Network Service


Overview

ZStack provides VM instances with multiple network resources, including VPC firewall, security group, virtual IP address (VIP), elastic IP address (EIP), port forwarding, IPsec tunnel, load balancing, and flow monitoring.

ZStack supports the following three network models:
  • Flat network
  • vRouter network
  • VPC

Network Service Module

Network Service Module provides a group of network services. Note that this module has been hidden on the UI.

Network Service Module has the following four types:
  1. Virtual Router Network Service Module (Not recommended)

    Provides various network services: DNS, SNAT, load balancing, port forwarding, EIP, and DHCP.

  2. Flat Network Service Module (Flat Network Service Provider)
    Provides the following network services:
    • User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
    • EIP: Is realized by distributed EIP, which allows private networks to be accessed through public networks.
    • DHCP: Is realized by distributed DHCP to dynamically obtain an IP address.
      Note: The DHCP service includes the DNS feature.
    • VIP QoS: Adjusts the upstream bandwidth and downstream bandwidth, and can only be applied to EIPs.
  3. vRouter Network Service Module
    Provides the following network services:
    • IPsec: Achieves VPN connections.
    • vRouter route table: Manages custom routes.
    • Centralized DNS: Is provided when the DHCP service is enabled.
    • VIP QoS: Adjusts the upstream bandwidth and downstream bandwidth.
    • DNS: Uses vRouters to provide the DNS service.
    • SNAT: Enables VM instances to access the Internet directly.
    • Load balancing: Distributes inbound traffic from a VIP to a group of backend VM instances. Unavailable VM instances are detected and isolated automatically.
    • Port forwarding: Forwards traffic on the ports of specified public IP addresses to the ports of the corresponding VM instances according to the specified protocols.
    • EIP: Uses vRouters to access private networks of VM instances through public networks.
    • DHCP: Provides the centralized DHCP service.
  4. Security Group Network Service Module
    Provides the following network service:
    • Security group: Controls the firewall security of VM instances by using iptables.

Flat Network Practice

In your production environments, we recommend that you use the following combination of network services:
  • Flat Network Service Module
    • User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
    • EIP: Is realized by distributed EIP, which allows private networks to be accessed through public networks.
    • DHCP: Is realized by distributed DHCP to dynamically obtain an IP address.
      Note: The DHCP service includes the DNS feature.
  • Security Group Network Service Module
    • Security group: Controls the firewall security of VM instances by using iptables.

vRouter Network Practice

In your production environments, we recommend that you use the following combination of network services:
  • Flat Network Service Module
    • User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
    • DHCP: DHCP allows you to dynamically obtain an IP address.
  • vRouter Network Service Module
    • DNS: Uses vRouters to provide the DNS service.
    • SNAT: Allows VM instances to access the Internet directly.
    • vRouter route table: Manages custom routes.
    • EIP: Uses vRouters to access private networks of VM instances through public networks.
    • Port forwarding: Forwards traffic on the ports of specified public IP addresses to the ports of the corresponding VM instances according to the specified protocols.
    • Load balancing: Distributes inbound traffic from a VIP to a set of backend VM instances. Unavailable VM instances are detected and isolated automatically.
    • IPsec: Achieves VPN connections.
  • Security Group Network Service Module
    • Security group: Controls the firewall security of VM instances by using iptables.

VPC Network Practice

In your production environments, we recommend that you use the following combination of network services:
  • Flat Network Service Module
    • User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
    • DHCP: Is realized by distributed DHCP to dynamically obtain an IP address.
  • vRouter Network Service Module
    • DNS: Uses VPC vRouters to provide DNS services.
    • SNAT: Allows VM instances to access the Internet directly.
    • vRouter route table: Manages custom routes.
    • EIP: Uses VPC vRouters to access private networks of VM instances through public networks.
    • Port forwarding: Forwards traffic on the ports of specified public IP addresses to the ports of the corresponding VM instances according to the specified protocols.
    • Load balancing: Distributes inbound traffic from a VIP to a set of backend VM instances. Unavailable VM instances are detected and isolated automatically.
    • IPsec: Achieves VPN connections.
  • Security Group Network Service Module
    • Security group: Controls the firewall security of VM instances by using iptables.

Advanced Network Services

  • Dynamic routing: Uses the Open Shortest Path First (OSPF) routing protocol to distribute routing information within a single autonomous system. This service applies to VPC network scenarios.
  • Multicast routing: Forwards the multicast traffic sent by a multicast source to VM instances, achieving one-to-many communication between the sending side and the receiving side. This service applies to VPC network scenarios.
  • VPC firewall: Filters the south-north traffic on the VPC vRouter ports, effectively protecting VPC communication security and VPC vRouter security. This service applies to VPC network scenarios.
  • Port mirroring: Copies the network traffic of VM NICs from one port to another port so that the business packets on the ports can be analyzed, which helps you monitor and manage network data. This service applies to flat network, vRouter network, and VPC network scenarios.
  • Netflow: Monitors and analyzes the inbound and outbound traffic of VPC vRouter NICs. Currently, the following two data-flow output formats are supported: Netflow V5 and Netflow V9. This service applies to VPC network scenarios.

VPC Firewall

A VPC firewall manages the south-north traffic of VPC networks, and allows you to manage access control policies by configuring rule sets and rules.

The VPC firewall topology is shown in Figure 1 (VPC Firewall).
Figure 1. VPC Firewall


  • Assume that VM-1 attempts to access VM-3: The traffic from VM-1 is matched against the inbound rule set of the public NIC on the VPC vRouter. If malicious traffic is detected, the access is denied.
  • Assume that VM-2 attempts to access VM-4: The traffic from VM-2 is matched against the inbound rule set of the public NIC on the VPC vRouter, and then against the outbound rule set of the private NIC on the VPC vRouter. If the traffic is trusted, the access is allowed.
  • Assume that Server-2 attempts to access Server-1: The traffic from Server-2 is matched against the inbound rule set of the private NIC on the VPC vRouter, and then against the outbound rule set of the public NIC on the VPC vRouter. If the traffic is trusted, the access is allowed.
Difference between a VPC firewall and a security group: A VPC firewall manages the south-north traffic, and can be applied to the entire VPC. By contrast, a security group mainly manages the east-west traffic, and is applied to VM NICs. They complement each other. The detailed differences are as follows.

Comparison           | Security Group                                       | VPC Firewall
---------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------
Application scope    | VM NIC                                               | The entire VPC network
Deployment mode      | Distributed                                          | Centralized
Deployment location  | VM instance                                          | VPC vRouter
Configuration policy | Supports only allow policies                         | Lets you customize accept, drop, or reject policies as needed
Priority             | Takes effect according to the configuration sequence | Lets you customize priorities
Matching rules       | Source IP address, source port, and source protocol  | Source IP address, source port, destination IP address, destination port, protocol, and packet status

Notice

When you use a VPC firewall, note the following:
  • One VPC vRouter can be used to create only one VPC firewall.
  • One NIC includes an inbound direction and an outbound direction. You can configure only one rule set for each direction.
  • The control mechanism of a VPC vRouter restricts external access to VM instances that have no EIP. If you use static routing or OSPF, note that static routing and OSPF will not be available when the firewall with priority 9999 is disabled. If you still want to use static routing and OSPF, add an inbound rule to the public network NIC.
When you use a rule set, note the following:
  • One rule set can have up to 9999 rules attached.
  • Only outbound rule sets can be created. Outbound rule sets apply to the outbound direction of the NIC.
  • Exercise caution: the inbound and outbound directions of a rule set are defined from the perspective of the NICs of the VPC vRouter.
  • The inbound rule sets are created by the system by default. You can customize your rules in an inbound rule set, but you cannot delete inbound rule sets.
  • The rule sets of the same outbound direction can be reused on multiple NICs.
When you use a rule, note the following:
  • A rule is a part of a rule set, and cannot be reused on multiple rule sets.
  • A system rule is a preconfigured rule that supports system services. The system rule has two priority ranges: 1-1000 and 4000-9999. The priority range of a custom rule is 1001-2999. The system reserved priority range is 3000-3999. Lower integers indicate higher priorities.
  • System rules cannot be added, modified, or deleted.
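The rule-set behaviour this section describes (first match in priority order, custom rules confined to 1001-2999, accept/drop/reject actions, and a packet crossing the inbound rule set of one vRouter NIC and then the outbound rule set of another, as in the VM-2 to VM-4 path of Figure 1) can be modelled in a few lines. The following Python is an added example written for this page, not ZStack code; the Packet and Rule layout, the sample rule sets, their terminal rules and the default verdict for an unmatched packet are assumptions.

```python
# Added example (not ZStack code) modelling VPC firewall rule sets as the page describes
# them; Packet/Rule layout, sample rules, terminal rules and no-match default are assumptions.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

Packet = namedtuple("Packet", "src dst proto dport state")  # dport 0 for ICMP
CUSTOM_RANGE = (1001, 2999)  # system: 1-1000 and 4000-9999; reserved: 3000-3999
@dataclass(frozen=True)
class Rule:
    priority: int              # lower integer = higher priority
    action: str                # "accept", "drop" or "reject"
    src: str = "0.0.0.0/0"     # source IP range
    dst: str = "0.0.0.0/0"     # destination IP range
    proto: str = "any"         # "any", "tcp", "udp" or "icmp"
    dport: tuple = (0, 65535)  # destination port range, (0, 65535) = any
    state: str = "any"         # packet status: "any", "new" or "established"

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport[0] <= p.dport <= self.dport[1]
                and self.state in ("any", p.state))

def add_custom_rule(rule_set: list, rule: Rule) -> list:
    """Users may only use priorities 1001-2999; system rules cannot be touched."""
    if not CUSTOM_RANGE[0] <= rule.priority <= CUSTOM_RANGE[1]:
        raise ValueError(f"custom priority {rule.priority} outside {CUSTOM_RANGE}")
    rule_set.append(rule)
    return rule_set

def evaluate(rule_set: list, p: Packet, default: str = "drop") -> str:
    """First match wins, checked in ascending priority (lower integer first)."""
    for rule in sorted(rule_set, key=lambda r: r.priority):
        if rule.matches(p):
            return rule.action
    return default  # assumption: a packet matching no rule is dropped

def forward(path: list, p: Packet) -> str:
    """Apply each NIC rule set on the packet's path through the VPC vRouter (e.g.
    public inbound, then private outbound for VM-2 -> VM-4); first non-accept wins."""
    verdicts = [evaluate(rule_set, p) for rule_set in path]
    return next((v for v in verdicts if v != "accept"), "accept")
# Constructed sample rule sets for the VM-2 -> VM-4 path in Figure 1.
PUBLIC_INBOUND = [
    Rule(1001, "accept", src="203.0.113.0/24", proto="tcp"),  # trusted remote site
    Rule(1002, "accept", state="established"),                # return traffic
    Rule(9999, "drop"),                                       # sample terminal rule
]
PRIVATE_OUTBOUND = [
    Rule(1001, "reject", dst="10.0.2.0/24", proto="tcp", dport=(22, 22)),  # no SSH
    Rule(9999, "accept"),                                     # sample terminal rule
]
```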

Security Group

A security group provides L3 network security controls over VM instances, and controls TCP, UDP, and ICMP data packets for effective filtering. You can use a security group to effectively control specified VM instances on specified networks according to specified security rules.
  • Flat networks, vRouter networks, and VPC all support the security group service. The service is provided by the Security Group Network Service Module, which performs security controls over VM instances by using iptables on all three network types.
  • A security group is in effect a distributed firewall. When you modify a rule, or when you add or delete a NIC, the firewall rules that apply to the VM instances are updated accordingly.
Security group rule:
  • A security group rule has one of the following two traffic types, according to the direction of the data packets:
    • Ingress: Represents inbound data packets that access a VM instance.
    • Egress: Represents outbound data packets that are sent from a VM instance.
  • A security group rule supports the following protocol types:
    • ALL: Includes all protocol types, indicating that you cannot specify a port.
    • TCP: Supports ports 1-65535.
    • UDP: Supports ports 1-65535.
    • ICMP: By default, both the start port and the end port are -1, indicating that all ICMP protocols are supported.
  • A security group rule can limit the sources of data that come from inside or outside VM instances. Currently, a source can be set as a source CIDR or a source security group.
    • Source CIDR: Allows only the specified CIDR.
    • Source security group: Allows only the VM instances in a specified security group.
    Note: If you set both a CIDR and a security group, only their intersection takes effect.
A security group topology is shown in Figure 1.
Figure 1. Security Group
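The matching rules above (ingress/egress direction, the ALL/TCP/UDP/ICMP port conventions, a source CIDR or a source security group, and the intersection when both are set) as an added Python example written for this page, not ZStack code. The SgRule layout, the sample groups and their members, and the default deny for a packet that no rule allows are assumptions.

```python
# Added example (not ZStack code): a model of security group rule matching as the
# page describes it (allow-only rules, CIDR or security-group sources and their
# intersection). Names, the sample groups and the default deny are assumptions.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SgRule:
    direction: str        # "ingress" (into the VM) or "egress" (out of the VM)
    protocol: str         # "ALL", "TCP", "UDP" or "ICMP"
    start_port: int = -1  # -1: no port (ALL) or all ICMP types
    end_port: int = -1
    src_cidr: str = ""    # source CIDR, "" = not set
    src_group: str = ""   # source security group name, "" = not set

    def __post_init__(self):
        if self.protocol == "ALL" and (self.start_port, self.end_port) != (-1, -1):
            raise ValueError("a rule with protocol ALL cannot specify a port")
        if self.protocol in ("TCP", "UDP") and not 1 <= self.start_port <= self.end_port <= 65535:
            raise ValueError("TCP/UDP ports must lie in 1-65535")

def allowed(rules, members, direction, protocol, port, peer_ip) -> bool:
    """True if any rule of the security group permits the packet (rules can only
    allow; a packet no rule matches is denied, an assumption of this model).
    peer_ip is the remote end of the packet. members maps group name -> set of
    member VM NIC IPs, the state a distributed firewall needs to resolve a
    source security group into addresses."""
    ip = ipaddress.ip_address(peer_ip)
    for r in rules:
        if r.direction != direction or r.protocol not in ("ALL", protocol):
            continue
        if r.protocol in ("TCP", "UDP") and not r.start_port <= port <= r.end_port:
            continue
        if r.src_cidr and ip not in ipaddress.ip_network(r.src_cidr):
            continue  # with both CIDR and group set, only their intersection passes
        if r.src_group and peer_ip not in members.get(r.src_group, set()):
            continue
        return True
    return False

# Constructed sample: a "db" group that admits MySQL only from the "web" group,
# ping from its own subnet, and SSH only from web members inside 10.0.0.0/8.
MEMBERS = {"web": {"10.0.1.10", "10.0.1.11"}, "db": {"10.0.1.20"}}
DB_RULES = [
    SgRule("ingress", "TCP", 3306, 3306, src_group="web"),
    SgRule("ingress", "ICMP", src_cidr="10.0.1.0/24"),
    SgRule("ingress", "TCP", 22, 22, src_cidr="10.0.0.0/8", src_group="web"),
]
```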



VIP

In a bridged networking environment, virtual IP addresses (VIPs) are used to provide a group of network services such as elastic IP address (EIP), port forwarding, load balancing, and IPsec tunnel. Packets will be sent to VIPs and then routed to the VM networks.
  • The VIP created from a public network can be used to provide network services such as EIP and load balancing for flat networks.
  • The VIP created from a public network can be used to provide network services, such as EIP, port forwarding, load balancing, and IPsec tunnel, for vRouter networks and VPC networks.
  • The VIP created from a VPC network can be used to provide load balancing services for VPC networks.
  • The VIP created from a flat network can be used to provide network services, such as EIP and load balancing, for flat networks.
The following is an example of providing the load balancing service by using a VIP, as shown in Figure 1 (Provide Load Balancing by Using VIP).
Figure 1. Provide Load Balancing by Using VIP


Definitions related to VIP:
  • Public VIP: The VIP created from a public network. A public VIP can be created manually, or created automatically by the Cloud after a vRouter is created.
    • A public VIP can provide network services, such as EIP and load balancing, for flat networks. A public VIP can also provide network services, such as EIP, port forwarding, load balancing, and IPsec tunnel, for vRouter networks and VPC networks.
    • A public VIP can be simultaneously applied to services such as port forwarding, load balancing, and IPsec tunnel, and supports multiple instances of the same service type. Note that different types of services cannot use the same port number.
    • A public VIP supports QoS, monitoring data, performance TOP 5, performance analysis, alarm, and other features.
  • VPC VIP: The VIP created from a VPC network. A VPC VIP can only be created manually.
    • A private VPC VIP can provide load balancing services for VPC networks.
    • Currently, private VPC VIPs do not support QoS, monitoring data, performance TOP 5, performance analysis, and alarm features.
  • Private VIP: The VIP created from a flat network. A private VIP can be created manually, or created automatically by the Cloud after a vRouter is created.
    • A private VIP provides network services, such as EIP and load balancing, for flat networks.
    • A private VIP supports QoS, monitoring data, performance TOP 5, performance analysis, alarm, and other features.
  • Custom VIP: The VIP manually created by a user. Public VIPs, VPC VIPs, and private VIPs can be created manually.
    • One custom public VIP is only applied to one EIP service instance.
    • Custom VIPs cannot be used across normal vRouters or VPC vRouters.
    • When you use the EIP, port forwarding, load balancing, or IPsec tunnel services, you can select Create new IP to create a new VIP, or you can select Use existing IP to provide corresponding services.
  • System VIP: The VIP automatically created by the Cloud by using the L3 network attached by a vRouter (a normal vRouter or VPC vRouter) after the vRouter is successfully created. Both public VIPs and private VIPs can be created automatically by the Cloud after a vRouter is created.
    • A system VIP has a one-to-one relationship with a vRouter or VPC vRouter. Each time a vRouter attaches a public network, the Cloud will automatically create a system VIP. In addition, the system VIP is the same as the default IP address of the vRouter or VPC vRouter.
    • By default, the system VIPs created from public networks are used to provide the source network address translation service.
    • When you use the EIP, port forwarding, load balancing, or IPsec tunnel service, you can select Use existing IP to provide corresponding services.



