Networking Primer for Virtual DataCenter
Virtual DataCenter offers a robust and secure networking model, but it can be a bit difficult to understand if you are new to it. Here are a few basics to help you communicate with your servers in a Virtual DataCenter network.
Private Network for Virtual Machines
Your virtual machines are attached to a private network that’s located behind a firewall. This is a truly private network that uses an IP subnet configured when you create the network. You control the IP subnet with the Internal Address Range setting.
By default, the firewall does not allow inbound access from the Internet to your virtual machines. Outbound access from virtual machines to the Internet is always allowed.
Public IP Addresses
When you create a network, a single public IP address (the primary IP address) is assigned to it. You can assign additional, secondary IP addresses later if necessary.
The public IP address on the network is the one where the services your virtual machines provide are accessed from the Internet. The firewall between the Internet and the private network translates the requests from the public IP address to the private IP addresses of the virtual machines, and vice versa.
For outbound connections that the virtual machines generate, the firewall implements hide network address translation (NAT) to the primary IP address. This means that any outgoing connection from the private network to the Internet appears to come from the primary public IP address of the network.
Inbound connections are slightly different. Since the incoming connections allowed into the private network are defined by the port forward rules and load balancers configured (see below), the firewall implements port address translation (PAT). Because of this, you cannot assign public IP addresses directly to virtual machines. Only the incoming connections allowed by the port forward/load balancer configuration are translated to the private IP address of the virtual machine they are destined for. Outgoing connections from the virtual machine (even on the same port as is defined in the port forward rule or load balancer) are still translated via hide NAT to the primary public IP address of the network.
Port Forward Rules and Load Balancers
To enable inbound access from the Internet for services running on virtual machines, you create port forward rules or load balancers on the network. These configurations let only certain requests from the Internet reach the virtual machines in the private network.
A port forward rule provides a one-to-one mapping between a public IP address and port number and a virtual machine and port number. Any requests destined for the port number configured in a port forward rule are directed to one, and only one, virtual machine and port number.
A public IP address and port number pair can only be configured in one port forward at once. If you need to forward the same port number for multiple virtual machines, you must use a load balancer or assign additional public IP addresses to your network.
Port forward rules are typically used for allowing ssh or remote desktop access to virtual machines, or for allowing access to other services that are only running on one virtual machine.
Load balancers distribute requests destined for a public IP address and port number across multiple virtual machines. Typically, load balancers are for web services that several virtual machines in the network provide. This way, you can distribute the load among several virtual machines and provide redundancy for the services.
Similar to port forward rules, you can only configure a public IP address and port number pair in one load balancer at once.
For specific instructions to add port forwards and load balancers, see:
Remember, no access at all is allowed into the virtual machines from the Internet, until you create a port forward or load balancer to explicitly allow requests through!
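The translation behaviour described above (default deny inbound, PAT for port forwards and load balancers, hide NAT outbound, and the rule that a public IP and port pair can be used by only one port forward or load balancer) can be modelled in a few lines. This is an added illustration, not Virtual DataCenter's own code or API; the class and method names, the round-robin distribution for the load balancer, and the IP addresses are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class Network:
    """Constructed model of one Virtual DataCenter network and its firewall."""
    primary_ip: str                              # hide-NAT source for all outbound traffic
    forwards: dict = field(default_factory=dict)  # (public_ip, port) -> (vm_ip, vm_port)
    balancers: dict = field(default_factory=dict)  # (public_ip, port) -> [(vm_ip, vm_port), ...]
    rr: dict = field(default_factory=dict)         # round-robin iterators per balancer (assumption)

    def _check_free(self, public_ip, port):
        # A public IP:port pair may appear in only one port forward or load balancer.
        key = (public_ip, port)
        if key in self.forwards or key in self.balancers:
            raise ValueError(f"{public_ip}:{port} is already used by another rule")

    def add_port_forward(self, public_ip, port, vm_ip, vm_port):
        self._check_free(public_ip, port)
        self.forwards[(public_ip, port)] = (vm_ip, vm_port)

    def add_load_balancer(self, public_ip, port, members):
        self._check_free(public_ip, port)
        self.balancers[(public_ip, port)] = list(members)
        self.rr[(public_ip, port)] = cycle(members)

    def inbound(self, public_ip, port):
        """PAT: return the (vm_ip, vm_port) an inbound request is sent to, or None if dropped."""
        key = (public_ip, port)
        if key in self.forwards:
            return self.forwards[key]
        if key in self.balancers:
            return next(self.rr[key])
        return None  # default deny: no rule, no access

    def outbound(self, vm_ip, vm_port):
        """Hide NAT: every outgoing connection appears to come from the primary IP."""
        return self.primary_ip


def build_example_network():
    # Constructed sample: one primary and one secondary public IP (documentation ranges).
    net = Network(primary_ip="198.51.100.10")
    net.add_port_forward("198.51.100.10", 22, "10.0.0.5", 22)        # ssh to one VM only
    net.add_port_forward("198.51.100.11", 22, "10.0.0.6", 22)        # same port, secondary IP
    net.add_load_balancer("198.51.100.10", 443,
                          [("10.0.0.5", 443), ("10.0.0.6", 443)])     # web tier
    return net
```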