How to allow your VM to access the public Internet network

Introduction
Viewing the egress rules for a network
Adding an egress rule
Enabling egress for ping messages from a VM
Using CIDR notation


Introduction

Egress rules control traffic leaving VDC for the Internet through the firewall of a 'Local with Internet Gateway' network. Each egress rule specifies a protocol and the range of ports (or the ICMP type and code) allowed for outbound communication, together with the virtual machines permitted to use that egress, identified by the private IP addresses (in CIDR notation) that are granted it.

Important

A new 'Local with Internet Gateway' network has no egress rules by default, so its VMs cannot reach the Internet until you add one.


VDC egress rules are implemented by VDC's native virtual router. If you would rather run your own firewall application on a dedicated virtual machine, use a Public Direct Connect network instead, which connects directly to the Internet without an additional firewall.

To allow inbound connections, so that your VM can be reached from the public Internet, configure the firewall rules of the 'Local with Internet Gateway' network rather than its egress rules. See How to manage firewall rules for your VDC.

Viewing the egress rules for a network

Click Network in the left-hand menu, then click the name of the network you wish to modify, then click the Egress rules tab to show the panel.

The input boxes above the table are for adding a new egress rule; see 'Adding an egress rule' below.

The information for each rule comprises:

  • Source CIDR: the private IP address(es) which are granted egress (specified using CIDR notation);

  • Protocol: one of TCP, UDP, ICMP or All (that is, all of the protocols);

  • Start Port and End Port (for TCP or UDP): the port range granted egress by this rule; or

  • ICMP Type and ICMP Code (for ICMP): the ICMP message type and code granted egress.

If Protocol is set to 'All', then all ports and all ICMP types/codes are included.

The only action available for a rule is Delete egress rule. Rules cannot be edited; if a change is required, delete the rule and Add a new one.

Adding an egress rule

In the Egress rules panel, use the Add row at the top and specify:

  • Source CIDR: the private IP addresses which will be granted egress, using CIDR notation (see below). Note that a single IP address must also be written in CIDR form, that is, the IP address followed by '/32' (a '/31' prefix covers two addresses, not one).

  • Protocol: TCP (default), UDP, ICMP or All (that is, all of the protocols)

  • For TCP or UDP, enter the Start Port and End Port: either a single port (Start Port equal to End Port) or a range of ports.

  • For ICMP, enter the ICMP Type and ICMP Code.

Click the Add button to create the egress rule. It should then appear in the list of egress rules.

If you need to change a rule, you must delete it and Add a new rule.
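The procedure above is driven through the web panel, so it helps to see the semantics of the rule fields spelled out. The following is an added example, not code from the VDC product or its documentation: a small Python model of an egress rule table that evaluates whether an outbound packet would be let through. The class and function names (EgressRule, egress_allowed, validate_cidr) are invented for this illustration, the rule set is constructed sample data, and the model assumes what the page states: rules are allow-only, matched by source CIDR, protocol and port range or ICMP type/code, 'All' covers every port and ICMP type/code, and a network with no matching rule blocks the traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTOCOLS = {"TCP", "UDP", "ICMP", "All"}


def validate_cidr(cidr: str) -> bool:
    """True if cidr is a well-formed IPv4 CIDR with no host bits set.
    strict=True rejects e.g. 192.168.101.54/26, which a firewall would
    otherwise silently widen to 192.168.101.0/26."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class EgressRule:
    """One row of the Egress rules panel (hypothetical model; field names
    follow the panel's column headings)."""
    source_cidr: str                    # private IPs granted egress, CIDR form
    protocol: str                       # "TCP", "UDP", "ICMP" or "All"
    start_port: Optional[int] = None    # TCP/UDP only
    end_port: Optional[int] = None      # TCP/UDP only
    icmp_type: Optional[int] = None     # ICMP only
    icmp_code: Optional[int] = None     # ICMP only

    def __post_init__(self) -> None:
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unknown protocol {self.protocol!r}")
        if not validate_cidr(self.source_cidr):
            raise ValueError(f"bad Source CIDR {self.source_cidr!r}")
        if self.protocol in ("TCP", "UDP"):
            if self.start_port is None or self.end_port is None:
                raise ValueError("TCP/UDP rules need Start Port and End Port")
            if not 0 <= self.start_port <= self.end_port <= 65535:
                raise ValueError("invalid port range")
        if self.protocol == "ICMP" and (self.icmp_type is None or self.icmp_code is None):
            raise ValueError("ICMP rules need ICMP Type and ICMP Code")

    def matches(self, src_ip: str, protocol: str, port: Optional[int] = None,
                icmp_type: Optional[int] = None, icmp_code: Optional[int] = None) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source_cidr):
            return False
        if self.protocol == "All":          # all ports and all ICMP types/codes
            return True
        if self.protocol != protocol:
            return False
        if protocol in ("TCP", "UDP"):
            return port is not None and self.start_port <= port <= self.end_port
        return (icmp_type, icmp_code) == (self.icmp_type, self.icmp_code)


def egress_allowed(rules: List[EgressRule], src_ip: str, protocol: str,
                   port: Optional[int] = None, icmp_type: Optional[int] = None,
                   icmp_code: Optional[int] = None) -> bool:
    """Allow-only semantics: the packet leaves if any rule matches; with no
    matching rule (or an empty table, the default for a new network) it is blocked."""
    return any(r.matches(src_ip, protocol, port, icmp_type, icmp_code) for r in rules)


# Constructed sample rule set (not taken from a real VDC network).
SAMPLE_RULES = [
    EgressRule("192.168.101.0/26", "TCP", start_port=443, end_port=443),  # web tier: HTTPS only
    EgressRule("192.168.101.54/32", "All"),                                # one admin VM: everything
    EgressRule("0.0.0.0/0", "ICMP", icmp_type=8, icmp_code=0),            # ping from any VM
]

if __name__ == "__main__":
    checks = [
        ("192.168.101.10", "TCP", {"port": 443}),
        ("192.168.101.10", "TCP", {"port": 80}),
        ("192.168.101.70", "TCP", {"port": 443}),
        ("192.168.101.54", "UDP", {"port": 53}),
        ("192.168.101.200", "ICMP", {"icmp_type": 8, "icmp_code": 0}),
    ]
    for ip, proto, extra in checks:
        verdict = "allowed" if egress_allowed(SAMPLE_RULES, ip, proto, **extra) else "blocked"
        print(f"{ip:16} {proto:5} {extra} -> {verdict}")
```

The validation in validate_cidr is the check worth copying into any automation you build around the panel: a Source CIDR with host bits set is ambiguous, and it is safer to refuse it than to let the firewall widen it to a block you did not intend.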

Enabling egress for ping messages from a VM

A common way to test that virtual machines are running and responsive is to send them 'ping' messages (ICMP echo requests). These are also commonly used to measure network latency.

The 'Local with Internet Gateway' firewall does not enable ping egress by default. To allow VMs to send outward ping messages, create an egress rule as follows:

  • Source CIDR: 0.0.0.0/0

  • Protocol: ICMP

  • ICMP Type: 8, ICMP Code: 0 (that is, ICMP echo request)

You can restrict the ping egress to particular VMs by narrowing the Source CIDR input (see below). To check the rule, run a ping from a VM in the network to a public address, for example 'ping -c 3 8.8.8.8': before the rule exists the pings time out, and after it they should be answered.

Note: ping messages within the Interoute fibre backbone private network, that is, via Private Direct Connect networks, are not restricted by any firewalls. Firewall controls can also be turned on inside a virtual machine's operating system; for example, Ubuntu and CentOS have built-in firewall controls, which are not enabled in the standard VDC machine templates.

Using CIDR notation

CIDR (Classless Inter-Domain Routing) notation is a compact way to write contiguous ranges of IP addresses: an address followed by '/' and the number of leading bits that are fixed, so a smaller number after the '/' means a larger range. Here are some typical values:

'0.0.0.0/0': all IPv4 addresses, so in an egress rule it covers every VM in the 'Local' network (use this for an unrestricted egress rule)

'192.168.101.54/32': a single IP address (192.168.101.54 only; note that '192.168.101.54/31' would cover the pair 192.168.101.54 and 192.168.101.55)

'192.168.101.0/26': addresses in the range 192.168.101.0 to 192.168.101.63

'192.168.101.128/25': addresses in the range 192.168.101.128 to 192.168.101.255
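The examples above are best understood by working out what each prefix covers, and in the other direction by working out which prefixes to enter when the VMs you want to grant egress do not fall on a prefix boundary. The following is an added example, not code from the VDC product or its documentation. It uses Python's standard ipaddress module; the function names (cidr_range, single_host_cidr, cidrs_for_range, covers) are invented for this illustration, and it goes slightly beyond the page's list by decomposing an arbitrary address range into the separate CIDR blocks it needs, since the Egress rules panel accepts one CIDR per rule.

```python
import ipaddress
from typing import List, Tuple


def cidr_range(cidr: str) -> Tuple[str, str, int]:
    """Return (first address, last address, number of addresses) covered by cidr.
    strict=True rejects a prefix with host bits set, such as 192.168.101.54/26,
    so a mistyped Source CIDR fails loudly instead of widening to 192.168.101.0/26."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1]), net.num_addresses


def single_host_cidr(ip: str) -> str:
    """CIDR form of exactly one address: the /32 prefix (a /31 covers two)."""
    return f"{ipaddress.ip_address(ip)}/32"


def cidrs_for_range(first: str, last: str) -> List[str]:
    """Smallest set of CIDR blocks covering first..last inclusive. A range that is
    not aligned to a prefix needs one egress rule per block returned here."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def covers(cidr: str, ip: str) -> bool:
    """True if the Source CIDR would grant egress to the VM with address ip."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=True)


if __name__ == "__main__":
    # The page's own examples, plus the /31 and /32 forms side by side.
    for c in ("0.0.0.0/0", "192.168.101.54/32", "192.168.101.54/31",
              "192.168.101.0/26", "192.168.101.128/25"):
        first, last, n = cidr_range(c)
        print(f"{c:20} {first:16} to {last:16} ({n} addresses)")
    # Constructed case: VMs .0 through .100 need four rules, not one.
    print("rules for .0 to .100:", cidrs_for_range("192.168.101.0", "192.168.101.100"))
```

When a range is not prefix-aligned, resist rounding it up to the next larger block: the extra addresses it would include may be assigned to VMs that should not have egress at all, and the panel gives no warning.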