How to create a network for your VDC

Introduction
Types of network in VDC
Creating a 'Local with Internet Gateway' network
Creating a 'Local Private' network
Creating a 'Public Direct Connect' network
Creating a 'Direct Connect Group' and 'Private Direct Connect' networks
Private Direct Connect network with gateway services egress (outbound Internet)
Deleting networks


Introduction

This document describes how to use the VDC Control Centre graphical interface to create networks. For a guide to using the API interface to create networks, see VDC API: How to create a network.

Types of network in VDC

There are five types of network available in VDC. You may see alternative names for these in other information about VDC, or other Interoute products. Alternative names are noted in each case.

The types can be categorised as 'Local' or 'Direct Connect'.

  • Local with Internet Gateway: A network with internet connection and related services for firewall, NAT (port forwarding), load balancing and IPSEC VPN.

  • Local Private: A local network with no internet connection or services. This type of network has no virtual router: please note that this has some effects you may not expect for setting up and configuring virtual machines.

  • Public Direct Connect: A network which contains a range of public IP addresses that are directly accessible from the Internet. This is used for example if you want to connect a virtual firewall appliance directly into the Internet.

  • Private Direct Connect network in a Direct Connect Group (alternative name: 'MPLS IPVPN network'): Private networks between VDC zones are provided free to all VDC customers. These networks run over Interoute's global fibre network and provide fast, high-capacity connections between your VMs in any of the VDC zones. Each Private Direct Connect network (within one zone) must belong to a Direct Connect Group, which provides the inter-connection between the zones.

  • Private Direct Connect network with gateway services egress: Private MPLS network (same functionality as the previous type) with additional egress-only connection to the Internet; this is useful, for example, in a case where you have server or container host virtual machines which require always-on outbound Internet access to software repositories.

Direct Connect networks may take up to 24 hours to activate, although they will appear to be available in VDC. The listNetworks API command has an 'isprovisioned' response which will be set to 'true' when a network is active and available for use. Please contact Interoute support if you have any queries about the availability of a new network.

The main place for information about networks is accessed by clicking the Network button on the main left-hand menu. There is a Select view dropdown box at the top where you can switch between a listing of Networks or Direct Connect Groups.

The network types are known by various names in VDC, as shown in the following table. The column headings show the parameter/response names used in the VDC API.

displayednetworktype                        networkofferingname               type      subtype
Internet Gateway                            PrivateWithGatewayServices        Isolated  internetgateway
Private                                     Isolated                          Isolated  private
Direct Connect (public)                     IPAC/IPVPN                        Shared    publicdirectconnect
Direct Connect (private)                    IPAC/IPVPN                        Shared    privatedirectconnect
Direct Connect (private with GW services)   SharedWithGatewayServicesEgress   Shared    privatedirectconnectwithgatewayservicesegress
Unknown                                     IPAC/IPVPN                        Shared    unknown

In the VDC Control Centre, 'Type' is shown in the details view with the value shown in the 'displayednetworktype' column, but note that 'Type' in the network list view is abbreviated to 'Direct Connect' without the subtype in parentheses.

The type 'Unknown' usually applies to a system network (such as those used by vTools) and it should not appear for customer-controlled networks.

Creating a 'Local with Internet Gateway' network

Local with Internet Gateway is the standard network type for connecting virtual machines to the Internet, and to each other within the same zone. The network has a 'virtual router' (VR) which provides a firewall, load balancing, and NAT port-forwarding. The VR is also used to communicate information to each VM, notably DHCP services for the VM to automatically set its own IP network configuration.

In a new VDC account you will find a 'default network' of this type already created in each zone. When created, the network has a completely closed firewall. You have full control over the inbound and outbound traffic of the network: you can add egress rules for outbound traffic, and port forwarding or load balancing rules for inbound traffic.

Another service provided by this network type is an IPSEC VPN (virtual private network). This allows remote client computers to use the Internet to make an encrypted connection by 'tunneling' in to become part of your VDC network. You will need suitable client software on your own computers; for example, you can use the built-in clients provided for Windows or Mac OS.

Use the + Add network button to create a network with the following inputs, all of which are required:

  • Identifier: description text for the network

  • Network Type = 'Local Network'

  • Local Type = 'Internet Gateway'

  • Zone: Select the required zone

  • CIDR: the CIDR of the IP address range for the network, for example '192.168.10.0/24'

  • Gateway: the IP address of the network gateway, for example '192.168.10.254'

Note: the network 'name' is not user-defined and it will be set using the pattern: 'Network Local VDC_ACCOUNT_NAME NUM' (where NUM is a number that increments with each new network of the given type).

Important

It is your own responsibility to check that the CIDR you choose is unique for this Local network in this region. VDC will not raise an error if you use the same CIDR range for more than one network.


The 'gateway' address can be chosen anywhere in the CIDR range, but '.254' or '.1' are conventional choices.

Creating a 'Local Private' network

A Local Private network functions as a Local network without the virtual router that provides the Internet connection and network-related services. Hence it can be used as a 'private' network; for example, the network architecture for a web-based application will typically place database server VMs on a private network.

The lack of a virtual router does have the following consequences for VM deployment and configuration which you will need to deal with:

  • There is no DHCP service on the network, therefore a deployed VM cannot query the network to configure its network interface. You will need to log in via the VM console and manually configure the VM's network, hostname, etc.

  • VDC cannot set or reset a VM root password. The password set at deployment will be the default root password for the operating system. However, VDC will incorrectly report that it has installed a randomised password.

  • VDC cannot bootstrap a VM by the passing of 'userdata' to initialisation scripts on the VM.

Use the + Add network button to create a network with the following inputs, all of which are required:

  • Identifier: description text for the network

  • Network Type = 'Local Network'

  • Local Type = 'Private'

  • Zone: Select the required zone

  • CIDR: the CIDR of the IP address range for the network, for example '192.168.11.0/24'

The network 'name' is not user-defined and it will be set using the pattern: 'Network Local VDC_ACCOUNT_NAME NUM' (where NUM is a number that increments with each new network of the given type).

Important

It is your own responsibility to check that the CIDR you choose is unique for this Local network in this region. VDC will not raise an error if you use the same CIDR range for more than one network.


Creating a 'Public Direct Connect' network

This type of network consists of a range of public IP addresses that are directly connected to the Internet. When you attach a VM to this type of network it must be configured with appropriate firewall software and be 'hardened' for Internet use.

This network type is intended for use with VMs running dedicated firewall or load balancer applications. A range of open source and enterprise applications are available in the Interoute Cloudstore.

Use the + Add network button to create a network with the following inputs, all of which are required:

  • Identifier: description text for the network

  • Network Type = 'Direct Connect (public)'

  • Zone: Select the required zone

  • Subnet size: the CIDR suffix to specify the network size (/29 only available)

The network 'name' is not user-defined and it will be set using the pattern: 'Network Public Direct Connect VDC_ACCOUNT_NAME NUM' (where NUM is a number that increments with each new network of the given type).

The available network size is currently restricted to '/29' only; that is, eight network addresses, of which six are reserved for system use, so you get two usable IP addresses. If you require a larger network please submit a request ticket to Interoute support.

The created network might be assigned, for example, the public IP addresses '213.251.9.208/29', that is, the eight addresses from 213.251.9.208 to 213.251.9.215. However only two of these are available to the user. Here is what you will typically get:

213.251.9.208: network address
213.251.9.209: USER AVAILABLE
213.251.9.210: VDC virtual router
213.251.9.211: USER AVAILABLE
213.251.9.212: Interoute backbone router 1
213.251.9.213: Interoute backbone router 2
213.251.9.214: gateway address
213.251.9.215: broadcast address

A '/28' network would be allocated a range of 16 IP addresses. Six of these would be reserved, as above, so you would have 10 usable addresses.

Important

Public Direct Connect networks may take up to 24 hours to activate, although they will appear to be available in VDC. The listNetworks API command has an 'isprovisioned' response which will be set to 'true' when a network is active and available for use. Please contact Interoute support if you have any queries about the availability of a new network.


Creating a 'Direct Connect Group' and 'Private Direct Connect' networks

With Private Direct Connect networks you can create a private inter-zone network, and this will work for any number of VDC zones across the three global VDC regions.

Inter-zone connection is established by membership of a Direct Connect Group (DCG). Networks in the same group are inter-connected. You can remove a network from a group or re-attach the network to a different group; however, these changes are not possible under user control, so you need to raise a request ticket to Interoute support. There is no charge for the setting up of Direct Connect Groups, or for any data transfer on Interoute private networks. It is also possible to create inter-connections in the same DCG with Interoute VPN networks or third-party VPN networks.

Important

You may have a need to create multiple DCGs if you require isolation of network traffic for particular purposes (such as compliance regulations). However one DCG can be sufficient in most cases as it will support multiple sets of VMs communicating for different tasks, and your network traffic is isolated using strong MPLS IPVPN protocols. All network traffic between VDC zones flows entirely via Interoute's private optic fibre network.


To check if you have any existing DCG, switch the Select view dropdown box to Direct Connect Groups.

You may see that a DCG named 'Default' has already been created. Sometimes, this will have been done when your account was created.

To create a Direct Connect Group (DCG), click the + Add Direct Connect Group button, which then requires one input:

  • Name: the name to be associated with the DCG; this must be unique within a VDC account

When a DCG exists for your VDC account, you can create a Private Direct Connect network in any zone. Use the + Add network button and insert these inputs into the dialog box:

  • Identifier: description text for the network

  • Network Type: 'Direct Connect (private)'

  • Gateway Services: 'No'

  • Zone: Select the required zone

  • CIDR: the CIDR of the IP address range for the network, for example '10.0.101.0/24'

  • DCG Name: Select the DCG that you wish to use, if there is more than one

  • Gateway: the IP address of the network gateway, for example '10.0.101.254'

Note: the network 'name' is not user-defined and it will be set using the pattern: 'Network Private Direct Connect VDC_ACCOUNT_NAME NUM' (where NUM is a number that increments with each new network of the given type).

It is conventional to use private IP addresses starting with '10.' for private networks, but you are not required to follow this.

The 'gateway' address can be chosen anywhere in the CIDR range, but '.254' or '.1' are conventional choices.

Important

Private Direct Connect networks and Direct Connect Groups may take up to 24 hours to activate, although they will appear to be available in VDC. The listNetworks API command has an 'isprovisioned' response which will be set to 'true' when a network is active and available for use. Please contact Interoute support if you have any queries about the availability of a new network.
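Because a Direct Connect network (and its group) can appear in the Control Centre long before 'isprovisioned' turns 'true', it is worth checking that flag from a script before attaching VMs or running automation against the network. The following Python is an added example, not code from this guide or from Interoute: it parses a listNetworks reply, lists the networks that are not yet provisioned, and polls until a given network becomes ready. The JSON wrapper shape ('listnetworksresponse' / 'network') and the placeholder IDs are assumptions; the field names 'name', 'subtype' and 'isprovisioned' are the ones described in this guide, and the sample reply is constructed.

```python
import json
import time

# Constructed sample reply from listNetworks. The outer JSON shape is an
# assumption; 'name', 'subtype' and 'isprovisioned' are the fields this
# guide describes. The IDs are placeholders, not real network UUIDs.
SAMPLE_RESPONSE = json.dumps({
    "listnetworksresponse": {
        "count": 3,
        "network": [
            {"id": "UUID-PLACEHOLDER-1", "name": "Network Local EXAMPLE 1",
             "subtype": "internetgateway", "isprovisioned": True},
            {"id": "UUID-PLACEHOLDER-2", "name": "Network Private Direct Connect EXAMPLE 1",
             "subtype": "privatedirectconnect", "isprovisioned": False},
            {"id": "UUID-PLACEHOLDER-3", "name": "Network Public Direct Connect EXAMPLE 1",
             "subtype": "publicdirectconnect", "isprovisioned": "true"},
        ],
    }
})


def parse_networks(raw):
    """Return the list of network records from a raw listNetworks JSON reply."""
    body = json.loads(raw)
    return body.get("listnetworksresponse", {}).get("network", [])


def is_provisioned(network):
    """True only when 'isprovisioned' is boolean True or the string 'true'.

    Treats a missing field as not provisioned, so a network is never assumed
    ready by accident.
    """
    value = network.get("isprovisioned", False)
    return value is True or str(value).lower() == "true"


def unprovisioned_names(raw):
    """Names of networks in the reply that still show isprovisioned != true."""
    return [n["name"] for n in parse_networks(raw) if not is_provisioned(n)]


def wait_until_provisioned(fetch, network_id, attempts=10, delay=0.0):
    """Poll 'fetch' (a callable returning a raw listNetworks reply) until the
    network with 'network_id' reports isprovisioned true.

    Returns the number of polls used, or None if the network never became
    ready within 'attempts'. Activation can take up to 24 hours, so a real
    caller would use a long 'delay' and a large 'attempts' value.
    """
    for poll in range(1, attempts + 1):
        for n in parse_networks(fetch()):
            if n.get("id") == network_id and is_provisioned(n):
                return poll
        time.sleep(delay)
    return None


if __name__ == "__main__":
    print("not yet provisioned:", unprovisioned_names(SAMPLE_RESPONSE))
```

In practice 'fetch' would wrap your signed listNetworks API call; the example passes a plain callable so the polling logic can be exercised offline.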


Private Direct Connect network with gateway services egress (outbound Internet)

Creating this type of network requires an existing Direct Connect Group. You create the network in the same way as a standard Private Direct Connect network, but set the 'Gateway Services' selector to 'Yes':

  • Identifier: description text for the network

  • Network Type: 'Direct Connect (private)'

  • Gateway Services: 'Yes'

  • Zone: Select the required zone

  • CIDR: the CIDR of the IP address range for the network, for example '10.0.101.0/24'

  • DCG Name: Select the DCG that you wish to use, if there is more than one

  • Gateway: it must be '.254' in the specified CIDR, for example '10.0.101.254'

For this network type, the Gateway must be '.254' in the chosen CIDR.
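The Control Centre does not check that a CIDR is unique among your Local networks in a region, nor that a gateway address is sensible, so these checks fall to you. The following Python is an added example, not code from this guide or from Interoute, that covers the rules stated in the Local and Private Direct Connect sections above: overlap of a proposed CIDR with existing Local networks, a gateway lying inside the CIDR and not on the network or broadcast address, and the '.254' gateway requirement for gateway services egress networks. The list of existing networks is constructed sample data with made-up names; the 'subtype' values are taken from the table in this guide; the reading of '.254' as "last octet equal to 254" is an assumption for ranges other than a /24.

```python
import ipaddress

# Constructed sample of the networks already present in one region.
# Made-up names and ranges, not data from any real VDC account.
EXISTING_NETWORKS = [
    {"name": "Network Local EXAMPLE 1", "subtype": "internetgateway", "cidr": "192.168.10.0/24"},
    {"name": "Network Local EXAMPLE 2", "subtype": "private", "cidr": "192.168.11.0/24"},
    {"name": "Network Private Direct Connect EXAMPLE 1", "subtype": "privatedirectconnect",
     "cidr": "10.0.101.0/24"},
]

# API 'subtype' values from the network types table in this guide.
LOCAL_SUBTYPES = {"internetgateway", "private"}
EGRESS_SUBTYPE = "privatedirectconnectwithgatewayservicesegress"


def overlapping_networks(cidr, existing, subtypes=LOCAL_SUBTYPES):
    """Names of existing networks of the given subtypes whose range overlaps 'cidr'.

    VDC raises no error for a duplicate or overlapping CIDR, so this is the
    check the guide asks you to do yourself before clicking '+ Add network'.
    """
    new = ipaddress.ip_network(cidr, strict=True)
    return [
        n["name"]
        for n in existing
        if n["subtype"] in subtypes and ipaddress.ip_network(n["cidr"]).overlaps(new)
    ]


def check_gateway(cidr, gateway, subtype):
    """Problems with a gateway choice; an empty list means it is acceptable."""
    net = ipaddress.ip_network(cidr, strict=True)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    # Gateway-services egress networks must use '.254'. Interpreted here as
    # "last octet is 254" (an assumption for ranges other than a /24).
    if subtype == EGRESS_SUBTYPE and int(gw) & 0xFF != 254:
        problems.append(f"gateway services egress networks require the '.254' address, got {gw}")
    return problems


def validate_new_network(cidr, gateway, subtype, existing=EXISTING_NETWORKS):
    """Collect every problem with a proposed network before it is created."""
    try:
        ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 192.168.12.1/24
    except ValueError as exc:
        return [f"invalid CIDR {cidr!r}: {exc}"]
    problems = []
    if subtype in LOCAL_SUBTYPES:
        for name in overlapping_networks(cidr, existing):
            problems.append(f"CIDR {cidr} overlaps existing Local network {name!r}")
    if gateway is not None:  # a Local Private network has no gateway input
        problems.extend(check_gateway(cidr, gateway, subtype))
    return problems


if __name__ == "__main__":
    for args in [
        ("192.168.10.128/25", "192.168.10.254", "internetgateway"),
        ("192.168.12.0/24", "192.168.12.254", "internetgateway"),
        ("10.0.102.0/24", "10.0.102.1", EGRESS_SUBTYPE),
    ]:
        print(args, "->", validate_new_network(*args) or "OK")
```

Run validate_new_network() with the values you intend to type into the dialog and the CIDRs of your existing networks in that region; an empty result means none of the rules above is broken.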

(Note: the network 'name' is not user-defined and it will be set using the pattern: 'Network Private Direct Connect VDC_ACCOUNT_NAME NUM'.)

The network will have all of the functionality of 'Private Direct Connect', with the addition of outbound-only Internet connection. The Internet egress is not controllable with firewall egress rules, unlike the case of 'Local with Internet Gateway' networks.

The typical use case for this type of network is where you have virtual machines that require network interconnection across multiple VDC zones, and which also require continuous Internet egress for connection to software repositories, for example the Docker Hub for downloading container images.

Deleting networks

Local networks can be deleted using the Control Centre by selecting the details panel for any network (that is, click the network's name in the listing) and clicking the Delete network button.

This function is also available with the API command deleteNetwork by specifying the network UUID.

Direct Connect networks cannot be deleted by the user. You should submit a request ticket to Interoute support.