Last updated on: 2014-03-06
Authored by: Sameer Satyam
In order to access Rackspace services from your cloud servers, you traditionally need the servers to be connected to ServiceNet and/or Public interfaces. It is possible to detach your servers from either of these networks and have servers be connected only to isolated network interfaces if you want to restrict access to them. However, this would cause you to lose access to some Rackspace services.
The following article describes what services are impacted by disconnecting Public and/or SNET interfaces from your cloud servers:
The Vyatta network appliance provides you with an easy-to-configure firewall, advanced networking and VPN capabilities in addition to increased security in the Cloud. Using this appliance , you can detach your servers from Public and SNET interfaces and still retain access to Rackspace services. In this article you will see how this can be accomplished.
In the below setup the cloud server is connected only on the isolated network (cloud network). The Vyatta is also on the same cloud network and is used as the default gateway by the server in question. The Vyatta appliance is connected to all three networks (Public, SNET and Isolated).
The table below summarizes what services can be accessed if the Vyatta is configured as described in the next section:
|Managed Cloud Service Level||No *|
|Operating System Updates||Yes|
*Vyatta Network appliance is not available for this service.
In order for the services listed in the table above to work as explained, the Vyatta appliance needs to be configured with Source NAT. For a more comprehensive explanation of Source NAT configuration, visit the following link:
Note: The cloud servers are on the isolated interface 192.168.1.0/24 and they are using the Vyatta network appliance as their default gateway
Login to the Vyatta appliance and enter configuration mode:
$ ssh firstname.lastname@example.org Welcome to Vyatta email@example.com's password: Welcome to Vyatta Version: VSE6.5R2 Description: Vyatta Subscription Edition 6.5 R2 Copyright: 2006-2012 Vyatta, Inc. Last login: Thu May 2 04:48:29 2013 from x.x.x.x vyatta@vyatta-thefinal:~$ vyatta@vyatta-thefinal:~$ configure  vyatta@vyatta-thefinal#
Configure Source NAT for ServiceNet traffic. eth1 is the SNET interface on the Vyatta. Any traffic going out via SNET will now use a source IP of the SNET interface on the Vyatta.
set nat source rule 10 outbound-interface 'eth1' set nat source rule 10 protocol 'all' set nat source rule 10 source address '192.168.1.0/24' set nat source rule 10 translation address 'masquerade'
Configure Source NAT for PublicNet traffic. eth0 is the Public interface on the Vyatta. Any traffic going out via PublicNet will now use a source IP of the Public interface on the Vyatta.
set nat source rule 20 outbound-interface 'eth0' set nat source rule 20 protocol 'all' set nat source rule 20 source address '192.168.1.0/24' set nat source rule 20 translation address 'masquerade'
This simple configuration should allow you to access the services listed in the table. You may also want to configure firewall policies on the Vyatta appliance. For configuration assistance of firewall policies on Vyatta please visit the following article:
©2020 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License