Network Service

ZStack provides VM instances with multiple network resources, including VPC firewall, security group, virtual IP address (VIP), elastic IP address (EIP), port forwarding, IPsec tunnel, load balancing, and flow monitoring.

ZStack supports the following three network models:
  • Flat network
  • vRouter network
  • VPC

Network Service Module

Network Service Module provides a group of network services. Note that this module is hidden on the UI.

Network Service Module has the following four types:
  1. Virtual Router Network Service Module (Not recommended)
    Provides various network services: DNS, SNAT, load balancing, port forwarding, EIP, and DHCP.
  2. Flat Network Service Module (Flat Network Service Provider)
    Provides the following network services:
    • User Data: Customizes parameters such as SSH key injection. cloud-init loads these parameters and injects them into your VM instance when the VM instance starts.
    • EIP: Implemented as distributed EIP, which makes the private networks of VM instances reachable from public networks.
    • DHCP: Implemented as distributed DHCP, which lets VM instances obtain IP addresses dynamically.
      Note: The DHCP service includes the DNS feature.
    • VIP QoS: Adjusts the upstream and downstream bandwidth, and can only be applied to EIPs.
  3. vRouter Network Service Module
    Provides the following network services:
    • IPsec: Provides VPN connections.
    • vRouter route table: Manages custom routes.
    • Centralized DNS: Provided when the DHCP service is enabled.
    • VIP QoS: Adjusts the upstream and downstream bandwidth.
    • DNS: Uses vRouters to provide the DNS service.
    • SNAT: Enables VM instances to access the Internet directly.
    • Load balancing: Distributes inbound traffic from a VIP to a group of backend VM instances; unavailable VM instances are detected and isolated automatically.
    • Port forwarding: Forwards traffic arriving at specified ports of a public IP address to the corresponding ports of VM instances, for the specified protocols.
    • EIP: Uses vRouters to make the private networks of VM instances reachable from public networks.
    • DHCP: Provides the centralized DHCP service.
  4. Security Group Network Service Module
    Provides the following network service:
    • Security group: Controls the firewalls of VM instances by using iptables.

Flat Network Practice

In your production environments, we recommend that you use the following combination of network services:
  • Flat Network Service Module
    • User Data: Customizes parameters such as SSH key injection. cloud-init loads these parameters and injects them into your VM instance when the VM instance starts.
    • EIP: Implemented as distributed EIP, which makes the private networks of VM instances reachable from public networks.
    • DHCP: Implemented as distributed DHCP, which lets VM instances obtain IP addresses dynamically.
      Note: The DHCP service includes the DNS feature.
  • Security Group Network Service Module
    • Security group: Controls the firewalls of VM instances by using iptables.

vRouter Network Practice

In your production environments, we recommend that you use the following combination of network services:
  • Flat Network Service Module
    • User Data: Customizes parameters such as SSH key injection. cloud-init loads these parameters and injects them into your VM instance when the VM instance starts.
    • DHCP: Lets VM instances obtain IP addresses dynamically.
  • vRouter Network Service Module
    • DNS: Uses vRouters to provide the DNS service.
    • SNAT: Allows VM instances to access the Internet directly.
    • vRouter route table: Manages custom routes.
    • EIP: Uses vRouters to make the private networks of VM instances reachable from public networks.
    • Port forwarding: Forwards traffic arriving at specified ports of a public IP address to the corresponding ports of VM instances, for the specified protocols.
    • Load balancing: Distributes inbound traffic from a VIP to a set of backend VM instances; unavailable VM instances are detected and isolated automatically.
    • IPsec: Provides VPN connections.
  • Security Group Network Service Module
    • Security group: Controls the firewalls of VM instances by using iptables.

VPC Network Practice

In your production environments, we recommend that you use the following combination of network services:
  • Flat Network Service Module
    • User Data: Customizes parameters such as SSH key injection. cloud-init loads these parameters and injects them into your VM instance when the VM instance starts.
    • DHCP: Implemented as distributed DHCP, which lets VM instances obtain IP addresses dynamically.
  • vRouter Network Service Module
    • DNS: Uses VPC vRouters to provide DNS services.
    • SNAT: Allows VM instances to access the Internet directly.
    • vRouter route table: Manages custom routes.
    • EIP: Uses VPC vRouters to make the private networks of VM instances reachable from public networks.
    • Port forwarding: Forwards traffic arriving at specified ports of a public IP address to the corresponding ports of VM instances, for the specified protocols.
    • Load balancing: Distributes inbound traffic from a VIP to a set of backend VM instances; unavailable VM instances are detected and isolated automatically.
    • IPsec: Provides VPN connections.
  • Security Group Network Service Module
    • Security group: Controls the firewalls of VM instances by using iptables.

Advanced Network Services

  • Dynamic routing: Uses the Open Shortest Path First (OSPF) routing protocol to distribute routing information within a single autonomous system. This service applies to VPC network scenarios.
  • Multicast routing: Forwards the multicast traffic sent by a multicast source to VM instances, achieving one-to-many communication between the sending side and the receiving sides. This service applies to VPC network scenarios.
  • VPC firewall: Filters the north-south traffic on the ports of the VPC vRouter, protecting both the communication within the VPC and the VPC vRouter itself. This service applies to VPC network scenarios.
  • Port mirroring: Copies the network traffic of a VM NIC from one port to another so that the business packets can be analyzed there, improving monitoring and management of network data. This service applies to flat network, vRouter network, and VPC network scenarios.
  • Netflow: Monitors and analyzes the inbound and outbound traffic of the VPC vRouter NICs. Currently, two flow export formats are supported: Netflow V5 and Netflow V9. This service applies to VPC network scenarios.

VPC Firewall

The VPC firewall topology is shown in Figure 1.
Figure 1. VPC Firewall

  • Assume that VM-1 attempts to access VM-3: The traffic from VM-1 is matched against the inbound rule set of the public NIC on the VPC vRouter. If the traffic is identified as malicious, access is denied.
  • Assume that VM-2 attempts to access VM-4: The traffic from VM-2 is matched against the inbound rule set of the public NIC on the VPC vRouter, and then against the outbound rule set of the private NIC on the VPC vRouter. If the traffic is identified as trusted, access is allowed.
  • Assume that Server-2 attempts to access Server-1: The traffic from Server-2 is matched against the inbound rule set of the private NIC on the VPC vRouter, and then against the outbound rule set of the public NIC on the VPC vRouter. If the traffic is identified as trusted, access is allowed.

VPC Firewall Operations

You can perform the following operations on a VPC firewall:
  • Create VPC firewall: Create a VPC firewall.
  • Update configuration: Modify the configurations of the VPC firewall.
    Note: When you add a new network service, such as OSPF, to a VPC vRouter, some firewall rules are created at the same time, but they are not displayed in the UI. To display them, click Update configuration; the rules are then synchronized from the VPC vRouter to the database of the Cloud.
  • Add rule set: Add a rule set to the VPC firewall.
  • Add rule: Select a rule set and add a rule to it.
  • Delete: Delete the VPC firewall.

Rule Set Operations

You can perform the following operations on a rule set:
  • Add rule set: Add the rule set to your current VPC firewall.
  • Add rule: Add a rule to the rule set.
  • Bind network: Bind a network to the rule set.
  • Delete: Delete the rule set.
    Note: Inbound rule sets cannot be deleted.

Notice

When you use a VPC firewall, note the following:
  • One VPC vRouter can be used to create only one VPC firewall.
  • One NIC includes an inbound direction and an outbound direction. You can configure only one rule set for each direction.
  • The control mechanism of a VPC vRouter restricts external access to VM instances that have no EIP. If you use static routing or OSPF, note that they stop working when the firewall rule with priority 9999 is disabled. To keep using static routing and OSPF, add an inbound rule to the public network NIC.
When you use a rule set, note the following:
  • One rule set can have up to 9999 rules attached.
  • Only outbound rule sets can be created. Outbound rule sets apply to the outbound direction of the NIC.
  • Exercise caution: the inbound and outbound directions of a rule set are those of the VPC vRouter's NICs.
  • Inbound rule sets are created by the system by default. You can customize the rules in an inbound rule set, but you cannot delete inbound rule sets.
  • An outbound rule set can be reused on multiple NICs.
When you use a rule, note the following:
  • A rule is a part of a rule set, and cannot be reused on multiple rule sets.
  • A system rule is a preconfigured rule that supports system services. The system rule has two priority ranges: 1-1000 and 4000-9999. The priority range of a custom rule is 1001-2999. The system reserved priority range is 3000-3999. Lower integers indicate higher priorities.
  • System rules cannot be added, modified, or deleted.
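The match order described in the three traffic cases under VPC Firewall (the inbound rule set of the NIC a packet enters, then the outbound rule set of the NIC it leaves) and the priority bands listed above, as an added Python model that is not ZStack's code. The Rule fields, the packet dictionary shape, the sample rules and the default verdict for unmatched traffic are assumptions of this model; the bands, the one rule set per NIC direction and the match order come from this page.

```python
"""Model of how a ZStack VPC firewall evaluates a packet (added example,
not ZStack code). Rule fields, packet shape and the default verdict for
unmatched traffic are assumptions; the priority bands, one rule set per
NIC direction and the inbound-then-outbound order follow the documentation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Priority bands from the documentation; lower integers match first.
SYSTEM_BANDS = ((1, 1000), (4000, 9999))
CUSTOM_BAND = (1001, 2999)
RESERVED_BAND = (3000, 3999)
MAX_RULES_PER_SET = 9999

def custom_priority_ok(priority: int) -> bool:
    """A user-added rule may only use the custom band 1001-2999."""
    return CUSTOM_BAND[0] <= priority <= CUSTOM_BAND[1]

@dataclass(frozen=True)
class Rule:
    priority: int
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source CIDR
    dst: str = "0.0.0.0/0"        # destination CIDR
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

def evaluate_rule_set(rules: list, pkt: dict, default: str = "deny") -> str:
    """First match in priority order wins; unmatched traffic gets `default`."""
    if len(rules) > MAX_RULES_PER_SET:
        raise ValueError("a rule set holds at most 9999 rules")
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            return rule.action
    return default

def evaluate_path(pkt: dict, in_nic: dict, out_nic: dict) -> str:
    """Inbound set of the NIC the packet enters, then outbound set of the NIC
    it leaves: public inbound, then private outbound for VM-2 -> VM-4."""
    if evaluate_rule_set(in_nic["inbound"], pkt) == "deny":
        return "deny"
    return evaluate_rule_set(out_nic["outbound"], pkt)
```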

Security Group

A security group is a virtual firewall for your VM instances that allows or denies incoming traffic to, and outgoing traffic from, multiple types of cloud resources. It provides L3 network security controls over your VM instances by filtering TCP, UDP, and ICMP packets. With a security group, you control specified VM instances on specified networks according to specified security rules.
  • Flat networks, vRouter networks, and VPCs all support the security group service, which is provided by the Security Group Network Service Module and enforced on VM instances by using iptables.
  • A security group is in effect a distributed firewall: when you modify a rule, or add or delete a NIC, the firewall rules applied to the VM instances are updated accordingly.
Security group rule:
  • A security group rule has one of the following two directions, according to the direction of the data packets:
    • Ingress: Inbound data packets that access a VM instance.
    • Egress: Outbound data packets that are sent from a VM instance.
  • A security group rule supports the following protocol types:
    • ALL: Covers all protocol types; no port can be specified.
    • TCP: Supports ports 1-65535.
    • UDP: Supports ports 1-65535.
    • ICMP: Both the start port and the end port are -1 by default, indicating that all ICMP traffic is covered.
  • A security group rule can restrict the source of the data, whether it comes from inside or outside the VM instances. Currently, the source can be a source CIDR or a source security group.
    • Source CIDR: Allows only the specified CIDR.
    • Source security group: Allows only the VM instances in the specified security group.
    Note: If you set both a CIDR and a security group, only their intersection takes effect.
A security group topology is shown in Figure 1.
Figure 1. Security Group


Constraints

The constraints of a security group are as follows:
  • A security group can be attached to more than one VM instance. These VM instances share the same security group rules.
  • A security group can be attached to more than one L3 network. These L3 networks share the same security group rules.
  • A security group supports whitelisting. That is, all security group rules can be set to Allow; once you allow a port, other ports are not allowed.
  • When you create a security group, the system automatically configures two rules (an inbound rule and an outbound rule, both with protocol type ALL) for communication within the security group. You can delete these two default rules to disable intra-group communication.
  • If you create a security group without setting any rule, incoming traffic to VM instances in the security group is denied, while outgoing traffic from those VM instances is allowed.
  • If you use a security group together with other network services, such as load balancing or the vRouter route table, make sure that the rules required by these network services are added to the security group.
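The rule semantics described in the Security Group section and the constraints above (whitelist matching, protocol and port fields, source CIDR and source security group with their intersection, the two default intra-group rules, and ingress-deny/egress-allow when no rule is set), as an added Python model that is not ZStack's code. The SgRule fields, the packet dictionary, the group membership table and the sample addresses are constructed here, and evaluating each direction independently is an assumption of this model.

```python
"""Model of ZStack security-group rule evaluation (added example, not ZStack
code). Whitelist semantics, protocol/port fields, source CIDR / source group
(intersection when both are set) and the ingress-deny, egress-allow default
follow the documentation; data shapes and per-direction evaluation are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class SgRule:
    direction: str                   # "ingress" or "egress"
    protocol: str                    # "ALL", "TCP", "UDP" or "ICMP"
    start_port: int = -1             # -1 means any (ALL and ICMP use this)
    end_port: int = -1
    src_cidr: Optional[str] = None   # e.g. "10.0.1.0/24"
    src_group: Optional[str] = None  # name of a source security group

def default_rules(group: str) -> List[SgRule]:
    """The two ALL rules the system creates for intra-group communication."""
    return [SgRule("ingress", "ALL", src_group=group),
            SgRule("egress", "ALL", src_group=group)]

def rule_is_valid(rule: SgRule) -> bool:
    """Only TCP/UDP carry a port range, which must lie within 1-65535."""
    if rule.protocol in ("TCP", "UDP"):
        return 1 <= rule.start_port <= rule.end_port <= 65535
    return rule.start_port == -1 and rule.end_port == -1

def rule_matches(rule: SgRule, pkt: Dict, groups: Dict[str, Set[str]]) -> bool:
    """`groups` maps a group name to member NIC IPs; pkt["peer"] is the remote end."""
    if rule.protocol != "ALL":
        if rule.protocol != pkt["protocol"]:
            return False
        if rule.protocol != "ICMP" and not rule.start_port <= pkt["port"] <= rule.end_port:
            return False
    peer = ip_address(pkt["peer"])
    if rule.src_cidr and peer not in ip_network(rule.src_cidr):
        return False
    # Both CIDR and group set: the peer must satisfy both (their intersection).
    if rule.src_group and str(peer) not in groups.get(rule.src_group, set()):
        return False
    return True

def is_allowed(direction: str, pkt: Dict, rules: List[SgRule], groups: Dict[str, Set[str]]) -> bool:
    """Whitelist: a matching rule allows; with no rule in a direction,
    ingress is denied and egress is allowed (the documented default)."""
    relevant = [r for r in rules if r.direction == direction]
    if not relevant:
        return direction == "egress"
    return any(rule_matches(r, pkt, groups) for r in relevant)
```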