Private Networks

Tagged in
- compute

Each instance may provision one or more additional unmanaged and managed network interfaces. This interface is bound to a private network segment shared only with your other instances.

The Private Network is a classic layer 2 segment: it is as if your instances were attached to a dedicated switch. This means:

You can use any ethernet-compatible protocol (IPv4, IPv6, NetBIOS).
Security group rules do not apply to traffic inside private networks.
Multicast and broadcast are authorized.
Only your instances are attached to the segment.
No encryption is performed, but your packets do not leave our datacenter.
Private Networks can be managed.
Private Networks do not span across several zones.

However, there is a small difference: unknown MAC addresses cannot be used. Do not create a bridge including the private interface.

To attach one instance to your Private Network on the Portal, go to the instance details and click on Add Private Network:

Activate Private Network for an instance

To attach an instance to your Private Network on the CLI:

$ exo compute instance private-network attach my-instance my-network
 ✔ Attaching instance "my-instance" to Private Network "my-network"... 6s
┼──────────────────────┼──────────────────────────────────────┼
│   COMPUTE INSTANCE   │                                      │
┼──────────────────────┼──────────────────────────────────────┼
│ ID                   │ 0e713d4c-9f3f-4a9a-b958-b4571450d3a8 │
│ Name                 │ my-instance                          │
│ Creation Date        │ 2019-03-08 15:07:14 +0000 UTC        │
│ Instance Type        │ standard.tiny                        │
│ Template             │ Linux Ubuntu 18.04 LTS 64-bit        │
│ Zone                 │ ch-gva-2                             │
│ Anti-Affinity Groups │ n/a                                  │
│ Security Groups      │ default                              │
│ Private Networks     │ my-network                           │
│ Elastic IPs          │ n/a                                  │
│ IP Address           │ 185.19.30.32                         │
│ IPv6 Address         │ 2a04:c43:e00:588:4fe:9cef:fe00:23f   │
│ SSH Key              │ admin                                │
│ Disk Size            │ 10 GiB                               │
│ State                │ running                              │
│ Labels               │ n/a                                  │
┼──────────────────────┼──────────────────────────────────────┼

After the instance is attached to the Private Network, you will see the MAC address of the additional interface:

MAC address of additional interface

If you log into your instance, a new interface will be visible.

Repeat the operation for each instance you want to join the Private Network. Some operating systems, such as OpenBSD, will require a reboot for the new network interface to appear.

Configuration

By default, there is no DHCP listening on your Private Network. If you want a DHCP server attached to your Private Network, you should create a managed Private Network.

Managed Private Networks

Managed Private Networks allow you to create Private Networks with a DHCP server managed by Exoscale in order to automatically configure the IP addresses of your Private Network interfaces.

You can also assign specific IP addresses to Private Network interfaces.

Prerequisites

In order to use managed Private Networks, install Cloud Init version 19.3 or later on your instance to use the Exoscale datasource. You can learn more about Cloud Init on the Cloud Init documentation page.

Create a managed Private Network

You can create a managed Private Network through the Portal, the CLI, or using tools like Terraform. In this example, we will use the CLI:

$ exo compute private-network create managed-network \
    --zone ch-gva-2      \
    --start-ip 10.0.0.20 \
    --end-ip 10.0.0.200  \
    --netmask 255.255.255.0
 ✔ Creating Private Network "managed-network"... 3s
┼─────────────────┼──────────────────────────────────────┼
│ PRIVATE NETWORK │                                      │
┼─────────────────┼──────────────────────────────────────┼
│ ID              │ 0f621ed0-a161-4c9a-a533-51c8e3504a13 │
│ Name            │ managed-network                      │
│ Description     │                                      │
│ Zone            │ ch-gva-2                             │
│ Type            │ managed                              │
│ Start IP        │ 10.0.0.20                            │
│ End IP          │ 10.0.0.200                           │
│ Netmask         │ 255.255.255.0                        │
│ Leases          │ -                                    │
┼─────────────────┼──────────────────────────────────────┼

The --start-ip, --end-ip and --netmask flags allow you to define the IP range of your Private Network:

Some values are forbidden:

the IP address for --start-ip must be lower than the --end-ip, and cannot be the network address.
the IP address for --end-ip cannot be the network broadcast address or the last IP of the network, because this IP will be the IP address of the DHCP server.
you cannot shrink the network range, you can only increase it. For example, exo compute private-network update <NETWORK> --end-ip 10.0.0.230 will increase the network range.

In this example, the DHCP server will assign IP addresses between 10.0.0.20 and 10.0.0.200 to the network interfaces. This means that you can only have at most 180 machines in this network.

Static IP addresses

You can assign static IP addresses to private interfaces. The IP address must be in the network range, but not necessarily in the network IP range.

For example, you will be able to assign static IP addresses between 10.0.0.1 and 10.0.0.253 for the network defined above. The IP address must not be already used by a network interface.

Using the exo CLI, you have two ways to configure a static IP address on your Private Network interface:

Specify the static IP address with the --ip flag when attaching your instance to a managed Private Network by running the exo compute instance private-network attach command.
Run the exo compute instance private-network update-ip command.

Interfaces configuration

On Debian and Ubuntu, you will need to configure the corresponding network interface(s) - e.g. eth1 - for DHCP.

Ubuntu >= 18.04 (Bionic) [netplan]

In /etc/netplan/eth1.yaml:

network:
  version: 2
  ethernets:
    eth1:
      dhcp4: true

Followed by sudo netplan apply to bring the interface up.

Debian and Ubuntu < 18.04 [ifconfig]

In /etc/network/interfaces.d/eth1.conf:

allow-hotplug eth1
iface eth1 inet dhcp

Followed by ifup eth1 to bring the interface up.

Using Cloud-Init (for Debian or Ubuntu)

To automate your Private Network setup, you may include the ad-hoc configuration in your Compute instance’s user-data, e.g. for netplan (Ubuntu 18.04):

#cloud-config
write_files:
  - path: /etc/netplan/eth1.yaml
    content: |
      network:
        version: 2
        ethernets:
          eth1:
            dhcp4: true

runcmd:
  - [ netplan, apply ]

Granular DHCP Options Support via the CLI

Exoscale’s Managed Private Networks support granular DHCP configurations, providing enhanced control over network settings through the exo CLI.

[DHCP Option 3] Default Gateway (Router): Sets the IP of the default gateway for external traffic.
[DHCP Option 6] DNS Servers: Specifies DNS server IPs for domain name resolution.
[DHCP Option 42] NTP Servers: Defines IPs for time synchronization with NTP servers.
[DHCP Option 119] Domain Search List: Supplies a list of domain suffixes supporting multi-domain environments (limited to 255 octets).

Unmanaged Private Networks

To use your Private Network with a static IP configuration on each instance, you need to choose a subnet and to keep track of the IP assigned to each of your instances. For example, if you chose the 10.3.4.0/24 network and 10.3.4.10 as the IP address of your first instance, you can use any IP address in this network (from 10.3.4.1 to 10.3.4.254).

Interfaces configuration

You will need to configure the corresponding network interfaces - such as eth1 - with their static IP parameters.

Ubuntu >= 18.04 (Bionic) [netplan]

In /etc/netplan/eth1.yaml:

network:
  version: 2
  ethernets:
    eth1:
      addresses:
        - 10.3.4.10/24

Followed by sudo netplan apply to bring the interface up.

You can find more configuration examples about netplan on their website.

Debian and Ubuntu < 18.04 [ifconfig]

In /etc/network/interfaces.d/eth1.conf:

auto eth1
iface eth1 inet static
  address 10.3.4.10/24

Followed by ifup eth1 to bring the interface up.

Using Cloud-Init (for Debian or Ubuntu)

To automate your Private Network setup, you may include the ad-hoc configuration in your instance’s user data, such as for netplan (Ubuntu 18.04):

#cloud-config
write_files:
  - path: /etc/netplan/eth1.yaml
    content: |
      network:
        version: 2
        ethernets:
          eth1:
            addresses:
              - 10.3.4.10/24

runcmd:
  - [ netplan, apply ]

Windows

On Windows, go to the Network and Sharing Center. You should see the additional network interface:

Network and sharing center

Click on on the name of the new interface (“Ethernet 2” in our screenshot). You will get the following dialog box:

Ethernet 2 status

Click on on Properties. You will see the following dialog box:

Ethernet 2 properties

Click on on Internet Protocol Version 4 (TCP/IPv4), then on Properties. You will see a new dialog box. Click on Use the following IP address and enter the IP address you assigned for the instance (10.3.4.10). Use 255.255.255.0 for the subnet mask:

IPv4 properties

OpenBSD

OpenBSD needs to be rebooted for the new interface to show up. After it is rebooted, create the interface configuration file:

echo 'inet 10.3.4.10/24' > /etc/hostname.vio1
sh /etc/netstart vio1

Limitations

Private Networks are local to a zone.
Private Networks are unlimited per organization.
A maximum of 8 Private Networks can be attached to each single instance.
Jumbo Frames are not supported - the largest supported MTU size is 1500.