| <?xml version='1.0' encoding='utf-8' ?> |
| <!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ |
| <!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent"> |
| %BOOK_ENTITIES; |
| ]> |
| <!-- Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| http://www.apache.org/licenses/LICENSE-2.0 |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| <section id="add-gateway-vpc"> |
| <title>Adding a Private Gateway to a VPC</title> |
| <para>A private gateway can be added by the root admin only. The VPC private network has 1:1 |
| relationship with the NIC of the physical network. You can configure multiple private gateways |
| to a single VPC. No gateways with duplicated VLAN and IP are allowed in the same data |
| center.</para> |
| <orderedlist> |
| <listitem> |
| <para>Log in to the &PRODUCT; UI as an administrator or end user.</para> |
| </listitem> |
| <listitem> |
| <para>In the left navigation, choose Network.</para> |
| </listitem> |
| <listitem> |
| <para>In the Select view, select VPC.</para> |
| <para>All the VPCs that you have created for the account is listed in the page.</para> |
| </listitem> |
| <listitem> |
| <para>Click the Configure button of the VPC to which you want to configure load balancing |
| rules.</para> |
| <para>The VPC page is displayed where all the tiers you created are listed in a |
| diagram.</para> |
| </listitem> |
| <listitem> |
| <para>Click the Settings icon.</para> |
| <para>The following options are displayed.</para> |
| <itemizedlist> |
| <listitem> |
| <para>Internal LB</para> |
| </listitem> |
| <listitem> |
| <para>Public LB IP</para> |
| </listitem> |
| <listitem> |
| <para>Static NAT</para> |
| </listitem> |
| <listitem> |
| <para>Virtual Machines</para> |
| </listitem> |
| <listitem> |
| <para>CIDR</para> |
| </listitem> |
| </itemizedlist> |
| <para>The following router information is displayed:</para> |
| <itemizedlist> |
| <listitem> |
| <para>Private Gateways</para> |
| </listitem> |
| <listitem> |
| <para>Public IP Addresses</para> |
| </listitem> |
| <listitem> |
| <para>Site-to-Site VPNs</para> |
| </listitem> |
| <listitem> |
| <para>Network ACL Lists</para> |
| </listitem> |
| </itemizedlist> |
| </listitem> |
| <listitem> |
| <para>Select Private Gateways.</para> |
| <para>The Gateways page is displayed.</para> |
| </listitem> |
| <listitem> |
| <para>Click Add new gateway:</para> |
| <mediaobject> |
| <imageobject> |
| <imagedata fileref="./images/add-new-gateway-vpc.png"/> |
| </imageobject> |
| <textobject> |
| <phrase>add-new-gateway-vpc.png: adding a private gateway for the VPC.</phrase> |
| </textobject> |
| </mediaobject> |
| </listitem> |
| <listitem> |
| <para>Specify the following:</para> |
| <itemizedlist> |
| <listitem> |
| <para><emphasis role="bold">Physical Network</emphasis>: The physical network you have |
| created in the zone.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">IP Address</emphasis>: The IP address associated with the VPC |
| gateway.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">Gateway</emphasis>: The gateway through which the traffic is |
| routed to and from the VPC.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">Netmask</emphasis>: The netmask associated with the VPC |
| gateway.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">VLAN</emphasis>: The VLAN associated with the VPC |
| gateway.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">Source NAT</emphasis>: Select this option to enable the source |
| NAT service on the VPC private gateway.</para> |
| <para>See <xref linkend="sourcenat-private-gateway"/>.</para> |
| </listitem> |
| <listitem> |
| <para><emphasis role="bold">ACL</emphasis>: Controls both ingress and egress traffic on a |
| VPC private gateway. By default, all the traffic is blocked.</para> |
| <para>See <xref linkend="acl-private-gateway"/>.</para> |
| </listitem> |
| </itemizedlist> |
| <para>The new gateway appears in the list. You can repeat these steps to add more gateway for |
| this VPC.</para> |
| </listitem> |
| </orderedlist> |
| <section id="sourcenat-private-gateway"> |
| <title>Source NAT on Private Gateway</title> |
| <para>You might want to deploy multiple VPCs with the same super CIDR and guest tier CIDR. |
