Network security

The different classes are separated by the harmonised use of VLANs and VXLANs and protected from internet traffic by firewalls on the routers and individually on each VM.

VLAN classes and gateway firewall

Front-end network

Nodes that offer services to the general public have one or more IPv4/IPv6 addresses in this network.

Traffic to addresses in this network is forwarded by the gateway firewall without restrictions.

Customers should only bind services to the IP addresses that are intended for access from the Internet. Backend services should be bound to the server network.

Server network

All nodes have an address in the server network. This is used by applications for internal communication, for example by application servers that communicate with your database.

The computers in the server network generally use private IPv4 addresses and public IPv6 addresses. Outgoing data traffic is generally permitted and is masked on the gateway firewall if required. If a computer requires unmasked access to the Internet, an IP address must be provided in the front-end network.

Most incoming traffic is blocked on the gateway firewall, with the exception of port 22 for tcp (ssh), among others.

Storage network

This network is used for storage traffic. It is only accessible for Ring 0 machines, but not for customer-owned devices or virtual machines. Customer-owned environments implement separate storage networks.

This network uses private IPv4 addresses that are not routed over the Internet. Data traffic from outside this network is not permitted.

Management network

This network is only used for management purposes: Access to the Intelligent Platform Management Interface (IPMI), switch consoles, operating systems, etc.

It uses private IPv4 addresses that are not routed via the Internet. Data traffic from outside this network is not permitted.

Underlay network

This network is used to implement a redundant, dynamic BGP/Ethernet VPN/VXLAN environment to transport all other networks to the physical machines as required.

It uses a private IPv4 network and local IPv6 link addresses. The underlay is only accessible to Ring 0 machines, but not to virtual machines.

VM firewall

Each VM runs an additional local firewall with iptables, which by default

  • blocks all data traffic to the frontend IPs unless it is explicitly opened by a configured service, and
  • blocks all data traffic to the server-to-server IPs, except for VMs from the same project.