Network Service

ZStack Cloud provides VM instances with multiple network services, including VPC firewall, security group, virtual IP address (VIP), elastic IP address (EIP), port forwarding, IPsec tunnel, load balancing, OSPF area, Netflow, port mirror, and route table.

ZStack Cloud supports the following two network models:
  • Flat network
  • VPC network

Network Service Module

The Network Service Module provides a group of network services. Note that this module has been hidden on the UI.

The Network Service Module has the following four types:
  1. Virtual Router Network Service Module (Not recommended)

    Provides various network services: DNS, SNAT, load balancing, port forwarding, EIP, and DHCP.

  2. Flat Network Service Module (Flat Network Service Provider)
    Provides the following network services:
    • User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
    • EIP: Allows you to access private networks through public networks.
    • DHCP: Dynamically obtains an IP address.
      Note: The DHCP service includes the DNS feature.
    • VIP QoS: Limits the upstream and downstream bandwidth. This applies only to EIPs.
  3. VPC vRouter Network Service Module
    Provides the following network services:
    • IPsec: Achieves VPN connections.
    • vRouter route table: Manages custom routes.
    • Centralized DNS: Provides the DNS service when the distributed DHCP service is enabled.
    • VIP QoS: Limits the upstream and downstream bandwidth of a virtual IP address.
    • DNS: Uses VPC vRouters to provide the DNS service.
    • SNAT: Enables VM instances to access the Internet directly.
    • Load balancing: Distributes inbound traffic from a VIP to a group of backend VM instances. Unavailable VM instances are detected and isolated automatically.
    • Port forwarding: Forwards port traffic of specified public IP addresses to the ports of corresponding VM instances according to specified protocols.
    • EIP: Uses VPC vRouters to access private networks of VM instances through public networks.
    • DHCP: Provides the centralized DHCP service.
  4. Security Group Network Service Module
    Provides the following network service:
    • Security group: Controls VM instance firewall security by using iptables.

Flat Network Practice

In your production environments, we recommend that you use the following combination of network services:
  • Flat Network Service Module
    • User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
    • EIP: Allows you to access private networks through public networks.
    • DHCP: Dynamically obtains an IP address.
      Note: The DHCP service includes the DNS feature.
  • Security Group Network Service Module
    • Security group: Controls VM instance firewall security by using iptables.

VPC Network Practice

In your production environments, we recommend that you use the following combination of network services:
  • Flat Network Service Module
    • User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
    • DHCP: Dynamically obtains an IP address.
  • vRouter Network Service Module
    • DNS: Uses vRouters to provide the DNS service.
    • SNAT: Allows VM instances to access the Internet directly.
    • vRouter route table: Manages custom routes.
    • EIP: Uses vRouters to access private networks of VM instances through public networks.
    • Port forwarding: Forwards port traffic of specified public IP addresses to the ports of corresponding VM instances according to specified protocols.
    • Load balancing: Distributes inbound traffic from a VIP to a set of backend VM instances. Unavailable VM instances are detected and isolated automatically.
    • IPsec: Achieves VPN connections.
  • Security Group Network Service Module
    • Security group: Controls VM instance firewall security by using iptables.

Advanced Network Services

  • Dynamic routing: Uses the Open Shortest Path First (OSPF) routing protocol to distribute routing information within a single autonomous system. This service applies to VPC network scenarios.
  • Multicast routing: Forwards the multicast traffic sent by a multicast source to VM instances, achieving one-to-many communication between the sending side and the receiving side. This service applies to VPC network scenarios.
  • VPC firewall: Filters the south-north traffic on the VPC vRouter ports, effectively protecting the VPC communication security and VPC vRouter security. This service applies to VPC network scenarios.
  • Port mirroring: Copies the network traffic of VM NICs from one port to another port so that the business packets can be analyzed on the mirror port, improving monitoring and management of network data. This service applies to flat network, vRouter network, and VPC network scenarios.
  • Netflow: Monitors and analyzes the inbound and outbound traffic of the VPC vRouter NICs. Currently, the following two data-flow output formats are supported: Netflow V5 and Netflow V9. This service applies to VPC network scenarios.

What is Security Group?

A security group provides security control services for VM instances on the L3 network. It filters the ingress or egress TCP, UDP, and ICMP packets of specified VM instances in specified networks based on the specified security rules.

Characteristics

  • A security group rule can be categorized into the following two types based on the packet flow direction:
    • Ingress: indicates data packets that flow into a VM instance.
    • Egress: indicates data packets that are sent from a VM instance.
  • Security group rules support the following communication protocols:
    • ALL: indicates all types of protocols. If you select ALL, you cannot specify a port.
    • TCP: allows you to specify a port that ranges from 1 to 65535.
    • UDP: allows you to specify a port that ranges from 1 to 65535.
    • ICMP: the start port and end port default to -1, which means that all ICMP messages are allowed.
  • You can specify data sources in a security group rule to limit data access:
    • If you specify a CIDR block, only the ingress data from the CIDR block or egress data to the CIDR block is allowed.
    • If you specify a security group, only the ingress data from the security group or egress data to the security group is allowed.
    Note: If you specify both a CIDR block and a security group, only the ingress data from the intersection of the security group and CIDR block or egress data to the intersection of the security group and CIDR block is allowed.
Figure 1. Security Group


Considerations

  • You can assign a security group to one or more VM instances. These VM instances share the same security group rules.
  • You can associate a security group with one or more L3 networks. These L3 networks share the same security group rules.
  • Security groups apply the allowlist mechanism. Only the traffic that follows the created rules is allowed to reach the specified ports.
  • When you create a security group, the system automatically configures two rules (an ingress rule and an egress rule whose protocol types are both ALL) for communications of VM instances in the security group. You can delete these two default rules to cancel the intra-group communication.
  • When you create a security group, if you do not set a rule, ingress traffic is not allowed to access VM instances in the security group. However, egress traffic from VM instances in the security group is allowed.
  • If you use a security group along with other network services, such as load balancing and the vRouter route table, make sure that the security group rules required by these network services are added to the security group.
  • Public networks, flat networks, and VPC networks support the security group service. It is provided by the security group network service module, which uses iptables to implement security control.
  • A security group is a distributed firewall. Each rule change, NIC association, or NIC disassociation causes the security group rules to be updated on all associated VM instances.
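The rule semantics described above (ingress/egress direction, ALL/TCP/UDP/ICMP protocols, the -1 port convention, CIDR and security-group sources intersected when both are set, the two default intra-group ALL rules, and allowlist behaviour with default-deny ingress) can be modelled as a small policy evaluator. The following is an added example and not ZStack code; the group names, member addresses and rules are constructed for illustration, and how egress behaves once egress rules exist is not stated on this page, so the model simply applies the allowlist to it as an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str               # "ingress" or "egress"
    protocol: str                # "ALL", "TCP", "UDP" or "ICMP"
    start_port: int = -1         # -1 = no port restriction (ALL and ICMP rules)
    end_port: int = -1
    cidr: Optional[str] = None   # remote CIDR block; None = any address
    group: Optional[str] = None  # remote security group name; None = any group

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    remote_ip: str
    port: int = -1               # destination port; -1 for ICMP

def default_rules(group_name):
    """The two ALL rules the platform creates for intra-group communication."""
    return [Rule("ingress", "ALL", group=group_name), Rule("egress", "ALL", group=group_name)]

def rule_matches(rule, pkt, members):
    """members maps a security group name to the IPs of its member NICs (constructed)."""
    if rule.direction != pkt.direction or rule.protocol not in ("ALL", pkt.protocol):
        return False
    if rule.protocol in ("TCP", "UDP") and not rule.start_port <= pkt.port <= rule.end_port:
        return False
    # With both a CIDR and a group set, only the intersection of the two is admitted.
    if rule.cidr and ipaddress.ip_address(pkt.remote_ip) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.group and pkt.remote_ip not in members.get(rule.group, set()):
        return False
    return True

def is_allowed(rules, pkt, members):
    """Allowlist: ingress needs a matching rule; egress passes when no egress rule exists."""
    same_direction = [r for r in rules if r.direction == pkt.direction]
    if pkt.direction == "egress" and not same_direction:
        return True  # page: egress is allowed when the group has no rules
    return any(rule_matches(r, pkt, members) for r in same_direction)

# Constructed sample: "web" exposes HTTPS to everyone, PostgreSQL only to "db" members
# that are also inside 10.0.2.0/24, and ICMP only from a management block.
MEMBERS = {"web": {"10.0.1.10", "10.0.1.11"}, "db": {"10.0.2.20", "10.0.3.30"}}
WEB_RULES = default_rules("web") + [
    Rule("ingress", "TCP", 443, 443, cidr="0.0.0.0/0"),
    Rule("ingress", "TCP", 5432, 5432, cidr="10.0.2.0/24", group="db"),
    Rule("ingress", "ICMP", cidr="192.0.2.0/24"),
]
```

Deleting the two `default_rules` entries from `WEB_RULES` reproduces the documented effect of removing the default rules: intra-group traffic is then subject to the explicit rules only.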

Create a Security Group

On the main menu of ZStack Cloud, choose Resource Center > Network Service > Basic Network Service > Security Group. On the Security Group page, click Create Security Group. Then, the Create Security Group page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the security group.
  • Description: Optional. Enter a description for the security group.
  • Network: Select an L3 network you created. The L3 network can be a public network, flat network, or a VPC network.
  • Rule: Optional. Add an ingress rule or egress rule for the security group. You can also add a rule after you create the security group.
  • NIC: Optional. Add a NIC to the security group. You can also add a NIC after you create the security group.
Figure 1. Create Security Group