Internal Networks

overview an internal network is a virtual network originated within your tenant any number of internal networks can be created, each being created secure by default network rules can be used to open up access between internal networks and through external networks as needed concepts with each new tenant, a virtual network is automatically created to aggregate and encapsulate all of that tenant's traffic from the tenant's perspective, this is their physical network a tenant is then able to create a virtually unlimited number of internal networks within their own environment a tenant is typically assigned one or more external ip addresses and traffic is routed through an external network on the host cluster traffic flow see the traffic flow docid\ iialy zkjbdvadbweaoun diagram to better understand how traffic moves within the platform layer 2 & layer 3 support built in software defined networking (sdn) provides the ability to create/destroy internal networks on the fly without hardware changes both layer 2 and layer 3 internal networks are supported layer 2 networks the network is managed up to layer 2 by the platform cross node routing is handled within the dmz network ip level administration is handled in third party tools (e g , virtual firewall/router appliance) layer 3 networks full network management ip administration (dns, dhcp, routing, firewall, etc ) available within the platform network rules rules govern incoming and outgoing traffic to the network, replacing the traditional role of firewalls, routers and switches rules can be defined on all networks, allowing more granular security firewall accept, drop, or reject packets based on defined criteria routing to direct traffic between internal networks and out to external networks with defined static routes nat/pat map external internal/internal internal ip addresses/ports more information about working with network rules is available at network rules docid\ rty8z1ydekb9logsdgaw6 internal networks create internal network internal networks are virtual networks originated within the platform an internal network can be created as either layer 2 or layer 3, (layer 3 is recommended) from the top menu , click networks > + new internal enter a name for the network (optional), enter a description (optional), enter a ha group ℹ️ ha groups define two or more networks to provide high availability when multiple networks are assigned to the same ha group, the system will attempt to run the networks across different physical nodes to increase redundancy (optional), enter a layer 2 id ℹ️ most customers typically match layer 2 id and layer 3 vlan numbers (optional), select a port mirroring option north/south only mirror traffic that passes through the router east/west mirror all traffic, including traffic between vms in the network and traffic that passes through the router ℹ️ see port mirroring docid\ nds0l6of63zcuumtgff9z for more information select ip address type static \<font color="#2166ae">(recommended)\</font> creates a layer 3 network none creates a layer 2 network toggle show advanced options enter an ip address for the network (e g , 10 1 1 1 ) enter a network address (e g , 10 1 1 0/24 ) (optional), enter a hostname for the layer 3 routed interface (optional), enter a domain suffix (e g , contoso com ) select dns type bind run a full features dns server (authoritative, etc ) disabled do not run a dns server, but offer servers in the dns server list to dhcp clients other network forward dns requests to another network and auto create a records for dhcp clients simple \<font color="#2166ae">(recommended)\</font> run a forwarding dns server; if no forwarding servers are listed, the default gateway network dns is used instead (optional), add dns servers \<font color="#2166ae">(important)\</font> , select a default gateway (typically external ) to give an internal network access outside of the platform (e g , the internet), select the proper external network as the default gateway an appropriate routing rule will be created automatically if no default gateway is selected when creating the network, routing rules will need to be created manually to route traffic through an external network the dhcp option is checked by default if you do not wish to run dhcp on this network, or you have your own dhcp server, uncheck dhcp configure any additional options, if desired monitor gateway continually ping the gateway and report uptime to the ui on power loss determines the action taken when power is restored track statistics for all rules tracks total packets/bytes, per rule, for all rules assigned to this network (tracking does not apply to route rules) track dmz statistics tracks total packets/bytes from this network through the dmz network trace/debug rules traces all traffic through the firewall for diagnostics mirror logs mirror syslog messages from this network to the main tenant ui enable rate limiting throttles the bandwidth through the network's router click submit after creating the network, you must power it on for it to become active from the left menu , click power on modify internal network from the top menu , click networks > list select the desired network from the left menu , click edit modify desired fields click submit delete internal network from the top menu , click networks > list select the desired network from the left menu , click delete configure inter vlan routing both source and destination networks must already be created see network rules docid\ rty8z1ydekb9logsdgaw6 for additional information on network rules create outgoing rule from the top menu , click networks > list select the source vlan from the left menu , click view from the left menu , click rules from the left menu , click new enter a name for the rule (e g , route out v10 to v20 ) action , select route select protocol (typically any ) direction , select outgoing configure source type , select my network address configure destination type , select other network address network , select the name of the desired network configure target type , select other network dmz ip target network , select the name of the desired network click submit create incoming rule from the top menu , click networks > list select the source vlan from the left menu , click view from the left menu , click rules from the