en-US/add-gateway-vpc.xml

<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements.  See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership.  The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License.  You may obtain a copy of the License at
	http://www.apache.org/licenses/LICENSE-2.0
	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied.  See the License for the
	specific language governing permissions and limitations
	under the License.
-->
<section id="add-gateway-vpc">
  <title>Adding a Private Gateway to a VPC</title>
  <para>A private gateway can be added by the root admin only. The VPC private network has 1:1
    relationship with the NIC of the physical network. You can configure multiple private gateways
    to a single VPC. No gateways with duplicated VLAN and IP are allowed in the same data
    center.</para>
  <orderedlist>
    <listitem>
      <para>Log in to the &PRODUCT; UI as an administrator or end user.</para>
    </listitem>
    <listitem>
      <para>In the left navigation, choose Network.</para>
    </listitem>
    <listitem>
      <para>In the Select view, select VPC.</para>
      <para>All the VPCs that you have created for the account is listed in the page.</para>
    </listitem>
    <listitem>
      <para>Click the Configure button of the VPC to which you want to configure load balancing
        rules.</para>
      <para>The VPC page is displayed where all the tiers you created are listed in a
        diagram.</para>
    </listitem>
    <listitem>
      <para>Click the Settings icon.</para>
      <para>The following options are displayed.</para>
      <itemizedlist>
        <listitem>
          <para>Internal LB</para>
        </listitem>
        <listitem>
          <para>Public LB IP</para>
        </listitem>
        <listitem>
          <para>Static NAT</para>
        </listitem>
        <listitem>
          <para>Virtual Machines</para>
        </listitem>
        <listitem>
          <para>CIDR</para>
        </listitem>
      </itemizedlist>
      <para>The following router information is displayed:</para>
      <itemizedlist>
        <listitem>
          <para>Private Gateways</para>
        </listitem>
        <listitem>
          <para>Public IP Addresses</para>
        </listitem>
        <listitem>
          <para>Site-to-Site VPNs</para>
        </listitem>
        <listitem>
          <para>Network ACL Lists</para>
        </listitem>
      </itemizedlist>
    </listitem>
    <listitem>
      <para>Select Private Gateways.</para>
      <para>The Gateways page is displayed.</para>
    </listitem>
    <listitem>
      <para>Click Add new gateway:</para>
      <mediaobject>
        <imageobject>
          <imagedata fileref="./images/add-new-gateway-vpc.png"/>
        </imageobject>
        <textobject>
          <phrase>add-new-gateway-vpc.png: adding a private gateway for the VPC.</phrase>
        </textobject>
      </mediaobject>
    </listitem>
    <listitem>
      <para>Specify the following:</para>
      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">Physical Network</emphasis>: The physical network you have
            created in the zone.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">IP Address</emphasis>: The IP address associated with the VPC
            gateway.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Gateway</emphasis>: The gateway through which the traffic is
            routed to and from the VPC.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Netmask</emphasis>: The netmask associated with the VPC
            gateway.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">VLAN</emphasis>: The VLAN associated with the VPC
            gateway.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">Source NAT</emphasis>: Select this option to enable the source
            NAT service on the VPC private gateway.</para>
          <para>See <xref linkend="sourcenat-private-gateway"/>.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">ACL</emphasis>: Controls both ingress and egress traffic on a
            VPC private gateway. By default, all the traffic is blocked.</para>
          <para>See <xref linkend="acl-private-gateway"/>.</para>
        </listitem>
      </itemizedlist>
      <para>The new gateway appears in the list. You can repeat these steps to add more gateway for
        this VPC.</para>
    </listitem>
  </orderedlist>
  <section id="sourcenat-private-gateway">
    <title>Source NAT on Private Gateway</title>
    <para>You might want to deploy multiple VPCs with the same super CIDR and guest tier CIDR.
      Therefore, multiple guest VMs from different VPCs can have the same IPs to reach a enterprise
      data center through the private gateway. In such cases, a NAT service need to be configured on
      the private gateway to avoid IP conflicts. If Source NAT is enabled, the guest VMs in VPC
      reaches the enterprise network via private gateway IP address by using the NAT service. </para>
    <para>The Source NAT service on a private gateway can be enabled while adding the private
      gateway. On deletion of a private gateway, source NAT rules specific to the private gateway
      are deleted.</para>
    <para>To enable source NAT on existing private gateways, delete them and create afresh with
      source NAT. </para>
  </section>
  <section id="acl-private-gateway">
    <title>ACL on Private Gateway</title>
    <para>The traffic on the VPC private gateway is controlled by creating both ingress and egress
      network ACL rules. The ACLs contains both allow and deny rules. As per the rule, all the
      ingress traffic to the private gateway interface and all the egress traffic out from the
      private gateway interface are blocked. </para>
    <para>You can change this default behaviour while creating a private gateway. Alternatively, you
      can do the following:</para>
    <orderedlist>
      <listitem>
        <para>In a VPC, identify the Private Gateway you want to work with.</para>
      </listitem>
      <listitem>
        <para>In the Private Gateway page, do either of the following:</para>
        <itemizedlist>
          <listitem>
            <para>Use the Quickview. See <xref linkend="quickview"/>.</para>
          </listitem>
          <listitem>
            <para>Use the Details tab. See <xref linkend="details-tab"/> through .</para>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem id="quickview">
        <para>In the Quickview of the selected Private Gateway, click Replace ACL, select the ACL
          rule, then click OK</para>
      </listitem>
      <listitem id="details-tab">
        <para>Click the IP address of the Private Gateway you want to work with.</para>
      </listitem>
      <listitem>
        <para>In the Detail tab, click the Replace ACL button. <inlinemediaobject>
            <imageobject>
              <imagedata fileref="./images/replace-acl-icon.png"/>
            </imageobject>
            <textobject>
              <phrase>replace-acl-icon.png: button to replace the default ACL behaviour.</phrase>
            </textobject>
          </inlinemediaobject></para>
        <para>The Replace ACL dialog is displayed.</para>
      </listitem>
      <listitem>
        <para>select the ACL rule, then click OK.</para>
        <para>Wait for few seconds. You can see that the new ACL rule is displayed in the Details
          page.</para>
      </listitem>
    </orderedlist>
  </section>
  <section id="static-route">
    <title>Creating a Static Route</title>
    <para>&PRODUCT; enables you to specify routing for the VPN connection you create. You can enter
      one or CIDR addresses to indicate which traffic is to be routed back to the gateway.</para>
    <orderedlist>
      <listitem>
        <para>In a VPC, identify the Private Gateway you want to work with.</para>
      </listitem>
      <listitem>
        <para>In the Private Gateway page, click the IP address of the Private Gateway you want to
          work with.</para>
      </listitem>
      <listitem>
        <para>Select the Static Routes tab.</para>
      </listitem>
      <listitem>
        <para>Specify the CIDR of destination network.</para>
      </listitem>
      <listitem>
        <para>Click Add.</para>
        <para>Wait for few seconds until the new route is created.</para>
      </listitem>
    </orderedlist>
  </section>
  <section id="blacklist-route">
    <title>Blacklisting Routes</title>
    <para>&PRODUCT; enables you to block a list of routes so that they are not assigned to any of
      the VPC private gateways. Specify the list of routes that you want to blacklist in the
        <code>blacklisted.routes</code> global parameter. Note that the parameter update affects
      only new static route creations. If you block an existing static route, it remains intact and
      continue functioning. You cannot add a static route if the route is blacklisted for the zone.
    </para>
  </section>
</section>