cloudstack/docs/en-US/add-gateway-vpc.xml

<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements.  See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership.  The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License.  You may obtain a copy of the License at
	http://www.apache.org/licenses/LICENSE-2.0
	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied.  See the License for the
	specific language governing permissions and limitations
	under the License.
-->
<section id="add-gateway-vpc">
  <title>Adding a Private Gateway to a VPC</title>
  <para>A private gateway can be added by the root admin only. The VPC private network has 1:1
    relationship with the NIC of the physical network. You can configure multiple private gateways
    to a single VPC. No gateways with duplicated VLAN and IP are allowed in the same data
    center.</para>
  <orderedlist>
    <listitem>
      <para>Log in to the &PRODUCT; UI as an administrator or end user.</para>
    </listitem>
    <listitem>
      <para>In the left navigation, choose Network.</para>
    </listitem>
    <listitem>
      <para>In the Select view, select VPC.</para>
      <para>All the VPCs that you have created for the account is listed in the page.</para>
    </listitem>
    <listitem>
      <para>Click the Configure button of the VPC to which you want to configure load balancing
        rules.</para>
      <para>The VPC page is displayed where all the tiers you created are listed in a
        diagram.</para>
    </listitem>
    <listitem>
      <para>Click the Settings icon.</para>
      <para>The following options are displayed.</para>
      <itemizedlist>
        <listitem>
          <para>Internal LB</para>
        </listitem>
        <listitem>
          <para>Public LB IP</para>
        </listitem>
        <listitem>
          <para>Static NAT</para>
        </listitem>
        <listitem>
          <para>Virtual Machines</para>
        </listitem>
        <listitem>
          <para>CIDR</para>
        </listitem>
      </itemizedlist>
      <para>The following router information is displayed:</para>
      <itemizedlist>
        <listitem>
          <para>Private Gateways</para>
        </listitem>
        <listitem>
          <para>Public IP Addresses</para>
        </listitem>
        <listitem>
          <para>Site-to-Site VPNs</para>
        </listitem>
        <listitem>
          <para>Network ACL Lists</para>
        </listitem>
      </itemizedlist>
    </listitem>
    <listitem>
      <para>Select Private Gateways.</para>
      <para>The Gateways page is displayed.</para>
    </listitem>
    <listitem>
      <para>Click Add new gateway:</para>
      <mediaobject>
        <imageobject>
          <imagedata fileref="./images/add-new-gateway-vpc.png"/>
        </imageobject>
        <textobject>
          <phrase>add-new-gateway-vpc.png: adding a private gateway for the VPC.</phrase>
        </textobject>
      </mediaobject>
    </listitem>
    <listitem>
      <para>Specify the following:</para>
      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">Physical Network</emphasis>: The physical network you have
            created in the zone.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">IP Address</emphasis>: The IP address associated with the VPC
            gateway.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Gateway</emphasis>: The gateway through which the traffic is
            routed to and from the VPC.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Netmask</emphasis>: The netmask associated with the VPC
            gateway.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">VLAN</emphasis>: The VLAN associated with the VPC
            gateway.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Source NAT</emphasis>: Select this option to enable the source
            NAT service on the VPC private gateway.</para>
          <para>See <xref linkend="sourcenat-private-gateway"/>.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">ACL</emphasis>: Controls both ingress and egress traffic on a
            VPC private gateway. By default, all the traffic is blocked.</para>
          <para>See <xref linkend="acl-private-gateway"/>.</para>
        </listitem>
      </itemizedlist>
      <para>The new gateway appears in the list. You can repeat these steps to add more gateway for
        this VPC.</para>
    </listitem>
  </orderedlist>
  <section id="sourcenat-private-gateway">
    <title>Source NAT on Private Gateway</title>
    <para>You might want to deploy multiple VPCs with the same super CIDR and guest tier CIDR.
      Therefore, multiple guest VMs from different VPCs can have the same IPs to reach a enterprise
      data center through the private gateway. In such cases, a NAT service need to be configured on
      the private gateway. If Source NAT is enabled, the guest VMs in VPC reaches the enterprise
      network via private gateway IP address by using the NAT service. </para>
    <para>The Source NAT service on a private gateway can be enabled while adding the private
      gateway. On deletion of a private gateway, source NAT rules specific to the private gateway
      are deleted.</para>
  </section>
  <section id="acl-private-gateway">
    <title>ACL on Private Gateway</title>
    <para>The traffic on the VPC private gateway is controlled by creating both ingress and egress
      network ACL rules. The ACLs contains both allow and deny rules. As per the rule, all the
      ingress traffic to the private gateway interface and all the egress traffic out from the
      private gateway interface are blocked. You can change this default behaviour while creating a
      private gateway.</para>
  </section>
  <section id="static-route">
    <title>Creating a Static Route</title>
    <para>&PRODUCT; enables you to specify routing for the VPN connection you create. You can enter
      one or CIDR addresses to indicate which traffic is to be routed back to the gateway.</para>
  </section>
  <section id="blacklist-route">
    <title>Blacklisting Routes</title>
    <para>&PRODUCT; enables you to block a list of routes so that they are not assigned to any of
      the VPC private gateways. Specify the list of routes that you want to blacklist in the
        <code>blacklisted.routes</code> global parameter. Note that the parameter update affects
      only new static route creations. If you block an existing static route, it remains intact and
      continue functioning. You cannot add a static route if the route is blacklisted for the zone.
    </para>
  </section>
</section>