left menu , click new enter name a name for the rule (e g , allow in v20 to v10 ) action , select accept select protocol (typically any ) direction , select incoming configure source type , select other network address network , select the name of the destination network configure destination type , select my network address click submit repeat for second network repeat the steps above for the second network once completed you should have an outgoing and incoming rule on each network (source and destination) click apply rules to apply the changes ip addressing external ip addresses to request external ip addresses for your tenant, please contact korgrid support once external ip's have been assigned to your tenant, follow the steps in this section to make them available to your virtual machines assign external ip there are two ways korgrid can assign public ips single ip assignment (/32) a network block that contains a single external ip address use the network block method multiple ip assignment (/29, /28, etc ) a network block that contains multiple external ip addresses use the vip method determine ip address from the top menu , click networks > list select the external network from the left menu , click view from the left menu , click network blocks determine the public ip address you wish to use from the network block create vip from the top menu , click networks > list select the external network from the left menu , click view from the left menu , click ip addresses from the left menu , click new type , select virtual ip enter the public ip address from the network block (e g , 24 221 112 159 ) owner type , select network owner , select the desired internal network click submit from the top menu , click networks > list select the external network from the left menu , click view from the left menu , click network blocks select the desired network block from the left menu , click edit owner type , select network owner , select your desired internal network click submit once the external ip address(es) have been assigned to an internal network, you must create a translation rule to allow traffic to reach the destination vm create nat translation assign to network from the top menu , click networks > list select the external network from the left menu , click view from the left menu vip method click ip addresses network block method click network blocks select the desired external ip address or network block from the left menu , click edit owner type , select network owner , select the desired internal network (e g , vlan10 , etc ) click submit create nat translation rule when assigning a network block or ip address to a network, routing rules will be automatically created the only additional step needed is to create the 1 1 nat translation from the top menu , click networks > list select the internal network your vm is assigned to (e g , vlan10 , etc ) from the left menu , click view from the left menu , click rules from the left menu , click new enter a name for the rule ℹ️ try to be as descriptive as possible this name will appear in logs (e g , nat 64 96 23 16 > 10 3 16 95 ) (optional), enter a description action , select translate protocol , select any direction , select incoming configure source type , select any / none configure destination vip method type , select my ip addresses ip address , select the desired external ip address network block method type , select other network block network , select external network block , select the desired network block configure target type , select ip / custom target ip , select the internal ip address of your target vm click submit apply rules ⚠️ click apply rules to apply the changes advanced configuration it may be necessary to assign ip addresses from a single network block across multiple internal networks when this is required, network rules must be created manually for each ip address in the block this approach provides precise control over which ip addresses are assigned to each internal network create external network rules from the top menu , click networks > list select the external network from the left menu , click view from the left menu , click rules routing rule from the left menu , click new enter a name for the rule ℹ️ try to be as descriptive as possible (e g , route 64 96 23 16 ) (optional), enter a description action , select route protocol , select any direction , select incoming configure source type , select any / none configure destination type , select custom custom filter , select the desired public ip address (e g , 64 96 23 16 ) configure target type , select other network dmz ip target network , select your desired internal network click submit firewall rule from the left menu , click new enter a name for the rule ℹ️ try to be as descriptive as possible (e g , accept 64 96 23 16 ) (optional), enter a description action , select accept protocol , select any direction , select incoming configure source type , select any / none configure destination type , select custom custom filter , select the desired public ip address (e g , 64 96 23 16 ) click submit create internal network rules from the top menu , click networks > list select the desired internal network from the left menu , click view from the left menu , click rules routing rule from the left menu , click new enter a name for the rule ℹ️ try to be as descriptive as possible (e g , route 64 96 23 16 ) (optional), enter a description action , select route protocol , select any direction , select outgoing configure source type , select custom custom filter , select the desired public ip address (e g , 64 96 23 16 ) configure destination type , select default configure target type , select other network dmz ip target network , select external click submit nat rule from the left menu , click new enter a name for the rule ℹ️ try to be as descriptive as possible (e g , nat 64 96 23 16 ) (optional), enter a description action , select translate protocol , select any direction , select incoming configure source type , select any / none configure destination type , select custom custom filter , select the desired public ip address (e g , 64 96 23 16 ) configure target type , select ip / custom target ip , select the internal ip address of your target vm click submit apply rules ⚠️ click apply rules to apply the changes