en-US/vpc.xml - cloudstack-docs - Git at Google

 <?xml version='1.0' encoding='utf-8' ?>
 <!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
 %BOOK_ENTITIES;
 ]>
 <!-- Licensed to the Apache Software Foundation (ASF) under one
     or more contributor license agreements.  See the NOTICE file
     distributed with this work for additional information
     regarding copyright ownership.  The ASF licenses this file
     to you under the Apache License, Version 2.0 (the
     "License"); you may not use this file except in compliance
     with the License.  You may obtain a copy of the License at
     http://www.apache.org/licenses/LICENSE-2.0
     Unless required by applicable law or agreed to in writing,
     software distributed under the License is distributed on an
     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
     KIND, either express or implied.  See the License for the
     specific language governing permissions and limitations
     under the License.
 -->
 <section id="vpc">
   <title>About Virtual Private Clouds</title>
   <para>&PRODUCT; Virtual Private Cloud is a private, isolated part of &PRODUCT;. A VPC can have its
     own virtual network topology that resembles a traditional physical network. You can launch VMs
     in the virtual network that can have private addresses in the range of your choice, for example:
     10.0.0.0/16. You can define network tiers within your VPC network range, which in turn enables
     you to group similar kinds of instances based on IP address range.</para>
   <para>For example, if a VPC has the private range 10.0.0.0/16, its guest networks can have the
     network ranges 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, and so on.</para>
   <formalpara>
     <title>Major Components of a VPC:</title>
     <para>A VPC is comprised of the following network components:</para>
   </formalpara>
   <itemizedlist>
     <listitem>
       <para><emphasis role="bold">VPC</emphasis>: A VPC acts as a container for multiple isolated
         networks that can communicate with each other via its virtual router.</para>
     </listitem>
     <listitem>
       <para><emphasis role="bold">Network Tiers</emphasis>: Each tier acts as an isolated network
         with its own VLANs and CIDR list, where you can place groups of resources, such as VMs. The
         tiers are segmented by means of VLANs. The NIC of each tier acts as its gateway.</para>
     </listitem>
     <listitem>
       <para><emphasis role="bold">Virtual Router</emphasis>: A virtual router is automatically
         created and started when you create a VPC. The virtual router connect the tiers and direct
         traffic among the public gateway, the VPN gateways, and the NAT instances. For each tier, a
         corresponding NIC and IP exist in the virtual router. The virtual router provides DNS and
         DHCP services through its IP.</para>
     </listitem>
     <listitem>
       <para><emphasis role="bold">Public Gateway</emphasis>: The traffic to and from the Internet
         routed to the VPC through the public gateway. In a VPC, the public gateway is not exposed to
         the end user; therefore, static routes are not support for the public gateway.</para>
     </listitem>
     <listitem>
       <para><emphasis role="bold">Private Gateway</emphasis>: All the traffic to and from a private
         network routed to the VPC through the private gateway. For more information, see <xref
           linkend="add-gateway-vpc"/>.</para>
     </listitem>
     <listitem>
       <para><emphasis role="bold">VPN Gateway</emphasis>: The VPC side of a VPN connection.</para>
     </listitem>
     <listitem>
       <para><emphasis role="bold">Site-to-Site VPN Connection</emphasis>: A hardware-based VPN
         connection between your VPC and your datacenter, home network, or co-location facility. For
         more information, see <xref linkend="site-to-site-vpn"/>.</para>
     </listitem>
     <listitem>
       <para><emphasis role="bold">Customer Gateway</emphasis>: The customer side of a VPN
         Connection. For more information, see <xref linkend="create-vpn-customer-gateway"/>.</para>
     </listitem>
     <listitem>
       <para><emphasis role="bold">NAT Instance</emphasis>: An instance that provides Port Address
         Translation for instances to access the Internet via the public gateway. For more
         information, see <xref linkend="enable-disable-static-nat-vpc"/>.</para>
     </listitem>
     <listitem>
       <para><emphasis role="bold">Network ACL</emphasis>:  Network ACL is a group of Network ACL
         items. Network ACL items are nothing but numbered rules that are evaluated in order,
         starting with the lowest numbered rule. These rules determine whether traffic is allowed in