| Therefore, multiple guest VMs from different VPCs can have the same IPs to reach a enterprise |
| data center through the private gateway. In such cases, a NAT service need to be configured on |
| the private gateway to avoid IP conflicts. If Source NAT is enabled, the guest VMs in VPC |
| reaches the enterprise network via private gateway IP address by using the NAT service. </para> |
| <para>The Source NAT service on a private gateway can be enabled while adding the private |
| gateway. On deletion of a private gateway, source NAT rules specific to the private gateway |
| are deleted.</para> |
| <para>To enable source NAT on existing private gateways, delete them and create afresh with |
| source NAT. </para> |
| </section> |
| <section id="acl-private-gateway"> |
| <title>ACL on Private Gateway</title> |
| <para>The traffic on the VPC private gateway is controlled by creating both ingress and egress |
| network ACL rules. The ACLs contains both allow and deny rules. As per the rule, all the |
| ingress traffic to the private gateway interface and all the egress traffic out from the |
| private gateway interface are blocked. </para> |
| <para>You can change this default behaviour while creating a private gateway. Alternatively, you |
| can do the following:</para> |
| <orderedlist> |
| <listitem> |
| <para>In a VPC, identify the Private Gateway you want to work with.</para> |
| </listitem> |
| <listitem> |
| <para>In the Private Gateway page, do either of the following:</para> |
| <itemizedlist> |
| <listitem> |
| <para>Use the Quickview. See <xref linkend="quickview"/>.</para> |
| </listitem> |
| <listitem> |
| <para>Use the Details tab. See <xref linkend="details-tab"/> through .</para> |
| </listitem> |
| </itemizedlist> |
| </listitem> |
| <listitem id="quickview"> |
| <para>In the Quickview of the selected Private Gateway, click Replace ACL, select the ACL |
| rule, then click OK</para> |
| </listitem> |
| <listitem id="details-tab"> |
| <para>Click the IP address of the Private Gateway you want to work with.</para> |
| </listitem> |
| <listitem> |
| <para>In the Detail tab, click the Replace ACL button. <inlinemediaobject> |
| <imageobject> |
| <imagedata fileref="./images/replace-acl-icon.png"/> |
| </imageobject> |
| <textobject> |
| <phrase>replace-acl-icon.png: button to replace the default ACL behaviour.</phrase> |
| </textobject> |
| </inlinemediaobject></para> |
| <para>The Replace ACL dialog is displayed.</para> |
| </listitem> |
| <listitem> |
| <para>select the ACL rule, then click OK.</para> |
| <para>Wait for few seconds. You can see that the new ACL rule is displayed in the Details |
| page.</para> |
| </listitem> |
| </orderedlist> |
| </section> |
| <section id="static-route"> |
| <title>Creating a Static Route</title> |
| <para>&PRODUCT; enables you to specify routing for the VPN connection you create. You can enter |
| one or CIDR addresses to indicate which traffic is to be routed back to the gateway.</para> |
| <orderedlist> |
| <listitem> |
| <para>In a VPC, identify the Private Gateway you want to work with.</para> |
| </listitem> |
| <listitem> |
| <para>In the Private Gateway page, click the IP address of the Private Gateway you want to |
| work with.</para> |
| </listitem> |
| <listitem> |
| <para>Select the Static Routes tab.</para> |
| </listitem> |
| <listitem> |
| <para>Specify the CIDR of destination network.</para> |
| </listitem> |
| <listitem> |
| <para>Click Add.</para> |
| <para>Wait for few seconds until the new route is created.</para> |
| </listitem> |
| </orderedlist> |
| </section> |
| <section id="blacklist-route"> |
| <title>Blacklisting Routes</title> |
| <para>&PRODUCT; enables you to block a list of routes so that they are not assigned to any of |
| the VPC private gateways. Specify the list of routes that you want to blacklist in the |
| <code>blacklisted.routes</code> global parameter. Note that the parameter update affects |
| only new static route creations. If you block an existing static route, it remains intact and |
| continue functioning. You cannot add a static route if the route is blacklisted for the zone. |
| </para> |
| </section> |
| </section> |