Network Service
ZStack Cloud provides VM instances with multiple network services, including VPC firewall, security group, virtual IP address (VIP), elastic IP address (EIP), port forwarding, IPsec tunnel, load balancing, OSPF area, Netflow, port mirror, and route table.
ZStack Cloud supports the following two network models:
- Flat network
- VPC
Network Service Module
Network Service Module provides a group of network services. Note that this module has been hidden on the UI.
Network Service Module has the following four types:
- Virtual Router Network Service Module (Not recommended)
  Provides various network services: DNS, SNAT, load balancing, port forwarding, EIP, and DHCP.
- Flat Network Service Module (Flat Network Service Provider)
  Provides the following network services:
  - User Data: Injects user data, such as ssh-key. By running cloud-init, user data will be loaded into your VM instance and executed when the VM instance is started.
  - EIP: Uses distributed EIP to access private networks through public networks.
  - DHCP: Uses distributed DHCP to dynamically obtain an IP address.
    Note: The DHCP service includes the DNS feature.
  - VIP QoS: Adjusts the upstream bandwidth and downstream bandwidth, and can only be applied to EIPs.
- VPC vRouter Network Service Module
  Provides the following network services:
  - IPsec: Establishes VPN connections.
  - vRouter route table: Manages custom routes.
  - Centralized DNS: Is provided when the distributed DHCP service is enabled.
  - VIP QoS: Adjusts the upstream bandwidth and downstream bandwidth.
  - DNS: Uses VPC vRouters to provide the DNS service.
  - SNAT: Enables VM instances to access the Internet directly.
  - Load balancing: Distributes inbound traffic from a VIP to a group of backend VM instances. Unavailable VM instances are detected and isolated automatically.
  - Port forwarding: Forwards traffic on ports of specified public IP addresses to the ports of the corresponding VM instances according to specified protocols.
  - EIP: Uses VPC vRouters to access private networks of VM instances through public networks.
  - DHCP: Provides the centralized DHCP service.
- Security Group Network Service Module
  Provides the following network service:
  - Security group: Controls VM instance firewall security by using iptables.
Flat Network Practice
In your production environments, we recommend that you use the following combination of network services:
- Flat Network Service Module
  - User Data: Injects user data, such as ssh-key. By running cloud-init, user data will be loaded into your VM instance and executed when the VM instance is started.
  - EIP: Uses distributed EIP to access private networks through public networks.
  - DHCP: Uses distributed DHCP to dynamically obtain an IP address.
    Note: The DHCP service includes the DNS feature.
- Security Group Network Service Module
  - Security group: Controls VM instance firewall security by using iptables.
VPC Network Practice
In your production environments, we recommend that you use the following combination of network services:
- Flat Network Service Module
  - User Data: Injects user data, such as ssh-key. By running cloud-init, user data will be loaded into your VM instance and executed when the VM instance is started.
  - DHCP: DHCP allows you to dynamically obtain an IP address.
- vRouter Network Service Module
  - DNS: Uses vRouters to provide the DNS service.
  - SNAT: Allows VM instances to access the Internet directly.
  - vRouter route table: Manages custom routes.
  - EIP: Uses vRouters to access private networks of VM instances through public networks.
  - Port forwarding: Forwards traffic on ports of specified public IP addresses to the ports of the corresponding VM instances according to specified protocols.
  - Load balancing: Distributes inbound traffic from a VIP to a set of backend VM instances. Unavailable VM instances are detected and isolated automatically.
  - IPsec: Establishes VPN connections.
- Security Group Network Service Module
  - Security group: Controls VM instance firewall security by using iptables.
VPC Network Practice
In your production environments, we recommend that you use the following combination of network services:
- Flat Network Service Module
  - User Data: Customizes some parameters, such as ssh-key injection. By running cloud-init, these parameters will be loaded and injected into your VM instance when the VM instance is started.
  - DHCP: Uses distributed DHCP to dynamically obtain an IP address.
- VPC vRouter Network Service Module
  - DNS: Uses VPC vRouters to provide DNS services.
  - SNAT: Allows VM instances to access the Internet directly.
  - vRouter route table: Manages custom routes.
  - EIP: Uses VPC vRouters to access private networks of VM instances through public networks.
  - Port forwarding: Forwards traffic on ports of specified public IP addresses to the ports of the corresponding VM instances according to specified protocols.
  - Load balancing: Distributes inbound traffic from a VIP to a set of backend VM instances. Unavailable VM instances are detected and isolated automatically.
  - IPsec: Establishes VPN connections.
- Security Group Network Service Module
  - Security group: Controls VM instance firewall security by using iptables.
Advanced Network Services
- Dynamic routing: Uses the Open Shortest Path First (OSPF) routing protocol to distribute routing information within a single autonomous system. This service applies to VPC network scenarios.
- Multicast routing: Forwards the multicast information sent by the multicast source to VM instances, achieving point-to-multipoint communication between the transmitting side and the receiving side. This service applies to VPC network scenarios.
- VPC firewall: Filters the south-north traffic on the VPC vRouter ports, protecting both VPC communication and the VPC vRouter itself. This service applies to VPC network scenarios.
- Port mirroring: Copies the network traffic of VM NICs from one port and sends it to another port, where the business packets can be analyzed to better monitor and manage network data. This service applies to flat network, vRouter network, and VPC network scenarios.
- Netflow: Monitors and analyzes the inbound and outbound traffic of the VPC vRouter NICs. Currently, the following two data-flow output formats are supported: Netflow V5 and Netflow V9. This service applies to VPC network scenarios.