ZStack Cloud Documentation
All
All
ZStack 3.10.0>Product Manuals>User Guide>Cloud Operations Guide>Network Service
Get PDF

Network Service

ZStack provides VM instances with multiple network resources, including VPC firewall, security group, virtual IP address (VIP), elastic IP address (EIP), port forwarding, IPsec tunnel, load balancing, and flow monitoring.

ZStack supports the following three network models:
  • Flat network
  • vRouter network
  • VPC

Network Service Module

Network Service Module provides a group of network services. Note that this module has been hidden on the UI.

Network Service Module has the following four types:
  1. Virtual Router Network Service Module (Not recommended)

    Provides various network services: DNS, SNAT, load balancing, port forwarding, EIP, and DHCP.

  2. Flat Network Service Module (Flat Network Service Provider)
    Provides the following network services:
    • User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
    • EIP: Is realized by distributed EIP to access private networks through public networks.
    • DHCP: Is realized by distributed DHCP to dynamically obtain an IP address.
      Note: The DHCP service includes the DNS feature.
    • VIP QoS: Adjusts the upstream bandwidth and downstream bandwidth, and can only be applied to EIPs.
  3. vRouter Network Service Module
    Provides the following network services:
    • IPsec: Achieves VPN connections.
    • vRouter route table: Manages custom routes.
    • Centralized DNS: Is provided when the DHCP service is enabled.
    • VIP QoS: Adjusts the upstream bandwidth and downstream bandwidth.
    • DNS: Uses vRouters to provide the DNS service.
    • SNAT: Enables VM instances to access directly the Internet.
    • Load balancing: Distributes inbound traffics from a VIP to a group of backend VM instances. Then, unavailable VM instances will be detected and isolated automatically.
    • Port forwarding: Forwards port traffics of specified public IP addresses to the ports of corresponding VM instances according to specified protocols.
    • EIP: Uses vRouters to access private networks of VM instances through public networks.
    • DHCP: Provides the centralized DHCP service.
  4. Security Group Network Service Module
    Provides the following network service:
    • Security group: Manipulates securities of VM instance firewalls by using iptables.

Flat Network Practice

In your production environments, we recommend that you use the following combination of network services:
  • Flat Network Service Module
    • User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
    • EIP: Is realized by distributed EIP can access private networks through public networks.
    • DHCP: Is realized by distributed DHCP to dynamically obtain an IP address.
      Note: The DHCP service includes the DNS feature.
  • Security Group Network Service Module
    • Security group: Manipulates securities of VM instance firewalls by using iptables.

vRouter Network Practice

In your production environments, we recommend that you use the following combination of network services:
  • Flat Network Service Module
    • User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
    • DHCP: DHCP allows you to dynamically obtain an IP address.
  • vRouter Network Service Module
    • DNS: Uses vRouters to provide the DNS service.
    • SNAT: Allows VM instances to access directly the Internet.
    • vRouter route table: Manages custom routes.
    • EIP: Uses vRouters to access private networks of VM instances through public networks.
    • Port forwarding: Forwards port traffics of specified public IP addresses to the ports of corresponding VM instances according to specified protocols.
    • Load balancing: Distributes inbound traffics from a VIP to a set of backend VM instances. Then, unavailable VM instances will be detected and isolated automatically.
    • IPsec: Achieves VPN connections.
  • Security Group Network Service Module
    • Security group: Manipulates securities of VM instance firewalls by using iptables.

VPC Network Practice

In your production environments, we recommend that you use the following combination of network services:
  • Flat Network Service Module
    • User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
    • DHCP: Is realized by distributed DHCP to dynamically obtain an IP address.
  • vRouter Network Service Module
    • DNS: Uses VPC vRouters to provide DNS services.
    • SNAT: Allows VM instances to access directly the Internet.
    • vRouter route table: Manages custom routes.
    • EIP: Uses VPC vRouters to access private networks of VM instances through public networks.
    • Port forwarding: Forwards port traffics of specified public IP addresses to the ports of corresponding VM instances according to specified protocols.
    • Load balancing: Distributes inbound traffics from a VIP to a set of backend VM instances, and unavailable VM instances will be detected and isolated automatically.
    • IPsec: Achieves VPN connections.
  • Security Group Network Service Module
    • Security group: Manipulates securities of VM instance firewalls by using iptables.

Advanced Network Services

  • Dynamic routing: Uses the Open Shortest Path First (OSPF) routing protocol to distribute routing information within a single autonomous system. This service applies to VPC network scenarios.
  • Multicast routing: Forwards the multicast information sent by the multicast source to VM instances, achieving one-to-multi-point communication in the transmission side and receiving side. This service applies to VPC network scenarios.
  • VPC firewall: Filters the south-north traffic on the VPC vRouter ports, effectively protecting the VPC communication security and VPC vRouter security. This service applies to VPC network scenarios.
  • Port mirroring: Copies and sends network traffics of VM NICs from a port to another port, and analyzes the business packets on the ports, better monitoring and managing the network data. This service applies to flat network, vRouter network, and VPC network scenarios.
  • Netflow: Monitors and analyzes the inbound and outbound traffics of the VPC vRouter NICs. Currently, the following two types of data-flow output formats are supported: Netflow V5 and Netflow V9. This service applies to VPC network scenarios.

VPC Firewall

A VPC firewall manages the south-north traffics of VPC networks, and allows you to manage the access control policies by configuring rule sets and rules.

Each rule set only applies to inbound or outbound traffics, not both, in a VPC vRouter. That is, you can only add one inbound or outbound rule set to a VPC vRouter. A rule set contains multiple rules, which effectively secure the entire VPC communication and the VPC vRouter. This complements the security groups that can be applied to VM NICs and mainly protects the east-west communication security.

Firewall rule set:
  • A firewall rule set can be divided into the following two types according to the direction of traffics:
    • Inbound rule set: Manages traffics that come a source through networks to VPC vRouters.
    • Outbound rule: Manages traffics that are sent from VPC vRouters to a destination through networks.
Firewall rule:
  • You can customize the firewall rule priority, which is an integer, as needed. Lower integers indicate higher priorities.
    • System rule: A system rule is a predefined rule that supports system services. Priority range: 1-1000 or 4000-9999.
    • Custom rule: A custom rule is a rule set by users. Priority range: 1001-2999.
  • Firewall rules let you allow or deny incoming and outgoing traffics.
    • The source and destination IP addresses can be a static IP address, an IP range, or a CIDR. A combination of the above three formats is supported.
    • If you enter multiple IP addresses which include one or more CIDR formats, note that the CIDR format supports only the /24 mask range. If only one CIDR is entered, the mask range is not restricted.
    • You can add up to 10 firewall rules at a time. Note that you need to separate each rule by using a comma (,).
The VPC firewall topology is shown in VPC Firewall.
Figure 1. VPC Firewall


  • Assume that VM-1 attempts to access VM-3: The traffic from VM-1 will match the inbound rule set of the public NIC on the VPC vRouter. If malicious traffics are detected, the access is denied.
  • Assume that VM-2 attempts to access VM-4: The traffic from VM-2 will match the inbound rule set of the public NIC on the VPC vRouter, and then will match the outbound rule set of the private NIC on the VPC vRouter. If trusted traffics are detected, the access is allowed.
  • Assume that Server-2 attempts to access Server-1: The traffic from Sever-2 will match the inbound rule set of the private NIC on the VPC vRouter, and then will match the outbound rule set of the public NIC on the VPC vRouter. If trusted traffics are detected, the access is allowed.
Difference between a VPC firewall and a security group: A VPC firewall manages the south-north traffic, and can be applied to the entire VPC. On the contrary, a security group mainly manages the east-west traffic, and can be applied to VM NICs. They can complement each other. The detailed differences are as follows.
Comparison Security Group VPC Firewall
Application scope VM NIC The entire VPC network
Deployment mode Distributed Centralized
Deployment location VM instance VPC vRouter
Configuration policy Supports only allowed policies Enables you to customize the accept policy, drop policy, or reject policy as needed
Priority Takes effect according to the configuration sequence Enables you to customize priorities
Matching rules Source IP address, source port, and source protocol Source IP address, source port, destination IP address, destination port, protocol, and packet status
To use a VPC firewall rule
  • Create a VPC firewall.
  • Add an inbound/outbound rule set to a VPC firewall.
  • Add a corresponding rule to a rule set.

