Network security
VLAN classes and gateway firewall
Front-end network
Nodes that offer services to the general public have one or more IPv4/IPv6 addresses in this network.
Traffic to addresses in this network is forwarded by the gateway firewall without restrictions.
Customers should bind only the services that are meant to be reachable from the Internet to these front-end addresses. Backend services should be bound to the server network.
Server network
All nodes have an address in the server network. This is used by applications for internal communication, for example by application servers that communicate with your database.
The computers in the server network generally use private IPv4 addresses and public IPv6 addresses. Outgoing data traffic is generally permitted and is masqueraded (source-NATed) on the gateway firewall where required. If a computer requires unmasqueraded access to the Internet, it must be assigned an address in the front-end network.
Most incoming traffic is blocked by the gateway firewall; the exceptions include TCP port 22 (SSH), among others.
Storage network
This network is used for storage traffic. It is accessible only to Ring 0 machines, not to customer-owned devices or virtual machines. Customer-owned environments implement separate storage networks.
This network uses private IPv4 addresses that are not routed over the Internet. Data traffic from outside this network is not permitted.
Management network
This network is used only for management purposes: access to the Intelligent Platform Management Interface (IPMI), switch consoles, operating systems, etc.
It uses private IPv4 addresses that are not routed via the Internet. Data traffic from outside this network is not permitted.
Underlay network
This network is used to implement a redundant, dynamic BGP/EVPN (Ethernet VPN)/VXLAN environment that transports all other networks to the physical machines as required.
It uses a private IPv4 network and IPv6 link-local addresses. The underlay is accessible only to Ring 0 machines, not to virtual machines.
VM firewall
Each VM runs an additional local firewall with iptables, which by default
- blocks all data traffic to the front-end IPs unless it is explicitly opened by a configured service, and
- blocks all data traffic to the server-network IPs, except from VMs of the same project.
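The gateway-firewall rules per VLAN class and the VM-firewall defaults above, encoded as a small policy model so the segmentation can be checked flow by flow. This is an added example, not the provider's firewall configuration; the address ranges, project labels and the "deny everything not stated" fallback are constructed assumptions.

```python
"""Policy model of the gateway firewall and the per-VM firewall described above.
Added example: address ranges, ports and project labels are constructed."""
import ipaddress

# Constructed sample ranges for the VLAN classes (not the provider's allocation).
NETWORKS = {
    "fe":  ipaddress.ip_network("203.0.113.0/24"),  # front-end: public IPs
    "srv": ipaddress.ip_network("10.10.0.0/16"),    # server network: private IPs
    "sto": ipaddress.ip_network("10.20.0.0/16"),    # storage network
    "mgm": ipaddress.ip_network("10.30.0.0/16"),    # management network
}

def classify(ip):
    """Name of the VLAN class an address belongs to, or 'internet'."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in NETWORKS.items() if addr in net), "internet")

def gateway_decision(src, dst, proto="tcp", dport=None):
    """Gateway firewall verdict for one flow: 'accept', 'masq' or 'drop'."""
    s, d = classify(src), classify(dst)
    if d == "fe":
        return "accept"                        # forwarded without restrictions
    if d == "srv":
        if s == "srv":
            return "accept"                    # internal app-to-app traffic
        # incoming from elsewhere is blocked; the page names tcp/22 (ssh) as
        # an exception "among others", so only ssh is modelled here
        return "accept" if (proto, dport) == ("tcp", 22) else "drop"
    if d in ("sto", "mgm"):
        return "accept" if s == d else "drop"  # nothing from outside the net
    if d == "internet":
        if s == "srv":
            return "masq"                      # outbound allowed, masqueraded
        if s == "fe":
            return "accept"                    # unmasqueraded via front-end IP
    return "drop"                              # assumption: anything else denied

def vm_decision(dst, src_project, vm_project, open_services, proto="tcp", dport=None):
    """Default verdict of a VM's local iptables policy for traffic to its own IP.
    open_services: set of (proto, port) pairs a configured service has opened."""
    d = classify(dst)
    if d == "fe":
        return "accept" if (proto, dport) in open_services else "drop"
    if d == "srv":
        return "accept" if src_project == vm_project else "drop"
    return "drop"
```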