
SmartCloud tip: Span virtual local area networks

Provision and configure an instance that spans a public and private VLAN

Dominique Vernier, IT Architect, IBM
In recent years, Dominique Vernier focused on Java technologies and cloud architecture. He also has been working in information technology for quite a while where he earned a broad knowledge in such technologies and products as messaging, database, SOA, EAI, client/server, C/C++, and existing frameworks. Dominique also has extensive knowledge in industry areas such as telecom, CRM, logistics, and insurance. He is the author/co-author of four patents having to do with state engines and resource management. At present, Dominique is in charge of the IBM SmartCloud Enterprise solutions on the IBM GTS Global Team.
(An IBM developerWorks Contributing Author)
Andrew Jones, Senior Solution Architect, IBM
Andrew R. Jones is a Senior Solution Architect with over 22 years of experience at IBM. For the past 16 years, he has focused on customer and business partner enablement of IBM middleware solutions in cloud computing, telecommunications, wireless technologies, and network computers. Andrew is an IBM Master Inventor and Certified IT Architect.

Summary:  Release 1.4 of IBM SmartCloud Enterprise offers several new features; one of these is the ability for an instance to have primary and secondary TCP/IP addresses on different virtual local area networks (VLANs). This feature enables the ability to provision and configure an instance that spans the public, Internet-facing VLAN and an enterprise account's private VLAN established by an optional virtual private network (VPN). This article describes those features.


Date:  16 Sep 2011
Level:  Introductory
PDF:  A4 and Letter (295 KB | 9 pages)
Also available in:   Korean  Japanese  Portuguese  Spanish


This article describes how an instance on IBM SmartCloud Enterprise can be provisioned to span or bridge the Internet-facing virtual local area network and the private, virtual local area network in the cloud environment. It examines a typical use case that can leverage this new capability to provide additional network level isolation and security for deployments in a public cloud environment.

It is important to understand that this feature of the IBM Cloud environment has security implications that need to be fully understood by the user. The goal of this article is to describe the spanning feature and its capabilities. It is your responsibility to fully understand the architecture being deployed in the cloud and all security requirements of that deployment. Be sure you do not expose data that needs to be protected (such as confidential corporate information, customer information, credit card numbers, addresses, etc.).

Background concepts

IBM SmartCloud Enterprise is an Infrastructure as a Service (IaaS) offering that provides an enterprise-class virtual server cloud environment. By default, virtual machine instances are provisioned with TCP/IP network addresses that are accessible via the Internet.

Optionally, enterprises can sign up for a virtual private network (VPN). The optional VPN provides an Internet Protocol Security (IPSec-based), point-to-point communication channel between the enterprise's network and one of the IBM Cloud data centers. Network communication over the VPN still travels over the public Internet, but is encrypted prior to leaving either the enterprise network or the IBM Cloud network and decrypted upon receipt at either end, thus allowing for secure communication of data.

Secondary IP addresses

All secondary IP addresses on a newly provisioned instance are disabled by default. Instance owners must enable all secondary IP addresses through the networking tools of the instance's operating system. For more information on enabling secondary IP addresses on Linux instances, refer to the "Activating Secondary IPs" topic of the "Working with your Linux instances" section of the IBM SmartCloud Enterprise User's Guide. For more information on enabling secondary IP addresses on Windows instances, refer to the "Managing network adapter settings" topic of the "Working with your Windows instances" section of the IBM SmartCloud Enterprise User's Guide.

When the VPN is established in the IBM Cloud environment for the enterprise account, a private virtual local area network (VLAN) is also provisioned for the account. This VLAN provides an additional layer of network isolation for instances that are provisioned on it. Users in the enterprise account that have the VPN option are able to provision new instances either on the public Internet-facing VLAN or the private, VPN facing VLAN.

Instances in the IBM Cloud environment have long been able to be provisioned with both a primary and up to two secondary IP addresses; however, the primary and secondary IP addresses all had to be on the same VLAN (either all on the public VLAN or all on the private VLAN). With Release 1.4, not only has the limit of two secondary IP addresses been removed, so has the requirement that all addresses be on the same VLAN.

Now, when provisioning a new instance, users can select a primary IP address from either the public VLAN or the private VLAN address pools, both reserved and unreserved, and one or more secondary IP addresses that are reserved IP addresses on either the public VLAN or the private VLAN.


Spanning the VLANs

To create an instance that spans or bridges the public and private VLANs, first decide whether the primary IP address for the instance will reside on the public or the private VLAN. As seen in Figure 1, this is done by selecting the appropriate VLAN (such as the public VLAN) from the VLAN pull-down menu in Step 2 of the Add instance process.


Figure 1. Configuring the primary IP address

Choosing in which VLAN the primary IP address resides is important since that will be the only available network interface for the instance when the instance is initially provisioned. Once the VLAN has been chosen, the primary IP address pull-down will be populated from the correct pool of either system generated or reserved IP addresses for the selected VLAN.

After the primary IP address is selected, select the Add IP link on the Virtual IP entry field. As seen in Figure 2, when assigning the virtual (or secondary) IP address(es), first select the VLAN (such as Private VLAN Ehningen) other than the one selected in the previous step and then select the appropriate reserved IP address.


Figure 2. Configuring the secondary IP address

Note, only reserved IP addresses can be assigned as secondary IP addresses.

Once the provisioning process is complete for this instance, the instance is accessible via the primary IP address only.

Using the appropriate access method to the instance (such as ssh for Linux® or RDP for Microsoft® Windows®), the next step is to enable the secondary IP interfaces. The process for doing this depends on the instance's operating system (ifup for Linux or Control Panel for Microsoft Windows).

Now that both network interfaces are enabled, the instance can communicate (send and receive) on both the private VLAN and the public VLAN.
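The Linux side of the step above, as an added example (this is not code from the article or from IBM): bring up a reserved secondary IP address as an alias on the primary interface, persist it, and confirm that the default route still belongs to the primary VLAN. The interface name eth0, the prefix length and the Red Hat style ifcfg alias file are assumptions; take the real values from the instance's portal page and the User's Guide. The script prints what it would do unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not code from the article or from IBM): bring up a reserved secondary
# IP address on a Linux instance and check the result. The interface name (eth0), the
# prefix length and the Red Hat style ifcfg alias file are assumptions; take the real
# values from the instance's portal page and the User's Guide.
set -eu

IFACE="${IFACE:-eth0}"
SECONDARY_IP="${SECONDARY_IP:-129.35.209.254}"  # PrivateSpanToPublic's public secondary address from Table 1
PREFIX="${PREFIX:-24}"                          # assumed prefix length; the article does not state one
DRY_RUN="${DRY_RUN:-1}"                         # 1 = only print what would be done, 0 = execute

# Reject anything that is not a dotted quad with octets 0-255, so a mistyped address
# copied from the portal cannot end up in the route table.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Return 0 if the address already appears in `ip -o -4 addr` output read from stdin.
has_addr() {
    grep -qF " inet $1/"
}

# Render the alias file that `ifup eth0:0` reads on Red Hat style systems (assumed layout).
render_alias_cfg() {
    printf 'DEVICE=%s:%s\nBOOTPROTO=static\nIPADDR=%s\nPREFIX=%s\nONBOOT=yes\n' "$IFACE" "$1" "$2" "$3"
}

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

enable_secondary() {
    valid_ipv4 "$SECONDARY_IP" || { echo "refusing to configure invalid address '$SECONDARY_IP'" >&2; return 1; }
    if [ "$DRY_RUN" != 1 ] && ip -o -4 addr show dev "$IFACE" | has_addr "$SECONDARY_IP"; then
        echo "$SECONDARY_IP is already enabled on $IFACE"
        return 0
    fi
    cfg="/etc/sysconfig/network-scripts/ifcfg-$IFACE:0"   # assumed path; persists the alias across reboots
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ write %s:\n' "$cfg"
        render_alias_cfg 0 "$SECONDARY_IP" "$PREFIX" | sed 's/^/    /'
    else
        render_alias_cfg 0 "$SECONDARY_IP" "$PREFIX" > "$cfg"
    fi
    # Activate the address now instead of waiting for a network restart, then show what is configured.
    run ip addr add "$SECONDARY_IP/$PREFIX" dev "$IFACE" label "$IFACE:0"
    run ip -o -4 addr show dev "$IFACE"
    # The default route must still be the one the primary VLAN was provisioned with: traffic that
    # is not local to either VLAN should keep leaving through the primary interface.
    run ip route show default
}

enable_secondary
```

Run it once with the defaults to review the plan, then with DRY_RUN=0 as root on the instance; the final two commands show the configured addresses and the default route so you can confirm the secondary address was added without displacing the primary VLAN's route.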


Connectivity to instances

The ability to have an instance with IP addresses on both the public and private VLANs can open up the capabilities of cloud computing. In Figure 3, four instances have been configured in an account that has the optional VPN in IBM SmartCloud Enterprise.


Figure 3. Networking options in IBM SmartCloud Enterprise

The instance named PrivateOnly is configured with only a primary IP address which is assigned to the private VLAN associated with the VPN option. This instance is only accessible to other instances on the private VLAN or from the enterprise network via the established VPN. All network traffic from this instance, if not locally routable on the private VLAN, is sent over the VPN to the enterprise-side VPN gateway for further routing.

The instance named PrivateSpanToPublic is configured with a primary IP address on the private VLAN and a secondary IP address on the public VLAN. Once the secondary IP address is enabled, the instance is able to communicate on both the private VLAN and the Internet-facing public VLAN. All network traffic from this instance, if not locally routable on the private VLAN or public VLAN, is sent over the VPN to the enterprise-side VPN gateway for further routing.

The instance named PublicOnly is configured with only a primary IP address which is assigned to the Internet-facing public VLAN. This instance is accessible over the Internet and to all instances on the public VLAN.

The instance named PublicSpanToPrivate is configured with a primary IP address on the Internet-facing public VLAN and a secondary IP address on the private VLAN. Once the secondary IP address is enabled, the instance is able to communicate on both the Internet-facing public VLAN and the private VLAN. All network traffic from this instance, if not locally routable on the private VLAN or public VLAN, is sent over the VPN to the enterprise-side VPN gateway for further routing.

In Table 1, the network connectivity of these instances is described in more detail.


Table 1. Network connectivity between instances

Addresses (the same six are used for the rows and the columns):
  A. PrivateOnly          Primary:   Private 10.128.0.8
  B. PublicOnly           Primary:   Public  129.35.213.128
  C. PrivateSpanToPublic  Primary:   Private 10.128.0.2
  D. PrivateSpanToPublic  Secondary: Public  129.35.209.254
  E. PublicSpanToPrivate  Primary:   Public  129.35.213.127
  F. PublicSpanToPrivate  Secondary: Private 10.128.0.6

From (row) \ To (column)             A            B            C            D            E            F
A. PrivateOnly (primary)             Reachable    Unreachable  Reachable    Unreachable  Unreachable  Reachable
B. PublicOnly (primary)              Unreachable  Reachable    Unreachable  Reachable    Reachable    Unreachable
C. PrivateSpanToPublic (primary)     Reachable    Reachable    Reachable    Reachable    Reachable    Reachable
D. PrivateSpanToPublic (secondary)   Reachable    Reachable    Reachable    Reachable    Reachable    Reachable
E. PublicSpanToPrivate (primary)     Reachable    Reachable    Reachable    Reachable    Reachable    Reachable
F. PublicSpanToPrivate (secondary)   Reachable    Reachable    Reachable    Reachable    Reachable    Reachable

If the instance in a row has a network interface that is able to ping the address in a column, that path is marked as Reachable. If the address is not routable from that instance, the path is marked as Unreachable.
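The rule behind Table 1 is that an instance can reach an address when one of its own interfaces sits on that address's VLAN, which is why both spanning instances have all-Reachable rows. The script below, an added example that is not code from the article or from IBM, derives the matrix from that rule for any inventory of addresses and can also measure a row with ping from the instance you are logged in to. The inventory is the six addresses from Table 1, and treating 10.128.0.0/16 as the private VLAN is an assumption drawn from those addresses.

```shell
#!/bin/sh
# Added example (not code from the article or from IBM): derive the reachability matrix of
# Table 1 for any inventory of instance addresses from the rule the table illustrates, namely
# that an instance can reach an address when one of its own interfaces is on that address's
# VLAN, and optionally confirm a row with ping from the instance you are logged in to.
# Treating 10.128.0.0/16 as the private VLAN is an assumption drawn from the table's addresses.
set -eu

# Constructed inventory (the six addresses from Table 1): "<instance> <address>" per line.
ADDRS="PrivateOnly 10.128.0.8
PublicOnly 129.35.213.128
PrivateSpanToPublic 10.128.0.2
PrivateSpanToPublic 129.35.209.254
PublicSpanToPrivate 129.35.213.127
PublicSpanToPrivate 10.128.0.6"

# Name the VLAN an address sits on (assumed private range; everything else is the public VLAN).
vlan_of() {
    case "$1" in
        10.128.*) echo private ;;
        *)        echo public ;;
    esac
}

# All addresses that belong to one instance.
addrs_of() {
    printf '%s\n' "$ADDRS" | awk -v n="$1" '$1 == n { print $2 }'
}

# Reachable when any interface of the instance shares a VLAN with the target address.
reach() {
    inst="$1"; target="$2"
    for a in $(addrs_of "$inst"); do
        if [ "$(vlan_of "$a")" = "$(vlan_of "$target")" ]; then
            echo Reachable
            return 0
        fi
    done
    echo Unreachable
}

# One matrix row: the instance against every address in the inventory, in inventory order.
predict_row() {
    row=""
    while read -r _name addr; do
        [ -n "$addr" ] || continue
        row="$row $(reach "$1" "$addr")"
    done <<EOF
$ADDRS
EOF
    printf '%s\n' "${row# }"
}

# Measured row: run this on the instance itself; each ping sends one packet and waits two seconds.
probe_row() {
    while read -r _name addr; do
        [ -n "$addr" ] || continue
        if ping -c 1 -W 2 "$addr" >/dev/null 2>&1; then
            printf '%-16s Reachable\n' "$addr"
        else
            printf '%-16s Unreachable\n' "$addr"
        fi
    done <<EOF
$ADDRS
EOF
}

for inst in PrivateOnly PublicOnly PrivateSpanToPublic PublicSpanToPrivate; do
    printf '%-20s %s\n' "$inst" "$(predict_row "$inst")"
done
if [ "${PROBE:-0}" = 1 ]; then
    probe_row
fi
```

A row that the prediction marks Reachable but the probe marks Unreachable usually means the secondary address has not been enabled in the guest yet or a host firewall is dropping ICMP, which is worth knowing before you rely on that path for application traffic.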

Real world use case

With this new capability of creating multi-homed instances that span both the public and private VLANs, it is now possible to create n-tier deployments. Let's take a basic 3-tier deployment of an HTTP server, an application server, and a database server.

In a traditional deployment, each of these servers may be logically isolated from each other by routers and firewalls that limit the network connectivity and access to the servers. By isolating the access to these servers, a higher degree of security can be imposed on the infrastructure to prevent network-based intrusion and denial of service attacks.

By combining the VLAN spanning capabilities of IBM SmartCloud Enterprise and through the use of a firewall (those provided by the virtual instance's operating system or a third-party solution), a similar deployment can be created in the cloud.

One option for building this 3-tier deployment in the IBM Cloud environment is illustrated in Figure 4.


Figure 4. A 3-tier deployment in the cloud

In this deployment, the HTTP server is deployed on an instance that only has a public VLAN primary IP address. The HTTP server instance's firewall must be configured to accept HTTP traffic (such as port 80). Requests for URLs that map to a path that needs to be serviced by the application server are forwarded to the secondary IP address of the application server on the public VLAN. The application server's firewall must be configured to only accept network traffic over the public VLAN from the specific IP address of the HTTP server. All other network traffic on the secondary IP address should be blocked (such as port 22 for ssh access).

There are several alternatives to this type of deployment in the cloud. For example, the HTTP server could be the spanning instance between the public and private VLANs. The drawback to this implementation is that the advertised IP address of the HTTP server would be on an instance that directly spans the public and private VLANs. If compromised, no additional barriers would exist between that instance and other instances on the private VLAN.

In another implementation, the database server could reside within the enterprise network. In this case, the enterprise VPN gateway and/or firewalls would need to be configured to allow the database network traffic to flow over the VPN tunnel to and from the application server in the cloud (for instance, JDBC traffic over port 50000).

Firewall rules

It is critical that firewalls are utilized in a deployment where instances are used to span the public and private VLANs. Proper configuration of the firewalls is essential for securing an n-tier deployment in the cloud. For more information about configuring firewalls in the IBM SmartCloud Enterprise environment refer to the User's Guide and firewall documentation for the operating systems you are using.
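The application-server firewall described in the 3-tier use case (accept the application port on the public secondary address only from the HTTP server, block everything else there, and keep administrative access on the private side) written out, as an added example that is not code from the article or from IBM. It keeps the policy as a small first-match rule table, renders that table to iptables commands, and runs a tiny evaluator over it so the decisions can be checked before anything is applied. The address-to-tier mapping reuses the Table 1 addresses and is constructed; the application listener port 9080 and the Internet host 203.0.113.7 are assumptions, since the article names neither.

```shell
#!/bin/sh
# Added example (not code from the article or from IBM): the INPUT-chain policy for the
# application server in Figure 4, kept as a first-match rule table, rendered to iptables
# commands, and checked with a small evaluator before it is applied. Addresses reuse the
# constructed Table 1 values; port 9080 is an assumed listener, the article names no port.
set -eu

HTTP_SERVER_IP=129.35.213.128   # PublicOnly instance, playing the HTTP tier
APP_PUBLIC_IP=129.35.209.254    # application server's secondary address on the public VLAN
APP_PRIVATE_IP=10.128.0.2       # application server's primary address on the private VLAN
APP_PORT=9080                   # assumed application-server listener

# One rule per line, first match wins, like an iptables chain. Fields:
#   action  source  destination  dport   ("any" is a wildcard; "established" means reply traffic)
# SSH is only accepted on the private address, which is reachable solely from the private VLAN
# and the enterprise VPN, so nothing on the Internet-facing secondary address is exposed.
RULES="ACCEPT any any established
ACCEPT $HTTP_SERVER_IP $APP_PUBLIC_IP $APP_PORT
DROP any $APP_PUBLIC_IP any
ACCEPT any $APP_PRIVATE_IP 22"

# Decide what the chain does with a new packet (or, with state=established, a reply packet).
decide() {
    src="$1"; dst="$2"; dport="$3"; state="${4:-new}"
    while read -r action rsrc rdst rport; do
        [ -n "$action" ] || continue
        if [ "$rport" = established ]; then
            [ "$state" = established ] || continue
        else
            { [ "$rsrc" = any ] || [ "$rsrc" = "$src" ]; } || continue
            { [ "$rdst" = any ] || [ "$rdst" = "$dst" ]; } || continue
            { [ "$rport" = any ] || [ "$rport" = "$dport" ]; } || continue
        fi
        printf '%s\n' "$action"
        return 0
    done <<EOF
$RULES
EOF
    printf 'DROP\n'   # chain policy: anything not explicitly accepted is dropped
}

# Translate the table into iptables commands (printed, not executed). The loopback rule is
# added here because it is needed on a real host but is not modelled by decide().
emit_iptables() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    while read -r action rsrc rdst rport; do
        [ -n "$action" ] || continue
        if [ "$rport" = established ]; then
            printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j %s\n' "$action"
            continue
        fi
        cmd="iptables -A INPUT"
        [ "$rsrc" = any ] || cmd="$cmd -s $rsrc"
        [ "$rdst" = any ] || cmd="$cmd -d $rdst"
        [ "$rport" = any ] || cmd="$cmd -p tcp --dport $rport"
        printf '%s -j %s\n' "$cmd" "$action"
    done <<EOF
$RULES
EOF
}

# Dry run by default: show the commands and a few decisions. APPLY=1 pipes the commands into sh (run as root).
emit_iptables
printf 'HTTP server  -> app public:%s   %s\n' "$APP_PORT" "$(decide "$HTTP_SERVER_IP" "$APP_PUBLIC_IP" "$APP_PORT")"
printf 'Internet     -> app public:22     %s\n' "$(decide 203.0.113.7 "$APP_PUBLIC_IP" 22)"
printf 'private VLAN -> app private:22    %s\n' "$(decide 10.128.0.8 "$APP_PRIVATE_IP" 22)"
if [ "${APPLY:-0}" = 1 ]; then
    emit_iptables | sh
fi
```

The order of the rules carries the policy: the DROP for the public secondary address sits after the single ACCEPT for the HTTP server, so a later rule can never widen access to that address by mistake. The same table can be extended for the database tier, for example an outbound rule towards the database server's private address on port 50000 if the database stays in the enterprise network behind the VPN.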