         or out of any tier associated with the network ACL. For more information, see <xref linkend="configure-acl"/>.</para>
     </listitem>
   </itemizedlist>
   <formalpara>
     <title>Network Architecture in a VPC</title>
     <para>In a VPC, the following four basic options of network architectures are present:</para>
   </formalpara>
   <itemizedlist>
     <listitem>
       <para>VPC with a public gateway only</para>
     </listitem>
     <listitem>
       <para>VPC with public and private gateways</para>
     </listitem>
     <listitem>
       <para>VPC with public and private gateways and site-to-site VPN access</para>
     </listitem>
     <listitem>
       <para>VPC with a private gateway only and site-to-site VPN access</para>
     </listitem>
   </itemizedlist>
   <formalpara>
     <title>Connectivity Options for a VPC</title>
     <para>You can connect your VPC to:</para>
   </formalpara>
   <itemizedlist>
     <listitem>
       <para>The Internet through the public gateway.</para>
     </listitem>
     <listitem>
       <para>The corporate datacenter by using a site-to-site VPN connection through the VPN
         gateway.</para>
     </listitem>
     <listitem>
       <para>Both the Internet and your corporate datacenter by using both the public gateway and a
         VPN gateway.</para>
     </listitem>
   </itemizedlist>
   <formalpara>
     <title>VPC Network Considerations</title>
     <para>Consider the following before you create a VPC:</para>
   </formalpara>
   <itemizedlist>
     <listitem>
       <para>A VPC, by default, is created in the enabled state.</para>
     </listitem>
     <listitem>
       <para>A VPC can be created in Advance zone only, and can't belong to more than one zone at a
         time.</para>
     </listitem>
     <listitem>
       <para>The default number of VPCs an account can create is 20. However, you can change it by
         using the max.account.vpcs global parameter, which controls the maximum number of VPCs an
         account is allowed to create.</para>
     </listitem>
     <listitem>
       <para>The default number of tiers an account can create within a VPC is 3. You can configure
         this number by using the vpc.max.networks parameter.</para>
     </listitem>
     <listitem>
       <para>Each tier should have an unique CIDR in the VPC. Ensure that the tier's CIDR should be
         within the VPC CIDR range.</para>
     </listitem>
     <listitem>
       <para>A tier belongs to only one VPC. </para>
     </listitem>
     <listitem>
       <para>All network tiers inside the VPC should belong to the same account.</para>
     </listitem>
     <listitem>
       <para>When a VPC is created, by default, a SourceNAT IP is allocated to it. The Source NAT IP
         is released only when the VPC is removed.</para>
     </listitem>
     <listitem>
       <para>A public IP can be used for only one purpose at a time. If the IP is a sourceNAT, it
         cannot be used for StaticNAT or port forwarding.</para>
     </listitem>
     <listitem>
       <para>The instances can only have a private IP address that you provision. To communicate with
         the Internet, enable NAT to an instance that you launch in your VPC.</para>
     </listitem>
     <listitem>
       <para>Only new networks can be added to a VPC. The maximum number of networks per VPC is
         limited by the value you specify in the vpc.max.networks parameter. The default value is
         three.</para>
     </listitem>
     <listitem>
       <para>The load balancing service can be supported by only one tier inside the VPC.</para>
     </listitem>
     <listitem>
       <para>If an IP address is assigned to a tier:</para>
       <itemizedlist>
         <listitem>
           <para>That IP can't be used by more than one tier at a time in the VPC. For example, if
             you have tiers A and B, and a public IP1, you can create a port forwarding rule by using
             the IP either for A or B, but not for both.</para>
         </listitem>
         <listitem>
           <para>That IP can't be used for StaticNAT, load balancing, or port forwarding rules for
             another guest network inside the VPC.</para>
         </listitem>
       </itemizedlist>
     </listitem>
     <listitem>
       <para>Remote access VPN is not supported in VPC networks.</para>
     </listitem>
   </itemizedlist>
 </section>
	<?xml version='1.0' encoding='utf-8' ?>
	<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
	<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
	%BOOK_ENTITIES;
	]>
	<!-- Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at
	http://www.apache.org/licenses/LICENSE-2.0
	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.
