled | Select to enable the rule. If this rule is in the last position, it is the default rule. If you disable the default rule, you will disable the firewall in the Edge. The rules will still be present, but the Edge will not apply them |
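
The sequence semantics described above (gap-free numbering, other rules shifting around a moved or inserted rule, the last rule being the Edge default rule whose disablement turns the firewall service off) are modelled in the following added example. It is not Abiquo code; the `ClassicRule` class and function names are assumptions chosen to mirror the dialog fields.

```python
from dataclasses import dataclass
from typing import List

# Constructed model of a classic firewall rule with a Sequence number (not Abiquo's own code).
@dataclass
class ClassicRule:
    name: str
    sequence: int
    action: str = "Deny"
    enabled: bool = True

def _assign(ordered: List[ClassicRule]) -> List[ClassicRule]:
    """Assign Sequence 1..n in list order, so there are never gaps."""
    for position, rule in enumerate(ordered, start=1):
        rule.sequence = position
    return ordered

def renumber(rules: List[ClassicRule]) -> List[ClassicRule]:
    """Order rules by their current Sequence and close any gaps."""
    return _assign(sorted(rules, key=lambda r: r.sequence))

def move_rule(rules: List[ClassicRule], name: str, new_sequence: int) -> List[ClassicRule]:
    """Give one rule a new Sequence number; the other rules shift to fit around it."""
    ordered = renumber(list(rules))
    if not 1 <= new_sequence <= len(ordered):
        raise ValueError(f"Sequence must be between 1 and {len(ordered)}")
    rule = next(r for r in ordered if r.name == name)
    ordered.remove(rule)
    ordered.insert(new_sequence - 1, rule)
    return _assign(ordered)

def add_rule(rules: List[ClassicRule], new_rule: ClassicRule) -> List[ClassicRule]:
    """Insert a rule at its Sequence number (an existing one, or n+1 to append it as the new default rule)."""
    ordered = renumber(list(rules))
    if not 1 <= new_rule.sequence <= len(ordered) + 1:
        raise ValueError(f"Sequence must be between 1 and {len(ordered) + 1}")
    ordered.insert(new_rule.sequence - 1, new_rule)
    return _assign(ordered)

def default_rule(rules: List[ClassicRule]) -> ClassicRule:
    """The last rule in the sequence is the default rule in the Edge."""
    return max(rules, key=lambda r: r.sequence)

def firewall_service_active(rules: List[ClassicRule]) -> bool:
    """In vCloud Director, disabling the default rule disables the firewall service in the Edge."""
    return default_rule(rules).enabled
```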
Please refer to cloud provider documentation as the definitive guide to the load balancing features. And remember to check your cloud provider pricing before you begin.
In vCloud Director, load balancers belong to a public cloud region, not a virtual datacenter. This means that in vCloud Director, you can attach VMs from more than one virtual datacenter to the same load balancer, and these load balancers do not work with private networks, which belong to only one virtual datacenter.
To display load balancers in a region, including those that are not assigned to a virtual datacenter in a provider
To display load balancers in virtual datacenters:
Select a virtual datacenter
Go to Network → Load balancers.
To create a load balancer:
Click the + add button and complete the following dialogs according to your cloud provider's documentation
The following screenshots are from AWS.
| Field | Description |
|---|---|
| Name | The name of the load balancer |
| Subnets | In providers that support subnets, the subnets to which the load balancer will connect. See cloud provider documentation for more information |
| Common protocols | Select one of the common protocols to load presets |
| Protocol in | The incoming protocol to the load balancer. See cloud provider documentation for accepted values |
| Port in | The incoming port to the load balancer. See cloud provider documentation for accepted values |
| Protocol out | The outgoing protocol from the load balancer |
| Port out | The outgoing port from the load balancer |
| SSL certificate | For secure connections (e.g. HTTPS), you can add an SSL certificate |
| Add | Click Add to save a routing rule for the load balancer |
To delete a routing rule, click the delete button beside the name of the routing rule in the list
| Field | Description |
|---|---|
| Name | Name of the certificate |
| Certificate | The certificate contents |
| Intermediate certificate | An intermediate certificate can be issued by a provider to support older browsers that may not have all of the trusted root certificates for that provider, so that users will not receive invalid SSL warnings. If you have an intermediate certificate, add it at the same time as the certificate to ensure that a trusted-chain certificate is configured |
| Private key | The RSA private key for the certificate |
| Field | Description |
|---|---|
| Common protocols | Select one of the most common protocols to load presets |
| Name | Name of the health check |
| Protocol | The protocol with which the health check will be performed |
| Port | The port to which the health check will be performed |
| Path | The server path to ping (for supported protocols) |
| Interval (sec) | The interval in seconds between health checks |
| Timeout (sec) | The timeout in seconds after which an attempted health check will be considered unsuccessful |
| Attempts | The number of attempts before the health check will be considered unsuccessful |
| Add | Add the current health check to the load balancer |
If your provider supports firewalls, to add a firewall to your load balancer, select your firewall from the list of Firewalls that were created in your provider. Rackspace does not display a firewall selection list.
If a firewall is not on the list, it may not have been properly synchronized. In this case, you will need to click Cancel, synchronize firewalls and start again to create a new load balancer.
To assign your load balancer to VMs, drag and drop the VMs from the Available Nodes list into the Attached Nodes list.
The platform will display the Status of the load balancer nodes on the Nodes tab, if status information is available from the provider.
You can also check the status using the Abiquo API.
The cloud provider determines which elements of a load balancer that you can modify. Due to different provider support for load balancer features, it may be possible to make modifications in the platform that will later be rejected by the cloud provider, triggering an error. Check your cloud provider documentation for supported modifications.
This feature is available in datacenters using VMware with NSX-NAT or NSX-gateway.
To manage VPNs, go to Virtual datacenters → select a virtual datacenter → Network → VPN
Initial support for VPNs requires you to create a VPN site for each connected virtual datacenter. Both sites of a VPN must have the same encryption and authentication settings, and inverse local and remote network configurations.
The following table describes VPN functionality in the providers.
|Encryption||AES||AES, AES256, Triple DES, AES-GCM||AES128_SHA1, AES128_SHA256, AES256_SHA1, AES256_SHA256, _3DES_SHA1, _3DES_SHA256|
|Perfect forward secrecy enabled||always enabled||optional||always disabled|
|DH group||DH2||DH2, DH5, DH14||DH2, DH14|
|Authentication||PSK (mandatory)||PSK (mandatory)||PSK (mandatory)|
To connect private cloud with public cloud, define the VPN site in private cloud first.
To create the VPN site for site1:
The platform will create the VPN site.
| Field | Description |
|---|---|
| Name | Name of the VPN |
| Encryption | Select the encryption algorithm |
| Perfect forward secrecy enabled | Select to enable perfect forward secrecy to protect your session keys |
| DH group | Diffie-Hellman group for the VPN |
| Authentication | Select the authentication method. Preshared key authentication may be mandatory in some providers |
| Preshared key | Enter the preshared key to use for this session. Click the link beside the text entry box to show or hide the value of the key. For AWS, the PSK must be alphanumeric or "." or "_", between 8 and 64 characters, and cannot start with 0 |
| Local endpoint | NAT IP in the VDC, or an automatically generated address in public cloud |
| Local networks | Select VDC networks. We recommend that you do not use the default private network addresses for both sides of a VPN |
| Remote endpoint | NAT IP in the remote VDC |
| Remote networks | Add network addresses using CIDR notation. Click x beside a network to remove it from the VPN configuration |
To create the VPN site for site2 in another VDC:
After you have created both VPN sites, to check the connection in the network virtualization system, click the Check link in the VPN Status column on the VPNs tab, or use the Check link when you edit a VPN site.
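
Before clicking Check, it helps to compare the two site definitions offline: the encryption and authentication settings must match, the local and remote endpoints and networks must be inverse, the two sides should not share address space, and a PSK used with AWS must meet the format rule given in the table. The following is an added example, not Abiquo code; the `VpnSite` dataclass, its `provider` field and the function names are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed model of the "Create VPN site" dialog (not Abiquo's own code).
@dataclass
class VpnSite:
    name: str
    provider: str            # assumed field, e.g. "NSX" or "AWS"; drives the AWS PSK rule
    encryption: str
    pfs: bool
    dh_group: str
    authentication: str
    psk: str
    local_endpoint: str
    local_networks: List[str]
    remote_endpoint: str
    remote_networks: List[str]

# AWS rule from the table: alphanumeric, "." or "_", 8 to 64 characters, cannot start with 0.
AWS_PSK = re.compile(r"[A-Za-z1-9._][A-Za-z0-9._]{7,63}")

def aws_psk_ok(psk: str) -> bool:
    return AWS_PSK.fullmatch(psk) is not None

def _cidrs(networks: List[str]):
    return {ipaddress.ip_network(n, strict=False) for n in networks}

def check_vpn_pair(site1: VpnSite, site2: VpnSite) -> List[str]:
    """Return the mismatches that would stop the two sites from forming one VPN."""
    problems: List[str] = []
    # Both sites must share encryption and authentication settings (and therefore the PSK).
    for attr in ("encryption", "pfs", "dh_group", "authentication", "psk"):
        if getattr(site1, attr) != getattr(site2, attr):
            problems.append(f"{attr} differs between {site1.name} and {site2.name}")
    # Local and remote configuration must be the inverse of each other.
    if (site1.local_endpoint, site1.remote_endpoint) != (site2.remote_endpoint, site2.local_endpoint):
        problems.append("endpoints are not inverse")
    if (_cidrs(site1.local_networks) != _cidrs(site2.remote_networks)
            or _cidrs(site1.remote_networks) != _cidrs(site2.local_networks)):
        problems.append("local and remote networks are not inverse")
    # Overlapping ranges (for example the default private network on both sides) cannot be routed.
    for local in _cidrs(site1.local_networks):
        for remote in _cidrs(site1.remote_networks):
            if local.overlaps(remote):
                problems.append(f"local network {local} overlaps remote network {remote}")
    if "AWS" in (site1.provider, site2.provider) and not aws_psk_ok(site1.psk):
        problems.append("preshared key does not meet the AWS format rules")
    return problems
```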