A network is an isolated layer 2 network broadcast domain (Layer 2 network means that packets delivery is based on destination MAC address, not an IP address like in Layer 3). You, as a user, can create your own networks, which are independent from networks created by other users.
By default, networks are completely isolated from each other - that means, only devices connected to the same network can communicate. However, it is easy to connect a network to a router, this way allowing communications between different networks.
Networks and subnets
It is important to note that many network management services, which on non-cloud infrastructure would require deploying additional management services, are available on the platform out of the box. IP address management is a notable example.
To support IP address management, a subnet can be created within a network. A subnet is simply a block if IP addresses and associated configuration state. Subnets are used to allocate IP addresses when devices are connected to the network.
IP address management
Every device (for example, an instance), when connecting to a network, automatically allocates an IP address from the subnet configured on that network (this, of course, assumes that subnet is configured and free IPs are available). The IP used on an internal network is called a fixed IP and used to communicate within the cloud (unlike floating IPs used to connect from the internet).
To assign IP addresses, a DHCP service is used - so the instances typically requests IP configuration via DHCP. You don't need to install any DHCP server to make it work - this service is a fully manageable feature of the cloud. Moreover, if you install your own DHCP server, it won't properly work and may create many problems and conflicts.
The DHCP service provided in the cloud is tightly integrated with the cloud management and configuration. When IP is assigned to a port (typically during the port creation), a record matching that IP and its MAC address is stored in the configuration database. The DHCP service will only provide IP to a requestor with a MAC address matching this record. This configuration is static - it is not a subject to DHCP lease expiration; the port will receive the same IP address as long as the port (in its current configuration) exists.
In a hypothetical situation when an "unknown" endpoint (with a MAC address not recorded in the configuration database) will send a DHCP request on a network, this request will not be answered to. So, you can consider DHCP here is a mechanism to deliver IP configuration to the port, but not truly a management service, since it does not make any configuration decisions.
When DHCP is not enabled on a subnet, DHCP based IP configuration will no longer work, so the IPs must be assigned manually. However, the configuration itself (including IP<->MAC mappings) will still be created for every port. In case a port is manually configured with a different IP (not matching its configuration), the port security will block the traffic from that port (see Security groups for more details about port security).
By default, a network is isolated from all other networks, as well as from the Internet. To enable internet connectivity for an instance, the network that the instance uses must be connected to a router, and the router must have external gateway configured.
Using connectivity via a router, the instance can connect to the Internet using Source NAT (SNAT) mechanism. NAT is used because instances use private, not globally routable IP addresses. SNAT will allow the instance to connect to the internet resources, but won't allow incoming connections (from the Internet).
To allow incoming connections from the Internet, the instance must have a floating IP assigned. Floating IP can only be assigned on a network which is connected to a router with external gateway (same requirement as for SNAT based connectivity).
A regular network is fully virtual - it does not support connecting any devices outside of the cloud. At the same time, such connectivity may be required - for example, when building a network channel connecting on-premise network directly to the virtual datacenter using IP VPN.
For cases like that, there is special type of network called provider network. A provider network can be connected to a physical network, and at the same time it has all the features of a regular network (so instances can connect to it directly).
To create a provider network for specific needs, you will need to contact your service provider.
If you compare the cloud network to a physical network (especially the one using an unmanaged switch), you will find that cloud networking is much more "hardened" and restrictive. With port security enabled, the following functions will be not be allowed:
- Sending or receiving traffic from/to IP addresses not configured on that port. For example, if you'd like to build your own router instead of the one provided, you will need to disable port security on the ports of the router.
- Sending DHCP responses (so DHCP server installed in an instance will not work).
- Using promiscuous mode (so an instance won't be able to receive traffic of other instances on the same network).
Network creation and management
To create a network, do the following:
- Click on "Networking" on the left pane of the portal. This will display all the networking features of the portal.
- Click on "Networks".
- In the Networks page, click on the "Create network" button to open a new network configuration window.
Enter a name for your network.
To associate an IP configuration with this network, select "Add new subnet now" control.
Note: That you can always add a subnet later by going to the "Manage Subnets" section in your Network's settings.
To delete a network, click on the network action menu ans select "Delete". Note that you can only delete a network which does not have any connections to it. Any ports connecting to a network must be removed first, before the network can be deleted.
A special network called ext-net is a pre-configured as an external (connected to the Internet) network. You cannot change this network, or connect instances to this network directly - this network can only be used when configuring a gateway on a router.
You can specify the following configuration on your subnet:
- Subnet name.
IP Version: (either IPv4 or IPv6).
Network CIDR: (Classless Inter-Domain Routing), for example 10.1.2.0/24. In the same private network, subnet IP addresses cannot overlap. However, different private networks can use the same or overlapping subnet IP addresses.
DNS Servers:. The DNS servers configuration is only useful for networks connected to the Internet. You can use DNS servers of your provider, or public DNS servers like 18.104.22.168.
Gateway: This is a default gateway for the subnet (a gateway is used when trying to communicate with an IP which is outside of the current subnet). When network is connected to a router, the router will automatically allocate the gateway IP from this network. The gateway information will be distributed to the instances via DHCP, or can be configured manually inside the instance.
DHCP:. DHCP settings enables DHCP service on this network for automatic IP configuration assignment. If not enabled, the IPs must be assigned manually on the network adapters of the instances.