Network Service

Overview

ZStack Cloud provides VM instances with multiple network resources, including VPC firewall, security group, virtual IP address (VIP), elastic IP address (EIP), port forwarding, IPsec tunnel, load balancing, and flow monitoring.

ZStack Cloud supports the following three network models:

Flat network
vRouter network
VPC

Network Service Module

Network Service Module provides a group of network services. Note that this module has been hidden on the UI.

Network Service Module has the following four types:

Virtual Router Network Service Module (Not recommended)
Provides various network services: DNS, SNAT, load balancing, port forwarding, EIP, and DHCP.
Flat Network Service Module (Flat Network Service Provider)
Provides the following network services:
- User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
- EIP: Is realized by distributed EIP to access private networks through public networks.
- DHCP: Is realized by distributed DHCP to dynamically obtain an IP address.
  Note: The DHCP service includes the DNS feature.
- VIP QoS: Adjusts the upstream bandwidth and downstream bandwidth, and can only be applied to EIPs.
vRouter Network Service Module
Provides the following network services:
- IPsec: Achieves VPN connections.
- vRouter route table: Manages custom routes.
- Centralized DNS: Is provided when the DHCP service is enabled.
- VIP QoS: Adjusts the upstream bandwidth and downstream bandwidth.
- DNS: Uses vRouters to provide the DNS service.
- SNAT: Enables VM instances to access directly the Internet.
- Load balancing: Distributes inbound traffics from a VIP to a group of backend VM instances. Then, unavailable VM instances will be detected and isolated automatically.
- Port forwarding: Forwards port traffics of specified public IP addresses to the ports of corresponding VM instances according to specified protocols.
- EIP: Uses vRouters to access private networks of VM instances through public networks.
- DHCP: Provides the centralized DHCP service.
Security Group Network Service Module
Provides the following network service:
- Security group: Manipulates securities of VM instance firewalls by using iptables.

Flat Network Practice

In your production environments, we recommend that you use the following combination of network services:

Flat Network Service Module
- User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
- EIP: Is realized by distributed EIP can access private networks through public networks.
- DHCP: Is realized by distributed DHCP to dynamically obtain an IP address.
  Note: The DHCP service includes the DNS feature.
Security Group Network Service Module
- Security group: Manipulates securities of VM instance firewalls by using iptables.

vRouter Network Practice

In your production environments, we recommend that you use the following combination of network services:

Flat Network Service Module
- User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
- DHCP: DHCP allows you to dynamically obtain an IP address.
vRouter Network Service Module
- DNS: Uses vRouters to provide the DNS service.
- SNAT: Allows VM instances to access directly the Internet.
- vRouter route table: Manages custom routes.
- EIP: Uses vRouters to access private networks of VM instances through public networks.
- Port forwarding: Forwards port traffics of specified public IP addresses to the ports of corresponding VM instances according to specified protocols.
- Load balancing: Distributes inbound traffics from a VIP to a set of backend VM instances. Then, unavailable VM instances will be detected and isolated automatically.
- IPsec: Achieves VPN connections.
Security Group Network Service Module
- Security group: Manipulates securities of VM instance firewalls by using iptables.

VPC Network Practice

In your production environments, we recommend that you use the following combination of network services:

Flat Network Service Module
- User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
- DHCP: Is realized by distributed DHCP to dynamically obtain an IP address.
vRouter Network Service Module
- DNS: Uses VPC vRouters to provide DNS services.
- SNAT: Allows VM instances to access directly the Internet.
- vRouter route table: Manages custom routes.
- EIP: Uses VPC vRouters to access private networks of VM instances through public networks.
- Port forwarding: Forwards port traffics of specified public IP addresses to the ports of corresponding VM instances according to specified protocols.
- Load balancing: Distributes inbound traffics from a VIP to a set of backend VM instances, and unavailable VM instances will be detected and isolated automatically.
- IPsec: Achieves VPN connections.
Security Group Network Service Module
- Security group: Manipulates securities of VM instance firewalls by using iptables.

Advanced Network Services

Dynamic routing: Uses the Open Shortest Path First (OSPF) routing protocol to distribute routing information within a single autonomous system. This service applies to VPC network scenarios.
Multicast routing: Forwards the multicast information sent by the multicast source to VM instances, achieving one-to-multi-point communication in the transmission side and receiving side. This service applies to VPC network scenarios.
VPC firewall: Filters the south-north traffic on the VPC vRouter ports, effectively protecting the VPC communication security and VPC vRouter security. This service applies to VPC network scenarios.
Port mirroring: Copies and sends network traffics of VM NICs from a port to another port, and analyzes the business packets on the ports, better monitoring and managing the network data. This service applies to flat network, vRouter network, and VPC network scenarios.
Netflow: Monitors and analyzes the inbound and outbound traffics of the VPC vRouter NICs. Currently, the following two types of data-flow output formats are supported: Netflow V5 and Netflow V9. This service applies to VPC network scenarios.

