
Commit 006931a

Radhika PC authored and ke4qqq committed
[DOCS] files for s2s
1 parent b968cb8 commit 006931a

2 files changed

Lines changed: 229 additions & 71 deletions


docs/en-US/site-to-site-vpn.xml

Lines changed: 54 additions & 37 deletions
@@ -3,43 +3,60 @@
33
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
44
%BOOK_ENTITIES;
55
]>
6-
76
<!-- Licensed to the Apache Software Foundation (ASF) under one
8-
or more contributor license agreements. See the NOTICE file
9-
distributed with this work for additional information
10-
regarding copyright ownership. The ASF licenses this file
11-
to you under the Apache License, Version 2.0 (the
12-
"License"); you may not use this file except in compliance
13-
with the License. You may obtain a copy of the License at
14-
15-
http://www.apache.org/licenses/LICENSE-2.0
16-
17-
Unless required by applicable law or agreed to in writing,
18-
software distributed under the License is distributed on an
19-
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
20-
KIND, either express or implied. See the License for the
21-
specific language governing permissions and limitations
22-
under the License.
7+
or more contributor license agreements. See the NOTICE file
8+
distributed with this work for additional information
9+
regarding copyright ownership. The ASF licenses this file
10+
to you under the Apache License, Version 2.0 (the
11+
"License"); you may not use this file except in compliance
12+
with the License. You may obtain a copy of the License at
13+
http://www.apache.org/licenses/LICENSE-2.0
14+
Unless required by applicable law or agreed to in writing,
15+
software distributed under the License is distributed on an
16+
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17+
KIND, either express or implied. See the License for the
18+
specific language governing permissions and limitations
19+
under the License.
2320
-->
24-
2521
<section id="site-to-site-vpn">
26-
<title>Site-to-Site VPN</title>
27-
<para></para>
28-
<para>To add a Virtual Private Cloud (VPC):</para>
29-
<orderedlist>
30-
<listitem><para>Log in to the &PRODUCT; UI as an administrator or end user. </para></listitem>
31-
<listitem><para>In the left navigation, choose Network</para></listitem>
32-
<listitem><para>In the Select view, select site-to-site VPN.</para></listitem>
33-
<listitem><para>Click Add site-to-site VPN. Provide the following information:</para>
34-
<itemizedlist>
35-
<listitem><para><emphasis role="bold">IP Address</emphasis>:.</para></listitem>
36-
<listitem><para><emphasis role="bold">Gateway</emphasis>: The IP address of the remote gateway.</para></listitem>
37-
<listitem><para><emphasis role="bold">CIDR list</emphasis>: The guest CIDR list of the remote subnets. Enter a CIDR or a comma-separated list of CIDRs. </para></listitem>
38-
<listitem><para><emphasis role="bold">IPsec Preshared Key</emphasis>: The preshared key of the remote gateway.</para></listitem>
39-
<listitem><para><emphasis role="bold">IKE Policy</emphasis>: Internet Key Exchange (IKE) policy for phase 1. Specify it as a combination of the encryption algorithm(aes,3des,des) and hash algorithm(sha1,md5). For example: aes-sha1, 3des-sha1.</para></listitem>
40-
<listitem><para><emphasis role="bold">ESP Policy</emphasis>: Encapsulating Security Payload (ESP) policy for phase 2. Specify it as a combination of the encryption algorithm(aes,3des,des) and hash algorithm(sha1,md5). For example: aes-sha1, 3des-sha1.</para></listitem>
41-
<listitem><para><emphasis role="bold">Lifetime (seconds)</emphasis>: Lifetime of SA in seconds. Default is 86400 seconds(1day).</para></listitem>
42-
</itemizedlist></listitem>
43-
<listitem><para>Click OK.</para></listitem>
44-
</orderedlist>
45-
</section>
22+
<title>Setting Up a Site-to-Site VPN Connection</title>
23+
<para>A Site-to-Site VPN connection helps you establish a secure connection from an enterprise
24+
datacenter to the cloud infrastructure. This allows users to access the guest VMs by
25+
establishing a VPN connection to the virtual router of the account from a device in the
26+
datacenter of the enterprise. Having this facility eliminates the need to establish VPN
27+
connections to individual VMs.</para>
28+
<para>The supported endpoints on the remote datacenters are: </para>
29+
<itemizedlist>
30+
<listitem>
31+
<para>Cisco ISR with IOS 12.4 or later</para>
32+
</listitem>
33+
<listitem>
34+
<para>Juniper J-Series routers with JunOS 9.5 or later</para>
35+
</listitem>
36+
</itemizedlist>
37+
<note>
38+
<para>In addition to the specific Cisco and Juniper devices listed above, the expectation is
39+
that any Cisco or Juniper device running on the supported operating systems are able to
40+
establish VPN connections.</para>
41+
</note>
42+
<para> To set up a Site-to-Site VPN connection, perform the following:</para>
43+
<orderedlist>
44+
<listitem>
45+
<para>Create a Virtual Private Cloud (VPC).</para>
46+
<para>See <xref linkend="configure-vpc"/>.</para>
47+
</listitem>
48+
<listitem>
49+
<para>Create a VPN Customer Gateway.</para>
50+
</listitem>
51+
<listitem>
52+
<para>Create a VPN gateway for the VPC that you created.</para>
53+
</listitem>
54+
<listitem>
55+
<para>Create VPN connection from the VPC VPN gateway to the customer VPN gateway.</para>
56+
</listitem>
57+
</orderedlist>
58+
<xi:include href="create-vpn-customer-gateway.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
59+
<xi:include href="create-vpn-gateway-for-vpc.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
60+
<xi:include href="create-vpn-connection-vpc.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
61+
<xi:include href="delete-reset-vpn.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
62+
</section>
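Review bot: the four xi:include targets added at the end of the hunk (create-vpn-customer-gateway.xml, create-vpn-gateway-for-vpc.xml, create-vpn-connection-vpc.xml, delete-reset-vpn.xml) and the xref to linkend="configure-vpc" in the first ordered-list step are not among the two files this commit changes; unless they already exist under docs/en-US the book build will fail on unresolved includes and the link will dangle. The field descriptions removed from the old "Add site-to-site VPN" list were the only place the IPsec parameters were documented, including the empty `IP Address` entry and the IKE/ESP policy text that offered des, 3des and md5 alongside aes and sha1; when that material lands in create-vpn-connection-vpc.xml, please complete the `IP Address` description and steer readers to aes over des/3des and sha1 over md5 rather than listing them as equals. Minor grammar in the new note and steps: "any Cisco or Juniper device running on the supported operating systems are able to" should read "is able to", and "Create VPN connection from the VPC VPN gateway" should read "Create a VPN connection from the VPC VPN gateway".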

docs/en-US/vpc.xml

Lines changed: 175 additions & 34 deletions
@@ -3,40 +3,181 @@
33
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
44
%BOOK_ENTITIES;
55
]>
6-
76
<!-- Licensed to the Apache Software Foundation (ASF) under one
8-
or more contributor license agreements. See the NOTICE file
9-
distributed with this work for additional information
10-
regarding copyright ownership. The ASF licenses this file
11-
to you under the Apache License, Version 2.0 (the
12-
"License"); you may not use this file except in compliance
13-
with the License. You may obtain a copy of the License at
14-
15-
http://www.apache.org/licenses/LICENSE-2.0
16-
17-
Unless required by applicable law or agreed to in writing,
18-
software distributed under the License is distributed on an
19-
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
20-
KIND, either express or implied. See the License for the
21-
specific language governing permissions and limitations
22-
under the License.
7+
or more contributor license agreements. See the NOTICE file
8+
distributed with this work for additional information
9+
regarding copyright ownership. The ASF licenses this file
10+
to you under the Apache License, Version 2.0 (the
11+
"License"); you may not use this file except in compliance
12+
with the License. You may obtain a copy of the License at
13+
http://www.apache.org/licenses/LICENSE-2.0
14+
Unless required by applicable law or agreed to in writing,
15+
software distributed under the License is distributed on an
16+
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17+
KIND, either express or implied. See the License for the
18+
specific language governing permissions and limitations
19+
under the License.
2320
-->
24-
2521
<section id="vpc">
26-
<title>Virtual Private Cloud</title>
27-
<para></para>
28-
<para>To add a Virtual Private Cloud (VPC):</para>
29-
<orderedlist>
30-
<listitem><para>Log in to the &PRODUCT; UI as an administrator or end user. </para></listitem>
31-
<listitem><para>In the left navigation, choose Network</para></listitem>
32-
<listitem><para>In the Select view, select VPC.</para></listitem>
33-
<listitem><para>Click Add VPC. Provide the following information:</para>
34-
<itemizedlist>
35-
<listitem><para><emphasis role="bold">Name</emphasis>: A short name for the VPC that you are creating.</para></listitem>
36-
<listitem><para><emphasis role="bold">Description</emphasis>: A brief description of the VPC.</para></listitem>
37-
<listitem><para><emphasis role="bold">Zone</emphasis>: Choose the zone where you want the VPC to be available.</para></listitem>
38-
<listitem><para><emphasis role="bold">CIDR</emphasis>: To accept the traffic only from the IP addresses within a particular address block, enter a CIDR or a comma-separated list of CIDRs. The CIDR is the base IP address of the incoming traffic. For example, 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para></listitem>
39-
<listitem><para><emphasis role="bold">Network Domain</emphasis>: If you want to assign a special domain name to this network, specify the DNS suffix.</para></listitem>
40-
</itemizedlist></listitem>
41-
</orderedlist>
42-
</section>
22+
<title>About Virtual Private Clouds</title>
23+
<para>&PRODUCT; Virtual Private Cloud is a private, isolated part of &PRODUCT;. A VPC can have its
24+
own virtual network topology that resembles a traditional physical network. You can launch VMs
25+
in the virtual network that can have private addresses in the range of your choice, for example:
26+
10.0.0.0/16. You can define network tiers within your VPC network range, which in turn enables
27+
you to group similar kinds of instances based on IP address range.</para>
28+
<para>For example, if a VPC has the private range 10.0.0.0/16, its guest networks can have the
29+
network ranges 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, and so on.</para>
30+
<formalpara>
31+
<title>Major Components of a VPC:</title>
32+
<para>A VPC is comprised of the following network components:</para>
33+
</formalpara>
34+
<itemizedlist>
35+
<listitem>
36+
<para><emphasis role="bold">VPC</emphasis>: A VPC acts as a container for multiple isolated
37+
networks that can communicate with each other via its virtual router.</para>
38+
</listitem>
39+
<listitem>
40+
<para><emphasis role="bold">Network Tiers</emphasis>: Each tier acts as an isolated network
41+
with its own VLANs and CIDR list, where you can place groups of resources, such as VMs. The
42+
tiers are segmented by means of VLANs. The NIC of each tier acts as its gateway.</para>
43+
</listitem>
44+
<listitem>
45+
<para><emphasis role="bold">Virtual Router</emphasis>: A virtual router is automatically
46+
created and started when you create a VPC. The virtual router connect the tiers and direct
47+
traffic among the public gateway, the VPN gateways, and the NAT instances. For each tier, a
48+
corresponding NIC and IP exist in the virtual router. The virtual router provides DNS and
49+
DHCP services through its IP.</para>
50+
</listitem>
51+
<listitem>
52+
<para><emphasis role="bold">Public Gateway</emphasis>: The traffic to and from the Internet
53+
routed to the VPC through the public gateway. In a VPC, the public gateway is not exposed to
54+
the end user; therefore, static routes are not support for the public gateway.</para>
55+
</listitem>
56+
<listitem>
57+
<para><emphasis role="bold">Private Gateway</emphasis>: All the traffic to and from a private
58+
network routed to the VPC through the private gateway. For more information, see <xref
59+
linkend="add-gateway-vpc"/>.</para>
60+
</listitem>
61+
<listitem>
62+
<para><emphasis role="bold">VPN Gateway</emphasis>: The VPC side of a VPN connection.</para>
63+
</listitem>
64+
<listitem>
65+
<para><emphasis role="bold">Site-to-Site VPN Connection</emphasis>: A hardware-based VPN
66+
connection between your VPC and your datacenter, home network, or co-location facility. For
67+
more information, see <xref linkend="site-to-site-vpn"/>.</para>
68+
</listitem>
69+
<listitem>
70+
<para><emphasis role="bold">Customer Gateway</emphasis>: The customer side of a VPN
71+
Connection. For more information, see <xref linkend="create-vpn-customer-gateway"/>.</para>
72+
</listitem>
73+
<listitem>
74+
<para><emphasis role="bold">NAT Instance</emphasis>: An instance that provides Port Address
75+
Translation for instances to access the Internet via the public gateway. For more
76+
information, see <xref linkend="enable-disable-static-nat-vpc"/>.</para>
77+
</listitem>
78+
</itemizedlist>
79+
<formalpara>
80+
<title>Network Architecture in a VPC</title>
81+
<para>In a VPC, the following four basic options of network architectures are present:</para>
82+
</formalpara>
83+
<itemizedlist>
84+
<listitem>
85+
<para>VPC with a public gateway only</para>
86+
</listitem>
87+
<listitem>
88+
<para>VPC with public and private gateways</para>
89+
</listitem>
90+
<listitem>
91+
<para>VPC with public and private gateways and site-to-site VPN access</para>
92+
</listitem>
93+
<listitem>
94+
<para>VPC with a private gateway only and site-to-site VPN access</para>
95+
</listitem>
96+
</itemizedlist>
97+
<formalpara>
98+
<title>Connectivity Options for a VPC</title>
99+
<para>You can connect your VPC to:</para>
100+
</formalpara>
101+
<itemizedlist>
102+
<listitem>
103+
<para>The Internet through the public gateway.</para>
104+
</listitem>
105+
<listitem>
106+
<para>The corporate datacenter by using a site-to-site VPN connection through the VPN
107+
gateway.</para>
108+
</listitem>
109+
<listitem>
110+
<para>Both the Internet and your corporate datacenter by using both the public gateway and a
111+
VPN gateway.</para>
112+
</listitem>
113+
</itemizedlist>
114+
<formalpara>
115+
<title>VPC Network Considerations</title>
116+
<para>Consider the following before you create a VPC:</para>
117+
</formalpara>
118+
<itemizedlist>
119+
<listitem>
120+
<para>A VPC, by default, is created in the enabled state.</para>
121+
</listitem>
122+
<listitem>
123+
<para>A VPC can be created in Advance zone only, and can't belong to more than one zone at a
124+
time.</para>
125+
</listitem>
126+
<listitem>
127+
<para>The default number of VPCs an account can create is 20. However, you can change it by
128+
using the max.account.vpcs global parameter, which controls the maximum number of VPCs an
129+
account is allowed to create.</para>
130+
</listitem>
131+
<listitem>
132+
<para>The default number of tiers an account can create within a VPC is 3. You can configure
133+
this number by using the vpc.max.networks parameter.</para>
134+
</listitem>
135+
<listitem>
136+
<para>Each tier should have an unique CIDR in the VPC. Ensure that the tier's CIDR should be
137+
within the VPC CIDR range.</para>
138+
</listitem>
139+
<listitem>
140+
<para>A tier belongs to only one VPC. </para>
141+
</listitem>
142+
<listitem>
143+
<para>All network tiers inside the VPC should belong to the same account.</para>
144+
</listitem>
145+
<listitem>
146+
<para>When a VPC is created, by default, a SourceNAT IP is allocated to it. The Source NAT IP
147+
is released only when the VPC is removed.</para>
148+
</listitem>
149+
<listitem>
150+
<para>A public IP can be used for only one purpose at a time. If the IP is a sourceNAT, it
151+
cannot be used for StaticNAT or port forwarding.</para>
152+
</listitem>
153+
<listitem>
154+
<para>The instances only have a private IP address that you provision. To communicate with the
155+
Internet, enable NAT to an instance that you launch in your VPC.</para>
156+
</listitem>
157+
<listitem>
158+
<para>Only new networks can be added to a VPC. The maximum number of networks per VPC is
159+
limited by the value you specify in the vpc.max.networks parameter. The default value is
160+
three.</para>
161+
</listitem>
162+
<listitem>
163+
<para>The load balancing service can be supported by only one tier inside the VPC.</para>
164+
</listitem>
165+
<listitem>
166+
<para>If an IP address is assigned to a tier:</para>
167+
<itemizedlist>
168+
<listitem>
169+
<para>That IP can't be used by more than one tier at a time in the VPC. For example, if
170+
you have tiers A and B, and a public IP1, you can create a port forwarding rule by using
171+
the IP either for A or B, but not for both.</para>
172+
</listitem>
173+
<listitem>
174+
<para>That IP can't be used for StaticNAT, load balancing, or port forwarding rules for
175+
another guest network inside the VPC.</para>
176+
</listitem>
177+
</itemizedlist>
178+
</listitem>
179+
<listitem>
180+
<para>Remote access VPN is not supported in VPC networks.</para>
181+
</listitem>
182+
</itemizedlist>
183+
</section>
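Review bot: the tier limit appears twice in the considerations list, once as "The default number of tiers an account can create within a VPC is 3. You can configure this number by using the vpc.max.networks parameter" and again as "The maximum number of networks per VPC is limited by the value you specify in the vpc.max.networks parameter. The default value is three"; keep one of them. The "Site-to-Site VPN Connection" component is described as "A hardware-based VPN connection", which conflicts with site-to-site-vpn.xml in this same commit, where the tunnel terminates on the account's virtual router and any Cisco or Juniper device on a supported OS may be the remote endpoint; drop "hardware-based". Grammar in the component list: "The virtual router connect the tiers and direct traffic" should be "connects ... directs"; "The traffic to and from the Internet routed to the VPC" and "All the traffic to and from a private network routed to the VPC" each need "is routed"; "static routes are not support" should be "supported". In the considerations: "Advance zone" should be "Advanced zone", "an unique CIDR" should be "a unique CIDR", "Ensure that the tier's CIDR should be within" should be "Ensure that the tier's CIDR is within", and the NAT spellings (SourceNAT, Source NAT, sourceNAT, StaticNAT) should be made consistent. The removed "CIDR" field text described the VPC CIDR as a filter that accepts traffic only from a block and uses 0.0.0.0/0 to "allow all CIDRs"; the new wording (the private address range of the VPC, for example 10.0.0.0/16) is the correct one, so whichever file picks up the Add VPC field descriptions should not revive the traffic-filter phrasing.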
