
Virtual Private Cloud (VPC)

Virtual Private Cloud (VPC) Overview

A Virtual Private Cloud (VPC) is a private, isolated network environment within EduCloud that mimics a traditional physical network topology. It serves as a container for multiple isolated networks, called Network Tiers, which can communicate with each other through a virtual router (VPC-VR).

Each VPC is defined by a super CIDR block, such as 10.0.0.0/16 or 172.16.0.0/12, from which individual Network Tiers are carved. For a super CIDR of 10.0.0.0/16, the tiers might be 10.0.10.0/24, 10.0.20.0/24, and so on. These Network Tiers are segmented by VLANs and act as isolated networks in which resources such as virtual machines (VMs) are grouped by IP address range.

VPC virtual router

The VPC is managed by a virtual router (VPC-VR) that provides services such as DNS, DHCP, and source NAT for outbound internet access. The virtual router is the gateway for each Network Tier and routes traffic between the Network Tiers, to the public gateway, and to any configured VPN gateways.

The VPC can be configured with various network architectures, including setups with only a public gateway, both public and private gateways, or site-to-site VPN access for connecting to external networks such as corporate data centers.

Adding a Virtual Private Cloud (VPC)

To add a VPC, go to the left navigation menu, select Network, then VPC, and click the Add VPC + button.

[Screenshot: Network > VPC > Add VPC]

The Add VPC Page appears as follows:

[Screenshot: Add VPC dialog]

  • Name: A short name for the VPC that you are creating.
  • Description: A brief description of the VPC.
  • CIDR: The super CIDR that contains every Network Tier (guest network) in the VPC. Each Network Tier you create later must have a CIDR inside this range. The super CIDR must be an RFC 1918 private range, and it should not overlap with any external network you intend to reach over a site-to-site VPN, since overlapping ranges cannot be routed.
  • Network Domain: To assign a specific DNS suffix, enter it here. The value applies to all Network Tiers in the VPC, so every Network Tier in the VPC belongs to the same DNS domain. If left empty, a DNS domain name is generated automatically.
  • VPC Offering: If the administrator has configured multiple VPC offerings, select the one to use for this VPC.
  • DNS: Custom DNS servers for this VPC. If not provided, the DNS servers specified for the zone are used. Available only when the selected VPC offering supports the DNS service.
  • IPv4 address for the VR in this VPC: The source NAT address, or primary public address, used by the guest networks. If not provided, a random address from the available public pool is assigned.

Click OK.

Adding Network Tiers

Network Tiers are distinct locations within a VPC that act as isolated networks. By default, they do not have access to other Network Tiers. Each Network Tier is set up on a different VLAN, and communication between them is handled through the virtual router.

From the left navigation menu, choose Network. In the view selector, choose VPC.

After selecting the VPC, click Add new Network Tier.

[Screenshot: VPC view with the Add new Network Tier button]

The Add new Network Tier dialog is displayed, as follows:

[Screenshot: Add new Network Tier dialog]

If no custom ACLs are available, two default ACLs are provided:

  1. default_allow permits all traffic and is not suitable for a secure environment.
  2. default_deny blocks all traffic; nothing passes until you assign an ACL with explicit rules. For details, see Configuring Network Access Control List.

You can create multiple Network Tiers within a single VPC.

Specify the following fields:

  • Name: A unique name for the Network Tier you are creating.
  • Network Offering: The following default network offerings are available:
    • Internal LB
    • DefaultIsolatedNetworkOfferingForVpcNetworksNoLB
    • DefaultIsolatedNetworkOfferingForVpcNetworks

In a VPC, only one Network Tier can be created with the LB-enabled network offering; the remaining tiers must use a NoLB offering.

  • Gateway: The gateway address for this Network Tier. Ensure it falls within the VPC’s Super CIDR range and does not overlap with the CIDR of any existing Network Tier.
  • Netmask: The netmask for this Network Tier. For example, if the VPC CIDR is 172.16.0.0/16 and the Network Tier CIDR is 172.16.1.0/24, then the Network Tier gateway is 172.16.1.1, and the netmask is 255.255.255.0.

When finished, click OK.
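The CIDR requirements in the Add VPC and Add new Network Tier dialogs above (an RFC 1918 super CIDR, each tier inside the super CIDR, no overlap with existing tiers, and a gateway and netmask derived from the tier CIDR) are easy to get wrong in a form and easy to check beforehand. The following Python script is an added example, not part of EduCloud; it uses only the standard library, and the tier list it checks is constructed for illustration.

```python
import ipaddress

# The three RFC 1918 private blocks a VPC super CIDR must lie within.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True if the whole CIDR lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def plan_tier(super_cidr: str, tier_cidr: str, existing_tiers: list) -> dict:
    """Validate a proposed Network Tier and derive the dialog values.

    Raises ValueError with the reason the tier would be rejected: super CIDR not
    RFC 1918, tier outside the super CIDR, or tier overlapping an existing tier.
    Returns the gateway (first host address, the VR's address in the tier) and the
    dotted netmask the Add new Network Tier dialog asks for.
    """
    vpc = ipaddress.ip_network(super_cidr, strict=True)    # strict: host bits must be zero
    tier = ipaddress.ip_network(tier_cidr, strict=True)
    if not is_rfc1918(super_cidr):
        raise ValueError(f"super CIDR {super_cidr} is not an RFC 1918 range")
    if not tier.subnet_of(vpc):
        raise ValueError(f"tier {tier_cidr} is outside super CIDR {super_cidr}")
    for other in existing_tiers:
        if tier.overlaps(ipaddress.ip_network(other, strict=True)):
            raise ValueError(f"tier {tier_cidr} overlaps existing tier {other}")
    return {
        "cidr": str(tier),
        "gateway": str(tier.network_address + 1),   # first usable host
        "netmask": str(tier.netmask),
        "usable_hosts": tier.num_addresses - 2,     # minus network and broadcast
    }


def plan_tiers(super_cidr: str, tier_cidrs: list) -> list:
    """Plan several tiers in order, checking each against the ones already accepted."""
    accepted, plans = [], []
    for cidr in tier_cidrs:
        plans.append(plan_tier(super_cidr, cidr, accepted))
        accepted.append(cidr)
    return plans


if __name__ == "__main__":
    # Constructed layout: a web, app and db tier under a /16 super CIDR.
    for plan in plan_tiers("10.0.0.0/16", ["10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"]):
        print(plan)
    for bad in (("10.0.0.0/16", "10.10.0.0/24"), ("100.64.0.0/16", "100.64.1.0/24")):
        try:
            plan_tier(*bad, [])
        except ValueError as err:
            print("rejected:", err)
```

Run it before filling in the dialog: the gateway and netmask it prints are exactly the values to enter, and a ValueError names the rule the tier would break. The `strict=True` checks catch a CIDR typed with host bits set (for example 10.0.10.1/24), which the dialog would otherwise reject without saying why.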

Configuring Network Access Control List

A Network Access Control List (ACL) controls incoming (ingress) and outgoing (egress) traffic between a Network Tier and everything outside it, including the other Network Tiers in the VPC and public networks.

Network ACLs

Within EduCloud, a Network ACL is a group of ACL rules. These rules are processed in ascending order based on their rule number. Each rule defines, at minimum, a protocol, traffic type, action, and source/destination network. The following image shows an example of the default_deny ACL:

[Screenshot: the default_deny ACL]

Each Network ACL belongs to a VPC and can be assigned to multiple Network Tiers. Every Network Tier must be associated with exactly one Network ACL at any given time. If no custom ACLs exist when a Network Tier is created, a default ACL must be used.

EduCloud provides two default ACLs:

  • default_allow - Allows all ingress and egress traffic. (Not recommended for secure environments.)
  • default_deny - Blocks all ingress and egress traffic.

Default ACLs cannot be removed or modified.

Creating ACLs

  1. In the left navigation menu, choose Network.
  2. Select Network ACLs.
  3. Click Add ACL.

Specify the required fields:

[Screenshot: Add ACL dialog]

Click OK when done.

Your custom ACL will now appear under Network ACLs. Next, create the ACL rules within the new ACL group.

In the left navigation menu, select the ACL group you created, then open the ACL Rules tab.

To add a new rule, click Add ACL Rule and complete the following fields:

  • Rule Number: The position of the rule in the evaluation order; rules are processed in ascending order.
  • CIDR: The source CIDR for ingress rules, or the destination CIDR for egress rules. Enter a single CIDR or a comma-separated list, for example 192.168.0.0/22. To match all addresses, use 0.0.0.0/0.
  • Action: Allow or Deny.
  • Protocol: The protocol of the traffic (TCP, UDP, ICMP, ALL, or a protocol number).
  • Start Port (TCP/UDP only): Beginning of the port range. Use the same value as End Port for a single port.
  • End Port (TCP/UDP only): End of the port range.
  • Traffic Type: Incoming (Ingress) or Outgoing (Egress).

[Screenshot: an Allow rule for outgoing traffic]

Click OK when done.

You may edit or delete your ACL rules from the Details tab using the appropriate buttons.
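Because rules are processed in ascending rule number, a broad rule with a low number can silently make a more specific rule with a higher number unreachable. The following Python model is an added example, not EduCloud code: it evaluates a packet against a rule list the way the fields above describe (rule number, traffic type, protocol, CIDR list, ports, action) and flags rules that can never fire. Two assumptions are built in and marked in the code: the first matching rule decides, and traffic that matches no rule is denied, as it is under default_deny. The rule set is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    number: int                     # rule number; rules are evaluated in ascending order
    traffic: str                    # "ingress" or "egress"
    protocol: str                   # "tcp", "udp", "icmp" or "all"
    cidr: str                       # source CIDR (ingress) or destination CIDR (egress); comma-separated list allowed
    action: str                     # "allow" or "deny"
    start_port: Optional[int] = None    # TCP/UDP only; None means every port
    end_port: Optional[int] = None

    def networks(self):
        return [ipaddress.ip_network(c.strip()) for c in self.cidr.split(",")]

    def covers_port(self, port):
        if self.protocol not in ("tcp", "udp") or self.start_port is None:
            return True
        return port is not None and self.start_port <= port <= self.end_port

    def matches(self, traffic, protocol, peer_ip, port=None):
        """Does this rule apply to a packet of `protocol` to/from peer_ip:port?"""
        if self.traffic != traffic:
            return False
        if self.protocol != "all" and self.protocol != protocol:
            return False
        addr = ipaddress.ip_address(peer_ip)
        if not any(addr in net for net in self.networks()):
            return False
        return self.covers_port(port)


def evaluate(rules, traffic, protocol, peer_ip, port=None, unmatched="deny"):
    """Return (action, matched rule number) for one packet.

    Assumption: the first rule that matches, in ascending number, decides.
    Assumption: `unmatched` is applied when nothing matches; deny models default_deny.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(traffic, protocol, peer_ip, port):
            return rule.action, rule.number
    return unmatched, None


def shadowed(rules):
    """Numbers of rules that can never fire: a lower-numbered rule of the same traffic
    type already matches everything they could (same or 'all' protocol, a CIDR superset,
    and a port superset). A review lint added here, not an EduCloud feature."""
    ordered = sorted(rules, key=lambda r: r.number)
    result = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.traffic != later.traffic or earlier.protocol not in ("all", later.protocol):
                continue
            if not all(any(n.subnet_of(e) for e in earlier.networks()) for n in later.networks()):
                continue
            if earlier.protocol in ("tcp", "udp") and earlier.start_port is not None:
                if later.start_port is None or not (earlier.start_port <= later.start_port
                                                    and later.end_port <= earlier.end_port):
                    continue
            result.append(later.number)
            break
    return result


# Constructed ACL for a web tier: quarantine one tier first, then HTTPS from anywhere,
# SSH only from the management tier, HTTPS out. Rule 50 is shadowed by rule 5.
WEB_TIER_ACL = [
    AclRule(5, "ingress", "all", "10.0.30.0/24", "deny"),
    AclRule(10, "ingress", "tcp", "0.0.0.0/0", "allow", 443, 443),
    AclRule(20, "ingress", "tcp", "10.0.20.0/24", "allow", 22, 22),
    AclRule(30, "egress", "tcp", "0.0.0.0/0", "allow", 443, 443),
    AclRule(50, "ingress", "tcp", "10.0.30.8/32", "allow", 443, 443),
]

if __name__ == "__main__":
    print(evaluate(WEB_TIER_ACL, "ingress", "tcp", "203.0.113.5", 443))   # ('allow', 10)
    print(evaluate(WEB_TIER_ACL, "ingress", "tcp", "10.0.30.4", 443))     # ('deny', 5)
    print(evaluate(WEB_TIER_ACL, "ingress", "tcp", "203.0.113.5", 22))    # ('deny', None)
    print("never reached:", shadowed(WEB_TIER_ACL))                        # [50]
```

The useful habit this encodes: number deny rules for quarantined sources lower than the allow rules they must override, and run something like `shadowed` over the list before assigning it, since the UI will accept an unreachable rule without complaint.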

Assigning the Custom ACL to a Network Tier

After creating an ACL, you must assign it to a Network Tier. Custom ACLs can also be selected during the creation of new Network Tiers.

To assign a custom ACL:

  1. In the left navigation menu, choose Network.
  2. Select Guest Networks.
  3. Open the vertical ellipsis menu next to the desired Network Tier and select Replace ACL.
  4. Choose the custom ACL you created.

[Screenshot: Replace ACL on a Network Tier]