VPC Firewall

A firewall is an access control policy that monitors ingress and egress traffic of VPC vRouters and decides whether to allow or block specific traffic based on the associated rule sets and rules.

Concepts

Firewall rule set: A firewall rule set is a set of rules that a firewall uses to defend against network attacks. You need to associate a rule set with the egress or ingress flow direction of VPC vRouter NICs to make the rule set take effect.
- You can associate a rule set with the egress or ingress flow direction of VPC vRouter NICs:
  - Ingress: applies to the traffic that flows into the specified VPC vRouter via a network.
  - Egress: applies to the traffic that flows out of the specified VPC vRouter via a network.
Firewall rule: A firewall rule is an access control entry associated with the egress or ingress flow direction of VPC vRouter NICs to defend against network attacks. A firewall rule includes rule priority, match condition, and behavior.
- You can associate a rule with the egress or ingress flow direction of VPC vRouter NICs:
  - Ingress: applies to the traffic that flows into the specified VPC vRouter via a network.
  - Egress: applies to the traffic that flows out of the specified VPC vRouter via a network.
- Firewall rules can be categorized into custom rules and system rules:
  - Custom rules: rules that you customize. You can select the ingress or egress direction that the rules take effect and configure the rule priorities, match conditions, and behaviors.
    - Rule priority: the priority of a rule to be matched and take effect when compared with other firewall rules. Valid values: 1001 to 2999.
      - Generally, a rule with a higher priority is primarily matched when compared to a rule with a lower priority. Priorities are represented by using numbers. A smaller number indicates a higher priority.
      - Generally, the more specific the match condition that you configure for a rule is, the higher priority you shall configure for the rule.
    - Match condition: the condition based on which traffic flowing into or out of a VPC network is matched. It includes source IP address, destination IP address, source port, destination port, packet status, and protocol.
      - You can specify one or more source and destination IP addresses. These IP addresses can be static IP addresses, IP ranges, CIDR blocks, or a mix of the three.
      - If you specify multiple entries, which include one or more CIDR blocks, the netmask of the CIDR block must be 24. If you specify only one CIDR block, the netmask of the CIDR block is not limited.
      - You can enter a maximum of ten entries, with each entry separated by a comma (,).
    - Behavior: the action to be applied to traffic that meets the match condition. Valid values: accept, drop, and reject.
      - Accept: accepts the traffic that flows in or out of the specified VPC vRouter.
      - Drop: drops the traffic that flows in or out of the specified VPC vRouter and does not respond to the client.
      - Reject: rejects the traffic that flows in or out of the specified VPC vRouter and responds to the client.
  - System rules: rules predefined to support system services. The system predefines the direction that the rules take effect, and the priority, match condition, and behavior of the rules.
    - The priority of system rules ranges from 1 to 1000 or from 4000 to 9999.
    - ZStack Cloud has predefined the following system rules:
      - Firewall rules that take effect on the ingress direction of VPC vRouter NICs:
        
        Rule 1: The priority is 4000, and the behavior and match condition combination determines to allow established or related data packets from any IP address/port, with any protocol, or to any IP address/port, to flow into the specified VPC vRouter via a network.
        
        Rule 2: The priority is 9999, and the behavior and match condition combination determines to allow new data packets from any IP address/port, with any protocol, or to any IP address/port, to flow into the specified VPC vRouter via a network.
        
        Rule 3: the default rule with a priority of 10000. The behavior and match condition combination determines to reject data packets from any IP address/port, with any protocol, in any status, or to any IP address/port, from flowing into the specified VPC vRouter via a network. You can modify the behavior of the rule. Valid values: accept, drop, and reject.
      - Firewall rules that take effect on the egress direction of VPC vRouter NICs:
        
        Rule 1: the default rule with a priority of 10000. The behavior and match condition combination determines to reject data packets from any IP address/port, with any protocol, in any status, or to any IP address/port, from flowing into the specified VPC vRouter via a network. You can modify the behavior of the rule. Valid values: accept, drop, and reject.
      - System rules cannot be modified, except the behavior of the default rule.
      - System rules cannot be created or deleted.
Rule template: A rule template is a template that you can select when you add rules to a rule set or a firewall.
IP/Port set: An IP or port set is a set of IP addresses or ports that you can select when you add rules to a rule set or a firewall.

Fundamentals

ZStack Cloud allows you to associate rule sets and rules with the ingress and egress direction of VPC vRouter NICs. Then traffics that flow in or out of the VPC vRouter NICs are filtered based on the rule priority, match condition, behavior, and the effect direction. This ensures the security of data communications across VPC networks, of VPC vRouters, and of user business operations.

