mirror of
https://github.com/apache/cloudstack.git
synced 2025-11-02 20:02:29 +01:00
190 lines
8.9 KiB
XML
190 lines
8.9 KiB
XML
<?xml version='1.0' encoding='utf-8' ?>
|
|
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
|
|
%BOOK_ENTITIES;
|
|
]>
|
|
<!-- Licensed to the Apache Software Foundation (ASF) under one
|
|
or more contributor license agreements. See the NOTICE file
|
|
distributed with this work for additional information
|
|
regarding copyright ownership. The ASF licenses this file
|
|
to you under the Apache License, Version 2.0 (the
|
|
"License"); you may not use this file except in compliance
|
|
with the License. You may obtain a copy of the License at
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
Unless required by applicable law or agreed to in writing,
|
|
software distributed under the License is distributed on an
|
|
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
KIND, either express or implied. See the License for the
|
|
specific language governing permissions and limitations
|
|
under the License.
|
|
-->
|
|
<section id="vpc">
|
|
<title>About Virtual Private Clouds</title>
|
|
<para>&PRODUCT; Virtual Private Cloud is a private, isolated part of &PRODUCT;. A VPC can have its
|
|
own virtual network topology that resembles a traditional physical network. You can launch VMs
|
|
in the virtual network that can have private addresses in the range of your choice, for example:
|
|
10.0.0.0/16. You can define network tiers within your VPC network range, which in turn enables
|
|
you to group similar kinds of instances based on IP address range.</para>
|
|
<para>For example, if a VPC has the private range 10.0.0.0/16, its guest networks can have the
|
|
network ranges 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, and so on.</para>
|
|
<formalpara>
|
|
<title>Major Components of a VPC:</title>
|
|
<para>A VPC is comprised of the following network components:</para>
|
|
</formalpara>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">VPC</emphasis>: A VPC acts as a container for multiple isolated
|
|
networks that can communicate with each other via its virtual router.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Network Tiers</emphasis>: Each tier acts as an isolated network
|
|
with its own VLANs and CIDR list, where you can place groups of resources, such as VMs. The
|
|
tiers are segmented by means of VLANs. The NIC of each tier acts as its gateway.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Virtual Router</emphasis>: A virtual router is automatically
|
|
created and started when you create a VPC. The virtual router connect the tiers and direct
|
|
traffic among the public gateway, the VPN gateways, and the NAT instances. For each tier, a
|
|
corresponding NIC and IP exist in the virtual router. The virtual router provides DNS and
|
|
DHCP services through its IP.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Public Gateway</emphasis>: The traffic to and from the Internet
|
|
routed to the VPC through the public gateway. In a VPC, the public gateway is not exposed to
|
|
the end user; therefore, static routes are not support for the public gateway.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Private Gateway</emphasis>: All the traffic to and from a private
|
|
network routed to the VPC through the private gateway. For more information, see <xref
|
|
linkend="add-gateway-vpc"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">VPN Gateway</emphasis>: The VPC side of a VPN connection.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Site-to-Site VPN Connection</emphasis>: A hardware-based VPN
|
|
connection between your VPC and your datacenter, home network, or co-location facility. For
|
|
more information, see <xref linkend="site-to-site-vpn"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Customer Gateway</emphasis>: The customer side of a VPN
|
|
Connection. For more information, see <xref linkend="create-vpn-customer-gateway"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">NAT Instance</emphasis>: An instance that provides Port Address
|
|
Translation for instances to access the Internet via the public gateway. For more
|
|
information, see <xref linkend="enable-disable-static-nat-vpc"/>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Network ACL</emphasis>: Network ACL is a group of Network ACL
|
|
items. Network ACL items are nothing but numbered rules that are evaluated in order,
|
|
starting with the lowest numbered rule. These rules determine whether traffic is allowed in
|
|
or out of any tier associated with the network ACL. For more information, see <xref linkend="configure-acl"/>.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<formalpara>
|
|
<title>Network Architecture in a VPC</title>
|
|
<para>In a VPC, the following four basic options of network architectures are present:</para>
|
|
</formalpara>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>VPC with a public gateway only</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>VPC with public and private gateways</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>VPC with public and private gateways and site-to-site VPN access</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>VPC with a private gateway only and site-to-site VPN access</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<formalpara>
|
|
<title>Connectivity Options for a VPC</title>
|
|
<para>You can connect your VPC to:</para>
|
|
</formalpara>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>The Internet through the public gateway.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>The corporate datacenter by using a site-to-site VPN connection through the VPN
|
|
gateway.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Both the Internet and your corporate datacenter by using both the public gateway and a
|
|
VPN gateway.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<formalpara>
|
|
<title>VPC Network Considerations</title>
|
|
<para>Consider the following before you create a VPC:</para>
|
|
</formalpara>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>A VPC, by default, is created in the enabled state.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>A VPC can be created in Advance zone only, and can't belong to more than one zone at a
|
|
time.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>The default number of VPCs an account can create is 20. However, you can change it by
|
|
using the max.account.vpcs global parameter, which controls the maximum number of VPCs an
|
|
account is allowed to create.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>The default number of tiers an account can create within a VPC is 3. You can configure
|
|
this number by using the vpc.max.networks parameter.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Each tier should have an unique CIDR in the VPC. Ensure that the tier's CIDR should be
|
|
within the VPC CIDR range.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>A tier belongs to only one VPC. </para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>All network tiers inside the VPC should belong to the same account.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>When a VPC is created, by default, a SourceNAT IP is allocated to it. The Source NAT IP
|
|
is released only when the VPC is removed.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>A public IP can be used for only one purpose at a time. If the IP is a sourceNAT, it
|
|
cannot be used for StaticNAT or port forwarding.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>The instances can only have a private IP address that you provision. To communicate with
|
|
the Internet, enable NAT to an instance that you launch in your VPC.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Only new networks can be added to a VPC. The maximum number of networks per VPC is
|
|
limited by the value you specify in the vpc.max.networks parameter. The default value is
|
|
three.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>The load balancing service can be supported by only one tier inside the VPC.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>If an IP address is assigned to a tier:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>That IP can't be used by more than one tier at a time in the VPC. For example, if
|
|
you have tiers A and B, and a public IP1, you can create a port forwarding rule by using
|
|
the IP either for A or B, but not for both.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>That IP can't be used for StaticNAT, load balancing, or port forwarding rules for
|
|
another guest network inside the VPC.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Remote access VPN is not supported in VPC networks.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|