How to create a VM inside your virtual datacenter to act as an internet gateway
This page describes how to provide Internet access to your VMs in Abiquo on a private network with an isolated VLAN.
This is done through a gateway VM with an IP address in the cloud's public network.
Note: Abiquo now enables you to create network topologies using the Abiquo integrations with VMware NSX-T.
The problem of managing complex networks
Abiquo provides complete freedom to create, modify and delete network configurations using VLANs. Virtual appliances have private network addresses within VLANs, which is a very flexible way to configure network access for virtual appliances. However, this feature makes administration of the Abiquo System exponentially more complex. Hundreds of users can create, configure and remove isolated VLANs at the same time. So cloud administrators could conceivably spend much of their time managing Internet access for the VLAN configurations in a cloud. Thus, Abiquo provides a logical and automated solution for the administration of Internet access.
Abiquo networking overview
Before going any further with this how-to, it is important to understand the difference between private networks and public networks in terms of access and definition in the Abiquo platform.
Private networks
Private networks use private IP address space
They are created and managed by users within a virtual datacenter
They are isolated in VLANs so a private network address range can be duplicated without causing problems for other users
There may be more than one private network within a virtual datacenter (each with its own VLAN).
Machines on private networks can access the Internet through a gateway machine configured with a public network address
Public networks
Public networks use public IP address space
They are created and managed by the cloud administrator
They may have a common VLAN tag within the datacenter
Users purchase unique public IP addresses from their datacenter
The machines on the public network are connected to the Internet
Private network configuration
When you create a private network, a dialog appears.
The most important fields of this form are the network address and mask, which define the network, and the Gateway.
The Gateway is the node of the network that will access another network (in this case, the Internet) and it must be defined.
Every packet addressed to a destination outside the network will be sent to the gateway. Selecting a network in the network list displays the network details and the Gateway address.
Internet connectivity solution
The cloud administrator has privileges to provide Internet access to the public networks, so public IPs will have Internet access.
In this solution, one virtual machine with a public IP address will act as a gateway to provide Internet access to every VM in a virtual datacenter, as shown in the diagram below.
When the VM gateway is deployed, it will forward all the private VLAN traffic to the public IP address.
Because this public IP address has Internet access through the datacenter's network infrastructure, every VM in the VDC will now have Internet access.
Example
This example implements the solution shown in the above diagram.
Step 1. Create a Virtual Datacenter
Create a Virtual Datacenter named gateway_example in Abiquo
Create VLAN1 10.60.1.0/24 with gateway 10.60.1.1
Create VLAN2 192.168.7.0/24 with gateway 192.168.7.1.
The Abiquo Cloud Admin has defined a public VLAN with the following parameters:
The public VLAN is a Network with the address range 80.169.246.201 to 80.169.246.206 using 80.169.246.201 as a gateway.
Step 2. Buy a Public IP Address
For example, 80.169.246.206.
All the network traffic will be forwarded to this IP address and thus indirectly to gateway 80.169.246.201.
Step 3. Create the Gateway Virtual Machine
Create and configure a virtual machine node_gateway to redirect all the VLAN traffic to the public address.
Create the gateway_app with the following NICs:
Gateway address of the private VLAN_1 : 192.168.7.1.
Gateway address of the private VLAN_2 : 10.60.1.1.
Public VLAN address: 80.169.246.206.
Make sure you assign the default gateway as the public VLAN gateway: 80.169.246.201.
Step 4. Deploy the Machine
Step 5. Set Up Forwarding and Firewall
Now forward all the traffic to the NIC that holds the IP address 80.169.246.206. You can configure the Linux firewall iptables to do this.
After deploying the machine, type the following as root:
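# Enable IPv4 forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
# Remove the existing filter and nat rules
iptables --flush
iptables --table nat --flush
# Rewrite the source of outgoing traffic to the public NIC's address
iptables --table nat --append POSTROUTING --out-interface ethX -j MASQUERADE
# Accept forwarded traffic arriving on each private NIC (one rule per NIC)
iptables --append FORWARD --in-interface ethY -j ACCEPT
iptables --append FORWARD --in-interface ethY -j ACCEPT
...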
Where:
ethX is the NIC of the Public IP address.
ethY stands for each NIC with a private IP address; add one FORWARD rule per private NIC.
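The FORWARD rules above match only the incoming interface, so with forwarding enabled the gateway also routes between the private VLANs it is attached to, and `iptables --flush` leaves the chain policies as they were. A stricter rule set, as an added example rather than Abiquo's own configuration: it sets the FORWARD policy to DROP and allows only private-to-public traffic plus replies. The function name gateway_rules and the NIC names eth0, eth1 and eth2 are assumptions.

```shell
#!/bin/sh
# Added example, not Abiquo's code. NIC names passed in are assumptions.

# valid_if NAME: succeed only for a plausible Linux interface name.
valid_if() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]   # kernel limit: IFNAMSIZ - 1
}

# gateway_rules PUBLIC_NIC PRIVATE_NIC...
# Prints an iptables-restore ruleset on stdout; changes nothing itself.
gateway_rules() {
    if [ "$#" -lt 2 ]; then
        echo "usage: gateway_rules PUBLIC_NIC PRIVATE_NIC..." >&2
        return 2
    fi
    pub=$1; shift
    valid_if "$pub" || { echo "bad interface name: $pub" >&2; return 2; }
    for nic in "$@"; do
        valid_if "$nic" || { echo "bad interface name: $nic" >&2; return 2; }
        [ "$nic" != "$pub" ] || { echo "$nic is the public NIC" >&2; return 2; }
    done
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $pub -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # One rule per private NIC, private -> public only. Private -> private
    # matches nothing and falls to the DROP policy, so the VLANs stay isolated.
    for nic in "$@"; do
        echo "-A FORWARD -i $nic -o $pub -j ACCEPT"
    done
    echo COMMIT
}

# Constructed NIC names: eth0 public, eth1 and eth2 private.
gateway_rules eth0 eth1 eth2
```

Pipe the output to `iptables-restore --test` to check it, then to `iptables-restore` to load it; loading replaces the existing nat and filter tables.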
Step 6. Check the Configuration
To check the internal gateway is configured correctly, create a virtual appliance with two VMs.
For example, one with the IP address 192.168.7.56 and the other with the IP address 10.60.1.34.
Virtual machine 1:
Virtual machine 2:
Connect a remote access client to any of the VMs and ping the Google DNS IP address to ensure the Internet connection is active:
Success!
Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved