All cloud servers can be connected to a private network without direct access to the Internet. It is possible to configure different Internet access options using routers, floating IP addresses, and shared public IP addresses.
Network objects are region-specific resources: they can connect virtual machines across all availability zones of the selected region.
Network objects of the Cloud platform are described in the following table:
| Network object | Description |
|---|---|
| Private Network (VLAN) | Network segments isolated from each other at layer 2 (L2). |
| Subnet (IP addresses) | A range of private IP addresses bounded by a CIDR prefix chosen by the client. Several subnets can be assigned to the same private network. Subnets are used to allocate IP addresses when new ports are created. |
| Port | A MAC+IP binding that attaches to the virtual network card of a cloud server. One of the subnet's ports can be connected to the router. |
| Router | A device that routes traffic between different subnets and the Internet. All subnets connected to the same router can communicate with each other using the router's IP address as the default route, and can reach the Internet through the shared external IP address assigned to the router. The router performs NAT: (1) access from a private network to the Internet (outgoing traffic); (2) forwarding of packets addressed to a floating IP to the server it is assigned to. |
| Shared external IP on the router | IP address assigned to the router port when the router is connected to an external network. |
| External network | Service subnet providing public IP addresses for router ports and floating IPs. |
| Floating IP address | Public IP address from the external network that can be associated with the address of a private server or a load balancer. Traffic to a floating IP is processed by the router, and all packets are forwarded to the associated private address. |
| Public subnet | A range of public IP addresses bounded by a prefix (mask) size, provided to the client. Addresses from this subnet are not processed by the router; they are attached directly to the cloud server. |
| VRRP subnet | A cross-region cloud object: a pair of identical public subnets with four available addresses in each of the two selected regions of the Cloud platform. Unlike regular public subnets, VRRP subnets are routed through an additional infrastructure router, which lets the cloud redirect traffic to the backup subnet in the other region if the main router of the data center fails. |
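The router behaviour in the table (SNAT of outgoing traffic to the shared external IP, DNAT of floating IPs to the associated private address, plain routing between connected subnets) as a small model. This is an added example, not the platform's code; the class, method names, the simplified connection tracking (keyed by remote address only) and all IP addresses are constructed for illustration.

```python
import ipaddress


class Router:
    """Toy model of the cloud router: NAT between private subnets and the Internet.
    Addresses below are constructed sample values (documentation ranges)."""

    def __init__(self, shared_external_ip):
        self.shared_external_ip = ipaddress.ip_address(shared_external_ip)
        self.subnets = []      # private subnets attached through one of their ports
        self.floating = {}     # floating IP -> associated private address
        self.conntrack = {}    # remote IP -> private source (simplified reply tracking)

    def connect_subnet(self, cidr):
        """Attach a private subnet: one of its ports is connected to the router."""
        self.subnets.append(ipaddress.ip_network(cidr))

    def _is_private(self, ip):
        return any(ip in net for net in self.subnets)

    def associate_floating_ip(self, floating_ip, private_ip):
        """A floating IP can only be bound to an address the router actually serves."""
        private_ip = ipaddress.ip_address(private_ip)
        if not self._is_private(private_ip):
            raise ValueError(f"{private_ip} is not behind this router")
        self.floating[ipaddress.ip_address(floating_ip)] = private_ip

    def forward(self, src, dst):
        """Return (source, destination) after translation, or None if the packet is dropped."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self._is_private(src) and self._is_private(dst):
            return (str(src), str(dst))          # routed between subnets, no NAT
        if self._is_private(src):
            self.conntrack[dst] = src             # outgoing: SNAT to the shared IP
            return (str(self.shared_external_ip), str(dst))
        if dst in self.floating:
            return (str(src), str(self.floating[dst]))   # floating IP: DNAT to the server
        if dst == self.shared_external_ip and src in self.conntrack:
            return (str(src), str(self.conntrack[src]))  # reply to an outbound flow
        return None   # unsolicited packet to the shared IP or unknown address: dropped
```

The last branch is the point defenders care about: a private server with no floating IP is not reachable from the Internet at all, while a server with a floating IP is exposed on every port that is open on the server itself.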
Standard Network Configurations
Private Network and Bastion Host
A bastion host is a host that acts as the gateway or proxy server for all other servers. Typically it is reachable on an external IP address and communicates with the other servers over the private network.
All servers have public access to the Internet. Servers interact with each other through public interfaces.
Load Balancer and Bastion Host
A combination of the first configuration and a dedicated load balancer. The bastion host is used to reach the private network and manage the infrastructure, while the load balancer takes over the job of proxying client requests to the infrastructure from the bastion host.
Private Network between Regions and Services
This topology provides direct public access to a group of cloud servers (virtual machines) and connects them over a private network to resources in another region of the Cloud platform or to dedicated servers in any location.
An L3VPN network is used to create this topology. To connect the L3VPN network, create a ticket and provide us with the information about the networks and services that need to be connected.