Network Service

ZStack Cloud provides VM instances with multiple network services, including VPC firewall, security group, virtual IP address (VIP), elastic IP address (EIP), port forwarding, IPsec tunnel, load balancing, OSPF area, Netflow, port mirror, and route table.

ZStack Cloud supports the following two network models:
  • Flat network
  • VPC network

Network Service Module

The Network Service Module provides a group of network services. Note that this module has been hidden on the UI.

The Network Service Module has the following four types:
  1. Virtual Router Network Service Module (Not recommended)

    Provides various network services: DNS, SNAT, load balancing, port forwarding, EIP, and DHCP.

  2. Flat Network Service Module (Flat Network Service Provider)
    Provides the following network services:
    • User Data: Customizes parameters such as ssh-key injection. When the VM instance starts, cloud-init loads these parameters and injects them into the VM instance.
    • EIP: Allows you to access private networks through public networks.
    • DHCP: Dynamically obtains an IP address.
      Note: The DHCP service includes the DNS feature.
    • VIP QoS: Limits the upstream and downstream bandwidth. This applies only to EIPs.
  3. VPC vRouter Network Service Module
    Provides the following network services:
    • IPsec: Achieves VPN connections.
    • vRouter route table: Manages custom routes.
    • Centralized DNS: Provides the DNS service when the distributed DHCP service is enabled.
    • VIP QoS: Limits the upstream and downstream bandwidth of a virtual IP address.
    • DNS: Uses VPC vRouters to provide the DNS service.
    • SNAT: Enables VM instances to access the Internet directly.
    • Load balancing: Distributes inbound traffic from a VIP to a group of backend VM instances, and automatically detects and isolates unavailable VM instances.
    • Port forwarding: Forwards traffic on specified ports of a public IP address to the ports of the corresponding VM instances, according to the specified protocol.
    • EIP: Uses VPC vRouters to access private networks of VM instances through public networks.
    • DHCP: Provides the centralized DHCP service.
  4. Security Group Network Service Module
    Provides the following network service:
    • Security group: Controls VM instance firewalls by using iptables.

Flat Network Practice

In your production environments, we recommend that you use the following combination of network services:
  • Flat Network Service Module
    • User Data: Customizes parameters such as ssh-key injection. When the VM instance starts, cloud-init loads these parameters and injects them into the VM instance.
    • EIP: Allows you to access private networks through public networks.
    • DHCP: Dynamically obtains an IP address.
      Note: The DHCP service includes the DNS feature.
  • Security Group Network Service Module
    • Security group: Controls VM instance firewalls by using iptables.

VPC Network Practice

In your production environments, we recommend that you use the following combination of network services:
  • Flat Network Service Module
    • User Data: Customizes parameters such as ssh-key injection. When the VM instance starts, cloud-init loads these parameters and injects them into the VM instance.
    • DHCP: Dynamically obtains an IP address.
  • vRouter Network Service Module
    • DNS: Uses vRouters to provide the DNS service.
    • SNAT: Allows VM instances to access the Internet directly.
    • vRouter route table: Manages custom routes.
    • EIP: Uses vRouters to access private networks of VM instances through public networks.
    • Port forwarding: Forwards traffic on specified ports of a public IP address to the ports of the corresponding VM instances, according to the specified protocol.
    • Load balancing: Distributes inbound traffic from a VIP to a set of backend VM instances, and automatically detects and isolates unavailable VM instances.
    • IPsec: Achieves VPN connections.
  • Security Group Network Service Module
    • Security group: Controls VM instance firewalls by using iptables.

Advanced Network Services

  • Dynamic routing: Uses the Open Shortest Path First (OSPF) routing protocol to distribute routing information within a single autonomous system. This service applies to VPC network scenarios.
  • Multicast routing: Forwards the multicast information sent by the multicast source to VM instances, achieving one-to-multipoint communication between the sending side and the receiving side. This service applies to VPC network scenarios.
  • VPC firewall: Filters the south-north traffic on the VPC vRouter ports, effectively protecting the VPC communication security and VPC vRouter security. This service applies to VPC network scenarios.
  • Port mirroring: Copies network traffic of VM NICs from one port to another port so that the business packets on the ports can be analyzed, for better monitoring and management of network data. This service applies to flat network, vRouter network, and VPC network scenarios.
  • Netflow: Monitors and analyzes the inbound and outbound traffic of the VPC vRouter NICs. Currently, the following two data-flow output formats are supported: Netflow V5 and Netflow V9. This service applies to VPC network scenarios.

What Is a Security Group?

A security group provides security control services for VM NICs. It filters the ingress or egress TCP, UDP, and ICMP packets of VM NICs based on the specified security rules.

Characteristics

Security Group and Security Rule

A security group relies on security rules to filter flows entering or leaving VM NICs. You can add one or more security rules to a security group.
  • Security rules filter flows based on the flow source or flow destination. They are categorized into the following two types based on the direction of the flows they control:
    • Ingress Rule: Ingress rules take effect on flows entering VM NICs. They filter the sources of ingress flows.
    • Egress Rule: Egress rules take effect on flows leaving VM NICs. They filter the destinations of egress flows.
  • You can set IP addresses or other security groups as the flow sources/destinations of security rules.
    • IP address as source: A source IP address is filtered by ingress rules. The rules may allow or reject flows from this IP address to VM NICs.
    • Security group as source: A source security group is filtered by ingress rules. The rules may allow or reject flows from this security group to VM NICs.
    • IP address as destination: A destination IP address is filtered by egress rules. The rules may allow or reject VM NICs to access this IP address.
    • Security group as destination: A destination security group is filtered by egress rules. The rules may allow or reject VM NICs to access this security group.
  • You can set priorities for rules in the same direction. When rules conflict, for example, when an allow rule and a reject rule are set on the same source or destination, the rule with the highest priority takes effect.
  • By default, NICs in the same security group can communicate with each other: the system automatically adds the corresponding ingress/egress rules to the security group to ensure this mutual communication. These default rules cannot be modified or deleted. If you want to stop the mutual communication, disable these rules.

Security Group and VM NIC

A security group provides security controls to the VM NICs attached to it. A security group can be attached to one or more VM NICs, and a VM NIC can be attached to one or more security groups.
  • If you attach more than one security group to a VM NIC, you can set priorities for these groups. The NIC matches the rules of the group with the highest priority first, and then those of the groups with lower priorities.
    Note: By default, all admin security groups have a higher priority than user security groups.
  • After a NIC is attached to security groups, you need to set a default flow policy to process the flows that are not covered by any security group rule. By default, ingress flows not covered by any rule are rejected and egress flows not covered by any rule are allowed.
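The matching semantics just described, as an added Python example that is not ZStack code: a small model of rules, rule and group priorities, and the default flow policy, run against a constructed pair of groups (the group contents, the `Rule` class and the `evaluate` helper are assumptions made for illustration).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the semantics above (not ZStack code): groups are consulted in
# attachment-priority order and rules in rule-priority order; the first match decides.
DEFAULT_POLICY = {"ingress": "reject", "egress": "allow"}  # flows no rule covers

def parse_ports(spec):
    """'22,80-443' -> [(22, 22), (80, 443)]; an empty spec means any port."""
    ranges = []
    for entry in filter(None, (e.strip() for e in spec.split(","))):
        start, _, end = entry.partition("-")
        ranges.append((int(start), int(end or start)))
    return ranges

@dataclass
class Rule:
    direction: str   # "ingress" or "egress"
    priority: int    # 1..100, smaller number = higher priority
    action: str      # "allow" or "reject"
    protocol: str    # "ALL", "TCP", "UDP" or "ICMP"
    remote: str      # source (ingress) or destination (egress) IP/CIDR
    ports: str = ""  # page format, e.g. "22,80-443"; empty = all ports
    enabled: bool = True

    def matches(self, direction, proto, port, remote_ip):
        if not self.enabled or self.direction != direction or self.protocol not in ("ALL", proto):
            return False
        if self.ports and not any(a <= port <= b for a, b in parse_ports(self.ports)):
            return False
        return ip_address(remote_ip) in ip_network(self.remote, strict=False)

def evaluate(attached, direction, proto, port, remote_ip):
    """attached: list of (group_priority, rules). Returns 'allow' or 'reject'."""
    for _, rules in sorted(attached, key=lambda g: g[0]):
        for rule in sorted(rules, key=lambda r: r.priority):
            if rule.matches(direction, proto, port, remote_ip):
                return rule.action
    return DEFAULT_POLICY[direction]

# Constructed sample: an admin group (attachment priority 1) rejecting HTTP from
# one range, and a tenant web group (priority 2) whose conflicting allow/reject
# rules for SSH are resolved by rule priority.
ADMIN_GROUP = [Rule("ingress", 1, "reject", "TCP", "203.0.113.0/24", "80")]
WEB_GROUP = [
    Rule("ingress", 1, "allow", "TCP", "10.0.0.0/24", "22"),
    Rule("ingress", 2, "reject", "TCP", "0.0.0.0/0", "22"),
    Rule("ingress", 3, "allow", "TCP", "0.0.0.0/0", "80,443"),
]
NIC_GROUPS = [(1, ADMIN_GROUP), (2, WEB_GROUP)]
```

With these groups, SSH from 10.0.0.5 is allowed by the web group's rule 1 while SSH from anywhere else hits its rule 2, HTTP from 203.0.113.0/24 is rejected because the admin group is consulted first, and a UDP flow no rule mentions falls to the ingress default and is rejected.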

Security Group and Permission

Security groups are divided into admin security groups and tenant/sub-account security groups. Generally, admin security groups are created and owned by administrators (including admin and platform managers); tenant/sub-account security groups are created and owned by tenants/sub-accounts.
  • A tenant/sub-account can view and manage security groups owned by itself.
  • The administrator can view and manage all security groups. When attaching security groups to NICs, note that an admin security group can be attached to any NIC, while a tenant/sub-account security group can be attached only to NICs owned by the same tenant/sub-account.

Considerations

  • If you use a security group along with other network services, such as load balancing and route table, make sure that the security group rules required by these network services are added to the security group.
  • Public networks, flat networks, and VPC networks support the security group service. It is provided by the security group network service module, which uses iptables to implement security control.
  • A security group is a distributed firewall. Each security rule change, or NIC association or disassociation, causes the security group rules to be updated on all associated VM instances.

Create a Security Group

On the main menu of ZStack Cloud, choose Resource Center > Network Service > Basic Network Service > Security Group. On the Security Group page, click Create Security Group. Then, the Create Security Group page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the security group.
  • Description: Optional. Enter a description for the security group.
  • NIC: Optional. Add a NIC to the security group. You can add NICs either here or after the security group is created.
  • Ingress Rule: Optional. Add rules to filter flows accessing the security group. You can add ingress rules either here or after the security group is created.
  • Egress Rule: Optional. Add rules to filter flows out of the security group. You can add egress rules either here or after the security group is created.
To add an ingress/egress rule, set the following parameters:
  • Type: Set the direction of flows that the rule controls.
  • Priority: Optional. Set a priority to the rule. Valid values: integers from 1 to 100. A smaller number indicates a higher priority.
    Note:
    • If you do not set a priority manually, the rule is given a priority lower than that of all current rules by default.
    • If the priority you set has been occupied, the rule originally occupying it will be pushed back by one automatically. For example, if you set the priority as 2 for the current rule, the rule with the priority 2 originally will be pushed to 3, the original rule 3 will be pushed to 4, and so on.
  • IP Type: Choose IPv4 or IPv6.
  • Protocol: Choose a communication protocol that the rule takes effect on. Supported protocols: ALL, TCP, UDP, and ICMP.
  • Port: Set a port that the rule takes effect on if you choose the protocol as TCP or UDP.
    Note:
    • You can enter a port range in this format: ${Start_Port}-${End_Port}.
    • You can enter more than one port or port range (up to 10), with each port or port range separated by a comma (,).
  • Source: You need to set this parameter for an ingress rule to allow/reject the flows from the specified source. The source can be an IP address/CIDR or another security group.
    Note:
    • You can enter an IP range as the source in this format: Start IP-End IP.
    • If you enter both CIDRs and IP addresses in other formats, make sure that the CIDRs use 24-bit netmasks. If you enter CIDRs only, the netmasks are not limited.
    • You can enter more than one IP address, IP range, or CIDR (up to 10), with each entry separated by a comma (,).
  • Destination: You need to set this parameter for an egress rule to allow/reject VM NICs to access the specified destination. The destination can be an IP address/CIDR or another security group.
    Note:
    • You can enter an IP range as the destination in this format: Start IP-End IP.
    • If you enter both CIDRs and IP addresses in other formats, make sure that the CIDRs use 24-bit netmasks. If you enter CIDRs only, the netmasks are not limited.
    • You can enter more than one IP address, IP range, or CIDR (up to 10), with each entry separated by a comma (,).
  • Enable: Choose whether to make the rule take effect after the creation. Default: true. If set to false, this rule does not take effect after the creation until you enable it manually.
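The Priority push-back behaviour and the Source/Destination input rules above, as an added Python example that is not ZStack code: `insert_rule` and `parse_remote` are hypothetical helpers written here, and reading the 24-bit netmask rule as IPv4-only is an assumption.

```python
from ipaddress import ip_address, ip_network

MAX_ENTRIES = 10  # the page's limit for ports and for IP/range/CIDR entries

def insert_rule(priorities, name, priority=None):
    """priorities: dict rule name -> priority. Mirrors the Priority note: no value
    means lower than every current rule; an occupied value pushes the chain of
    occupants back by one (2 -> 3, 3 -> 4, ...) until a free slot is reached."""
    if priority is None:
        priority = max(priorities.values(), default=0) + 1
    if not 1 <= priority <= 100:
        raise ValueError("priority must be an integer from 1 to 100")
    occupant = {p: n for n, p in priorities.items()}
    p = priority
    while p in occupant:
        priorities[occupant[p]] = p + 1
        p += 1
    priorities[name] = priority
    return priorities

def parse_remote(spec):
    """Validate a Source/Destination value: up to 10 comma-separated entries, each
    an IP, a 'Start IP-End IP' range or a CIDR; when CIDRs are mixed with other
    formats every CIDR must carry a 24-bit netmask (IPv4 assumed here)."""
    entries = [e.strip() for e in spec.split(",")]
    if not 1 <= len(entries) <= MAX_ENTRIES:
        raise ValueError("1 to %d entries allowed" % MAX_ENTRIES)
    items = []
    for entry in entries:
        if "/" in entry:
            items.append(("cidr", ip_network(entry, strict=False)))
        elif "-" in entry:
            start, end = (ip_address(x.strip()) for x in entry.split("-", 1))
            if start > end:
                raise ValueError("range start is after its end: %s" % entry)
            items.append(("range", (start, end)))
        else:
            items.append(("ip", ip_address(entry)))
    kinds = {kind for kind, _ in items}
    if "cidr" in kinds and len(kinds) > 1:
        for kind, value in items:
            if kind == "cidr" and value.prefixlen != 24:
                raise ValueError("%s must use a 24-bit netmask when mixed" % value)
    return items
```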