

1. Manage networks



1.1. Limit Public IP bandwidths for a VDC

This document describes how to set a bandwidth limit in a virtual datacenter for each public IP using quality of service (QoS) traffic shaping parameters.
You can also limit the bandwidth of NAT IPs. See Limit bandwidth of NAT IPs with QoS


This feature applies to public IPs in infrastructure managed by NSX, in vCenter and vCenter clusters.

Privilege: Manage bandwidth limit for public IPs


During an upgrade or when you create a virtual datacenter, the public IP bandwidth limit is disabled.
To use QoS, edit the limit to set a value. The platform will apply the value when you deploy or reconfigure a VM to use a public IP.

Bandwidth limit for a public IP

To edit the bandwidth limit:

  1. Select the virtual datacenter

  2. Go to Network → QoS

  3. Click the pencil edit button 

  4. To activate the bandwidth limit in a specific direction, select the Enabled checkbox for that direction

  5. For the Average, enter the amount of bandwidth, in bits per second, that each public IP in the virtual datacenter can use

  6. For the Peak, enter the maximum bandwidth in bits per second that each public IP in the virtual datacenter can use

  7. For the Burst size, enter the amount of data that can be transmitted at the peak bandwidth rate in bytes. A burst bonus accumulates when traffic is below the Average value and this bandwidth can be used for bursts

Edit the QoS parameters for the bandwidth limit for a public IP

To register changes that were made outside the platform, save the existing public IP bandwidth values again.
In the API, to register such changes, send a POST request with the existing values.

This feature sets the limits when you deploy or reconfigure a VM to use a public IP.

If you deploy a VM and the platform cannot configure the limit, then the deploy will fail and roll back. If you reconfigure a VM and try to add a public IP, and the limit fails, then the platform will roll back the reconfigure and delete the public IP address.

If you are working with multiple VMs and there are different switches involved, then the platform will make a best effort to update all of the VMs, and log any errors. 
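The three QoS values above (Average and Peak in bits per second, Burst size in bytes) interact as a credit scheme: idle time below Average builds a burst credit, which is spent at up to Peak. The following is an added example, not Abiquo code, that validates a set of values and simulates one public IP under them; the token-bucket model (credit capped at Burst size, transmission capped at Peak) and the sample demand profile are assumptions of this example.

```python
"""Simplified model of the per-public-IP QoS parameters: Average, Peak, Burst size.

Added example, not Abiquo code. The shaping model is an assumption: a token
bucket in which unused Average bandwidth accumulates as a burst credit capped
at Burst size, and transmission never exceeds Peak.
"""

BITS_PER_BYTE = 8


def validate_qos(average_bps: int, peak_bps: int, burst_bytes: int) -> list[str]:
    """Return the problems with a set of QoS values (empty list if valid).

    Average and Peak are in bits per second and Burst size in bytes, as on the
    QoS form; the relation Peak >= Average is an assumption of this example.
    """
    problems = []
    for name, value in (("Average", average_bps), ("Peak", peak_bps), ("Burst size", burst_bytes)):
        if not isinstance(value, int) or value <= 0:
            problems.append(f"{name} must be a positive integer, got {value!r}")
    if not problems and peak_bps < average_bps:
        problems.append(f"Peak ({peak_bps} bit/s) must not be lower than Average ({average_bps} bit/s)")
    return problems


def shape(demand_bytes_per_sec: list[int], average_bps: int, peak_bps: int, burst_bytes: int) -> list[int]:
    """Simulate one public IP over a series of one-second ticks.

    demand_bytes_per_sec: bytes the VM wants to send in each second (constructed input).
    Returns the bytes actually transmitted in each second under the limit.
    """
    problems = validate_qos(average_bps, peak_bps, burst_bytes)
    if problems:
        raise ValueError("; ".join(problems))
    avg_bytes = average_bps // BITS_PER_BYTE    # Average, converted to bytes per second
    peak_bytes = peak_bps // BITS_PER_BYTE      # Peak, converted to bytes per second
    credit = 0                                  # burst bonus accumulated from earlier idle seconds
    sent = []
    for demand in demand_bytes_per_sec:
        allowance = avg_bytes + credit              # this second's Average plus saved credit
        tx = min(demand, allowance, peak_bytes)     # never above Peak, never above the allowance
        credit = min(burst_bytes, allowance - tx)   # unused allowance carries over, capped at Burst size
        sent.append(tx)
    return sent


def demo() -> list[int]:
    """8 Mbit/s Average, 16 Mbit/s Peak, 1.5 MB Burst size (constructed values)."""
    demand = [0, 0, 3_000_000, 3_000_000, 3_000_000]   # two idle seconds, then sustained pressure
    return shape(demand, average_bps=8_000_000, peak_bps=16_000_000, burst_bytes=1_500_000)


if __name__ == "__main__":
    print(demo())   # [0, 0, 2000000, 1500000, 1000000]
```

The simulated profile shows why Burst size is entered in bytes while the rates are in bits per second: the two idle seconds bank 1.5 MB of credit, the third second runs at the Peak rate, the fourth drains the remaining credit, and from the fifth second the IP is held at Average.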



1.2. Reserve private IPs




2. Manage NAT



3. Manage firewalls

3.1. Introduction to firewalls



3.2. Display firewall policies



3.3. Synchronize firewall policies



3.4. Create a firewall policy



3.5. Create a firewall policy in GCP

In GCP, the platform can create firewall rules in virtual datacenters or in global networks, to later attach to VMs.

Privileges: Manage firewall, Manage global networks

To create a new firewall, do these steps:

  1. Go to Virtual datacenters → Network → Firewalls, OR
    go to myCloud → Global → select the GCP provider → Network → Firewalls

  2. Click the Add button

  3. Enter the firewall details and select the direction

    1. For the Name, follow the Google Cloud entity naming conventions. See Google Cloud Platform integration

    2. For the Direction, select INGRESS for incoming traffic or EGRESS for outgoing traffic

    3. For Sources or Targets, enter a list of comma separated values in CIDR format

    4. For Priority, the default is 1000 and lower numbers have higher priority

  4. Go to Inbound or Outbound and add firewall rules

    1. Optionally, select from predefined Common protocols OR
      Enter Protocols and enter a list of Ports, separated by commas, and/or a port range, separated with a dash (e.g. 80,8000-8009)

  5. After you finish adding rules, click Save

The platform will create your firewall in the provider.
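The form inputs above (name, direction, comma separated CIDR list, priority, and a port list such as 80,8000-8009) are easy to get subtly wrong, so a practitioner normally validates them before saving. The following is an added example, not Abiquo or Google code: it parses and validates those inputs, assembles a dictionary shaped like the GCP Compute firewall resource, and reviews the result for overly broad settings. The name pattern, the mapping of Sources to sourceRanges and Targets to destinationRanges, and the review checks are assumptions of this example.

```python
"""Validate and assemble the GCP firewall inputs described in the steps above.

Added example, not Abiquo or Google code. The output dictionary follows the
field names of the GCP Compute firewall resource (name, direction, priority,
sourceRanges / destinationRanges, allowed[].IPProtocol / ports); the name
pattern and the review checks are assumptions of this example.
"""
import ipaddress
import re

# Assumed pattern for GCP resource names: a lowercase letter, then lowercase
# letters, digits or hyphens, at most 63 characters, not ending in a hyphen.
NAME_RE = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")
DIRECTIONS = ("INGRESS", "EGRESS")
PROTOCOLS = ("tcp", "udp", "icmp", "esp", "ah", "sctp", "all")


def parse_ports(spec: str) -> list[str]:
    """Parse '80,8000-8009' into normalised port entries, rejecting bad values."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = (int(p) for p in item.split("-", 1))
            if not 1 <= low <= high <= 65535:
                raise ValueError(f"bad port range: {item}")
            entries.append(f"{low}-{high}")
        else:
            port = int(item)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port: {item}")
            entries.append(str(port))
    return entries


def parse_cidrs(spec: str) -> list[str]:
    """Parse a comma separated CIDR list; strict=True rejects prefixes with host bits set."""
    return [str(ipaddress.ip_network(c.strip(), strict=True)) for c in spec.split(",") if c.strip()]


def build_firewall(name, direction, ranges, protocol, ports="", priority=1000) -> dict:
    """Assemble one firewall with a single allow rule, validating each field."""
    if not NAME_RE.match(name):
        raise ValueError(f"name {name!r} does not follow the naming convention")
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {DIRECTIONS}")
    if not 0 <= priority <= 65535:
        raise ValueError("priority must be between 0 and 65535 (lower number = higher priority)")
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    rule = {"IPProtocol": protocol}
    if ports:
        rule["ports"] = parse_ports(ports)
    firewall = {"name": name, "direction": direction, "priority": priority, "allowed": [rule]}
    # Assumption: the form's Sources list becomes sourceRanges for INGRESS and
    # its Targets list becomes destinationRanges for EGRESS.
    firewall["sourceRanges" if direction == "INGRESS" else "destinationRanges"] = parse_cidrs(ranges)
    return firewall


def review(firewall: dict) -> list[str]:
    """Flag settings a reviewer would question before clicking Save."""
    findings = []
    ranges = firewall.get("sourceRanges") or firewall.get("destinationRanges") or []
    if firewall["direction"] == "INGRESS" and any(r in ("0.0.0.0/0", "::/0") for r in ranges):
        findings.append("ingress open to any source address")
    for rule in firewall["allowed"]:
        if rule["IPProtocol"] == "all":
            findings.append("rule allows all protocols")
        elif rule["IPProtocol"] in ("tcp", "udp") and "ports" not in rule:
            findings.append(f"{rule['IPProtocol']} rule allows every port")
    return findings


if __name__ == "__main__":
    fw = build_firewall("web-ingress", "INGRESS", "10.0.0.0/8, 192.168.1.0/24", "tcp", "80,8000-8009")
    print(fw)
    print(review(build_firewall("open", "INGRESS", "0.0.0.0/0", "tcp")))
```

Using strict=True in parse_cidrs is deliberate: a typo such as 10.0.1.5/24 is rejected rather than silently widened to 10.0.1.0/24, which is the kind of mistake that turns a host allowance into a subnet allowance.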



3.6. Edit firewall policy rules



3.7. Move firewall policies



3.8. Delete a firewall policy



4. Manage load balancers



4.1. Display load balancers


4.2. Create load balancers


4.3. Edit load balancers



5. Manage VPNs

This page describes how to use the VPN feature that enables you to create site-to-site VPNs between virtual datacenters and other virtual datacenters, or other entities. 

For details of the VPN feature and how to configure it for specific providers, see:

This feature is available in:

  • Datacenters using VMware with NSX-V (and the NSX-NAT or NSX-gateway plugin)

  • Datacenters using VMware with NSX-T (requires NAT IPs as endpoints).

  • AWS

  • Azure

To manage VPNs:

  1. Go to myCloud view → Virtual datacenters

  2. Select a virtual datacenter

  3. Go to Network → VPN

VPNs in virtual datacenter view

Support for VPNs is per VDC, which means you need to create a separate VPN site for each connected virtual datacenter. Both sites of a VPN must have the same encryption and authentication settings, and inverse local and remote network configurations.

The following table describes VPN functionality in the providers. You can further configure the NSX-T options using Abiquo configuration properties.

Encryption

  • AWS: AES

  • VMware NSX-V: AES, AES256, Triple DES, AES-GCM

  • VMware NSX-T: AES_128, AES_256, AES_GCM_128, AES_GCM_192, AES_GCM_256, NO_ENCRYPTION_AUTH_AES_GMAC_128, NO_ENCRYPTION_AUTH_AES_GMAC_192, NO_ENCRYPTION_AUTH_AES_GMAC_256, NO_ENCRYPTION

  • Azure: AES128_SHA1, AES128_SHA256, AES256_SHA1, AES256_SHA256, _3DES_SHA1, _3DES_SHA256

Perfect forward secrecy enabled

  • AWS: always enabled

  • VMware NSX-V: optional

  • VMware NSX-T: optional

  • Azure: always disabled

DH group

  • AWS: DH2

  • VMware NSX-V: DH2, DH5, DH14

  • VMware NSX-T: DH2, DH5, DH14, DH15, DH16, DH19, DH20, DH21

  • Azure: DH2, DH14

Authentication

  • AWS: PSK (mandatory)

  • VMware NSX-V: PSK (mandatory)

  • VMware NSX-T: PSK (mandatory)

  • Azure: PSK (mandatory)

Create a VPN

To connect private cloud with public cloud, define the VPN site in private cloud first. 

  • In Azure you can create a VPN using a placeholder address for the local gateway (site 1) and edit it after you create the Azure VPN site

  • In NSX-T you can delete and re-create a site instead of editing it

  • Azure may automatically select a compatible encryption type

  • In AWS you must supply the IP address of site 1 and you cannot edit it, so you must create site 1 first and the VPN site in AWS will always be site 2

To create a VPN site in a virtual datacenter:

  1. We recommend that you check that the private networks for your VPN sites (local and remote) have different IP address ranges. If necessary, create a new private network; you may also decide to make it the default network for the virtual datacenter. See Manage networks

  2. In NSX-T, for the VPN endpoint, obtain a NAT IP for the virtual datacenter.
    You don’t need to create any NAT rules to create a VPN. Tip: check if your provider allows SNAT and DNAT traffic to VMs in the VDC from the internet or from IP/network addresses or NSX-T groups.
    For more details see Manage NAT for virtual datacenters

  3. Create a firewall to allow traffic to the VMs in your VPN. See Manage firewalls

  4. Obtain the values of the remote endpoint and network. They don’t need to exist when you create the VPN, but if you need to change them, you will need to delete the site and recreate it.

  5. Go to myCloud view → Virtual datacenters and select a virtual datacenter

  6. Go to Networks → VPN

  7. To create the VPN site, click the + add button and enter the VPN details. For full details see the Create VPN reference table below

  8. Go to your other VDC or provider and create the remote VPN site.

Create VPN (part 1)

Create VPN (part 2)

To create the VPN site for site 2 in another VDC:

  1. Select the virtual datacenter

  2. Add another VPN site using the same encryption and authentication settings, and the remote network configuration of the first VPN site as the local values. 

To check the status of your VPN in a virtual datacenter:

  1. Go to myCloud → Virtual datacenters → select the virtual datacenter

  2. Go to Networks → VPN

  3. Beside the VPN details, click Check

Create VPN reference table

This table describes all of the fields for creating a VPN.

Field

Description

  • Name: Name of the VPN

  • Encryption algorithm: Select the encryption algorithm

  • Perfect forward secrecy enabled: Select to enable perfect forward secrecy to protect your session keys

  • DH group: Diffie-Hellman group for the VPN

  • Authentication: Select for PSK authentication (preshared key authentication), which is mandatory in the providers

  • Preshared key: Enter the preshared key to use for this session. Click the link beside the text entry box to show or hide the value of the key. For AWS the PSK must be alphanumeric or "." or "_", between 8 and 64 characters, and cannot start with 0.

  • Local endpoint: NAT IP in the VDC or an automatically generated address in public cloud

  • Local networks: Select VDC networks. We recommend that you do not use the default private network addresses for both sides of a VPN

  • Remote endpoint: NAT IP in the remote VDC

  • Remote networks: Add network addresses using CIDR notation. Click x beside a network to remove it from the VPN configuration
