Every cloud server can be attached to a private network that has no direct access to the Internet. Where Internet access is needed, it is configured separately using routers, public IP addresses, or the shared public IP address of a router, so a server is exposed only when you choose to expose it.
| Term | Definition |
|---|---|
| Private Network (VLAN) | A network segment isolated from other private networks at layer 2 (L2). |
| Subnet (IP address range) | A range of private IP addresses, bounded by the CIDR prefix length chosen by the client. Several subnets can be assigned to the same private network. Subnets are the source of the IP addresses handed out when new ports are created. |
| Port | A virtual network interface carrying a MAC+IP binding, used to connect a cloud server to a network. One port of a subnet can be attached to the router. |
| Router | A device that routes traffic between subnets and to the Internet. All subnets attached to the same router can reach each other using the router's address as their default gateway, and reach the Internet through the shared external IP address assigned to the router. The router performs NAT in two directions: source NAT for outgoing traffic from the private network, and destination NAT that forwards packets addressed to a public IP address to the server that address is associated with. |
| Shared external IP on the router | The IP address assigned to the router port when it is connected to the External network. Servers behind it share one address for outgoing traffic only; there is no inbound path to them unless a public IP address is associated with them. |
| External network | The service subnet that provides public IP addresses for router ports and for public IP addresses. |
| Public IP address | An address from the External network that can be associated with the private address of a server or a load balancer. Traffic for the public IP address is processed by the router, which forwards every packet to the associated private address. Because the router forwards all protocols and ports, filtering of that traffic has to happen on the server itself. |
| Public subnet | A range of public IP addresses, bounded by the prefix length (mask) provided to the client. Addresses from this subnet are not processed by the router; they are configured directly on the cloud server, which is therefore reachable from the Internet without any NAT in between. |
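To make the three cases in the table concrete, here is the same router behaviour written as a Linux nftables ruleset. This is an added illustration, not configuration taken from the page or from the cloud provider: the interface names (`priv0`, `ext0`), the private subnet 192.0.2.0/24, the shared external IP 203.0.113.1, and the public IP 203.0.113.10 associated with the server 192.0.2.10 are all assumed values from the RFC 5737 documentation ranges.

```nft
#!/usr/sbin/nft -f
# Added example (not from the page): a router with a private-side interface
# "priv0" and an External-network interface "ext0". All addresses are assumed.
flush ruleset

define PRIVATE_SUBNET = 192.0.2.0/24
define SHARED_EXT_IP  = 203.0.113.1    # shared external IP on the router port
define PUBLIC_IP      = 203.0.113.10   # public IP associated with one server
define PUBLIC_IP_HOST = 192.0.2.10     # the private address it is associated with

table ip router {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Public IP address: every packet arriving for PUBLIC_IP, any protocol
        # and any port, has its destination rewritten to the private address.
        # Nothing here filters; that is the job of the server's own firewall.
        iifname "ext0" ip daddr $PUBLIC_IP dnat to $PUBLIC_IP_HOST
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Reverse of the public IP case: the same server leaves with its
        # public IP, so the mapping is 1:1 in both directions.
        oifname "ext0" ip saddr $PUBLIC_IP_HOST snat to $PUBLIC_IP
        # Shared external IP: all other private hosts leave as the router's
        # address (many-to-one). Replies are matched through conntrack; a new
        # connection from the Internet to SHARED_EXT_IP has no host to go to.
        oifname "ext0" ip saddr $PRIVATE_SUBNET snat to $SHARED_EXT_IP
        # A public subnet does not appear here at all: its addresses live on
        # the servers themselves and are routed, never translated.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Private hosts may originate connections towards the Internet ...
        iifname "priv0" oifname "ext0" ip saddr $PRIVATE_SUBNET accept
        # ... and only the host behind the public IP accepts new inbound
        # connections (prerouting has already rewritten the destination).
        iifname "ext0" oifname "priv0" ip daddr $PUBLIC_IP_HOST accept
    }
}
```

The forward chain is what makes the difference between the two IP types visible: with the default drop policy, the only new inbound connections that can cross the router are those that the DNAT rule has already pointed at 192.0.2.10. Hosts that only use the shared external IP are reachable from the Internet solely as replies to connections they opened.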
Standard Network Configurations
Private Network and Bastion Host
A bastion host is a host on the network that acts as the gateway or proxy for all other servers. Typically it is the only host reachable on an external IP address, and it talks to the other servers over the private network. That makes it the single entry point to harden, monitor, and log: the remaining servers have no public interface at all.
In the alternative configuration, all servers have direct public access to the Internet and communicate with each other through their public interfaces. Every server is then individually exposed, so each one must carry its own firewalling.
Load Balancer and Bastion Host
A combination of the first example with a dedicated load balancer. The bastion host remains the way into the private network for managing the infrastructure, while the load balancer takes over from it the job of proxying client requests to the infrastructure, so administrative access and client traffic no longer enter through the same host.
Private Network between Pools and Services
This topology provides direct public access to a group of cloud servers (virtual machines) and, over a private network, connects them to resources in another pool of the Cloud platform or to dedicated servers in any location. Traffic between the pools stays on the private network rather than crossing the Internet.