Create VPC Firewall

In the navigation pane of the ZStack Private Cloud UI, choose Network Service > VPC Firewall. On the VPC Firewall page, click Create VPC Firewall. On the displayed Create VPC Firewall page, set the following parameters:
  • Name: Enter a name for the VPC firewall.
  • Description: Optional. Enter a description for the VPC firewall.
  • VPC vRouter: Select the VPC vRouter that needs to be protected.
    Note: When you create a VPC firewall, make sure that the corresponding VPC vRouter is in the running state, and is not attached to any firewall.
You can create a VPC firewall, as shown in Figure 2.
Figure 2. Create VPC Firewall


Add Rule Set

On the VPC Firewall page, select the target VPC firewall, and choose Actions > Add Rule Set. On the displayed Add Rule Set page, set the following parameters:
  • Name: Enter a name for the rule set.
  • Default Action: Select the action to handle network requests. Options: Accept | Drop | Reject.
    • Accept: Network requests sent to the VPC vRouter are allowed.
    • Drop: Network requests sent to the VPC vRouter are not allowed, and no feedback is sent to the request endpoint.
    • Reject: Network requests sent to the VPC vRouter are not allowed, and a feedback is sent to the request endpoint.
  • Network: Select the network to which the rule set is added.
    Note:
    • Only outbound rule sets can be created. Outbound rule sets apply to the outbound direction of the NIC.
    • The inbound rule sets are created by the system by default. You can customize your rules in an inbound rule set.
    • Inbound rule sets cannot be deleted.
You can create a rule set, as shown in Figure 3.
Figure 3. Add Rule Set


Add Rule

On the Rule Set tab page, select a rule set of the target network, and choose Actions > Add Rule. On the displayed Add Rule page, set the following parameters:
  • Rule Set: Select the target rule set to add a rule.
  • Priority: Set the priority of the rule.
    Note:
    • The priority is an integer from 1001 to 2999, inclusive. Lower integers indicate higher priorities.
    • Rules with the priority range 1-1000 and 4000-9999 are preconfigured rules that support system services. Note that system rules cannot be added, modified, or deleted.
    • The rule priorities cannot be identical in the same rule set.
  • Action: Select an action to handle network requests. Options: Accept | Drop | Reject.
    • Accept: Allows network requests sent to the VPC vRouter.
    • Drop: Disallows network requests sent to the VPC vRouter, and does not relay feedback to the request endpoint.
    • Reject: Disallows network requests sent to the VPC vRouter, and relays feedback to the request endpoint.
  • Packet State: Optional. Select the packet whose state is to be matched by the VPC firewall. For example, if you select new, all packets in the new state will be handled according to the current rule.
    • new: new connection
    • established: established connection
    • invalid: unknown connection
    • related: related connection. The current connection is a new request and belongs to an existing connection.
  • Protocol: Required. Select the protocol to be used by the VPC firewall to match rules. For example, if you select TCP, all TCP requests will be handled according to the current rule.
  • Source IP/Destination IP: Optional. Set the source IP address and the destination IP address to be matched by the current rule.
    • You can enter a fixed IP address, an IP range, or a CIDR. If you enter an IP range, use an en dash (-) to connect the source IP address and the destination IP address, for example, 192.168.0.1-192.168.0.100.
    • You can add up to 10 single formats or a combination of the 10 formats, and use a comma (,) to separate them.
    • If you enter multiple IP addresses which include one or more CIDR formats, note that the CIDR format supports only the /24 mask range. If only one CIDR is entered, the mask range is not restricted.
  • Apply immediately: If selected, the rule will take effect immediately after you add it. If cleared, the rule will be in the disabled state after you create it. You need to enable it manually for it to take effect.
You can add a rule, as shown in Figure 4.
Figure 4. Add Rule




VPC Firewall Operations

You can perform the following operations on a VPC firewall:
  • Create VPC firewall: Create a VPC firewall.
  • Update configuration: Modify the configurations of the VPC firewall.
    Note: When you add a new network service, such as OSPF, to a VPC vRouter, some firewall rules will be created at the same time. However, these rules will not be displayed in the UI. To display the rules in the UI, click the update configuration button, and then the rules will be synchronized from the VPC vRouter to the database of the Cloud.
  • Add rule set: Add a rule set to the VPC firewall.
  • Add rule: Select a rule set and add a rule to it.
  • Delete: Delete the VPC firewall.

Rule Set Operations

You can perform the following operations on a rule set:
  • Add rule set: Add the rule set to your current VPC firewall.
  • Add rule: Add a rule to the rule set.
  • Bind network: Bind a network to the rule set.
  • Delete: Delete the rule set.
    Note: Inbound rule sets cannot be deleted.

Notice

When you use a VPC firewall, note the following:
  • One VPC vRouter can be used to create only one VPC firewall.
  • One NIC includes an inbound direction and an outbound direction. You can configure only one rule set for each direction.
  • The control mechanism of a VPC vRouter will restrict external access to VM instances without an EIP. If you are using static routing or OSPF, note that the static routing and OSPF will not be available when the firewall with the priority 9999 is disabled. If you still want to use static routing and OSPF, add an inbound rule to the public network NIC.
When you use a rule set, note the following:
  • One rule set can have up to 9999 rules attached.
  • Only outbound rule sets can be created. Outbound rule sets apply to the outbound direction of the NIC.
  • Exercise caution. The inbound and outbound directions of a rule set are designed for VPC vRouters.
  • The inbound rule sets are created by the system by default. You can customize your rules in an inbound rule set, but you cannot delete inbound rule sets.
  • The rule sets of the same outbound direction can be reused on multiple NICs.
When you use a rule, note the following:
  • A rule is a part of a rule set, and cannot be reused on multiple rule sets.
  • A system rule is a preconfigured rule that supports system services. The system rule has two priority ranges: 1-1000 and 4000-9999. The priority range of a custom rule is 1001-2999. The system reserved priority range is 3000-3999. Lower integers indicate higher priorities.
  • System rules cannot be added, modified, or deleted.

Security Group

A security group provides L3 network security controls over VM instances, and controls TCP, UDP, and ICMP data packets for effective filtering. You can use a security group to effectively control specified VM instances on specified networks according to specified security rules.
  • Flat networks, vRouter networks, and VPC support the security group service. The security group service is provided by the security group network service module. By using iptables, you can perform security controls over VM instances. This method also applies to flat networks, vRouter networks, and VPC.
  • A security group is actually a distributed firewall. When you modify a rule, or when you add or delete a NIC, note that firewall rules in VM instances are updated as well.
Security group rule:
  • A security group rule has the following two types of traffic according the direction of data packets:
    • Ingress: Represents inbound data packets that access a VM instance.
    • Egress: Represents outbound data packets that are sent from a VM instance.
  • A security group rule supports the following protocol types:
    • ALL: Includes all protocol types, indicating that you cannot specify a port.
    • TCP: Supports ports 1-65535.
    • UDP: Supports ports 1-65535.
    • ICMP: By default, both the start port and end port are all -1, indicating that all ICMP protocols are supported.
  • A security group rule can limit data sources that comes either from inside or outside of VM instances. Currently, sources can be set as source CIDR or source security group.
    • Source CIDR: Allows only the specified CIDR.
    • Source security group: Allows only the VM instances in a specified security group.
    Note: If you set both CIDR and the security group, note that only the intersection of them can take effect.
A security group topology is shown in Figure 1.
Figure 1. Security Group


Security Group Usage

The basic workflow of using a security group is as follows: Select an L3 network, set the corresponding security group rule, and add specified VM instances to the rule.

Create Security Group

In the navigation pane of the ZStack Private Cloud UI, choose Network Service > Security Group. On the Security Group page, click Create Security Group. On the displayed Create Security Group page, set the following parameters:
  • Name: Enter a name for the security group.
  • Description: Optional. Enter a description for the security group.
  • Network: Select an existing L3 network. Different types of L3 network are supported, including public network, private network, and VPC network.
    Note: You can add more than one L3 network of the same type at a time, but cannot add multiple L3 networks of different types.
  • Rule: Optional. You can set a security group rule when or after you create a security group.
  • NIC: Optional. Select a VM instance to add its NIC to the security group. You can add a VM NIC when or after you create a security group.
Click OK to finish creating a security group, as shown in Figure 2.
Figure 2. Create Security Group


