# Internal Networks
## Overview

An internal network is a virtual network originated within your tenant. Any number of internal networks can be created, each being secure by default. Network rules can be used to open up access between internal networks and through external networks as needed.

## Concepts

- With each new tenant, a virtual network is automatically created to aggregate and encapsulate all of that tenant's traffic. From the tenant's perspective, this is their physical network.
- A tenant is then able to create a virtually unlimited number of internal networks within their own environment.
- A tenant is typically assigned one or more external IP addresses, and traffic is routed through an external network on the host cluster.

### Traffic flow

See the traffic flow diagram (docid\ iialy zkjbdvadbweaoun) to better understand how traffic moves within the platform.

### Layer 2 & layer 3 support

Built-in software-defined networking (SDN) provides the ability to create/destroy internal networks on the fly without hardware changes. Both layer 2 and layer 3 internal networks are supported.

Layer 2 networks:

- The network is managed up to layer 2 by the platform.
- Cross-node routing is handled within the DMZ network.
- IP-level administration is handled in third-party tools (e.g., a virtual firewall/router appliance).

Layer 3 networks:

- Full network management.
- IP administration (DNS, DHCP, routing, firewall, etc.) is available within the platform.

### Network rules

Rules govern incoming and outgoing traffic to the network, replacing the traditional role of firewalls, routers and switches. Rules can be defined on all networks, allowing more granular security.

- Firewall: accept, drop, or reject packets based on defined criteria.
- Routing: direct traffic between internal networks and out to external networks with defined static routes.
- NAT/PAT: map external-to-internal or internal-to-internal IP addresses/ports.

More information about working with network rules is available at docid\ rty8z1ydekb9logsdgaw6.

## Internal networks

### Create internal network

Internal networks are virtual networks originated within the platform. An internal network can be created as either layer 2 or layer 3 (layer 3 is recommended).

1. From the top menu, click Networks > + New Internal.
2. Enter a name for the network.
3. (Optional) Enter a description.
4. (Optional) Enter an HA group. ℹ️ HA groups define two or more networks to provide high availability. When multiple networks are assigned to the same HA group, the system will attempt to run the networks across different physical nodes to increase redundancy.
5. (Optional) Enter a layer 2 ID. ℹ️ Most customers typically match layer 2 ID and layer 3 VLAN numbers.
6. (Optional) Select a port mirroring option:
   - North/South: only mirror traffic that passes through the router.
   - East/West: mirror all traffic, including traffic between VMs in the network and traffic that passes through the router.
   ℹ️ See docid\ nds0l6of63zcuumtgff9z for more information.
7. Select IP address type:
   - Static (recommended): creates a layer 3 network.
   - None: creates a layer 2 network.
8. Toggle Show Advanced Options.
9. Enter an IP address for the network (e.g., 10.1.1.1).
10. Enter a network address (e.g., 10.1.1.0/24).
11. (Optional) Enter a hostname for the layer 3 routed interface.
12. (Optional) Enter a domain suffix (e.g., contoso.com).
13. Select DNS type:
    - Bind: run a full-featured DNS server (authoritative, etc.).
    - Disabled: do not run a DNS server, but offer the servers in the DNS server list to DHCP clients.
    - Other Network: forward DNS requests to another network and auto-create A records for DHCP clients.
    - Simple (recommended): run a forwarding DNS server; if no forwarding servers are listed, the default gateway network's DNS is used instead.
14. (Optional) Add DNS servers.
15. (Important) Select a default gateway (typically External). To give an internal network access outside of the platform (e.g., the internet), select the proper external network as the default gateway. An appropriate routing rule will be created automatically. If no default gateway is selected when creating the network, routing rules will need to be created manually to route traffic through an external network.
16. The DHCP option is checked by default. If you do not wish to run DHCP on this network, or you have your own DHCP server, uncheck DHCP.
17. Configure any additional options, if desired:
    - Monitor Gateway: continually ping the gateway and report uptime to the UI.
    - On Power Loss: determines the action taken when power is restored.
    - Track Statistics for All Rules: tracks total packets/bytes, per rule, for all rules assigned to this network (tracking does not apply to route rules).
    - Track DMZ Statistics: tracks total packets/bytes from this network through the DMZ network.
    - Trace/Debug Rules: traces all traffic through the firewall for diagnostics.
    - Mirror Logs: mirror syslog messages from this network to the main tenant UI.
    - Enable Rate Limiting: throttles the bandwidth through the network's router.
18. Click Submit.
19. After creating the network, you must power it on for it to become active. From the left menu, click Power On.

### Modify internal network

1. From the top menu, click Networks > List.
2. Select the desired network.
3. From the left menu, click Edit.
4. Modify the desired fields.
5. Click Submit.

### Delete internal network

1. From the top menu, click Networks > List.
2. Select the desired network.
3. From the left menu, click Delete.
4. Click Yes to confirm.

## Configure inter-VLAN routing

Both source and destination networks must already be created. See docid\ rty8z1ydekb9logsdgaw6 for additional information on network rules.

### 1. Create outgoing rule

1. From the top menu, click Networks > List.
2. Select the source VLAN.
3. From the left menu, click View.
4. From the left menu, click Rules.
5. From the left menu, click New.
6. Enter a name for the rule (e.g., route out V10 to V20).
7. Set Action to Route.
8. Select Protocol.
9. Set Direction to Outgoing.
10. Set Source Type to My Network Address.
11. Set Destination Type to Other Network Address, and set Network to the name of the desired network.
12. Set Target Type to Other Network DMZ IP, and set Target Network to the name of the desired network.
13. Click Submit.

### 2. Create incoming rule

1. From the top menu, click Networks > List.
2. Select the source VLAN.
3. From the left menu, click View.
4. From the left menu, click Rules.
5. From the left menu, click New.
6. Enter a name for the rule (e.g., allow in V20 to V10).
7. Set Action to Accept.
8. Select Protocol.
9. Set Direction to Incoming.
10. Set Source Type to Other Network Address, and set Network to the name of the destination network.
11. Set Destination Type to My Network Address.
12. Click Submit.

### 3. Repeat for second network

Repeat steps 1 and 2 for the second network. Once completed, you should have an outgoing and an incoming rule on each network (source and destination). Don't forget to click Apply Rules to activate the rules for the network.

## IP addressing

### External IP addresses

To request external IP addresses for your tenant, please contact Korgrid support. Once external IPs have been assigned to your tenant, follow the steps below to make them available to your virtual machines.

### Assign to network

1. From the top menu, click Networks > List.
2. Select the external network.
3. From the left menu, click View.
4. From the left menu, click Network Blocks.
5. Select the desired network block.
6. From the left menu, click Edit.
7. Set Owner Type to Network.
8. Set Owner to your desired internal network.
9. Click Submit.

### Create NAT translation rule

When assigning a network block to a network, routing rules will be created automatically. The only additional step needed is to create the 1:1 NAT translation.

1. From the top menu, click Networks > List.
2. Select the internal network your VM is assigned to.
3. From the left menu, click View.
4. From the left menu, click Rules.
5. From the left menu, click New.
6. Enter a name for the rule. ℹ️ Try to be as descriptive as possible; this name will appear in logs (e.g., nat 64.96.23.16 > 10.3.16.95).
7. (Optional) Enter a description.
8. Set Action to Translate.
9. Set Protocol to Any.
10. Set Direction to Incoming.
11. Set Source Type to Any / None.
12. Set Destination Type to Other Network Block, set Network to External, and set Network Block to the desired network block.
13. Set Target Type to IP / Custom, and set Target IP to the internal IP address of your target VM.
14. Click Submit.

### Apply rules

When network rules are modified, you must apply rules before they are live.

## Advanced configuration

It may be necessary to assign IP addresses from a single network block across multiple internal networks. When this is required, network rules must be created manually for each IP address in the block. This approach provides precise control over which IP addresses are assigned to each internal network.

### Create external network rules

1. From the top menu, click Networks > List.
2. Select the external network.
3. From the left menu, click View.
4. From the left menu, click Rules.

Routing rule:

1. From the left menu, click New.
2. Enter a name for the rule. ℹ️ Try to be as descriptive as possible (e.g., route 64.96.23.16).
3. (Optional) Enter a description.
4. Set Action to Route.
5. Set Protocol to Any.
6. Set Direction to Incoming.
7. Set Source Type to Any / None.
8. Set Destination Type to Custom, and set Custom Filter to the desired public IP address (e.g., 64.96.23.16).
9. Set Target Type to Other Network DMZ IP, and set Target Network to your desired internal network.
10. Click Submit.

Firewall rule:

1. From the left menu, click New.
2. Enter a name for the rule. ℹ️ Try to be as descriptive as possible (e.g., accept 64.96.23.16).
3. (Optional) Enter a description.
4. Set Action to Accept.
5. Set Protocol to Any.
6. Set Direction to Incoming.
7. Set Source Type to Any / None.
8. Set Destination Type to Custom, and set Custom Filter to the desired public IP address (e.g., 64.96.23.16).
9. Click Submit.

### Create internal network rules

1. From the top menu, click Networks > List.
2. Select the desired internal network.
3. From the left menu, click View.
4. From the left menu, click Rules.

Routing rule:

1. From the left menu, click New.
2. Enter a name for the rule. ℹ️ Try to be as descriptive as possible (e.g., route 64.96.23.16).
3. (Optional) Enter a description.
4. Set Action to Route.
5. Set Protocol to Any.
6. Set Direction to Outgoing.
7. Set Source Type to Custom, and set Custom Filter to the desired public IP address (e.g., 64.96.23.16).
8. Set Destination Type to Default.
9. Set Target Type to Other Network DMZ IP, and set Target Network to External.
10. Click Submit.

NAT rule:

1. From the left menu, click New.
2. Enter a name for the rule. ℹ️ Try to be as descriptive as possible (e.g., nat 64.96.23.16).
3. (Optional) Enter a description.
4. Set Action to Translate.
5. Set Protocol to Any.
6. Set Direction to Incoming.
7. Set Source Type to Any / None.
8. Set Destination Type to Custom, and set Custom Filter to the desired public IP address (e.g., 64.96.23.16).
9. Set Target Type to IP / Custom, and set Target IP to the internal IP address of your target VM.
10. Click Submit.

### Apply rules

When network rules are modified, you must apply rules before they are live.
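The inter-VLAN routing procedure above only works once both networks carry both halves (an outgoing route and an incoming accept); because networks are secure by default, a missing half silently blocks traffic in one direction. This added check is not the platform's own code: the `Rule` model and its field strings are assumptions that mirror the UI labels, and the sample rule set is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One rule as the UI fields describe it (assumed data model, not the platform's API)."""
    name: str
    action: str            # "route" or "accept"
    direction: str         # "outgoing" or "incoming"
    source_type: str       # "my network address" / "other network address"
    destination_type: str
    network: str = ""      # the other network named in the Network field
    target_type: str = ""
    target_network: str = ""

def has_outgoing_route(rules, other):
    """Route rule: my network -> other network, targeting that network's DMZ IP."""
    return any(r.action == "route" and r.direction == "outgoing"
               and r.source_type == "my network address"
               and r.destination_type == "other network address" and r.network == other
               and r.target_type == "other network dmz ip" and r.target_network == other
               for r in rules)

def has_incoming_accept(rules, other):
    """Accept rule: traffic arriving from the other network into my network."""
    return any(r.action == "accept" and r.direction == "incoming"
               and r.source_type == "other network address" and r.network == other
               and r.destination_type == "my network address"
               for r in rules)

def missing_inter_vlan_rules(rules_by_network, a, b):
    """List the rule halves still missing for two-way traffic between networks a and b."""
    missing = []
    for me, other in ((a, b), (b, a)):
        rules = rules_by_network.get(me, [])
        if not has_outgoing_route(rules, other):
            missing.append(f"{me}: outgoing route to {other}")
        if not has_incoming_accept(rules, other):
            missing.append(f"{me}: incoming accept from {other}")
    return missing

# Constructed sample: V10 is complete, V20 still lacks its incoming accept rule.
SAMPLE = {
    "V10": [Rule("route out V10 to V20", "route", "outgoing", "my network address",
                 "other network address", "V20", "other network dmz ip", "V20"),
            Rule("allow in V20 to V10", "accept", "incoming", "other network address",
                 "my network address", "V20")],
    "V20": [Rule("route out V20 to V10", "route", "outgoing", "my network address",
                 "other network address", "V10", "other network dmz ip", "V10")],
}
```

Running `missing_inter_vlan_rules(SAMPLE, "V10", "V20")` reports the single missing half on V20; an empty list means only Apply Rules remains.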
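The advanced configuration above repeats the same four rules (external route and accept, internal outgoing route and 1:1 NAT) for every public IP in a block. This added example is not the platform's own code: it generates those rules from a mapping and rejects a public IP outside the block, a VM address outside its network, or a public IP mapped twice. The dict-based rule model, its field strings and the sample addresses and subnets are assumptions.

```python
import ipaddress

def per_ip_rules(public_ip, external_block, internal_network, internal_subnet, vm_ip):
    """Build the four rules the advanced procedure creates for one public IP.
    Keys mirror the UI fields; this is an assumed data model, not the platform's API."""
    pub = ipaddress.ip_address(public_ip)
    vm = ipaddress.ip_address(vm_ip)
    if pub not in ipaddress.ip_network(external_block, strict=False):
        raise ValueError(f"{pub} is not inside external block {external_block}")
    if vm not in ipaddress.ip_network(internal_subnet, strict=False):
        raise ValueError(f"{vm} is not inside {internal_network} ({internal_subnet})")
    ip, ext = str(pub), "external"
    return [
        # External network: steer packets for the public IP to the internal network's DMZ IP.
        {"network": ext, "name": f"route {ip}", "action": "route", "protocol": "any",
         "direction": "incoming", "source_type": "any / none", "destination_type": "custom",
         "custom_filter": ip, "target_type": "other network dmz ip",
         "target_network": internal_network},
        # External network: accept only that public IP; nothing else is opened.
        {"network": ext, "name": f"accept {ip}", "action": "accept", "protocol": "any",
         "direction": "incoming", "source_type": "any / none", "destination_type": "custom",
         "custom_filter": ip},
        # Internal network: replies sourced from the public IP go back out via external.
        {"network": internal_network, "name": f"route {ip}", "action": "route",
         "protocol": "any", "direction": "outgoing", "source_type": "custom",
         "custom_filter": ip, "destination_type": "default",
         "target_type": "other network dmz ip", "target_network": ext},
        # Internal network: 1:1 translate the public IP to the VM's private address.
        {"network": internal_network, "name": f"nat {ip}", "action": "translate",
         "protocol": "any", "direction": "incoming", "source_type": "any / none",
         "destination_type": "custom", "custom_filter": ip,
         "target_type": "ip / custom", "target_ip": str(vm)},
    ]

def rules_for_block(assignments, external_block):
    """assignments: list of (public_ip, internal_network, internal_subnet, vm_ip).
    Each public IP must map to exactly one VM, so a repeated public IP is rejected."""
    seen, rules = set(), []
    for public_ip, net, subnet, vm_ip in assignments:
        key = str(ipaddress.ip_address(public_ip))
        if key in seen:
            raise ValueError(f"{key} is assigned more than once")
        seen.add(key)
        rules.extend(per_ip_rules(key, external_block, net, subnet, vm_ip))
    return rules

# Constructed sample: one public /24 split across two internal networks.
SAMPLE_RULES = rules_for_block([("64.96.23.16", "V10", "10.3.16.0/24", "10.3.16.95"),
                                ("64.96.23.17", "V20", "10.3.20.0/24", "10.3.20.10")],
                               "64.96.23.0/24")
```

Each generated rule still has to be entered on the network named in its `network` key and activated with Apply Rules there.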