Configuring your Business Cloud network
This article will show you how to configure your Business Cloud.
iiNet Business Cloud allows you to configure network services such as DHCP, firewalls, network address translation (NAT), VPN and static routing for your organisation's network.
Some basic network configuration on your part will be required before your virtual machine(s) will be accessible externally. We have provided instructions for a simple network setup below.
To configure your network in your Business Cloud, you will first need to follow these steps to access the Edge Gateway Services. All other menu options require you to get to this area before progressing.
Please note that your Business Cloud network configuration is your responsibility and isn't supported by our hosting support team.
Select one of the links below to jump to a query:
- Accessing Edge Gateway Services
- Setting Up NAT Rules
- Outbound NAT Rules (SNAT)
- Inbound NAT Rules (DNAT)
- Firewall Setup
- Configuring site-to-site VPN
- Log in using your organisation's login credentials.
- Click Administration.
- Click Virtual Datacenters in the left-hand column.
- Double click on your organisation's VDC.
- Once you have entered your VDC, click the Edge Gateways tab.
- Right click on your External Network (NAT) and select Edge Gateway Services.
Business Cloud makes extensive use of Network Address Translation (NAT) to connect the Virtual Machines to the internet. This means that even though you may only have one external IP address, you may be able to have several servers sitting behind the one IP address doing different tasks. In our Business Cloud environment, rules can be set up for outbound and inbound traffic.
Once you have entered the Edge Gateway Services screen you will need to:
- Select the NAT tab (marked as 1 in the example below).
- Add the rules by selecting the Add SNAT... and Add DNAT... buttons near the bottom of the new screen (marked as 2 in the example below).
SNAT (Source NAT) is used for traffic leaving the VMs to the Internet and DNAT (Destination NAT) is for traffic heading towards the virtual machines from the Internet.
To set up an Outbound NAT rule to allow your machines to contact the Internet:
- Click Add SNAT... (shown in the example above).
- Ensure the Applied on: section is set to either "External-126.96.36.199/23" or "External-188.8.131.52/23". Which one is visible will depend on what External IP Address you have been assigned.
- For Description, enter a short description of what this rule will be doing. In the example below, a description of "All outbound via 202.59.xxx.xxx" would detail exactly what the rule is doing.
- The Original (Internal) source IP/Range is the IP or range of the internal network the VM is attached to. As it suggests, this can be a range (192.168.0.2-192.168.0.15) or a single IP (192.168.0.3). In the example below, the range specified (192.168.0.2-192.168.0.255) covers any VMs that get created, meaning that all VMs will be able to access the Internet showing their External IP.
- Translated (External) source IP/Range. This will need to be one of the IP addresses that get assigned to your Business Cloud by us.
- Clicking Ok on the mini window will add the rule to the NAT table and then clicking Ok on the configure services window will apply any new rules added (or remove rules removed).
Adding inbound NAT rules is similar to adding outbound NAT rules, except it has the added bonus of being able to specify ports.
If you are familiar with port forwarding, this is essentially what inbound NAT rules can do.
Below we will run through two examples of NAT rules for inbound traffic.
- One that will allow all traffic going to one of your assigned external IP addresses to be passed to a specific VM.
- One that will just allow Remote Desktop traffic to a VM (recommended).
IMPORTANT: This is the riskiest setup you can use for NAT as it allows all traffic going to your external IP to reach your VM. This setup is NOT recommended unless you are comfortable with this and are confident in your firewall rules and in the firewall that has been installed and set up on your VM.
It is recommended to only use this as a temporary measure to access your VM or services on the VM while adding other NAT rules.
- Applied on section is set to the correct option, either External-184.108.40.206/23 or External-220.127.116.11/23.
- Description is again just a short line to detail what the rule does (optional).
- Original (External) IP/Range is the external IP assigned to you by us, in this case 202.59.xxx.xxx.
- Protocol is what protocol (TCP/UDP/ICMP/Any) the expected traffic is running on. ANY will allow all three protocols through. By selecting ANY you will be unable to specify a port or an ICMP type.
- Translated (Internal) IP/range of the VM. It is recommended that you only use a single IP address in this field. Again as we have selected ANY in the protocol section we are unable to select a Translated port.
- Clicking OK on the above will add the rule to the table, and clicking OK on the configure services window will apply the rules.
This is the recommended method for setting up inbound NAT rules. It will allow you to point and limit traffic as you please. Even if you have one external IP address, you can host several servers doing different things. For example, have one server hosting a website, one server hosting emails and one server acting as a name server. This works by pointing traffic heading to a specific port to a specific server.
In the above example we are allowing Remote Desktop access to the server with an Internal IP of 192.168.0.5. Remote desktop utilizes the TCP protocol on port 3389.
Below we are again working with Remote Desktop and already have one rule set up for 3389. We did not want to change the port it uses on the server, so we are using the NAT rules to do it for us. We are pointing port 3390 on the same IP to port 3389 on a different virtual machine.
The Firewall tab is located next to the NAT tab.
The firewall is run on a simulated router between your VMs and the Internet and will need to be set up alongside the NAT rules above if you wish to leave it enabled.
Like NAT, the firewall also has inbound and outbound rules. When creating rules, you will need to remember that for inbound, the target will need to be your external IP, whereas for outbound the source will need to be an internal IP.
In the image below, we will be allowing all inbound traffic to our 202.59.xxx.xxx IP on port 80.
In the above screenshot, we have set the Source to External as we want all external traffic to be allowed through. This can be set to limit to a single IP or an IP Range.
In most inbound firewall rules, the Source Port will nearly always be set to any.
The Destination is our external IP address and the Destination Port is 80 (HTTP/Web).
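The inbound NAT rules and the firewall rules above have to agree with each other, and a short script can check a hand-copied rule list for the cases this article calls out. This is an added example, not iiNet or vCloud Director code; the tuple layout, the `audit` function, 203.0.113.10 (standing in for the masked external IP) and the 192.168.0.6 and 192.168.0.7 VM addresses are assumptions.

```python
# Constructed sample rule tables using the article's field names.
# 203.0.113.10 stands in for the masked external IP (assumption);
# 192.168.0.6 and 192.168.0.7 are assumed VM addresses.
EXT = "203.0.113.10"
RDP_PORT = 3389

# (description, original IP, protocol, original port, translated IP, translated port)
DNAT = [
    ("All traffic to VM", EXT, "any", None, "192.168.0.7", None),
    ("RDP to VM 1", EXT, "tcp", 3389, "192.168.0.5", 3389),
    ("RDP to VM 2", EXT, "tcp", 3390, "192.168.0.6", 3389),
    ("Web", EXT, "tcp", 80, "192.168.0.5", 80),
    ("Mail", EXT, "tcp", 25, "192.168.0.6", 25),
]
# Inbound allow rules: (source, destination IP, destination port)
FIREWALL = [
    ("external", EXT, 80),
    ("external", EXT, 3389),
    ("198.51.100.0/24", EXT, 3390),
    ("external", "192.168.0.5", 443),
]


def audit(dnat, firewall):
    """Return (rule, finding) pairs for rules that deserve a second look."""
    findings = []
    for desc, orig_ip, proto, orig_port, _xlat_ip, xlat_port in dnat:
        if proto == "any":
            # The article's riskiest setup: nothing is filtered at the NAT layer.
            findings.append((desc, "forwards all protocols and ports"))
            continue
        sources = [src for src, dst, port in firewall
                   if dst == orig_ip and port in (orig_port, "any")]
        if not sources:
            findings.append((desc, "no inbound firewall rule for this port"))
        elif xlat_port == RDP_PORT and "external" in sources:
            findings.append((desc, "Remote Desktop open to any source"))
    external_ips = {rule[1] for rule in dnat}
    for _src, dst, port in firewall:
        # Inbound rules must target the external IP, not the VM's internal one.
        if dst not in external_ips:
            findings.append((f"firewall {dst}:{port}", "destination is not an external IP"))
    return findings


if __name__ == "__main__":
    for rule, finding in audit(DNAT, FIREWALL):
        print(f"{rule}: {finding}")
```

The port 3390 forward produces no finding because its firewall rule limits the Source to an IP range, which is the option the firewall section describes.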
This section was written for the older vCloud Director.
The site-to-site VPN feature allows you to connect your vCloud network to another network. This is not a client-to-server tunnel (which could be accomplished via other means, such as OpenVPN), but the joining of the networks into one, to allow the secure transfer of information and sharing of resources.
- Go to Administration. Under the Cloud Resources menu, click on Networks.
- Right-click the network you want to connect via VPN and choose Configure Services.
- Tick the box Enable site-to-site VPN and click on Add.
- Name your VPN tunnel. You can now choose between the following three options:
- A network in another organization - i.e. a different Business Cloud account. You will need the login details for the second account.
- A remote network in this organization - another network setup you already have in the existing Business Cloud account.
- A remote network - an external, non-vCloud network that has similar VPN capabilities. In this example, a remote network was chosen.
- Fill in the following details: Peer IP address: the external IP address of the other network, Peer gateway: the default gateway of the other network, Peer subnet mask.
- Check the box Show key. You can either copy the key to use with the remote network, or establish one of your own. The shared secret must be an alphanumeric string between 32 and 128 characters in length. It must include at least one uppercase letter, one lowercase letter, and one number.
- Click OK.
- The Tunnels to other networks section should display your VPN tunnel's status. Note that it might take 2 minutes to update after connecting or disconnecting.
- Click OK.
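If you establish your own shared secret rather than copying the displayed one, it should come from a cryptographic random source and still meet the rules listed above. The following is an added example, not part of the original article or of vCloud Director; the function names and the default length of 64 are assumptions.

```python
import secrets
import string

# ASCII letters and digits only; str.isalnum() would also accept
# non-ASCII characters, so an explicit alphabet is used instead.
ALPHABET = string.ascii_letters + string.digits
MIN_LEN, MAX_LEN = 32, 128  # limits stated in the article


def is_valid_shared_secret(key: str) -> bool:
    """Check a key against the article's rules for the VPN shared secret."""
    return (
        MIN_LEN <= len(key) <= MAX_LEN
        and all(c in ALPHABET for c in key)
        and any(c in string.ascii_uppercase for c in key)
        and any(c in string.ascii_lowercase for c in key)
        and any(c in string.digits for c in key)
    )


def generate_shared_secret(length: int = 64) -> str:
    """Draw a key from the OS CSPRNG, retrying until all three classes appear."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    while True:
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps every character uniformly random instead
        # of forcing fixed positions to hold an uppercase letter or a digit.
        if is_valid_shared_secret(key):
            return key


if __name__ == "__main__":
    print(generate_shared_secret())
```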
If you require assistance using vCloud Director, you can click Help at the top right of the vCloud Director page to access the User Help section, or contact iiNet Hosting on 1300 378 638 or email@example.com.