Set Security Group Rule

Assume that you set a security group rule directly when you create a security group. On the Create Security Group page, click the Plus sign (+) in the Rule section. On the displayed Set Rules page, set the following parameters:
  • Type: Select the type (direction) of the security group rule, for example, ingress.
  • Protocol: Select a protocol, for example, TCP.
  • Start Port: Enter a port between 1 and 65535 as the start port, for example, 23.
  • End Port: Enter a port between 1 and 65535 as the end port, for example, 1024.
  • IP Address Type: Select an IP address type. Options: IPv4 | IPv6.
  • CIDR: Optional. If specified, only the specified CIDR is allowed.
  • Source Security Group: Optional. If specified, only VM instances in the specified security group are allowed.
You can set a rule for a security group, as shown in Figure 3.
Figure 3. Set Rule


Add VM NIC to Security Group

Assume that you add a VM NIC directly when you create a security group. On the Create Security Group page, click the Plus sign (+) in the NIC section. On the displayed Select NIC page, select the target VM instance.

You can add VM NICs to a security group, as shown in Figure 4.
Figure 4. Add VM NIC to Security Group


Security Group Operations

You can perform the following operations on a security group.
  • Enable: Enable the security group. After you enable a security group, all the associated security group rules and services will also be enabled.
  • Disable: Disable the security group. After you disable a security group, all the associated security group rules and services will be unavailable.
  • Modify name and description: Modify the name and description of the security group rule.
  • Attach L3 network: Attach the security group to one or more L3 networks. Note that these L3 networks will share the same security group rule.
  • Detach L3 network: Detach an L3 network from the security group.
  • Add rule: Add a rule to the security group.
  • Delete rule: Delete a rule from the security group.
  • Bind VM NIC: Bind the security group to a VM NIC. Note that you can bind a security group to multiple VM instances. NICs of these VM instances will share the same security group rules.
  • Unbind VM NIC: Unbind the security group from a VM NIC.
  • Delete: Delete the security group. Deleting a security group will also delete the associated security group rules and services.
  • Audit: View related operations supported by the security group.

Constraints

The constraints of a security group are as follows:
  • A security group can be attached to more than one VM instance. These VM instances will share the same security group rules.
  • A security group can be attached to more than one L3 network. These L3 networks will share the same security group rules.
  • A security group supports whitelists. That is, you can set all security group rules to "Allow". Once you set an allow rule for a port, other ports will not be allowed.
  • When you create a security group, the system automatically configures two rules (an inbound rule and an outbound rule whose protocol types are both ALL) for communications in the security group. You can delete these two default rules to cancel the intra-group communication.
  • When you create a security group, if you did not set any rule, incoming traffics are not allowed to access VM instances in the security group. However, outgoing traffics from VM instances in the security group are allowed.
  • If you are using simultaneously the security group with other network services, such as load balancing and vRouter table, make sure that the corresponding rules required by these network services are added to the security group.









Products

Solutions

Help & Support

Contact Us

© 2023, Shanghai Yunzhou Information and Technology Ltd (云轴科技). All Rights Reserved.

Back to Top

Download

Already filled the basic info?Click here.

Enter at least 2 characters.
Invalid mobile number.
Enter at least 4 characters.
Invalid email address.
Wrong code. Try again. Send Code Resend Code (60s)

An email with a verification code will be sent to you. Make sure the address you provided is valid and correct.

Download

Not filled the basic info yet? Click here.

Invalid email address or mobile number.

Email Us

contact@zstack.io
ZStack Training and Certification
Enter at least 2 characters.
Invalid mobile number.
Enter at least 4 characters.
Invalid email address.
Wrong code. Try again. Send Code Resend Code (60s)

Email Us

contact@zstack.io
Request Trial
Enter at least 2 characters.
Invalid mobile number.
Enter at least 4 characters.
Invalid email address.
Wrong code. Try again. Send Code Resend Code (60s)

Email Us

contact@zstack.io

The download link is sent to your email address.

If you don't see it, check your spam folder, subscription folder, or AD folder. After receiving the email, click the URL to download the documentation.

The download link is sent to your email address.

If you don't see it, check your spam folder, subscription folder, or AD folder.
Or click on the URL below. (For Internet Explorer, right-click the URL and save it.)

Thank you for using ZStack products and services.

Submit successfully.

We'll connect soon.

Thank you for using ZStack products and services.