Networking in the cloud and network connectivity with the cloud

    Networking in the cloud and network connectivity with the cloud

    Hello dear cloud computing lovers.

    Today I was forced to write a post about networks - about those networks that are used in our cloud . I will try my best to explain how everything is organized here, and also talk about how you can connect to our cloud.



    So, for starters: if you take a virtual machine in our cloud , you will automatically be given an external routed network with a / 29 mask. This means that you do not immediately have two, not three, not four, but as many as 5 WHITE ADDRESSES! One address is left for us to use on the router. But then begins customization for the client. This means that we can:

    1. issue an external routable network with more addresses
    2. issue an isolated network for communication between virtual machines
    3. combine different options for providing these networks
    • issue both internal and external networks
    • issue 2 or more external networks or internal networks.

    Everything is limited by your imagination and desire to work with our technical support service. Let us dwell on each case.

    Case 1 (easy):
    You are purchasing a cloud hosting service for your virtual machine. We create a resource pool and give you a network with 5 addresses. You configure the virtual machine in accordance with the instructions received and (THERE!) It works (who would doubt it?). You wanted to save money and instead of taking another car for a new site, you just hung up another address with an alias. And (THERE!) - it also works. Case 2 (even easier, because I have not yet met):

    image

    image



    image



    You are a developer. Moreover, such a developer who is comfortable working in the VMware console. You need to organize a test stand to check out another HelloWorld project. Excellent! We upload our cars to the cloud (which has already been rented), connect them to a dedicated internal network, turn on and check everything we want. Bonus: you can use any addressing inside such a VLAN. Case 3 (pairwise, but not very strong, because it requires approximately 5 clicks of the mouse more than in 1 case):

    image

    image


    You went on about the “system” and decided not to get out of the general mass of those who use frontend / backend topology. For example, you have a web server with some important content and a database that this server accesses. The database should be inaccessible from the Internet, because it is awash with all kinds of marginals trying to steal / hack / add this database yourself. The easiest protection option is to protect it (database, database server) from communicating with the raging Internet at the 2nd level of the OSI network model. And this is also within our power. We issue 2 networks: a rich (as many as 5 IP addresses) external network and a dimensionless internal network. We connect the WEB server to these two networks with different adapters (YES, IT IS ALSO POSSIBLE!), We connect the database server only to the internal network. You get something like this topology:

    Networking in the Cloud: Isolated VLAN

    image

    After these manipulations, we separated the north of the databases from the Internet and various malicious programs won’t get to it (but we know that this problem is only the tip of the iceberg, because we need to finish the frontend, because through it the malware can still get onto our defenseless server with a database).

    Case 4:
    VMware has a product called vShield manager . In short: this is a regular firewall / router, implemented as a virtual machine. In addition to all this, its interface integrates with vCloud and you can manage settings (rules, routing, IPSec, etc. things) directly from the cloud. Something like case 3. However, now you can add NAT rules and configure firewall policies for yourself from the graphical interface: Case 4a:

    Configuring firewall policies from the GUI


    This case is very similar to the previous version, but unlike it, the router / firewall is not using vShield, but another solution (for example, MS TMG, Vyatta, or a specially configured distribution with an open source system). Those. we also select organizations in the cloud 2 networks: internal and external, and connect them to this router.

    Now I’ll talk a little about how you can configure secure connections to your clouds. As you may have guessed, there are 2 connection options: at level 2 of the OSI model and at level 3 of the same model.

    Connection at level 2: you either pull the wire into our data center or rent a VLAN from your provider, which is represented in our data center. We forward this link to your cloud and voila.

    Connection at level 3 is carried out through the public Internet via tunneling. This is the easiest way. It is also implemented on the basis of vShield, or any other specialized distribution. vShiled provides only IPsec tunnels. Below is an example of an operational tunnel of one of our clients:

    image

    Now you know how networks work in the IT-GRAD cloud; how to connect to your cloud and what you need for this. If you are really interested - ask your questions, I will try to help.

    Also popular now: