In the second part of this three-part blog series, we will demonstrate adding custom routing rules to accomplish the separation and then test the reachability.

This is one of the simplest methods to achieve reachability in an existing virtual machine without having to understand the concepts of routing tables or namespaces. This is part of the series of blogs to explain how to use multiple network interfaces in IBM Cloud VPC.

Custom Routes

This figure shows our multi-zone controller/worker scenario, as explained in Part 1:

From Worker1 we can see that ping to Control Subnet1 and Subnet2 are working by default using the default route. Therefore, we need to add routing rules for the data subnet to ping Worker2 on Interface D from Worker1 using Interface B.

Generally, a simple approach can be to simply add the rules via an ip route add command. Specifically, in this case, one would use the command on Worker1:

ip route add via dev ens4 metric 0
Scroll to view full table

Similarly, here is the command to execute on Worker2:

ip route add via dev ens4 metric 0
Scroll to view full table

Once the rules have been established, one can check routes via ip route command. Ping the respective IP addresses from Worker1 to Worker2 to validate that reachability is achieved:

ping -c 3 -I
ping -c 3 -I
Scroll to view full table

Additionally, to be sure that communication is NOT occurring from the control interfaces to data network and vice versa, we can validate that the following pings will NOT be successful:

ping -c 3 -I
ping -c 3 -I
Scroll to view full table

In this case, the correct isolation has been achieved by the combination of the routing rules and anti-spoofing. More generally, one should enforce the isolation by security group rules. Readers are referred to our online manual.

One additional item to note is the default routing within the virtual machine. Since we have properly added routes based on the destination, even the default ping command without specifying a source interface will work properly. Therefore, the following commands will be successful:

ping -c 3
ping -c 3
Scroll to view full table

Persistent Custom Routes

Now that we have successfully tested the Custom Routes we added, we can make it persistent by adding the following on Ubuntu distributions to the netplan. First, move the existing /etc/netplan/50-cloud-init.yaml to /etc/netplan/99-netcfg.yaml and then add a route to the destination network via the local interface’s gateway.

New /etc/netplan/99-netcfg.yaml:

    version: 2
            dhcp4: true
                macaddress: 02:00:02:06:b3:a3
            set-name: ens3
            dhcp4: true
                - to:
                  metric: 0
Scroll to view full table

Once this is done, /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg can be created, according to the following text:

network: {config: disabled}
Scroll to view full table

Now, issue the netplan apply command and proceed to test the reachability by ping. 

On Red Hat Enterprise Linux, kindly refer to the Red Hat documentation on configuring the custom/static routes.


In this post, we explained how to configure Custom Routes to accomplish reachability in our use case of multiple network interfaces. Custom Routes are the simplest method to enable communication and separation among virtual server instances with multiple network interfaces. In the next (and final) post, we will present two more approaches that are more advanced and flexible, namely Source Interface Based Routing Tables and Network Namespaces.

More from Cloud

Modernizing child support enforcement with IBM and AWS

7 min read - With 68% of child support enforcement (CSE) systems aging, most state agencies are currently modernizing them or preparing to modernize. More than 20% of families and children are supported by these systems, and with the current constituents of these systems becoming more consumer technology-centric, the use of antiquated technology systems is archaic and unsustainable. At this point, families expect state agencies to have a modern, efficient child support system. The following are some factors driving these states to pursue modernization:…

7 min read

IBM Cloud Databases for Elasticsearch End of Life and pricing changes

2 min read - As part of our partnership with Elastic, IBM is announcing the release of a new version of IBM Cloud Databases for Elasticsearch. We are excited to bring you an enhanced offering of our enterprise-ready, fully managed Elasticsearch. Our partnership with Elastic means that we will be able to offer more, richer functionality and world-class levels of support. The release of version 7.17 of our managed database service will include support for additional functionality, including things like Role Based Access Control…

2 min read

Connected products at the edge

6 min read - There are many overlapping business usage scenarios involving both the disciplines of the Internet of Things (IoT) and edge computing. But there is one very practical and promising use case that has been commonly deployed without many people thinking about it: connected products. This use case involves devices and equipment embedded with sensors, software and connectivity that exchange data with other products, operators or environments in real-time. In this blog post, we will look at the frequently overlooked phenomenon of…

6 min read

SRG Technology drives global software services with IBM Cloud VPC under the hood

4 min read - Headquartered in Ft. Lauderdale, Florida, SRG Technology LLC. (SRGT) is a software development company supporting the education, healthcare and travel industries. Their team creates data systems that deliver the right data in real time to customers around the globe. Whether those customers are medical offices and hospitals, schools or school districts, government agencies, or individual small businesses, SRGT addresses a wide spectrum of software services and technology needs with round-the-clock innovative thinking and fresh approaches to modern data problems. The…

4 min read