Manage Virtual Server Networks
The Networking menu in the Virtual Servers menu enables you to manage network interfaces, allocate IP addresses, and set firewall rules for virtual servers. In this document you can find information on how to manage Virtual Server networks.
- To run the VS, at least one network interface with an assigned IP address (or addresses) is required.
- To allocate another physical network, add a new network interface.
Configure Virtual Server Network Interface
The Networking > Network Interfaces menu shows the virtual network interfaces allocated to this VS. Network interfaces join the physical network to the VS.
When you create a VS, a network interface is added automatically. This network interface is assigned to the existing physical network using a spare IP (IPv4) and is set as primary by default.
OnApp supports IPv4 and IPv6. Since not every application supports IPv6, at least one IPv4 address must be allocated to a VS's primary network interface.
To see the list of all network interfaces allocated to the VS:
- Go to your Control Panel > Cloud > Virtual Servers menu.
- Click the label of the virtual server you're interested in.
- Click the Networking tab, then click Network Interfaces.
- On the page that follows you will see the following fields:
- Interface – optional label of the network interface
- Network join – name of the network and the compute resource or compute zone this network is joined to
- Port speed – the speed set to the interface
- Primary interface – indication whether the interface is primary or not
Here you can also view interface usage, edit or delete a network interface (using the icon controls), and add a new network interface using the button at the bottom of the screen.
To add a network interface:
- Go to your Control Panel > Cloud > Virtual Servers menu.
- Click the label of the virtual server you're interested in.
- Click the Networking tab, then click Network Interfaces.
- Click the New Network Interface button at the bottom of the screen.
- On the screen that appears, input values for the following parameters:
- Label – name for the new interface
- Physical Network – choose a network join from the drop-down menu, which lists the network joins assigned to the compute resource or compute zone on which the VS runs
- Port speed – set port speed in Mbps, or make it unlimited
- Click the Submit button.
To edit the network interface label or port speed, or to set the interface as primary (if none is marked as primary), click the Edit icon next to the appropriate network interface. After editing the port speed, the virtual server must be power cycled for the change to take effect.
To delete a network interface, click the Delete icon next to the interface you want to delete.
Rebuild Virtual Server Network
To rebuild a network join added to the virtual server (required after allocating new IP addresses):
- Go to your Control Panel > Cloud > Virtual Servers menu.
- Click the label of a required VS.
- On the screen that appears, click the Actions button, point to Options, then click Rebuild Network.
- In the pop-up window, move the Force Reboot slider to the right, then select the VS shutdown type.
During the network rebuild, the system first tries to reach the VS's network interface without rebooting the virtual server. If that is not possible, the transaction quits. The Force Reboot option allows the network to be rebuilt with a reboot when a live rebuild is impossible. If the Force Reboot option is disabled and the system cannot enter the virtual server, the network rebuild operation fails.
- Move the Required Startup slider to the right to start up a VS when you're rebuilding network of a powered off VS.
- Click the Rebuild Network button.
To replace a network interface on a Windows VS running on a Xen compute resource, add the new network interface, rebuild the network, then remove the old network interface and rebuild the network again.
Set Virtual Server Firewall Rules
With OnApp you can set firewall rules for the network interfaces of virtual servers. There are two types of firewall rule:
- ACCEPT – defines the packets that will be accepted by the firewall
- DROP – defines the packets that will be rejected by the firewall
Ensure that the following permissions are enabled before setting firewall rules for your virtual server:
- Create own firewall rules
- Destroy own firewall rules
- Read own firewall rules
- Update own firewall rules
- Update own virtual server
- Read own virtual server
You cannot apply firewall rules to virtual servers which are parts of a blueprint.
You can set the following:
- add a specific firewall rule - you can configure a firewall rule with specific parameters (source, destination port, protocol type, etc.)
- set default firewall rules - you can set default firewall rules for an entire network interface
Add a specific firewall rule
To configure a specific firewall rule:
- Go to your Control Panel > Cloud > Virtual Servers menu.
- Click the label of the VS for which you want to configure a firewall rule.
- Click the Networking tab, then click Firewall.
- On the page that appears, set the following:
- Interface - choose the network interface.
- Command - specify if the rule defines requests that should be accepted or dropped.
- Source - set the IP address for which this rule is active.
- Leave the field empty to apply this rule to all IPs
- Enter hyphen-separated IPs to apply the rule to an IP range (e.g. 192.168.1.1-192.168.1.10)
- Enter the IPs with slash to apply the rule to CIDR (e.g. 192.168.1.1/24)
- Destination Port - set the port for which this rule is effective.
- Leave the field empty to apply the rule to all ports
- Enter colon-separated ports to apply the rule to a port range (e.g. 1024:1028)
- Enter comma-separated ports to apply the rule to the list of ports (e.g. 80,443,21)
- Protocol Type (for the ICMP protocol only) - indicate the ICMP type (0 to 255)
- Protocol - choose the protocol (TCP, UDP, DCCP, SCTP or ICMP).
- Comment - enter the comment to the firewall rule.
- Save the rule by clicking the Add Rule button. The rule will be saved in the UI, but the transaction won't be started until you click the Apply Firewall Rules button.
- To start the transaction which runs firewall rules for a VS, click Apply Firewall Rules button.
- Use the Up and Down arrow buttons in the left column to change a firewall rule's position. Rules are evaluated in the order shown, so the position matters.
- To edit or delete a firewall rule click the appropriate icon in the last column.
Default firewall rules
To set default firewall rules for a network interface:
- Go to your Control Panel > Cloud > Virtual Servers menu.
- Click the label of the VS for which you want to configure a firewall rule.
- Click the Networking tab, then click Firewall.
- On the page that appears, go to Default Firewall Rules section.
- Choose ACCEPT or DROP command next to the network interface and click Save Default Firewall Rules. The rule will be saved in the UI, but the transaction won't be started until you click the Apply Firewall Rules button.
Example:
The Int1 ACCEPT 122.158.111.21 22 TCP firewall rule means that the Int1 network interface will accept all requests and packets addressed from 122.158.111.21 using the TCP protocol on port 22.
The Int2 DROP 122.158.111.21 22 UDP firewall rule means that the Int2 network interface will reject all requests and packets from 122.158.111.21 using the UDP protocol on port 22.
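The Int1/Int2 example above only states what two rules mean. As an added example, not code from the OnApp documentation or product, the following Python models how the Firewall page's field syntax (empty Source or Destination Port for "any", hyphen-separated IP ranges, CIDR, colon-separated port ranges, comma-separated port lists, ICMP Protocol Type) is parsed and how an ordered rule list plus the per-interface default command decides a packet's fate. The Packet, Rule and verdict names, the Int1/Int2 default commands and every sample packet are my own constructed assumptions; the evaluation order (first matching rule wins, then the interface default) follows the Up/Down ordering and Default Firewall Rules described on this page.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Callable, Optional

PROTOCOLS = ("TCP", "UDP", "DCCP", "SCTP", "ICMP")   # offered by default, per the docs

def parse_source(field: str) -> Callable[[str], bool]:
    """Source field: empty = any IP, 'a-b' = inclusive range, 'a/n' = CIDR, else one IP."""
    field = field.strip()
    if not field:
        return lambda ip: True
    if "-" in field:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in field.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid IP range: {field!r}")
        # version check first: ipaddress refuses to order an IPv4 address against an IPv6 one
        return lambda ip: (a := ipaddress.ip_address(ip)).version == lo.version and lo <= a <= hi
    if "/" in field:
        # strict=False so 192.168.1.1/24, as written in the docs, means 192.168.1.0/24
        net = ipaddress.ip_network(field, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    single = ipaddress.ip_address(field)
    return lambda ip: ipaddress.ip_address(ip) == single

def parse_ports(field: str) -> Callable[[int], bool]:
    """Destination Port field: empty = any port, 'a:b' = range, 'a,b,c' = list."""
    field = field.strip()
    if not field:
        return lambda port: True
    if ":" in field:
        lo, hi = (int(p) for p in field.split(":", 1))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {field!r}")
        return lambda port: lo <= port <= hi
    wanted = {int(p) for p in field.split(",")}
    if not all(0 <= p <= 65535 for p in wanted):
        raise ValueError(f"port out of range: {field!r}")
    return lambda port: port in wanted

Packet = namedtuple("Packet", "interface src_ip protocol dst_port icmp_type", defaults=(None, None))  # constructed packet

@dataclass
class Rule:                          # one row of the Firewall page
    interface: str
    command: str                     # ACCEPT or DROP
    source: str = ""
    dest_port: str = ""
    protocol: str = "TCP"
    icmp_type: Optional[int] = None  # Protocol Type: ICMP only, 0-255

    def __post_init__(self):
        if self.command not in ("ACCEPT", "DROP") or self.protocol not in PROTOCOLS:
            raise ValueError(f"bad command/protocol: {self.command!r} {self.protocol!r}")
        if self.icmp_type is not None and (self.protocol != "ICMP" or not 0 <= self.icmp_type <= 255):
            raise ValueError("Protocol Type applies to ICMP only and must be 0-255")
        self.src_match = parse_source(self.source)     # both raise ValueError on bad syntax
        self.port_match = parse_ports(self.dest_port)

    def matches(self, pkt) -> bool:
        if (pkt.interface, pkt.protocol) != (self.interface, self.protocol) or not self.src_match(pkt.src_ip):
            return False
        if self.protocol == "ICMP":
            return self.icmp_type is None or pkt.icmp_type == self.icmp_type
        return pkt.dst_port is not None and self.port_match(pkt.dst_port)

def verdict(rules: list, defaults: dict, pkt) -> str:
    """Rules are tried in their UI order; the first match wins, else the interface default applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.command
    return defaults[pkt.interface]

def is_valid_rule(**fields) -> bool:
    try:
        Rule(**fields)
        return True
    except ValueError:
        return False

def demo() -> dict:
    rules = [   # the documentation's Int1/Int2 example plus range, CIDR, port-list and ICMP rules
        Rule("Int1", "ACCEPT", "122.158.111.21", "22", "TCP"),
        Rule("Int2", "DROP", "122.158.111.21", "22", "UDP"),
        Rule("Int1", "ACCEPT", "192.168.1.1-192.168.1.10", "80,443,21", "TCP"),
        Rule("Int1", "ACCEPT", "10.0.0.0/24", "1024:1028", "TCP"),
        Rule("Int1", "ACCEPT", "", "", "ICMP", icmp_type=8),   # echo request only
    ]
    defaults = {"Int1": "DROP", "Int2": "ACCEPT"}   # Default Firewall Rules per interface (constructed)
    packets = {
        "ssh_from_allowed_host": Packet("Int1", "122.158.111.21", "TCP", 22),
        "ssh_from_other_host": Packet("Int1", "122.158.111.22", "TCP", 22),
        "udp_22_on_int2": Packet("Int2", "122.158.111.21", "UDP", 22),
        "https_from_range": Packet("Int1", "192.168.1.7", "TCP", 443),
        "port_1028_from_cidr": Packet("Int1", "10.0.0.200", "TCP", 1028),
        "port_1030_from_cidr": Packet("Int1", "10.0.0.200", "TCP", 1030),
        "ping_request": Packet("Int1", "198.51.100.9", "ICMP", icmp_type=8),
        "ping_reply": Packet("Int1", "198.51.100.9", "ICMP", icmp_type=0),
    }
    return {name: verdict(rules, defaults, pkt) for name, pkt in packets.items()}
```

Running demo() shows the point of the Default Firewall Rules section: with Int1 defaulting to DROP, anything the specific rules do not name (SSH from another host, port 1030 from the CIDR, an ICMP echo reply) is dropped, while Int2 with an ACCEPT default lets everything through except the single UDP rule. is_valid_rule() rejects the malformed field values the UI should refuse, such as a reversed IP range or a port above 65535.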
If you reboot a Xen-based VS from the console, the firewall rules for this VS will be lost, and you will need to update the firewall rules again.
Protocols:
For IPv4, only the ICMP, IPV6-ICMP, TCP, UDP, DCCP, SCTP protocols are available by default. However, if required, you can enable other protocols for IPv4.
- Go to the /onapp/interface/config/network_protocols.yml file.
- The list contains all protocols available (IPv4). Set 'true' for the required protocols.
- Restart httpd by running one of the following commands:
service httpd restart
or
/etc/init.d/httpd restart
- The protocols you have enabled are now available at Control Panel > Cloud > Virtual Servers > Label > Networking tab > Firewall while adding new firewall rules.
The following protocols can be enabled in the /onapp/interface/config/network_protocols.yml file:
Virtual Server IP Addresses
In the Networking > IP Addresses tab you can find the list of assigned IP addresses, allocate new IP addresses and rebuild a network.
To allocate a new IP Address to the VS:
- Go to your Control Panel > Cloud > Virtual Servers menu.
- Click the label of the virtual server you're interested in.
- Click the Networking tab > IP Addresses.
- Click the Allocate New IP Address button.
- Select a network interface from the drop-down menu (only the network interfaces you added to the VS will be available). The IP Address will be allocated automatically.
- (Not available for federated VSs) As an alternative, you can manually select an IP address from the IP pool associated with the network interface. To enable this option, move the Specify IP Address slider to the right and choose an IP address from the drop-down list. You may select an IP address that is already assigned to a VS, but only one VS should be online at a time. Use the Please show me used IP Pool, Show only my IPs and Show only IPv6 checkboxes to narrow the list of IPs in the drop-down list.
- Click the Add IP Address button.
- Click the Rebuild Network button to rebuild the network.
- You must rebuild the network after making changes to IP address allocations.
- Currently, it is possible to assign only up to 320 IPs to an Ubuntu virtual server.
- The external IP address can be managed by API only. If you want to add external IP address, refer to the Add/Edit External IP Address section of API Guide.
Currently, it is not possible to assign IPv6 addresses of the following ranges:
- ::/128
- fec0::/10
- ::1/128
- fc00::/7
- 2001:db8::/32
- ff00::/8
- fe80::/10
To remove an IP address from a VS:
- Go to your Control Panel > Cloud > Virtual Servers menu.
- Click the label of the virtual server you're interested in.
- Click the Networking > IP Addresses tab.
- Click the Delete icon next to the IP address you want to delete.
- In the pop-up window that appears:
- Choose the Delete with Reboot option if you want to reboot a VS and rebuild the network immediately after deleting the IP address. After choosing the Delete with Reboot option you will be redirected to the VS's Overview page.
- Choose the Delete without Reboot option if you don't want to reboot the VS now. In this case you will have to reboot the VS yourself later for the changes to apply.
Display Network Speed for Network Interfaces on Virtual Server Page
The main Virtual Servers screen displays the network speed of each VS's primary network interface. To see the speed of all interfaces assigned to a VS:
- Go to your Control Panel > Cloud > Virtual Servers menu.
- Click the label of the virtual server you are interested in.
- Click the Networking > Network Interfaces tab.
- On the screen that appears, the Port Speed column shows the network speed of the network interface.
Edit Virtual Server Network Speed
To edit a virtual server's network speed:
- Go to your Control Panel > Cloud > Virtual Servers menu.
- Click the label of the virtual server you want to change.
- Go to the Networking tab > Network Interfaces.
- In the last column click the Edit button.
- Change the port speed.
- Click the Submit button to save changes.
Virtual Server as a Gateway
You can set up your virtual server configuration so that it functions as a gateway for a network interface. Such a configuration overrides the firewall rules and accepts all traffic to the VS from the selected network interface. This functionality allows third-party gateways and load balancers to be used as OnApp virtual servers.
For the VS to function as a gateway at least two IPs are required: one private and one public. A VS cannot be used as a gateway for a network interface if the network interface does not contain IPs or if it contains only public IPs.
To use a virtual server as a gateway for a network interface:
- Go to your Control Panel > Cloud > Virtual Servers > Label > Networking > Firewall. On the page that loads, the Default Firewall Rules section displays the list of network interfaces for which this VS can function as a gateway.
- Select the command for the network interface: either ACCEPT or DROP. If you select DROP, the Use as Gateway slider becomes inactive, but you can still save the configuration, and all traffic from the network interface will be dropped.
- Move the Use as Gateway slider to the right if you want the VS to function as a gateway for the network interface.
- Click the Save Default Firewall Rules button to apply the changes.
The configurations in steps 5 and 6 are only examples that were tested on CentOS 6. You can use them at your own risk. You may require different configurations for other operating systems.
- Add the following commands in the console of the gateway VS:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s IP_range ! -d IP_range -o public_network_interface_name -j MASQUERADE
iptables -I FORWARD -i private_network_interface_name -o public_network_interface_name -j ACCEPT
iptables -I FORWARD -i public_network_interface_name -o private_network_interface_name -j ACCEPT
Here IP_range is the range of IPs for which the VS will serve as a gateway, and public_network_interface_name and private_network_interface_name are the names of the public and private network interfaces of the gateway VS. The IP range should contain only IPv4 IPs (e.g. 10.10.10.0/24).
The changes added in step 5 are not preserved after a reboot. The corresponding changes should be performed again after the reboot.
- Add the following commands in the console of the VS that is to send traffic through the gateway VS:
route delete -net default
route add -net default gw gateway_VS_IP
Here gateway_VS_IP is the IP of the gateway VS for this server.
You can view the list of virtual servers that are used as gateways on a compute resource by going to your Control Panel > Admin > Settings > Compute Resources > Label > Tools > Gateway Servers. The page that loads shows the list of gateway servers on a compute resource with their details.
When you set default firewall rules for a VS, two additional iptables rules are added on the compute resource on which the VS is built. These iptables rules contain the range of IPs for which the VS will serve as a gateway and the identifier of the gateway VS:
iptables -A FORWARD -s IP_range ! -d IP_range -m physdev --physdev-out gateway_VS_identifier -j gateway_VS_identifier
iptables -A FORWARD ! -s IP_range -d IP_range -m physdev --physdev-in gateway_VS_identifier -j ACCEPT gateway_VS_identifier