Assume that a server and two VM instances are deployed in a VPC network to run significant business applications. To ensure business security, firewall rule sets and rules are associated with the ingress or egress direction of VPC vRouters, so that only trustful traffics from the public network are allowed to access VM data in the VPC network and that the server in the VPC network can access the server data in the public network.

When VM-1 attempts to access VM-3: The traffic from VM-1 will match the inbound rule set of the public NIC on the VPC vRouter. If malicious traffics are detected, the access is denied.
When VM-2 attempts to access VM-4: The traffic from VM-2 will match the inbound rule of the public NIC on the VPC vRouter, and then will match the outbound rule set of the private NIC on the VPC vRouter. If trusted traffics are detected, the access is allowed.
When Server-2 attempts to access Server-1: The traffic from Sever-2 will match the inbound rule set of the private NIC on the VPC vRouter, and then will match the outbound rule set of the public NIC on the VPC vRouter. If trusted traffics are detected, the access is allowed.

Firewall vs Security

A firewall manages the south-north traffic of VPC networks. A security group manages the east-west traffic of VPC networks and is applied to VM NICs. The two services complement with each other. The following table compares the two services from three aspects.

Item	Security Group	Firewall
Application scope	VM NIC	The entire VPC network
Deployment mode	Distributed	Centralized
Deployment location	VM instance	VPC vRouter
Configuration policy	Supports only Allow policies	Allows you to customize Accept, Drop, or Reject policies as needed
Priority	Takes effect based on the predefined rule sequence	Allows you to customize priorities
Match condition	Source IP address, source port, and protocol	Source IP address, source port, destination IP address, destination port, protocol, and packet status

Security Group

A security group provides security control services for VM NICs. It filters the ingress or egress TCP, UDP, and ICMP packets of VM NICs based on the specified security rules.

Characteristics

Security Group and Security Rule

A security group relies on security rules to filter flows accessing or out of VM NICs. You can add one or more security rules to a security group.

Security rules filter flows based on the flow source or flow destination. They can be categorized into the following two types based on the direction of flows they control:
- Ingress Rule: Ingress rules take effect on flows accessing VM NICs. They are responsible for filtering ingress flow sources.
- Egress Rule: Egress rules take effect on flows out of VM NICs. They are responsible for filtering egress flow destinations.
You can set IP addresses or other security group as flow sources/destinations of security rules.
- IP address as source: A source IP is filtered by ingress rules. The rules may allow or reject the flows from this IP address to access VM NICs.
- Security group as source: A source security group is filtered by ingress rules. The rules may allow or reject the flows from this security group to access VM NICs.
- IP address as destination: A destination IP is filtered by egress rules. The rules may allow or reject VM NICs to access this IP address.
- Security group as destination：A destination security group is filtered by egress rules. The rules may allow or reject VM NICs to access this security group.
You can set priorities for rules on the same direction. The highest rule take effect when a conflict occurs in such a scenario as you set more than one rule, especially an allow rule and a reject rule, on the same source or destination.
By default, mutual communications among NICs in the same security group are allowed and the system automatically add corresponding ingress/egress rules to the security group to ensure these mutual communication. These default rules cannot be modified or deleted. If you want to cancel the mutual communications, just disable these rules.

Security Group and VM NIC

A security group provide security controls to VM NICs attached to it. A security group can be attached to one or more VM NIC, and a VM NIC can be attached to one or more security group.

If you attach more than one security groups to a VM NIC, you can set priorities for these groups. The NIC matches the rules of the group with the highest priority first, and then the group of lower priorities.
Note: By default, all admin security group have higher priority than user security groups.
After attached to security groups, you need to set a default flow policy to process the flows that are not stipulated by security group rules. By default, all ingress rules that are not stipulated are rejected and all egress rules that are not stipulated are allowed.

Security Group and Permission

Security groups are divided into admin security groups and tenant/sub-account security groups. Generally, admin security groups are created and owned by administrators (including admin and platform managers); tenant/sub-account security groups are created and owned by tenants/sub-accounts.

A tenant/sub-account can view and manage security groups owned by itself.
The administrator can view and manage all security group. When attach security groups to NICs, note that an admin security group can be attached to any NIC, while To a tenant/sub-account security group can be attached to only NICs owned by the same tenant/sub-account.

Considerations

If you use a security group along with other network services, such as load balancing and route table, make sure that the security group rules required by these network services are added to the security group.
Public networks, flat networks, and VPC networks support the security group service. It is provided by the security group network service module, which uses iptables to implement security control.
A security group is a distributed firewall. Each security rule change, NIC association or disassociation will cause the security group rule to be updated on all associated VM instances.

Network Service

Overview

Network Service Module

Flat Network Practice

vRouter Network Practice

VPC Network Practice

Advanced Network Services

VPC Firewall

Concepts

Fundamentals

Firewall vs Security

Security Group

Characteristics

Considerations

Products

Solutions

Help & Support

Contact Us