	-->
	<section id="vpc">
	<title>About Virtual Private Clouds</title>
	<para>&PRODUCT; Virtual Private Cloud is a private, isolated part of &PRODUCT;. A VPC can have its
	own virtual network topology that resembles a traditional physical network. You can launch VMs
	in the virtual network that can have private addresses in the range of your choice, for example:
	10.0.0.0/16. You can define network tiers within your VPC network range, which in turn enables
	you to group similar kinds of instances based on IP address range.</para>
	<para>For example, if a VPC has the private range 10.0.0.0/16, its guest networks can have the
	network ranges 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, and so on.</para>
	<formalpara>
	<title>Major Components of a VPC:</title>
	<para>A VPC is comprised of the following network components:</para>
	</formalpara>
	<itemizedlist>
	<listitem>
	<para><emphasis role="bold">VPC</emphasis>: A VPC acts as a container for multiple isolated
	networks that can communicate with each other via its virtual router.</para>
	</listitem>
	<listitem>
	<para><emphasis role="bold">Network Tiers</emphasis>: Each tier acts as an isolated network
	with its own VLANs and CIDR list, where you can place groups of resources, such as VMs. The
	tiers are segmented by means of VLANs. The NIC of each tier acts as its gateway.</para>
	</listitem>
	<listitem>
	<para><emphasis role="bold">Virtual Router</emphasis>: A virtual router is automatically
	created and started when you create a VPC. The virtual router connect the tiers and direct
	traffic among the public gateway, the VPN gateways, and the NAT instances. For each tier, a
	corresponding NIC and IP exist in the virtual router. The virtual router provides DNS and
	DHCP services through its IP.</para>
	</listitem>
	<listitem>
	<para><emphasis role="bold">Public Gateway</emphasis>: The traffic to and from the Internet
	routed to the VPC through the public gateway. In a VPC, the public gateway is not exposed to
	the end user; therefore, static routes are not support for the public gateway.</para>
	</listitem>
	<listitem>
	<para><emphasis role="bold">Private Gateway</emphasis>: All the traffic to and from a private
	network routed to the VPC through the private gateway. For more information, see <xref
	linkend="add-gateway-vpc"/>.</para>
	</listitem>
	<listitem>
	<para><emphasis role="bold">VPN Gateway</emphasis>: The VPC side of a VPN connection.</para>
	</listitem>
	<listitem>
	<para><emphasis role="bold">Site-to-Site VPN Connection</emphasis>: A hardware-based VPN
	connection between your VPC and your datacenter, home network, or co-location facility. For
	more information, see <xref linkend="site-to-site-vpn"/>.</para>
	</listitem>
	<listitem>
	<para><emphasis role="bold">Customer Gateway</emphasis>: The customer side of a VPN
	Connection. For more information, see <xref linkend="create-vpn-customer-gateway"/>.</para>
	</listitem>
	<listitem>
	<para><emphasis role="bold">NAT Instance</emphasis>: An instance that provides Port Address
	Translation for instances to access the Internet via the public gateway. For more
	information, see <xref linkend="enable-disable-static-nat-vpc"/>.</para>
	</listitem>
	<listitem>
	<para><emphasis role="bold">Network ACL</emphasis>: Network ACL is a group of Network ACL
	items. Network ACL items are nothing but numbered rules that are evaluated in order,
	starting with the lowest numbered rule. These rules determine whether traffic is allowed in
	or out of any tier associated with the network ACL. For more information, see <xref linkend="configure-acl"/>.</para>
	</listitem>
	</itemizedlist>
	<formalpara>
