Screenshot: Private networks in private cloud
Screenshot: Private networks in public cloud (AWS)
In the Networks list, to view the pool and allocation of IPs:
You can then:
To create a private network:
Create private network
Create private network Amazon
Name of the network (VLAN). The name can contain up to 128 characters
Select checkbox for IPv6 network
Private address range of the network
|Netmask||For IPv4, the network mask as a prefix length, an integer between 16 and 30|
Gateway of the VLAN. Must be an IP within the range of the network address and mask
|Internet gateway||In AWS, select this option to create a public subnet with a route to an internet gateway|
|Availability zone||In AWS, optionally select an Availability zone for high availability. To deploy a group of VMs separately, use a different availability zone for each VM. To assign a VM to an availability zone, assign a private IP address in the network belonging to the required availability zone|
The primary DNS
The secondary DNS
The DNS suffix. The Abiquo NSX-T integration does not use this attribute but you can enter it for information purposes.
|Excluded from firewall||Select Excluded from firewall to define a network where VM firewalls will not apply|
In supported providers, optionally select Define to create static routes. See Configure Static Routes using DHCP
Select to make this network the default network, replacing the existing default network
You can configure static routes when you create or edit a network. However, you should check with your systems administrator about when your VM will receive changes to static routes.
Destination network mask
Destination network or host
Next hop (on your network)
Name of the VLAN. The name can contain up to 128 characters
|IPv6||Select checkbox for IPv6 network|
|Strict||IPv6 only. If you select Strict, Abiquo will automatically generate the network address (ULA) and also the IP addresses. If you do not select strict, you can enter the network address and IP addresses.|
|Netmask||Network mask as a prefix length of 48, 56 or 64.|
Private address range of the network. Only for non-strict networks
The primary DNS
The secondary DNS
The DNS suffix
Make this network the default network. In a datacenter, this will override the existing default network
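The IPv4, IPv6 and static-route fields described above impose checks that the dialog enforces before a network is saved. The following is an added example written for this page, not Abiquo code: it validates a private network definition under the same rules (IPv4 prefix 16 to 30 with the gateway inside the range, IPv6 prefix 48, 56 or 64, static-route next hop on the network) and, for a strict IPv6 network, generates a ULA block in the RFC 4193 form. The function names, the `rand` parameter and the ULA generator are this example's own assumptions; the page does not show how the platform itself derives the ULA.

```python
import ipaddress
import os

# Constraints from the tables above: IPv4 prefix length 16-30, IPv6 prefix
# length 48, 56 or 64, gateway inside the network, static-route next hop on
# the network. The function and parameter names are this example's own.
IPV4_PREFIXES = range(16, 31)
IPV6_PREFIXES = (48, 56, 64)


def generate_ula(prefix_len, rand=os.urandom):
    """Return an RFC 4193 unique local address block (fd00::/8 plus a random
    40-bit global ID). This stands in for the ULA a strict IPv6 network gets;
    the platform's own generator is not shown on the page (assumption)."""
    if prefix_len not in IPV6_PREFIXES:
        raise ValueError("IPv6 prefix length must be 48, 56 or 64")
    global_id = int.from_bytes(rand(5), "big")        # 40 random bits
    base = (0xFD << 120) | (global_id << 80)           # fdGG:GGGG:GGGG::/48
    return ipaddress.IPv6Network((base, prefix_len))   # subnet bits left at 0


def validate_static_route(net, destination, mask, next_hop):
    """A static route is only deliverable if its next hop is an address on
    the network the VM is attached to."""
    dest = ipaddress.ip_network((destination, mask), strict=True)
    hop = ipaddress.ip_address(next_hop)
    if hop.version != net.version or hop not in net:
        raise ValueError(f"next hop {hop} is not on {net}")
    return dest, hop


def validate_private_network(address=None, prefix_len=None, gateway=None,
                             ipv6=False, strict=False, static_routes=(),
                             rand=os.urandom):
    """Validate the fields of a private network definition and return the
    resulting network object, or raise ValueError on the first problem."""
    if ipv6:
        if strict:
            net = generate_ula(prefix_len, rand)       # address is generated
        else:
            if prefix_len not in IPV6_PREFIXES:
                raise ValueError("IPv6 prefix length must be 48, 56 or 64")
            net = ipaddress.IPv6Network((address, prefix_len), strict=True)
    else:
        if prefix_len not in IPV4_PREFIXES:
            raise ValueError("IPv4 prefix length must be between 16 and 30")
        # strict=True rejects an address with host bits set (not a network)
        net = ipaddress.IPv4Network((address, prefix_len), strict=True)
        gw = ipaddress.ip_address(gateway)
        usable = gw in net and gw not in (net.network_address,
                                          net.broadcast_address)
        if not usable:
            raise ValueError(f"gateway {gw} is not a host address in {net}")
    for destination, mask, next_hop in static_routes:
        validate_static_route(net, destination, mask, next_hop)
    return net


if __name__ == "__main__":
    # Constructed inputs: a /24 with a route to 10.20.0.0/16 via a router on it.
    print(validate_private_network("192.168.10.0", 24, "192.168.10.1",
                                   static_routes=[("10.20.0.0", 16,
                                                   "192.168.10.254")]))
    print(validate_private_network(prefix_len=48, ipv6=True, strict=True))
```

The mask of a static route may be given either as a prefix length or as a dotted netmask; `ipaddress.ip_network` accepts both in the tuple form used here.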
Or you can add an IP directly to a VM. To do this:
When you add IPv6 addresses on strict networks, you don't need to set the starting address. On non-strict IPv6 networks, Abiquo recommends that you create an automatic IP address, or you can enter a From IP address manually.
The new settings will apply to all VMs deployed after you save the network.
To delete a private network:
To display onboarded external networks
If an onboarded network has been deleted in the provider, its name will display in light gray text. If a VM is using an IP from this network, then you cannot deploy the VM.
If there are no VMs using the IPs of an external network that was already deleted in the provider, to delete the network in the platform, select it and click the delete button.
To set a network as the default, you will require privileges to access this network in the virtual infrastructure.
To assign a network as the default for a virtual datacenter do these steps:
To add new public IP addresses to your virtual datacenter:
The platform will add the IPs to your VDC
You can also reserve public IPs directly from the Edit VM dialog.
The provider may charge for public IP addresses as soon as you reserve them for your virtual datacenter. Therefore you should reserve your IP addresses just before you deploy and check they are deleted when you undeploy your VMs. Remember that your provider may also limit the number of public IP addresses that you can use per virtual datacenter.
To add public IP addresses to your virtual datacenter, so that you can later assign them to your VMs:
Now when you edit a VM in the VDC and go to Network → Public, the platform will display the public IP address and you can add it to your VM.
To obtain a public IP directly for a VM, click Purchase public IPs.
In private cloud, to release a public IP that belongs to a public network, select the IP in the IP list and click the delete button.
In public cloud, click the link to Remove from VDC and then click the delete button.
This feature applies to public IPs in infrastructure that NSX manages, in vCenter and vCenter cluster datacenters.
When you upgrade the platform or create a virtual datacenter, the public IPs bandwidth limit is disabled. To enable the limit for the public IPs of the VDC, edit the bandwidth limit.
To edit the bandwidth limit and enable it in the platform:
|Enabled||To enable traffic shaping in a specific direction, select this checkbox|
|Average||The average amount of bandwidth, in bits per second, that each public IP in the virtual datacenter can use|
|Peak||The maximum bandwidth in bits per second that each public IP in the virtual datacenter can use|
|Burst size||The amount of data that can be transmitted at the peak bandwidth rate in bytes. A burst bonus accumulates when traffic is below the Average value and this bandwidth can be used for bursts|
To register changes that were made outside the platform, save existing public IP bandwidth values. In the API, to register changes, send a POST request with the existing values.
To reserve private IPs:
The platform will list the VMs in the virtual datacenter. Optionally select VMs to indicate where the IPs might be used. Note that you must check that the VMs are able to use these IPs. This selection does not assign the IPs to VMs.
The platform will display a padlock symbol and the reason beside the reserved IP addresses.
To display NAT rules for a VM:
To manage or display NAT rules for a VM:
To create a DNAT rule:
Enter the details of the DNAT rule
|Original (NAT IP)||Select the IP address for external connections|
|Protocol||Select the protocol for the connection, which can include TCP, UDP, any, ICMP|
|Translated||Select the private IP that is attached to the VM|
|Use all ports||Mark this checkbox to create a NAT rule for all ports|
|Original port||Enter the port for external connections. You cannot use the Original port for the NAT IP in more than one NAT rule. The platform will display the ports that are already used in other rules for the selected NAT IP.|
|Translated port||Enter the port on the VM|
To create an SNAT rule:
Enter the addresses of the SNAT rule
|Original||Select the IP that is attached to the VM|
|Translated (NAT IP)||Select the IP address for outgoing connections|
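The DNAT and SNAT dialogs above share one constraint worth seeing in code: an original port on a NAT IP can be used by only one rule, and an all-ports rule takes the whole address. The following is an added example written for this page, not Abiquo code, that models a virtual datacenter's NAT table with that uniqueness check, the used-ports list the dialog shows, and the inbound and outbound lookups a packet would follow. The class and method names, and the 203.0.113.0/24 and 10.0.0.0/24 addresses, are constructed for the example.

```python
import ipaddress

PROTOCOLS = ("TCP", "UDP", "ICMP", "any")


class NatRuleError(ValueError):
    pass


class NatTable:
    """DNAT and SNAT rules of one virtual datacenter (constructed model; the
    platform's own data structures are not shown on the page)."""

    def __init__(self):
        self.dnat = []
        self.snat = []

    def used_ports(self, nat_ip):
        """Original ports already taken on this NAT IP, as the dialog lists
        them; ["all"] when an all-ports rule owns the whole address."""
        rules = [r for r in self.dnat if r["nat_ip"] == nat_ip]
        if any(r["all_ports"] for r in rules):
            return ["all"]
        return sorted(r["original_port"] for r in rules)

    def _conflict(self, nat_ip, original_port, all_ports):
        for r in self.dnat:
            if r["nat_ip"] != nat_ip:
                continue
            # An all-ports rule owns every port; a specific original port may
            # be mapped only once per NAT IP (the page's rule, regardless of
            # protocol).
            if r["all_ports"] or all_ports or r["original_port"] == original_port:
                return r
        return None

    def add_dnat(self, nat_ip, translated_ip, protocol="TCP",
                 original_port=None, translated_port=None, all_ports=False):
        if protocol not in PROTOCOLS:
            raise NatRuleError(f"unsupported protocol {protocol}")
        nat_ip = str(ipaddress.ip_address(nat_ip))
        translated_ip = str(ipaddress.ip_address(translated_ip))
        if all_ports:
            original_port = translated_port = None
        else:
            for p in (original_port, translated_port):
                if not isinstance(p, int) or not 1 <= p <= 65535:
                    raise NatRuleError(f"invalid port {p!r}")
        clash = self._conflict(nat_ip, original_port, all_ports)
        if clash is not None:
            raise NatRuleError(
                f"port {original_port or 'all'} on {nat_ip} is already used "
                f"(used ports: {self.used_ports(nat_ip)})")
        rule = dict(nat_ip=nat_ip, protocol=protocol, translated_ip=translated_ip,
                    original_port=original_port, translated_port=translated_port,
                    all_ports=all_ports)
        self.dnat.append(rule)
        return rule

    def resolve_inbound(self, nat_ip, port):
        """Where a connection arriving at nat_ip:port is delivered:
        (translated_ip, translated_port), or None when no rule matches."""
        for r in self.dnat:
            if r["nat_ip"] != nat_ip:
                continue
            if r["all_ports"]:
                return r["translated_ip"], port
            if r["original_port"] == port:
                return r["translated_ip"], r["translated_port"]
        return None

    def add_snat(self, original_ip, nat_ip):
        rule = dict(original_ip=str(ipaddress.ip_address(original_ip)),
                    nat_ip=str(ipaddress.ip_address(nat_ip)))
        self.snat.append(rule)
        return rule

    def resolve_outbound(self, vm_ip):
        """The NAT IP a VM's outgoing connections are sourced from, or None."""
        for r in self.snat:
            if r["original_ip"] == vm_ip:
                return r["nat_ip"]
        return None


if __name__ == "__main__":
    table = NatTable()
    table.add_dnat("203.0.113.10", "10.0.0.5", "TCP", 443, 8443)
    table.add_snat("10.0.0.5", "203.0.113.10")
    print(table.resolve_inbound("203.0.113.10", 443), table.used_ports("203.0.113.10"))
```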
The platform will automatically create a NAT rule to match the port mappings of the routing rule of the load balancer.
To obtain an additional NAT IP address:
The platform will reserve an IP address and allocate it to your virtual datacenter.
You can then use the NAT IP address as the public IP address for a load balancer or to provide access to a private IP address.
When you create a virtual datacenter, the new "natbandwidthlimit" attribute is present but you must edit the virtual datacenter to enable it in the platform and in the NSX.
To edit the bandwidth limit and apply it in the NSX:
|Provider ID||Read only|
|Enabled||To enable traffic shaping in a specific direction, select this checkbox|
|Average||The average amount of bandwidth, in bits per second, that the virtual datacenter can use|
|Peak||The maximum bandwidth in bits per second that the virtual datacenter can use|
|Burst size||The amount of data that can be transmitted at the peak bandwidth rate in bytes. A burst bonus accumulates when traffic is below the Average value and this bandwidth can be used for bursts.|
To register changes that were made outside the platform, save existing NAT bandwidth values. In the API, to register changes, send a POST request with the existing values.
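The Average, Peak and Burst size fields in the two bandwidth limit tables above (for public IPs and for NAT) have the same semantics, and the interaction between them is easier to see in a short simulation than in prose. The following is an added example written for this page, not the NSX implementation: a per-second model in which unused Average allowance is banked up to Burst size and can then be spent on a burst, but never above Peak. Class and function names and the traffic profile are constructed for the example.

```python
class TrafficShaper:
    """Shaper for one direction, using the three values from the tables above:
    Average (bits per second), Peak (bits per second) and Burst size (bytes).
    Time is stepped in whole seconds for clarity. Illustrative model written
    for this page; not the NSX shaper itself."""

    def __init__(self, average_bps, peak_bps, burst_bytes, enabled=True):
        self.enabled = enabled
        self.average = average_bps // 8      # bytes per second
        self.peak = peak_bps // 8            # bytes per second
        self.burst = burst_bytes             # ceiling on the banked bonus
        self.bonus = 0                       # bytes banked while under Average

    def step(self, offered_bytes):
        """Bytes let through in this one-second interval; the remainder is
        what a real shaper would queue or drop."""
        if not self.enabled:
            return offered_bytes
        # Never more than Peak, and never more than Average plus the bonus
        # banked in earlier intervals that stayed below Average.
        allowed = min(offered_bytes, self.peak, self.average + self.bonus)
        # Unused Average allowance is banked (capped at Burst size); sending
        # above Average spends the bonus.
        self.bonus = max(0, min(self.burst, self.bonus + self.average - allowed))
        return allowed


def simulate(offered, average_bps=1_000_000, peak_bps=2_000_000,
             burst_bytes=100_000, enabled=True):
    """Run a constructed per-second profile (bytes offered in each second)
    through the shaper and return the bytes allowed in each second."""
    shaper = TrafficShaper(average_bps, peak_bps, burst_bytes, enabled)
    return [shaper.step(b) for b in offered]


if __name__ == "__main__":
    # A quiet second, two saturated seconds, a quiet second, another burst.
    print(simulate([0, 500_000, 500_000, 100_000, 200_000]))
```

With the defaults (1 Mbps average, 2 Mbps peak, 100 KB burst) the quiet first second banks the full 100 KB, so the second second can pass 225 KB; once the bonus is spent, throughput falls back to the 125 KB per second that Average allows, and Peak is never exceeded.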
This section describes firewall policies, which are similar to security groups. The platform supports firewall policies in private cloud with network managers (NSX, NSX-T) and in public cloud.
Abiquo firewall policies represent.
For more details, please see the public cloud features table for each provider.
In vCloud Director, the platform also supports classic firewalls, which are Edge firewalls at level of the public cloud region (orgVDC). See Manage classic firewalls.
To display firewalls in a virtual datacenter in a provider:
To display all firewalls in Google Cloud Platform
To display all firewalls in a location (public cloud region or datacenter):
To filter firewalls, enter text in the Search box to search by the Name, Description, and Provider ID in the Firewalls list.
To display firewalls in an Azure Resource Group:
To synchronize firewalls do these steps:
To synchronize a firewall in AWS before you add new firewall rules:
To create a new firewall, do these steps:
Name of the firewall policy.
|Location||Public cloud region or datacenter|
|Default||Optional. Select to make the firewall the default for the virtual datacenter|
Description of the firewall policy
If you selected a virtual datacenter, the platform creates the firewall in the provider and displays a Provider ID and a Virtual datacenter ID for it.
If you selected No virtual datacenter, the firewall will be created in the platform in the public cloud region for your enterprise. The synchronize process will not update this firewall. The platform will not create it in the provider until you select a virtual datacenter.
To add a new firewall rule:
Before you edit firewall rules in AWS, synchronize the firewall to update the rules because AWS will not allow you to create a rule that already exists in the security group. Remember that it may take some time for firewall rules to propagate throughout AWS. Until the rules have propagated, the platform will not be able to detect them. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/query-api-troubleshooting.html#eventual-consistency
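The two points in the paragraph above, that the provider rejects a rule that already exists and that a just-written rule may not be visible to the next read, are what an idempotent rule update has to cope with. The following is an added example written for this page, not Abiquo or AWS SDK code: it normalizes rules given in the EC2 IpPermissions shape so that equal rules compare equal, computes the difference against a fresh read, and applies only the missing rules while tolerating a duplicate rejection caused by a stale read. The `FakeSecurityGroup` that lags one read behind its writes is constructed to stand in for the provider; no real API is called.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One normalized firewall rule (direction, protocol, port range, CIDR)."""
    direction: str    # "ingress" or "egress"
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int    # -1 when the protocol carries no ports
    to_port: int
    cidr: str


def normalize(direction, permissions):
    """Flatten permissions in the EC2 IpPermissions shape into a set of Rule
    objects, so two rules compare equal exactly when the provider would treat
    them as the same rule (case and the 'all'/'-1' spellings folded)."""
    rules = set()
    for perm in permissions:
        proto = str(perm["IpProtocol"]).lower()
        if proto in ("-1", "all"):
            proto, from_port, to_port = "-1", -1, -1
        else:
            from_port = int(perm.get("FromPort", -1))
            to_port = int(perm.get("ToPort", from_port))
        for rng in perm.get("IpRanges", []):
            rules.add(Rule(direction, proto, from_port, to_port, rng["CidrIp"]))
    return rules


def plan(desired, existing):
    """Rules still to authorize, and rules already present in the provider."""
    return desired - existing, desired & existing


class DuplicateRule(Exception):
    pass


class FakeSecurityGroup:
    """Stand-in for a provider security group (constructed for this example).
    Like AWS, it rejects a rule that already exists, and a read returns the
    state as of the previous read, mimicking eventual consistency."""

    def __init__(self, rules=()):
        self.committed = set(rules)   # what the provider actually holds
        self.visible = set(rules)     # what a read returns right now

    def describe(self):
        snapshot = set(self.visible)
        self.visible = set(self.committed)   # the next read catches up
        return snapshot

    def authorize(self, rule):
        if rule in self.committed:
            raise DuplicateRule(rule)
        self.committed.add(rule)


def sync_and_apply(group, desired):
    """Synchronize (read the provider's rules) immediately before writing,
    write only what is missing, and treat a duplicate rejection as 'already
    present'. Returns (added, skipped_as_duplicate)."""
    existing = group.describe()
    missing, _present = plan(desired, existing)
    added, skipped = [], []
    for rule in sorted(missing, key=lambda r: (r.direction, r.protocol,
                                               r.from_port, r.cidr)):
        try:
            group.authorize(rule)
            added.append(rule)
        except DuplicateRule:
            skipped.append(rule)   # created before our read became consistent
    return added, skipped


if __name__ == "__main__":
    # Constructed rules: SSH from an admin range (already in the provider)
    # and HTTPS from anywhere (to be added).
    ssh = normalize("ingress", [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}])
    https = normalize("ingress", [{"IpProtocol": "TCP", "FromPort": 443, "ToPort": 443,
                                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    sg = FakeSecurityGroup(ssh)
    print(sync_and_apply(sg, ssh | https))
    print(sync_and_apply(sg, ssh | https))   # stale read: duplicate skipped
```

The second call is the interesting one: the read is still stale, the diff says HTTPS is missing, the provider rejects the duplicate, and the function records it as skipped rather than failing. That is the behaviour you want when a rule was written moments earlier, whether by the platform or by someone in the provider console.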
To move a firewall to another virtual datacenter
To delete a firewall policy:
In AWS, Abiquo supports Application load balancers (see Manage Application Load Balancers) and Classic load balancers (described on this page).
Please refer to cloud provider documentation as the definitive guide to the load balancing features. And remember to check your cloud provider's pricing before you begin.
In vCloud Director, load balancers belong to a public cloud region, not a virtual datacenter. This means that in vCloud Director, you can attach VMs from more than one virtual datacenter to the same load balancer, and these load balancers do not work with private networks, which belong to only one virtual datacenter.
To display load balancers in virtual datacenters:
Select a virtual datacenter
Go to Network → Load balancers.
To display load balancers in a region, including those that do not exist in the provider.
To display load balancers in an Azure Resource Group:
To create a load balancer:
Click the + add button and complete the following dialogs according to your cloud provider's documentation
The following screenshots are from AWS or Azure
The name of the load balancer.
In Azure, select the SKU, which can be standard or basic
See cloud provider documentation for more information
|Resource group||The platform will create the load balancer in the selected resource group|
In providers that support subnets, the subnets to which the load balancer will connect
Select one of the common protocols to load presets
The incoming protocol to the load balancer. See cloud provider documentation for accepted values.
The incoming port to the load balancer. See cloud provider documentation for accepted values.
The outgoing protocol from the load balancer.
|Port out||The outgoing port from the load balancer|
|SSL Certificate||For secure connections (e.g. HTTPS), you can add an SSL/TLS certificate.|
|Add||Click Add to save a routing rule for the load balancer|
To delete a routing rule, click the delete button beside the name of the routing rule in the list
Name of the certificate
The certificate contents
An intermediate certificate chains your certificate to a root that browsers trust. A provider may issue one to support older browsers that do not have all of that provider's root certificates, so that users do not receive TLS warnings. If you have an intermediate certificate, add it at the same time as the certificate so that the full trusted chain is configured.
The RSA private key for the certificate. Treat it as a secret: anyone who holds it can impersonate the load balancer.
Select one of the most common protocols to load presets
Name of the health check
The protocol with which the health check will be performed
The port to which the health check will be performed
|Path||The server path to ping (for supported protocols)|
|Interval (sec)||The interval in seconds between health checks|
|Timeout (sec)||The timeout in seconds after which an attempted health check will be considered unsuccessful|
|Attempts||The number of attempts before the health check will be considered unsuccessful|
|Add||Add the current health check to the load balancer|
If your provider supports firewalls, to add a firewall to your load balancer, select your firewall from the list of Firewalls that are in your provider.
If a firewall is not on the list, it may not have been properly synchronized. In this case, click Cancel, synchronize firewalls, then start again to create a new load balancer.
To assign VMs to your load balancer, drag and drop them from the Available Nodes list into the Attached Nodes list.
The platform will display the Status of the load balancer nodes on the Nodes tab, if status information is available from the provider.
You can also check the status using the Abiquo API.
The cloud provider determines which elements of a load balancer that you can modify. Due to different provider support for load balancer features, it may be possible to make modifications in the platform that will later be rejected by the cloud provider, triggering an error. Check your cloud provider documentation for supported modifications.
This feature is available in datacenters using VMware with NSX-NAT or NSX-gateway.
To manage VPNs, go to Virtual datacenters → select a virtual datacenter → Network → VPN
Initial support for VPNs is per VDC, which means you need to create a separate VPN site for each connected virtual datacenter. Both sites of a VPN must have the same encryption and authentication settings, and mirrored (inverse) local and remote network configurations.
The following table describes VPN functionality in the providers.
|Encryption||AES||AES, AES256, Triple DES, AES-GCM||AES128_SHA1, AES128_SHA256, AES256_SHA1, AES256_SHA256, _3DES_SHA1, _3DES_SHA256|
|Perfect forward secrecy enabled||always enabled||optional||always disabled|
|DH group||DH2||DH2, DH5, DH14||DH2, DH14|
|Authentication||PSK (mandatory)||PSK (mandatory)||PSK (mandatory)|
To connect private cloud with public cloud, define the VPN site in private cloud first.
To create the VPN site for site1:
The platform will create the VPN site.
Name of the VPN
Select the encryption algorithm
|Perfect forward secrecy enabled||Select to enable perfect forward secrecy, so that each IPsec session key comes from a fresh Diffie-Hellman exchange instead of being derived only from the IKE SA keys; a later compromise of those keys then does not expose recorded sessions|
Diffie-Hellman group for the VPN. Where the provider offers it, prefer DH14 (2048-bit MODP); DH2 is a 1024-bit group and is no longer considered strong
Select the authentication method. Preshared key (PSK) authentication is mandatory in some providers
Enter the preshared key to be used for this session. Click the link beside the text entry box to show or hide the value of the key.
NAT IP in the VDC or an automatically generated address in public cloud
|Local networks||Select VDC networks. We recommend that you do not use the default private network addresses on both sides of a VPN, because overlapping local and remote ranges cannot be routed through the tunnel|
NAT IP in the remote VDC
|Remote networks||Add network addresses using CIDR notation. Click x beside a network to remove it from the VPN configuration|
To create the VPN site for site2 in another VDC:
After you have created both VPN sites, to check the connection in the network virtualization system, click the Check link in the VPN Status column on the VPNs tab, or use the same Check link when you edit a VPN site.
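The procedure above asks for two site definitions that agree on encryption, PFS, DH group and PSK and mirror each other's endpoints and networks. The following is an added example written for this page, not Abiquo code: it derives site2 from site1 by swapping the local and remote sides, checks a pair of definitions for the mismatches that would stop the tunnel coming up (including local and remote ranges that overlap, which is the reason behind the default-network recommendation above), and flags the settings from the provider table that are weak. The site dictionary layout, the function names and the 203.0.113.0/24 and 198.51.100.0/24 endpoints are constructed for the example; the PSK shown is a placeholder.

```python
import ipaddress

# Settings from the provider table above that a practitioner should avoid.
WEAK_DH = {"DH2"}                                   # 1024-bit MODP group
WEAK_ENC = {"Triple DES", "_3DES_SHA1", "_3DES_SHA256"}


def _nets(cidrs):
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def mirror_site(site, name):
    """Derive the peer site's definition from site1: identical encryption,
    PFS, DH group and PSK, with local and remote endpoints and networks swapped."""
    return {
        "name": name,
        "encryption": site["encryption"],
        "pfs": site["pfs"],
        "dh_group": site["dh_group"],
        "psk": site["psk"],
        "local_endpoint": site["remote_endpoint"],
        "local_networks": list(site["remote_networks"]),
        "remote_endpoint": site["local_endpoint"],
        "remote_networks": list(site["local_networks"]),
    }


def check_pair(site1, site2):
    """Problems that would stop the two sites forming a working tunnel; an
    empty list means the pair is consistent. The PSK value is never echoed."""
    problems = []
    for key in ("encryption", "pfs", "dh_group"):
        if site1[key] != site2[key]:
            problems.append(f"{key} differs: {site1[key]!r} vs {site2[key]!r}")
    if site1["psk"] != site2["psk"]:
        problems.append("psk differs")
    if (site1["local_endpoint"] != site2["remote_endpoint"]
            or site1["remote_endpoint"] != site2["local_endpoint"]):
        problems.append("endpoints are not mirrored")
    if (_nets(site1["local_networks"]) != _nets(site2["remote_networks"])
            or _nets(site1["remote_networks"]) != _nets(site2["local_networks"])):
        problems.append("local/remote networks are not mirrored")
    # Overlapping local and remote ranges cannot be routed through the tunnel.
    for local in _nets(site1["local_networks"]):
        for remote in _nets(site1["remote_networks"]):
            if local.overlaps(remote):
                problems.append(f"{local} overlaps {remote}")
    return problems


def advisories(site):
    """Non-blocking warnings about weak choices from the provider table."""
    notes = []
    if site["dh_group"] in WEAK_DH:
        notes.append("DH2 is a 1024-bit group; use DH14 where the provider allows")
    if site["encryption"] in WEAK_ENC:
        notes.append("3DES is deprecated; prefer AES or AES-GCM")
    if not site["pfs"]:
        notes.append("PFS disabled: every IPsec SA key derives from the one "
                     "IKE SA, so compromising it exposes all sessions under it")
    return notes


# Constructed site1 definition (placeholder PSK, documentation address ranges).
SITE1 = {
    "name": "site1",
    "encryption": "AES256",
    "pfs": True,
    "dh_group": "DH14",
    "psk": "example-psk-placeholder",
    "local_endpoint": "203.0.113.10",
    "local_networks": ["192.168.10.0/24"],
    "remote_endpoint": "198.51.100.20",
    "remote_networks": ["10.20.0.0/16"],
}

if __name__ == "__main__":
    site2 = mirror_site(SITE1, "site2")
    print(check_pair(SITE1, site2), advisories(site2))
    clash = dict(SITE1, remote_networks=["192.168.0.0/16"])
    print(check_pair(clash, mirror_site(clash, "site2")))
```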