Network security
VLAN classes and gateway firewall
Front-end network
Nodes that offer services to the general public have one or more IPv4/IPv6 addresses in this network.
Traffic to addresses in this network is forwarded by the gateway firewall without restrictions.
Bind only the services that are meant to be reachable from the Internet to front-end addresses. Backend services (databases, caches, internal APIs) should be bound to the server network address instead, where the gateway firewall shields them.
Server network
Every node has an address in the server network. Applications use it for internal communication, for example an application server talking to your database.
Machines in the server network generally use private IPv4 addresses and public IPv6 addresses. Outgoing traffic is generally permitted; where required (private IPv4 source addresses cannot be routed on the Internet as they are) it is masqueraded, i.e. source-NATed, on the gateway firewall. A machine that needs to reach the Internet without NAT must be given an address in the front-end network.
Most incoming traffic to the server network is blocked on the gateway firewall; TCP port 22 (SSH) is among the exceptions.
Storage network
This network carries storage traffic. It is reachable only from Ring 0 machines, not from customer-owned devices or virtual machines; customer-owned environments implement their own, separate storage networks.
It uses private IPv4 addresses that are not routed on the Internet. Traffic from outside this network is not permitted.
Management network
This network is used for management purposes only: access to the Intelligent Platform Management Interface (IPMI), switch consoles, operating systems, and so on.
It uses private IPv4 addresses that are not routed on the Internet. Traffic from outside this network is not permitted.
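The gateway behaviour described above for the four VLAN classes, written out as an nftables ruleset. This is an added illustration and not the project's own configuration: the interface names, the prefixes (RFC 5737 and RFC 3849 documentation ranges stand in for real address space) and the contents of the inbound-exception set for the server network are assumptions.

```nft
#!/usr/sbin/nft -f
# Added illustration of the gateway policy above; not the project's own ruleset.
# Interface names and prefixes are assumptions (documentation ranges stand in
# for the real public space).
flush ruleset

define wan_if  = "uplink"     # assumed: Internet-facing interface
define fe_if   = "vlan-fe"    # assumed: front-end VLAN
define srv_if  = "vlan-srv"   # assumed: server VLAN

define fe_net4  = 203.0.113.0/24
define fe_net6  = 2001:db8:fe::/48
define srv_net4 = 10.20.0.0/16        # private IPv4, needs masquerading
define srv_net6 = 2001:db8:20::/48    # public IPv6, no NAT
define sto_net4 = 10.30.0.0/16        # storage, never routed
define mgm_net4 = 10.40.0.0/16        # management, never routed

table inet gateway {
    # Inbound exceptions into the server network. The page names SSH;
    # any further exception is one more element in this set.
    set srv_inbound_tcp {
        type inet_service
        elements = { 22 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Front-end: traffic to front-end addresses is forwarded without
        # restriction, and front-end nodes reach the Internet without NAT.
        ip daddr $fe_net4 accept
        ip6 daddr $fe_net6 accept
        iifname $fe_if oifname $wan_if accept

        # Server network: outbound permitted, inbound only for listed services.
        iifname $srv_if oifname $wan_if accept
        oifname $srv_if tcp dport @srv_inbound_tcp accept

        # Storage and management: not routed, nothing is forwarded into them.
        ip daddr { $sto_net4, $mgm_net4 } drop

        # Everything else hits the chain policy: drop.
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Masquerade only the private IPv4 server network towards the
        # Internet; public IPv6 server addresses leave untouched.
        oifname $wan_if ip saddr $srv_net4 masquerade
    }
}
```

Load it with `nft -f gateway.nft` and review the result with `nft list ruleset`. A useful check from an external host: a TCP connection to a server-network address on a port outside the exception set must time out (the packet is dropped, not rejected), while a connection to port 22 gets through to the node, and an outbound IPv4 connection from a server-network machine must appear on the Internet with the gateway's uplink address as its source.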
VM firewall
Each VM additionally runs a local firewall (iptables/nftables) which by default
- blocks all traffic to the VM's front-end IPs unless a configured service explicitly opens a port, and
- blocks all traffic to the VM's server-network IPs except from VMs of the same project.
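The two default rules above, written out as the input chain of an nftables ruleset on one VM. This is an added illustration, not the project's generated ruleset: the VM's own addresses, the list of same-project peers and the opened port (a web server on HTTPS) are assumptions.

```nft
#!/usr/sbin/nft -f
# Added illustration of the per-VM default policy; not the project's generated
# ruleset. All addresses, the peer list and the opened port are assumptions.
flush ruleset

define fe_self4  = 203.0.113.10      # this VM's front-end addresses
define fe_self6  = 2001:db8:fe::10
define srv_self4 = 10.20.0.10        # this VM's server-network addresses
define srv_self6 = 2001:db8:20::10

table inet vm {
    # Server-network addresses of the other VMs in the same project.
    set project_peers4 {
        type ipv4_addr
        elements = { 10.20.0.11, 10.20.0.12 }
    }
    set project_peers6 {
        type ipv6_addr
        elements = { 2001:db8:20::11, 2001:db8:20::12 }
    }

    # Ports a configured service has explicitly opened on the front-end
    # address (assumed: a web server on HTTPS).
    set fe_open_tcp {
        type inet_service
        elements = { 443 }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Keep the control-plane traffic IPv4/IPv6 need (path MTU, neighbour discovery).
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Front-end IPs: closed unless a service opened the port.
        ip daddr $fe_self4 tcp dport @fe_open_tcp accept
        ip6 daddr $fe_self6 tcp dport @fe_open_tcp accept

        # Server-network IPs: only VMs of the same project may talk to them.
        ip daddr $srv_self4 ip saddr @project_peers4 accept
        ip6 daddr $srv_self6 ip6 saddr @project_peers6 accept

        # Anything else, including other projects' VMs on the server network,
        # falls through to the chain policy: drop.
    }
}
```

Only the input hook is filtered; the VM's own outbound connections are unaffected and their replies come back through the `ct state established,related` rule. To check the policy, connect from a VM of a different project to the server-network address on any port (the attempt must time out) and from a listed peer to the same address (the connection must succeed); `nft list chain inet vm input` shows the chain as loaded.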