	<title>Network Architecture in a VPC</title>
	<para>In a VPC, the following four basic options of network architectures are present:</para>
	</formalpara>
	<itemizedlist>
	<listitem>
	<para>VPC with a public gateway only</para>
	</listitem>
	<listitem>
	<para>VPC with public and private gateways</para>
	</listitem>
	<listitem>
	<para>VPC with public and private gateways and site-to-site VPN access</para>
	</listitem>
	<listitem>
	<para>VPC with a private gateway only and site-to-site VPN access</para>
	</listitem>
	</itemizedlist>
	<formalpara>
	<title>Connectivity Options for a VPC</title>
	<para>You can connect your VPC to:</para>
	</formalpara>
	<itemizedlist>
	<listitem>
	<para>The Internet through the public gateway.</para>
	</listitem>
	<listitem>
	<para>The corporate datacenter by using a site-to-site VPN connection through the VPN
	gateway.</para>
	</listitem>
	<listitem>
	<para>Both the Internet and your corporate datacenter by using both the public gateway and a
	VPN gateway.</para>
	</listitem>
	</itemizedlist>
	<formalpara>
	<title>VPC Network Considerations</title>
	<para>Consider the following before you create a VPC:</para>
	</formalpara>
	<itemizedlist>
	<listitem>
	<para>A VPC, by default, is created in the enabled state.</para>
	</listitem>
	<listitem>
	<para>A VPC can be created in Advance zone only, and can't belong to more than one zone at a
	time.</para>
	</listitem>
	<listitem>
	<para>The default number of VPCs an account can create is 20. However, you can change it by
	using the max.account.vpcs global parameter, which controls the maximum number of VPCs an
	account is allowed to create.</para>
	</listitem>
	<listitem>
	<para>The default number of tiers an account can create within a VPC is 3. You can configure
	this number by using the vpc.max.networks parameter.</para>
	</listitem>
	<listitem>
	<para>Each tier should have an unique CIDR in the VPC. Ensure that the tier's CIDR should be
	within the VPC CIDR range.</para>
	</listitem>
	<listitem>
	<para>A tier belongs to only one VPC. </para>
	</listitem>
	<listitem>
	<para>All network tiers inside the VPC should belong to the same account.</para>
	</listitem>
	<listitem>
	<para>When a VPC is created, by default, a SourceNAT IP is allocated to it. The Source NAT IP
	is released only when the VPC is removed.</para>
	</listitem>
	<listitem>
	<para>A public IP can be used for only one purpose at a time. If the IP is a sourceNAT, it
	cannot be used for StaticNAT or port forwarding.</para>
	</listitem>
	<listitem>
	<para>The instances can only have a private IP address that you provision. To communicate with
	the Internet, enable NAT to an instance that you launch in your VPC.</para>
	</listitem>
	<listitem>
	<para>Only new networks can be added to a VPC. The maximum number of networks per VPC is
	limited by the value you specify in the vpc.max.networks parameter. The default value is
	three.</para>
	</listitem>
	<listitem>
	<para>The load balancing service can be supported by only one tier inside the VPC.</para>
	</listitem>
	<listitem>
	<para>If an IP address is assigned to a tier:</para>
	<itemizedlist>
	<listitem>
	<para>That IP can't be used by more than one tier at a time in the VPC. For example, if
	you have tiers A and B, and a public IP1, you can create a port forwarding rule by using
	the IP either for A or B, but not for both.</para>
	</listitem>
	<listitem>
	<para>That IP can't be used for StaticNAT, load balancing, or port forwarding rules for
	another guest network inside the VPC.</para>
	</listitem>
	</itemizedlist>
	</listitem>
	<listitem>
	<para>Remote access VPN is not supported in VPC networks.</para>
	</listitem>
	</itemizedlist>
	</section>