Abiquo 5.0



1. Manage networks

1.1. Display virtual datacenter networks

To display the networks available to a virtual datacenter:

Privileges: Manage virtual network elements, Access external networks tab, Access public networks tab


  1. Go to Virtual datacenters → select virtual datacenter → Network.
  • The default network is highlighted with a star symbol
  • A network with an internet gateway is highlighted with a globe symbol
  • In public cloud, to synchronize networks and IP addresses, click the round arrows synchronize button 

API Features

Virtual datacenter networks are available in the Abiquo API. For example, see VirtualDatacentersResource and PrivateNetworksResource.

Screenshot: Private networks in private cloud

Screenshot: Private networks in public cloud (AWS)


In the Networks list, to view the pool and allocation of IPs:

  • To display all the IPs in the virtual datacenter, click the All button at the top of the list
  • To display the IPs in a network, click the Network name

You can then:

  • Use the slider at the bottom of the list to move through the pages 
  • Filter the list by entering text in the Search box. The filter works with all the columns of the table including:
    • IP Address
    • MAC address
    • Network name
    • Virtual appliance using the IP
    • VM using the IP
    • Provider ID of the entity using the IP (for example, a load balancer)




1.2. Create a private network

Private networks are only available within a virtual datacenter. However, your cloud provider may configure an external gateway for your virtual datacenter.

To create a private network:

  1. Go to Virtual datacenters → select virtual datacenter → Network → Private
  2. Click the + add button and complete the dialog


Create private network

Create private network Amazon



Field: Description

  • Name: Name of the network (VLAN). The name can contain up to 128 characters
  • IPv6: Select the checkbox for an IPv6 network
  • Network Address: Private address range of the network
  • Netmask: For IPv4, a network mask with an integer value between 16 and 30
  • Gateway: Gateway of the VLAN. Must be an IP within the range of the network address and mask
  • Availability zone: In AWS, optionally select an Availability zone for high availability. To deploy a group of VMs separately, use a different availability zone for each VM. To assign a VM to an availability zone, assign it a private IP address from the network that belongs to the required availability zone
  • Primary DNS: The primary DNS server
  • Secondary DNS: The secondary DNS server
  • DNS suffix: The DNS suffix
  • Excluded from firewall: Select to define a network where VM firewalls will not apply
  • Static Routes: In supported providers, optionally select Define to create static routes. See Configure Static Routes using DHCP
  • Default network: Select to make this network the default network, replacing the existing default network

You can configure static routes when you create or edit a network. However, you should check with your systems administrator about when your VM will receive changes to static routes.

Static route fields:

  • Netmask: Destination network mask. Example: 255.255.255.0
  • Network ID: Destination network or host. Example: 1.1.1.0
  • Gateway IP: Next hop (on your network). Example: 10.10.10.100

IPv6 networks

Screenshot: Strict network

Screenshot: Non-strict network

Field: Description

  • Name: Name of the VLAN. The name can contain up to 128 characters
  • IPv6: Select the checkbox for an IPv6 network
  • Strict: IPv6 only. If you select Strict, Abiquo will automatically generate the network address (ULA) and also the IP addresses. If you do not select Strict, you can enter the network address and IP addresses.
  • Netmask: Network mask of 48, 56 or 64
  • Network Address: Private address range of the network. Only for non-strict networks
  • Primary DNS: The primary DNS server
  • Secondary DNS: The secondary DNS server
  • DNS suffix: The DNS suffix
  • Default network: Make this network the default network. In a datacenter, this will override the existing default network



1.3. Create IP addresses in private networks

To create new IP addresses in a private network:

  1. Go to Virtual datacenters → optionally select a virtual datacenter
  2. Go to Network → Private → select a private network
  3. On the Private IPs page, click the add + button and enter details

Or you can add an IP directly to a VM. To do this:

  1. Go to Virtual datacenters → Edit VM → Network
  2. Click the add + button and enter details (or drag the Auto-generated IP label into the Network pane)

Enter the Number of IPs to create and the From IP address (the first in the range). The From IP address must be a new address that does not already exist in the network. After creating the first IP address, the platform will try to create the other IPs in sequence and it will skip any existing IP addresses.

For example, if network 30.30.30.30 already has the IP addresses 30, 33, and 34, and you request 3 new IPs from 30.30.30.31, the new IPs created are 31, 32, and 35. The network then contains these IP addresses:

  • 30.30.30.30
  • 30.30.30.31
  • 30.30.30.32
  • 30.30.30.33
  • 30.30.30.34
  • 30.30.30.35

When you add IPv6 addresses on strict networks, you don't need to set the starting address. On non-strict IPv6 networks, Abiquo recommends that you create an automatic IP address, or you can enter a From IP address manually.
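The skip-existing allocation rule described above, as an added Python example that is not part of the Abiquo documentation or product code. It assumes the example network is 30.30.30.0/24 (the page only names it as 30.30.30.30) and takes the existing addresses as a constructed list.

```python
import ipaddress


def allocate_ips(network, existing, from_ip, count):
    """Return the addresses the platform would create for a request of
    `count` IPs starting at `from_ip`, following the rule described above:
    the From IP must be new, later candidates are tried in ascending order,
    and any address that already exists in the network is skipped.

    `network` is given in CIDR form (an assumption; the page only names the
    network) and `existing` lists the addresses already in the network.
    """
    net = ipaddress.ip_network(network, strict=False)
    start = ipaddress.ip_address(from_ip)
    taken = {ipaddress.ip_address(a) for a in existing}
    if start not in net:
        raise ValueError(f"From IP {start} is not inside {net}")
    if start in taken:
        raise ValueError(f"From IP {start} already exists in the network")
    if count < 1:
        raise ValueError("Number of IPs must be at least 1")

    # The network and broadcast addresses are never handed out as host IPs.
    reserved = {net.network_address, net.broadcast_address}
    created = []
    addr = start
    while len(created) < count:
        if addr not in net:
            raise ValueError(
                f"only {len(created)} of {count} addresses available after {start}")
        if addr not in taken and addr not in reserved:
            created.append(addr)
        addr += 1
    return [str(a) for a in created]


if __name__ == "__main__":
    # Constructed input matching the worked example above.
    print(allocate_ips("30.30.30.0/24",
                       ["30.30.30.30", "30.30.30.33", "30.30.30.34"],
                       "30.30.30.31", 3))
```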



1.4. Edit a private network

To edit a private network:

  1. Go to Virtual datacenters → select a virtual datacenter → Network
  2. Select the network
  3. Click the pencil edit button below the Networks list
  4. You can change the network Name, Gateway, DNS settings, and optionally make the network the new default for this virtual datacenter.
  5. Click Save

The new settings will apply to all VMs deployed after you save the network.




1.5. Delete a private network

You can delete a private network if no VMs are using its IPs and it is not the default network for the virtual datacenter.

To delete a private network:

  1. Go to Virtual datacenters → select a virtual datacenter → Network → Private
  2. Select the network and click the delete button below the Networks list.




1.6. Display onboarded external networks

The platform automatically onboards external networks when you onboard virtual datacenters from vCloud Director.

Privileges: Manage virtual network elements, Access external networks tab, Manage external network elements


To display onboarded external networks:

  1. Go to Virtual datacenters → select the vCloud VDC → Network → External




1.7. Delete an onboarded external network

If an onboarded network has been deleted in the provider, its name will display in light gray text. If a VM is using an IP from this network, then you cannot deploy the VM.

If there are no VMs using the IPs of an external network that was already deleted in the provider, to delete the network in the platform, select it and click the delete button.



1.8. Set default virtual datacenter networks

The platform always requires a default network for a virtual datacenter to ensure that if you deploy a VM without assigning a NIC, the platform will be able to add one from the default network.

Privileges: Manage virtual datacenter network elements, Access public network tab, Manage public network elements, Access external network tab, Manage external network elements

To set a new or existing network as the default:

  1. When you create or edit the network, select the Default network checkbox. The new default network will apply to all VMs deployed after you set it.  

In private cloud, if you set a public network as the default, remember to obtain IP addresses for your VMs before you deploy!



1.9. Obtain IP addresses from public networks

In public networks you can reserve or purchase public IP addresses for your VMs. Reserved IPs may be charged while they are reserved, even if they are not used in VMs.

Privileges: Manage public IPs, Access public networks tab, Manage public network elements

To add new public IP addresses to your virtual datacenter:

  1. Click the + Add button on the Public IPs page to display the list of available public IPs
    1. To move between pages, use pagination controls such as arrows and page numbers
    2. To filter your search, enter an IP address or Network name in the Search filter box
  2. Select IP addresses to add them to your virtual datacenter
  3. Click Add to reserve the IPs

The platform will add the IPs to your VDC.

You can also reserve public IPs directly from the Edit VM dialog.




1.10. Obtain public IP addresses in public cloud

During onboarding from public cloud, the platform will onboard existing public IP addresses in providers that support them, such as AWS and Azure. You can obtain them from the provider and assign them to your virtual datacenters and VMs.

Amazon may charge for Elastic IP addresses as soon as you reserve them for your virtual datacenter. Therefore you should reserve your IP addresses just before you deploy and check they are deleted when you undeploy your VMs. Remember that your provider may also limit the number of public IP addresses that you can use per virtual datacenter.


To add public IP addresses to your virtual datacenter, so that you can later assign them to your VMs:

Privileges: Manage virtual network elements, Manage floating IPs, Access public networks tab, Manage public network elements

  1. Go to Virtual datacenters → Select a public cloud virtual datacenter → Network → Public
  2. Click the + add button on the Public IPs page
  3. To add the public IP to a virtual datacenter, click the Add to VDC link near the IP address

Now when you edit a VM in the VDC and go to Network → Public, the platform will display the public IP address and you can add it to your VM.



1.11. Synchronize public IP addresses with the cloud provider

To onboard any public IP addresses that were already created in your cloud provider, or update changes made directly in the provider:

Privileges: Manage virtual network elements, Manage floating IPs, Access public networks tab, Manage public network elements

  1. Go to Virtual datacenters → select a public cloud virtual datacenter → Network → Public
  2. Click the double arrow synchronize public IPs button (beside the + add button)




1.12. Release a reserved public IP address

You can release a public IP if it is not assigned to a VM.

To release a public IP that belongs to a public network, select the IP in the IP list and click the delete button.

In public cloud, click the link to Remove from VDC and then click the delete button.

2. Manage NAT

2.1. Display NAT rules

When the Network Address Translation (NAT) integration is available in your environment, to display NAT IPs and NAT rules:

  1. Go to Virtual datacenters → select virtual datacenter → Network → NAT

To display NAT rules for a VM:

  1. Go to Virtual datacenters → select VM → go to VM control panel → select NAT

To manage or display NAT rules for a VM:

  1. Go to Virtual datacenters → edit VM → Networks → NAT

2.2. Create a NAT rule for DNAT

To enable VMs outside your VDC to connect to a VM with a private IP address, after you obtain a NAT IP, create a destination NAT rule, which is also called a DNAT rule. 

To create a DNAT rule:

  1. Go to Virtual datacenters → Virtual appliances → edit VM
  2. If your VM does not yet have an IP, go to Network → NICs and add a private IP
  3. Go to Network → DNAT
  4. Click the + add button on the top right-hand side of the tab
  5. Enter the details of the DNAT rule

  6. Click Add
  7. Save the VM

2.3. Create a NAT rule for SNAT

To send outgoing traffic through a NAT IP that is not the default one, add an additional SNAT rule.

To create an SNAT rule:

  1. Go to Virtual datacenters → Virtual appliances → edit VM
  2. If your VM does not yet have an IP, go to Network → NICs and add a private IP
  3. Go to Network → SNAT
  4. Click the + add button on the top right-hand side of the tab
  5. Enter the addresses of the SNAT rule

    Field: Description
      • Original: Select the IP that is attached to the VM
      • Translated (NAT IP): Select the IP address for outgoing connections

  6. Click Add
  7. Save the VM

2.4. Use a NAT IP for a load balancer

To use a NAT IP address as a public IP address for a load balancer:

  1. Use the virtual datacenter's NAT IP address or obtain an additional NAT IP address. See Obtain an additional NAT IP address for a virtual datacenter
  2. Create the load balancer and select the NAT IP

The platform will automatically create a NAT rule to match the port mappings of the routing rule of the load balancer.

2.5. Obtain an additional NAT IP for your virtual datacenter

In addition to the NAT IP address assigned to the virtual datacenter, you can obtain NAT IP addresses for creating additional NAT rules.

To obtain an additional NAT IP address:

  1. Go to Virtual datacenters → Network → NAT
  2. Click the + add button on the top right-hand side of the screen
  3. Select the NAT network and click Accept

The platform will reserve an IP address and allocate it to your virtual datacenter.

You can then use the NAT IP address as the public IP address for a load balancer or to provide access to a private IP address.

2.6. Limit NAT IP bandwidth for a VDC

You can use Quality of Service (QoS) traffic shaping parameters to limit the bandwidth for all the NSX NAT IPs in a virtual datacenter. 

Privileges: Manage NAT bandwidth limit

When you create a virtual datacenter, the new "natbandwidthlimit" attribute is present but you must edit the virtual datacenter to enable it in the platform and in the NSX. 

To edit the bandwidth limit and apply it in the NSX:

  1. Select the virtual datacenter and go to Network → QoS
  2. Click the pencil edit button 
    1. To enable the bandwidth limit in a specific direction, select the Enabled checkbox for that direction
    2. Set QoS values for your virtual datacenter. Be sure to allow enough bandwidth to share between all the NAT IPs in the virtual datacenter.


    Field: Description
      • Provider ID: Read only
      • Enabled: To enable traffic shaping in a specific direction, select this checkbox
      • Average: The average amount of bandwidth, in bits per second, that the virtual datacenter can use
      • Peak: The maximum bandwidth, in bits per second, that the virtual datacenter can use
      • Burst size: The amount of data, in bytes, that can be transmitted at the peak bandwidth rate. A burst bonus accumulates while traffic is below the Average value, and this bandwidth can be used for bursts.

To register changes that were made outside the platform, save existing NAT bandwidth values. In the API, to register changes, send a POST request with the existing values.

3. Manage firewalls

3.1. Introduction to firewalls

The platform provides a unified interface to firewalls in varied cloud environments. 

This section describes firewall policies, which are similar to security groups. The platform supports firewall policies in private cloud with network managers (NSX, Neutron) and in public cloud (AWS, Azure). In Oracle Cloud, the platform enables users to onboard classic firewalls and assign them to VMs.

In vCloud Director, the platform supports classic firewalls, which are Edge firewalls at the level of the public cloud region (orgVDC). The platform does not support security groups for VMs in vCloud Director. See Manage Classic Firewalls.


3.2. Display firewall policies

You can display and manage firewalls in the platform at the level of the virtual datacenter or the location (public cloud region or datacenter).

To display firewalls that exist in a virtual datacenter in the provider:

  1. Go to Virtual datacenters → select a virtual datacenter → Network → Firewalls

To display all firewalls in a location (public cloud region or datacenter), including those that only exist in the platform and not in the provider:

  1. In the Virtual datacenters list, select All
  2. On the Firewalls tab, select the location (public cloud region or datacenter)

To filter firewalls, enter text in the Search box to search by Name, Description, and Provider ID in the Firewalls list.

3.3. Synchronize firewall policies

The synchronization process will onboard firewalls and it will update the platform's information about firewalls that already exist in the cloud provider. The platform synchronizes automatically when you onboard virtual resources from public cloud. Depending on the provider, the platform may support synchronization at the level of the location (public cloud region) or virtual datacenter.

To synchronize firewalls do these steps:

  1. Select All virtual datacenters and the location, or a single virtual datacenter
  2. Click the double-arrow synchronize button 

To synchronize a firewall before you add new firewall rules:

  1. Select the firewall and click the double-arrow synchronize button

3.4. Create a firewall policy


The platform can create firewall policies in virtual datacenters in the provider, or in the platform only, for later use in providers, depending on provider support.

Privilege: Manage firewall

To create a new firewall, do these steps:

  1. Go to Virtual datacenters → Network → Firewalls
  2. Click the Add button
  3. Enter the firewall details

    Field: Description

      • Name: Name of the firewall policy
      • Location: Public cloud region
      • Virtual datacenter:
        • Virtual datacenter: The platform will create your firewall in the cloud provider. It will add a provider-ID that will display on the main Firewalls page. The platform will synchronize rules with the provider
        • No virtual datacenter: If allowed by the provider. The platform will create the firewall in the platform only, for your enterprise in the public cloud region. The platform will not synchronize rules with the provider. The platform will create the firewall in the provider when you select a virtual datacenter.
      • Default: Optional. Select to make the firewall the default for the virtual datacenter
      • Description: Description of the firewall policy

  4. Click Save to create the firewall
  5. Add Firewall rules as described below

If you entered a virtual datacenter, the platform created your firewall in the provider. The platform will display a Provider-ID and a Virtual datacenter ID for the firewall. 

If you selected No virtual datacenter, the firewall will be created in the platform in the public cloud region for your enterprise. The synchronize process will not update this firewall. The platform will not create it in the provider until you select a virtual datacenter.



3.5. Edit firewall rules

You can define firewall rules for inbound and outbound traffic in your firewall policy.

To add a new firewall rule:

  1. Select the virtual datacenter or location
  2. Select the firewall
  3. On the Firewall rules panel, click the pencil Edit button
  4. Select the Inbound or Outbound tab for the traffic direction you wish to control
  5. Enter the details of a rule
    1. Protocol
      • Select from Common protocols, OR
      • Select and enter a Custom protocol
    2. Port range with the Start port and End port that this rule will apply to. To apply the rule to one port, enter the same value twice; to apply it to several ports at the same time, enter a range
    3. Sources or Targets as a network address and netmask
  6. Click Add. The firewall rule will be added to the Firewall rules list
  7. Enter more rules as required, then click Save

3.6. Move firewall policies

To move a firewall to another virtual datacenter:

  • In Neutron, edit the firewall in Abiquo and change the VDC
  • In Azure ARM, edit the firewall and change or remove the virtual datacenter
  • In AWS, delete the firewall directly in the provider, then synchronize so the provider ID will be removed from the firewall in Abiquo. Now you can edit the firewall and change the virtual datacenter. This is because you are not allowed to edit firewalls or move them from one VPC to another in AWS, but you can do this in Abiquo. The following screenshot shows a firewall after the AWS security group was deleted. The firewall rules are preserved for you to edit or apply to another virtual datacenter.

3.7. Troubleshooting firewalls

Q: Does my firewall exist in the provider? Which VDC does it belong to?

A: In the Abiquo API, the firewall object contains a link to the virtual datacenter it belongs to.

  • In AWS or Azure ARM, if a firewall has a provider ID, then it exists in the cloud provider. The provider ID is the AWS security group ID or the Azure firewall name.
  • Neutron assigns a provider ID to the firewall and it remains the same. In Neutron, the provider ID does not indicate if the firewall is assigned to a VDC or not. This means that the firewall can have a provider ID even when it does not exist in the provider.

3.8. Delete a firewall policy

To delete a firewall policy:

  1. Edit each VM that is using the firewall policy to remove the firewall policy
  2. Select the firewall policy
  3. Click the Delete button

4. Manage classic firewalls

4.1. Onboard classic firewalls

Abiquo enables you to onboard and edit Classic firewalls from vCloud Director. A classic firewall is the firewall service in the orgVdc Edge. Users work with classic firewalls at the public cloud region level. In the platform there is no association between classic firewalls and virtual datacenters or classic firewalls and VMs, so you may need to onboard classic firewalls separately.

To onboard classic firewalls:

  1. Go to Virtual datacenters → Select All → Select a region → Network → Classic firewalls
  2. At the bottom of the Classic firewalls list, click the double-arrow synchronize button
  3. For each classic firewall that you want to onboard, select the classic firewall and click the double-arrow synchronize button next to the firewall name. The platform will retrieve the classic firewall and its rules.

To synchronize a firewall that you onboarded earlier, click the synchronize double-arrow button beside the firewall name.

Troubleshooting: If the classic firewall tab does not display as expected, check that your platform has the correct UI configuration for this feature

4.2. Edit a classic firewall

To edit a classic firewall:

  1. Go to Virtual datacenters → All → Network → Classic firewalls
  2. Select the firewall and click the pencil edit button.

Change the name and description as required, then click Save.

4.2.1. View the provider ID of a classic firewall

To view the provider ID of a classic firewall, edit the firewall.

4.3. Change the sequence of rules in a classic firewall

In vCloud Director, when traffic arrives at the firewall, the Edge will attempt to match the rules from rule 0 to the end of the list of rules. The Edge will use the last rule (with the highest sequence number) as the default rule. The default rule must cover all ports from any source or destination and you cannot move an invalid rule into the last position.

The platform will maintain the rules in order with no gaps.

To change the order of rules, click the pencil edit button beside a Sequence number, then enter a new Sequence number and click ok. The platform will move the other rules to fit around the changed rule.

For example, to move a rule from position 1 to position 2, enter 2 and click "ok".

The platform will now move the rule that was in position 2 to position 1. 

4.4. Create and edit the rules of a classic firewall

You can edit existing rules and create new rules for classic firewalls. 

The last rule in the sequence is the default rule in the Edge. In vCloud Director, if you disable the default rule, this will disable the firewall service in the Edge. This means that the rules will still exist in the Edge but they will not be active.

To create a firewall rule, click the + add button and complete the following dialog.

Field: Description

  • Sequence: Position in the order of evaluation of rules, which is from lowest to highest. You should create rules using existing sequence numbers. The platform will reorder the rules to fit around the new rule. If you create a new rule at the end of the sequence, then it will be the default rule. If you disable the default rule, then the platform will disable the firewall in the Edge.
  • Protocols: Optionally select from the list of common protocols
  • Source ports: The firewall rule will apply to this inclusive range of ports
  • Source: Source can be in the following formats: IP address, CIDR, IP range, 'any', 'internal', and 'external'
  • Destination ports: The firewall rule will apply to this inclusive range of ports
  • Destination: Destination can be in the following formats: IP address, CIDR, IP range, 'any', 'internal', and 'external'
  • Description: Describe the classic firewall rule
  • Action: Select "Allow" or "Deny"
  • Logged: Optional. Select to use logging
  • Enabled: Select to enable the rule. If this rule is in the last position, then it is the default rule. If you disable the default rule, then you will disable the firewall in the Edge. The rules will still be present, but the Edge will not apply them
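The sequence rules from sections 4.3 and 4.4 (contiguous numbering, shifting the other rules around a moved or inserted rule, the last rule being the default rule that must cover any source, destination and port, and a disabled default rule disabling the Edge firewall service) as an added Python model. This is example code, not Abiquo or vCloud Director code; the rule fields and sample rules are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class ClassicRule:
    """One classic firewall rule; field names follow the dialog above."""
    description: str
    source: str = "any"            # IP, CIDR, IP range, 'any', 'internal', 'external'
    destination: str = "any"
    source_ports: str = "any"      # inclusive range such as "1024-65535", or "any"
    destination_ports: str = "any"
    action: str = "Allow"          # "Allow" or "Deny"
    enabled: bool = True


def is_valid_default(rule: ClassicRule) -> bool:
    """The last (default) rule must cover all ports from any source or destination."""
    return all(v == "any" for v in (rule.source, rule.destination,
                                    rule.source_ports, rule.destination_ports))


def _check_default(rules: List[ClassicRule]) -> None:
    # Whatever ends up last after a move or insert must be a valid default rule.
    if rules and not is_valid_default(rules[-1]):
        raise ValueError(f"rule {rules[-1].description!r} cannot be the default (last) rule")


def move_rule(rules: List[ClassicRule], old_seq: int, new_seq: int) -> List[ClassicRule]:
    """Move the rule at old_seq to new_seq. The other rules shift to fit around
    it, so the sequence stays contiguous from 0 with no gaps."""
    n = len(rules)
    if not (0 <= old_seq < n and 0 <= new_seq < n):
        raise ValueError("sequence number out of range")
    new = list(rules)
    new.insert(new_seq, new.pop(old_seq))
    _check_default(new)
    return new


def add_rule(rules: List[ClassicRule], rule: ClassicRule, seq: int) -> List[ClassicRule]:
    """Create a rule at an existing sequence number (the rules from seq onward
    shift down by one), or at len(rules) to append it as the new default rule."""
    if not (0 <= seq <= len(rules)):
        raise ValueError("sequence number out of range")
    new = list(rules)
    new.insert(seq, rule)
    _check_default(new)
    return new


def firewall_service_active(rules: List[ClassicRule]) -> bool:
    """Disabling the default (last) rule disables the firewall service in the
    Edge, even though the other rules remain present."""
    return bool(rules) and rules[-1].enabled


def sequence_table(rules: List[ClassicRule]):
    """(Sequence, description) pairs as the Classic firewalls list shows them."""
    return [(seq, r.description) for seq, r in enumerate(rules)]
```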

4.5. Manage classic firewalls with the API

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource ClassicFirewallsResource.


5. Manage load balancers

The load balancer feature aims to simplify the creation of load balancers across all cloud platforms, providing a unified interface. You can create a load balancer in the enterprise for the location and later assign it to a virtual datacenter, and then the platform will create it in the provider. You can also reuse load balancer configurations.

Please refer to cloud provider documentation as the definitive guide to the load balancing features.  And remember to check your cloud provider pricing before you begin.

In vCloud Director, load balancers belong to a public cloud region, not a virtual datacenter. This means that in vCloud Director, you can attach VMs from more than one virtual datacenter to the same load balancer, and these load balancers do not work with private networks, which belong to only one virtual datacenter.


5.1. Display load balancers

You can display and manage load balancers in the platform at the level of the virtual datacenter or the location (public cloud region or datacenter).

To display load balancers in a region, including those that are not assigned to a virtual datacenter in a provider:

  1. Go to Virtual datacenters
  2. In the Virtual datacenters list, select All
  3. Go to Network → Load balancers
  4. In the Regions pull-down list, select the Region name

To display load balancers in virtual datacenters:

  1. Go to Virtual datacenters
  2. Select a virtual datacenter
  3. Go to Network → Load balancers

5.2. Create load balancers

Before you begin:
  • Synchronize your virtual datacenters (including VMs, networks, firewalls, firewall rules, and load balancers)
  • If required by your provider, create firewalls for your VMs to allow your load balancers to access the VMs
  • In Azure make sure that your VMs belong to availability sets


Privileges: Manage load balancers, Assign load balancers


To create a load balancer:

  1. Go to Virtual datacenters → select a virtual datacenter → Network → Load balancers
    1. For vCloud, select All virtual datacenters → Network → Load balancers → Region
  2. Click the + add button and complete the following dialogs according to your cloud provider's documentation

5.2.1. Load balancer general information

The following screenshots are from AWS.


Field: Value

  • Name: The name of the load balancer.
    • Amazon will only accept the following characters: A-Z, a-z, 0-9 and "-", and you cannot modify the name
    • Azure will not accept names with white space
  • Subnets: In providers that support subnets, the subnets to which the load balancer will connect
  • Algorithm: See cloud provider documentation for more information
  • Addresses:
    • AWS: private or public IP
    • Rackspace: private or public IP
    • Azure ARM: private or public IP
    • Neutron: private IP, or private and public IPs
    • NSX: private IP, or private and public IPs
    • vCloud Director: private or public IP (IPs on external networks)
    • You may be able to change the address to another one in the same VDC by editing the load balancer


5.2.2. Load balancer routing rules

Field: Value

  • Common protocols: Select one of the common protocols to load presets
  • Protocol in: The incoming protocol to the load balancer. See cloud provider documentation for accepted values.
  • Port in: The incoming port to the load balancer. See cloud provider documentation for accepted values.
  • Protocol out: The outgoing protocol from the load balancer.
  • Port out: The outgoing port from the load balancer
  • SSL Certificate: For secure connections (e.g. HTTPS), you can add an SSL certificate. Select an existing certificate or add a new one. Cannot be used in platform-only load balancers
    • The platform will never store or validate the SSL certificate
    • The platform will pass the certificate directly to the provider
  • Add: Click Add to save a routing rule for the load balancer

To delete a routing rule, click the delete button beside the name of the routing rule in the list

5.2.3. Load balancer SSL certificate

Field: Value

  • Name: Name of the certificate
  • Certificate: The certificate contents
  • Intermediate certificate: An intermediate certificate can be issued by a provider to support older browsers that may not have all of the trusted root certificates for that provider, so that users will not receive invalid SSL warnings. If you have an intermediate certificate, add it at the same time as the certificate to ensure that a trusted-chain certificate is configured.
  • Private key: The RSA private key for the certificate

5.2.4. Load balancer health check

 

Field: Value

  • Common protocols: Select one of the most common protocols to load presets
  • Name: Name of the health check
  • Protocol: The protocol with which the health check will be performed
  • Port: The port to which the health check will be performed
  • Path: The server path to ping (for supported protocols)
  • Interval (sec): The interval in seconds between health checks
  • Timeout (sec): The timeout in seconds after which an attempted health check will be considered unsuccessful
  • Attempts: The number of attempts before the health check will be considered unsuccessful
  • Add: Add the current health check to the load balancer

5.2.5. Load balancer firewalls

If your provider supports firewalls, to add a firewall to your load balancer, select your firewall from the list of Firewalls that were created in your provider. Rackspace does not display a firewall selection list.

If a firewall is not on the list, it may not have been properly synchronized. In this case, you will need to click Cancel, synchronize firewalls and start again to create a new load balancer.

5.2.6. Assign load balancer nodes

To assign your load balancer to VMs, drag and drop the VMs from the Available Nodes list into the Attached Nodes list.

  • The VMs to be load balanced can be in the same or different virtual appliances in the same virtual datacenter
  • You can also attach VMs by selecting load balancers when configuring the VM. 

The platform will display the Status of the load balancer nodes on the Nodes tab, if status information is available from the provider.

You can also check the status using the Abiquo API.


5.3. Edit load balancers

The cloud provider determines which elements of a load balancer you can modify. Because provider support for load balancer features differs, it may be possible to make modifications in the platform that the cloud provider later rejects, triggering an error. Check your cloud provider documentation for supported modifications.


6. Manage VPNs

The platform enables you to create site-to-site VPNs between virtual datacenters and other virtual datacenters or other entities. 

This feature is available in datacenters using VMware with NSX-NAT or NSX-gateway.

To manage VPNs, go to Virtual datacenters → select a virtual datacenter → Network → VPN

Initial support for VPNs requires you to create a VPN site for each connected virtual datacenter. Both sites of a VPN must have the same encryption and authentication settings, and inverse local and remote network configurations.

The following table describes VPN functionality in the providers.


Provider: AWS
  • Encryption: AES
  • Perfect forward secrecy enabled: always enabled
  • DH group: DH2
  • Authentication: PSK (mandatory)

Provider: VMware NSX
  • Encryption: AES, AES256, Triple DES, AES-GCM
  • Perfect forward secrecy enabled: optional
  • DH group: DH2, DH5, DH14
  • Authentication: PSK (mandatory)

Provider: Azure
  • Encryption: AES128_SHA1, AES128_SHA256, AES256_SHA1, AES256_SHA256, _3DES_SHA1, _3DES_SHA256
  • Perfect forward secrecy enabled: always disabled
  • DH group: DH2, DH14
  • Authentication: PSK (mandatory)

To connect private cloud with public cloud, define the VPN site in private cloud first. 

  • In Azure you can create a VPN using a dummy address for the local gateway (site 1) and edit it after you create the Azure VPN site
  • Azure may automatically select a compatible encryption type
  • In AWS you must supply the IP address of site 1 and you cannot edit it, so you must create site 1 first and the VPN site in AWS will always be site 2

To create the VPN site for site 1:

  1. Go to Virtual datacenters → select a virtual datacenter → Network → VPN
  2. Click the + add button and enter the VPN details

The platform will create the VPN site.

Field: Description

  • Name: Name of the VPN
  • Encryption algorithm: Select the encryption algorithm
  • Perfect forward secrecy enabled: Select to enable perfect forward secrecy to protect your session keys
  • DH group: Diffie-Hellman group for the VPN
  • Authentication: Select the authentication method. Preshared key authentication may be mandatory in some providers
  • Preshared key: Enter the preshared key to be used for this session. Click the link beside the text entry box to show or hide the value of the key. For AWS the PSK must be alphanumeric or "." or "_", between 8 and 64 characters, and cannot start with 0.
  • Local endpoint: NAT IP in the VDC or an automatically generated address in public cloud
  • Local networks: Select VDC networks. We recommend that you do not use the default private network addresses for both sides of a VPN
  • Remote endpoint: NAT IP in the remote VDC
  • Remote networks: Add network addresses using CIDR notation. Click x beside a network to remove it from the VPN configuration

To create the VPN site for site 2 in another VDC:

  1. Select the virtual datacenter
  2. Add another VPN site using the same encryption and authentication settings, and the remote network configuration of the first VPN site as the local values.

After you have created both VPN sites, on the VPNs tab, to check the connection in the network virtualization system, click the Check link in the VPN Status column, or when you edit a VPN site.
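A pre-flight check for a pair of VPN sites, as an added Python example that is not Abiquo code: it encodes the provider table above (encryption, PFS behaviour, DH groups, mandatory PSK), the AWS preshared key format from the field table, and the rule that site 2 must mirror site 1 with inverse local and remote values. Endpoints, networks and keys in the usage are constructed documentation values; Azure's automatic selection of a compatible cipher is handled only by skipping the name comparison when one side is Azure.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Provider capabilities transcribed from the VPN table above.
PROVIDERS = {
    "AWS": {"encryption": {"AES"}, "pfs": "always enabled", "dh": {"DH2"}},
    "VMware NSX": {"encryption": {"AES", "AES256", "Triple DES", "AES-GCM"},
                   "pfs": "optional", "dh": {"DH2", "DH5", "DH14"}},
    "Azure": {"encryption": {"AES128_SHA1", "AES128_SHA256", "AES256_SHA1",
                             "AES256_SHA256", "_3DES_SHA1", "_3DES_SHA256"},
              "pfs": "always disabled", "dh": {"DH2", "DH14"}},
}

# AWS PSK rule from the field table: alphanumeric, "." or "_", 8 to 64 characters,
# and the first character cannot be 0.
AWS_PSK = re.compile(r"[A-Za-z1-9._][A-Za-z0-9._]{7,63}")


@dataclass
class VpnSite:
    name: str
    provider: str            # key of PROVIDERS
    encryption: str
    pfs: bool                # perfect forward secrecy enabled
    dh_group: str
    preshared_key: str
    local_endpoint: str      # NAT IP of this VDC (or generated address in public cloud)
    remote_endpoint: str     # NAT IP of the other VDC
    local_networks: Set[str]     # CIDR strings
    remote_networks: Set[str]


def check_site(site: VpnSite) -> List[str]:
    """Problems with one site measured against its provider's capabilities."""
    caps = PROVIDERS[site.provider]
    problems = []
    if site.encryption not in caps["encryption"]:
        problems.append(f"{site.name}: {site.provider} does not support encryption {site.encryption}")
    if site.dh_group not in caps["dh"]:
        problems.append(f"{site.name}: {site.provider} does not support DH group {site.dh_group}")
    if caps["pfs"] == "always enabled" and not site.pfs:
        problems.append(f"{site.name}: perfect forward secrecy is always enabled in {site.provider}")
    if caps["pfs"] == "always disabled" and site.pfs:
        problems.append(f"{site.name}: perfect forward secrecy is always disabled in {site.provider}")
    if not site.preshared_key:
        problems.append(f"{site.name}: preshared key authentication is mandatory")
    elif site.provider == "AWS" and not AWS_PSK.fullmatch(site.preshared_key):
        problems.append(f"{site.name}: preshared key does not meet the AWS format rules")
    if site.local_networks & site.remote_networks:
        # The same address on both sides is what the Local networks advice warns about.
        problems.append(f"{site.name}: the same network address appears on both sides")
    return problems


def check_pair(site1: VpnSite, site2: VpnSite) -> List[str]:
    """Both sites need the same encryption and authentication settings and
    inverse local/remote endpoints and networks."""
    problems = check_site(site1) + check_site(site2)
    # Azure may select a compatible encryption type automatically, so the
    # algorithm names are compared only when neither side is Azure.
    if "Azure" not in (site1.provider, site2.provider) and site1.encryption != site2.encryption:
        problems.append("encryption algorithms differ")
    for attr, label in (("pfs", "perfect forward secrecy"), ("dh_group", "DH group"),
                        ("preshared_key", "preshared key")):
        if getattr(site1, attr) != getattr(site2, attr):
            problems.append(f"{label} settings differ")
    if site1.local_endpoint != site2.remote_endpoint or site1.remote_endpoint != site2.local_endpoint:
        problems.append("endpoints are not the inverse of each other")
    if site1.local_networks != site2.remote_networks or site1.remote_networks != site2.local_networks:
        problems.append("local and remote networks are not the inverse of each other")
    return problems
```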
