Posted to commits@cloudstack.apache.org by se...@apache.org on 2014/05/17 09:34:32 UTC
[3/7] split the networking2 file into multiple includes and renamed
it to 'networking_and_traffic': This closes #11
http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/9831ca6e/source/networking/remote_access_vpn.rst
----------------------------------------------------------------------
diff --git a/source/networking/remote_access_vpn.rst b/source/networking/remote_access_vpn.rst
new file mode 100644
index 0000000..94e9733
--- /dev/null
+++ b/source/networking/remote_access_vpn.rst
@@ -0,0 +1,696 @@
+.. Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information#
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+
+Remote Access VPN
+-----------------
+
+CloudStack account owners can create virtual private networks (VPN) to
+access their virtual machines. If the guest network is instantiated from
+a network offering that offers the Remote Access VPN service, the
+virtual router (based on the System VM) is used to provide the service.
+CloudStack provides a L2TP-over-IPsec-based remote access VPN service to
+guest virtual networks. Since each network gets its own virtual router,
+VPNs are not shared across the networks. VPN clients native to Windows,
+Mac OS X and iOS can be used to connect to the guest networks. The
+account owner can create and manage users for their VPN. CloudStack does
+not use its account database for this purpose but uses a separate table.
+The VPN user database is shared across all the VPNs created by the
+account owner. All VPN users get access to all VPNs created by the
+account owner.
+
+.. note::
+ Make sure that not all traffic goes through the VPN. That is, the route
+ installed by the VPN should be only for the guest network and not for
+ all traffic.
+
+- **Road Warrior / Remote Access**. Users want to be able to connect
+ securely from a home or office to a private network in the cloud.
+ Typically, the IP address of the connecting client is dynamic and
+ cannot be preconfigured on the VPN server.
+
+- **Site to Site**. In this scenario, two private subnets are connected
+ over the public Internet with a secure VPN tunnel. The cloud user's
+ subnet (for example, an office network) is connected through a
+ gateway to the network in the cloud. The address of the user's
+ gateway must be preconfigured on the VPN server in the cloud. Note
+ that although L2TP-over-IPsec can be used to set up Site-to-Site
+ VPNs, this is not the primary intent of this feature. For more
+ information, see ":ref:`setting-s2s-vpn-conn`".
+
+
+Configuring Remote Access VPN
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To set up VPN for the cloud:
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, click Global Settings.
+
+#. Set the following global configuration parameters.
+
+ - remote.access.vpn.client.ip.range - The range of IP addresses to
+ be allocated to remote access VPN clients. The first IP in the
+ range is used by the VPN server.
+
+ - remote.access.vpn.psk.length - Length of the IPSec key.
+
+ - remote.access.vpn.user.limit - Maximum number of VPN users per
+ account.
+
+To enable VPN for a particular network:
+
+#. Log in as a user or administrator to the CloudStack UI.
+
+#. In the left navigation, click Network.
+
+#. Click the name of the network you want to work with.
+
+#. Click View IP Addresses.
+
+#. Click one of the displayed IP address names.
+
+#. Click the Enable VPN button. |vpn-icon.png|
+
+ The IPsec key is displayed in a popup window.
+
+
+Configuring Remote Access VPN in VPC
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+On enabling Remote Access VPN on a VPC, any VPN client present outside
+the VPC can access VMs present in the VPC by using the Remote VPN
+connection. The VPN client can be present anywhere except inside the VPC
+on which the user enabled the Remote Access VPN service.
+
+To enable VPN for a VPC:
+
+#. Log in as a user or administrator to the CloudStack UI.
+
+#. In the left navigation, click Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Click the Configure button of the VPC.
+
+ For each tier, the following options are displayed:
+
+ - Internal LB
+
+ - Public LB IP
+
+ - Static NAT
+
+ - Virtual Machines
+
+ - CIDR
+
+ The following router information is displayed:
+
+ - Private Gateways
+
+ - Public IP Addresses
+
+ - Site-to-Site VPNs
+
+ - Network ACL Lists
+
+#. In the Router node, select Public IP Addresses.
+
+ The IP Addresses page is displayed.
+
+#. Click Source NAT IP address.
+
+#. Click the Enable VPN button. |vpn-icon.png|
+
+ Click OK to confirm. The IPsec key is displayed in a pop-up window.
+
+Now, you need to add the VPN users.
+
+#. Click the Source NAT IP.
+
+#. Select the VPN tab.
+
+#. Add the username and the corresponding password of the user you
+ wanted to add.
+
+#. Click Add.
+
+#. Repeat the same steps to add the VPN users.
+
+
+Using Remote Access VPN with Windows
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The procedure to use VPN varies by Windows version. Generally, the user
+must edit the VPN properties and make sure that the default route is not
+the VPN. The following steps are for Windows L2TP clients on Windows
+Vista. The commands should be similar for other Windows versions.
+
+#. Log in to the CloudStack UI and click on the source NAT IP for the
+ account. The VPN tab should display the IPsec preshared key. Make a
+ note of this and the source NAT IP. The UI also lists one or more
+ users and their passwords. Choose one of these users, or, if none
+ exists, add a user and password.
+
+#. On the Windows box, go to Control Panel, then select Network and
+ Sharing center. Click Setup a connection or network.
+
+#. In the next dialog, select No, create a new connection.
+
+#. In the next dialog, select Use my Internet Connection (VPN).
+
+#. In the next dialog, enter the source NAT IP from step
+ #1 and give the connection a name. Check Don't
+ connect now.
+
+#. In the next dialog, enter the user name and password selected in step
+ #1.
+
+#. Click Create.
+
+#. Go back to the Control Panel and click Network Connections to see the
+ new connection. The connection is not active yet.
+
+#. Right-click the new connection and select Properties. In the
+ Properties dialog, select the Networking tab.
+
+#.
+
+ In Type of VPN, choose L2TP IPsec VPN, then click IPsec settings.
+ Select Use preshared key. Enter the preshared key from step #1.
+
+#. The connection is ready for activation. Go back to Control Panel ->
+ Network Connections and double-click the created connection.
+
+#. Enter the user name and password from step #1.
+
+
+Using Remote Access VPN with Mac OS X
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+First, be sure you've configured the VPN settings in your CloudStack
+install. This section is only concerned with connecting via Mac OS X to
+your VPN.
+
+Note, these instructions were written on Mac OS X 10.7.5. They may
+differ slightly in older or newer releases of Mac OS X.
+
+#. On your Mac, open System Preferences and click Network.
+
+#. Make sure Send all traffic over VPN connection is not checked.
+
+#. If your preferences are locked, you'll need to click the lock in the
+ bottom left-hand corner to make any changes and provide your
+ administrator credentials.
+
+#. You will need to create a new network entry. Click the plus icon on
+ the bottom left-hand side and you'll see a dialog that says "Select
+ the interface and enter a name for the new service." Select VPN from
+ the Interface drop-down menu, and "L2TP over IPSec" for the VPN Type.
+ Enter whatever you like within the "Service Name" field.
+
+#. You'll now have a new network interface with the name of whatever you
+ put in the "Service Name" field. For the purposes of this example,
+ we'll assume you've named it "CloudStack." Click on that interface
+ and provide the IP address of the interface for your VPN under the
+ Server Address field, and the user name for your VPN under Account
+ Name.
+
+#. Click Authentication Settings, and add the user's password under User
+ Authentication and enter the pre-shared IPSec key in the Shared
+ Secret field under Machine Authentication. Click OK.
+
+#. You may also want to click the "Show VPN status in menu bar" but
+ that's entirely optional.
+
+#. Now click "Connect" and you will be connected to the CloudStack VPN.
+
+
+.. _setting-s2s-vpn-conn:
+
+Setting Up a Site-to-Site VPN Connection
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A Site-to-Site VPN connection helps you establish a secure connection
+from an enterprise datacenter to the cloud infrastructure. This allows
+users to access the guest VMs by establishing a VPN connection to the
+virtual router of the account from a device in the datacenter of the
+enterprise. You can also establish a secure connection between two VPC
+setups or high availability zones in your environment. Having this
+facility eliminates the need to establish VPN connections to individual
+VMs.
+
+The difference from Remote VPN is that Site-to-site VPNs connects entire
+networks to each other, for example, connecting a branch office network
+to a company headquarters network. In a site-to-site VPN, hosts do not
+have VPN client software; they send and receive normal TCP/IP traffic
+through a VPN gateway.
+
+The supported endpoints on the remote datacenters are:
+
+- Cisco ISR with IOS 12.4 or later
+
+- Juniper J-Series routers with JunOS 9.5 or later
+
+- CloudStack virtual routers
+
+.. note::
+ In addition to the specific Cisco and Juniper devices listed above, the
+ expectation is that any Cisco or Juniper device running on the supported
+ operating systems are able to establish VPN connections.
+
+To set up a Site-to-Site VPN connection, perform the following:
+
+#. Create a Virtual Private Cloud (VPC).
+
+ See ":ref:`configuring-vpc`".
+
+#. Create a VPN Customer Gateway.
+
+#. Create a VPN gateway for the VPC that you created.
+
+#. Create VPN connection from the VPC VPN gateway to the customer VPN
+ gateway.
+
+
+Creating and Updating a VPN Customer Gateway
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. note::
+ A VPN customer gateway can be connected to only one VPN gateway at a time.
+
+To add a VPN Customer Gateway:
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPN Customer Gateway.
+
+#. Click Add VPN Customer Gateway.
+
+ |addvpncustomergateway.png|
+
+ Provide the following information:
+
+ - **Name**: A unique name for the VPN customer gateway you create.
+
+ - **Gateway**: The IP address for the remote gateway.
+
+ - **CIDR list**: The guest CIDR list of the remote subnets. Enter a
+ CIDR or a comma-separated list of CIDRs. Ensure that a guest CIDR
+ list is not overlapped with the VPC's CIDR, or another guest CIDR.
+ The CIDR must be RFC1918-compliant.
+
+ - **IPsec Preshared Key**: Preshared keying is a method where the
+ endpoints of the VPN share a secret key. This key value is used to
+ authenticate the customer gateway and the VPC VPN gateway to each
+ other.
+
+ .. note::
+ The IKE peers (VPN end points) authenticate each other by
+ computing and sending a keyed hash of data that includes the
+ Preshared key. If the receiving peer is able to create the same
+ hash independently by using its Preshared key, it knows that both
+ peers must share the same secret, thus authenticating the customer
+ gateway.
+
+ - **IKE Encryption**: The Internet Key Exchange (IKE) policy for
+ phase-1. The supported encryption algorithms are AES128, AES192,
+ AES256, and 3DES. Authentication is accomplished through the
+ Preshared Keys.
+
+ .. note::
+ The phase-1 is the first phase in the IKE process. In this initial
+ negotiation phase, the two VPN endpoints agree on the methods to
+ be used to provide security for the underlying IP traffic. The
+ phase-1 authenticates the two VPN gateways to each other, by
+ confirming that the remote gateway has a matching Preshared Key.
+
+ - **IKE Hash**: The IKE hash for phase-1. The supported hash
+ algorithms are SHA1 and MD5.
+
+ - **IKE DH**: A public-key cryptography protocol which allows two
+ parties to establish a shared secret over an insecure
+ communications channel. The 1536-bit Diffie-Hellman group is used
+ within IKE to establish session keys. The supported options are
+ None, Group-5 (1536-bit) and Group-2 (1024-bit).
+
+ - **ESP Encryption**: Encapsulating Security Payload (ESP) algorithm
+ within phase-2. The supported encryption algorithms are AES128,
+ AES192, AES256, and 3DES.
+
+ .. note::
+ The phase-2 is the second phase in the IKE process. The purpose of
+ IKE phase-2 is to negotiate IPSec security associations (SA) to
+ set up the IPSec tunnel. In phase-2, new keying material is
+ extracted from the Diffie-Hellman key exchange in phase-1, to
+ provide session keys to use in protecting the VPN data flow.
+
+ - **ESP Hash**: Encapsulating Security Payload (ESP) hash for
+ phase-2. Supported hash algorithms are SHA1 and MD5.
+
+ - **Perfect Forward Secrecy**: Perfect Forward Secrecy (or PFS) is
+ the property that ensures that a session key derived from a set of
+ long-term public and private keys will not be compromised. This
+ property enforces a new Diffie-Hellman key exchange. It provides
+ the keying material that has greater key material life and thereby
+ greater resistance to cryptographic attacks. The available options
+ are None, Group-5 (1536-bit) and Group-2 (1024-bit). The security
+ of the key exchanges increase as the DH groups grow larger, as
+ does the time of the exchanges.
+
+ .. note::
+ When PFS is turned on, for every negotiation of a new phase-2 SA
+ the two gateways must generate a new set of phase-1 keys. This
+ adds an extra layer of protection that PFS adds, which ensures if
+ the phase-2 SA's have expired, the keys used for new phase-2 SA's
+ have not been generated from the current phase-1 keying material.
+
+ - **IKE Lifetime (seconds)**: The phase-1 lifetime of the security
+ association in seconds. Default is 86400 seconds (1 day). Whenever
+ the time expires, a new phase-1 exchange is performed.
+
+ - **ESP Lifetime (seconds)**: The phase-2 lifetime of the security
+ association in seconds. Default is 3600 seconds (1 hour). Whenever
+ the value is exceeded, a re-key is initiated to provide a new
+ IPsec encryption and authentication session keys.
+
+ - **Dead Peer Detection**: A method to detect an unavailable
+ Internet Key Exchange (IKE) peer. Select this option if you want
+ the virtual router to query the liveliness of its IKE peer at
+ regular intervals. It's recommended to have the same configuration
+ of DPD on both side of VPN connection.
+
+#. Click OK.
+
+
+Updating and Removing a VPN Customer Gateway
+''''''''''''''''''''''''''''''''''''''''''''
+
+You can update a customer gateway either with no VPN connection, or
+related VPN connection is in error state.
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPN Customer Gateway.
+
+#. Select the VPN customer gateway you want to work with.
+
+#. To modify the required parameters, click the Edit VPN Customer
+ Gateway button |vpn-edit-icon.png|
+
+#. To remove the VPN customer gateway, click the Delete VPN Customer
+ Gateway button |delete.png|
+
+#. Click OK.
+
+
+Creating a VPN gateway for the VPC
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Click the Configure button of the VPC to which you want to deploy the
+ VMs.
+
+ The VPC page is displayed where all the tiers you created are listed
+ in a diagram.
+
+ For each tier, the following options are displayed:
+
+ - Internal LB
+
+ - Public LB IP
+
+ - Static NAT
+
+ - Virtual Machines
+
+ - CIDR
+
+ The following router information is displayed:
+
+ - Private Gateways
+
+ - Public IP Addresses
+
+ - Site-to-Site VPNs
+
+ - Network ACL Lists
+
+#. Select Site-to-Site VPN.
+
+ If you are creating the VPN gateway for the first time, selecting
+ Site-to-Site VPN prompts you to create a VPN gateway.
+
+#. In the confirmation dialog, click Yes to confirm.
+
+ Within a few moments, the VPN gateway is created. You will be
+ prompted to view the details of the VPN gateway you have created.
+ Click Yes to confirm.
+
+ The following details are displayed in the VPN Gateway page:
+
+ - IP Address
+
+ - Account
+
+ - Domain
+
+
+Creating a VPN Connection
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. note:: CloudStack supports creating up to 8 VPN connections.
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you create for the account are listed in the page.
+
+#. Click the Configure button of the VPC to which you want to deploy the
+ VMs.
+
+ The VPC page is displayed where all the tiers you created are listed
+ in a diagram.
+
+#. Click the Settings icon.
+
+ For each tier, the following options are displayed:
+
+ - Internal LB
+
+ - Public LB IP
+
+ - Static NAT
+
+ - Virtual Machines
+
+ - CIDR
+
+ The following router information is displayed:
+
+ - Private Gateways
+
+ - Public IP Addresses
+
+ - Site-to-Site VPNs
+
+ - Network ACL Lists
+
+#. Select Site-to-Site VPN.
+
+ The Site-to-Site VPN page is displayed.
+
+#. From the Select View drop-down, ensure that VPN Connection is
+ selected.
+
+#. Click Create VPN Connection.
+
+ The Create VPN Connection dialog is displayed:
+
+ |createvpnconnection.png|
+
+#. Select the desired customer gateway.
+
+#. Select Passive if you want to establish a connection between two VPC
+ virtual routers.
+
+ If you want to establish a connection between two VPC virtual
+ routers, select Passive only on one of the VPC virtual routers, which
+ waits for the other VPC virtual router to initiate the connection. Do
+ not select Passive on the VPC virtual router that initiates the
+ connection.
+
+#. Click OK to confirm.
+
+ Within a few moments, the VPN Connection is displayed.
+
+ The following information on the VPN connection is displayed:
+
+ - IP Address
+
+ - Gateway
+
+ - State
+
+ - IPSec Preshared Key
+
+ - IKE Policy
+
+ - ESP Policy
+
+
+Site-to-Site VPN Connection Between VPC Networks
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+CloudStack provides you with the ability to establish a site-to-site VPN
+connection between CloudStack virtual routers. To achieve that, add a
+passive mode Site-to-Site VPN. With this functionality, users can deploy
+applications in multiple Availability Zones or VPCs, which can
+communicate with each other by using a secure Site-to-Site VPN Tunnel.
+
+This feature is supported on all the hypervisors.
+
+#. Create two VPCs. For example, VPC A and VPC B.
+
+ For more information, see ":ref:`configuring-vpc`".
+
+#. Create VPN gateways on both the VPCs you created.
+
+ For more information, see `"Creating a VPN gateway
+ for the VPC" <#creating-a-vpn-gateway-for-the-vpc>`_.
+
+#. Create VPN customer gateway for both the VPCs.
+
+ For more information, see `"Creating and Updating
+ a VPN Customer Gateway" <#creating-and-updating-a-vpn-customer-gateway>`_.
+
+#. Enable a VPN connection on VPC A in passive mode.
+
+ For more information, see `"Creating a VPN
+ Connection" <#creating-a-vpn-connection>`_.
+
+ Ensure that the customer gateway is pointed to VPC B. The VPN
+ connection is shown in the Disconnected state.
+
+#. Enable a VPN connection on VPC B.
+
+ Ensure that the customer gateway is pointed to VPC A. Because virtual
+ router of VPC A, in this case, is in passive mode and is waiting for
+ the virtual router of VPC B to initiate the connection, VPC B virtual
+ router should not be in passive mode.
+
+ The VPN connection is shown in the Disconnected state.
+
+ Creating VPN connection on both the VPCs initiates a VPN connection.
+ Wait for few seconds. The default is 30 seconds for both the VPN
+ connections to show the Connected state.
+
+
+Restarting and Removing a VPN Connection
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Click the Configure button of the VPC to which you want to deploy the
+ VMs.
+
+ The VPC page is displayed where all the tiers you created are listed
+ in a diagram.
+
+#. Click the Settings icon.
+
+ For each tier, the following options are displayed:
+
+ - Internal LB
+
+ - Public LB IP
+
+ - Static NAT
+
+ - Virtual Machines
+
+ - CIDR
+
+ The following router information is displayed:
+
+ - Private Gateways
+
+ - Public IP Addresses
+
+ - Site-to-Site VPNs
+
+ - Network ACL Lists
+
+#. Select Site-to-Site VPN.
+
+ The Site-to-Site VPN page is displayed.
+
+#. From the Select View drop-down, ensure that VPN Connection is
+ selected.
+
+ All the VPN connections you created are displayed.
+
+#. Select the VPN connection you want to work with.
+
+ The Details tab is displayed.
+
+#. To remove a VPN connection, click the Delete VPN connection button
+ |remove-vpn.png|
+
+ To restart a VPN connection, click the Reset VPN connection button
+ present in the Details tab. |reset-vpn.png|
+
+
+.. |vpn-icon.png| image:: /_static/images/vpn-icon.png
+ :alt: button to enable VPN.
+.. |addvpncustomergateway.png| image:: /_static/images/add-vpn-customer-gateway.png
+ :alt: adding a customer gateway.
+.. |createvpnconnection.png| image:: /_static/images/create-vpn-connection.png
+ :alt: creating a VPN connection to the customer gateway.
+.. |remove-vpn.png| image:: /_static/images/remove-vpn.png
+ :alt: button to remove a VPN connection
+.. |reset-vpn.png| image:: /_static/images/reset-vpn.png
+ :alt: button to reset a VPN connection
+.. |delete.png| image:: /_static/images/delete-button.png
+ :alt: button to remove a VPN customer gateway.
+.. |vpn-edit-icon.png| image:: /_static/images/edit-icon.png
+ :alt: button to edit.
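Review bot: The Windows procedure has a malformed list item where a bare "#." is followed by a blank line and then the separately indented paragraph "In Type of VPN, choose L2TP IPsec VPN, then click IPsec settings." An empty enumerated item with its body in a detached paragraph will not render as one numbered step like its neighbours; suggest folding the text onto the marker:
"#. In Type of VPN, choose L2TP IPsec VPN, then click IPsec settings."
"   Select Use preshared key. Enter the preshared key from step #1."
Smaller points in the same file: the license header reads "additional information#" with a stray "#" (the same typo is in the other two files added by this commit); "All the VPCs that you have created for the account is listed in the page" appears in three procedures and should read "are listed"; and in the PFS note, "This adds an extra layer of protection that PFS adds" is redundant. Finally, the IKE Encryption, IKE Hash, ESP Hash, IKE DH and PFS fields list MD5, 3DES and the 1024-bit Group-2 alongside SHA1, AES and Group-5 without saying which to choose; one sentence recommending the stronger options (SHA1, AES, Group-5, PFS on) for new customer gateways would give readers a safe default.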
http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/9831ca6e/source/networking/security_groups.rst
----------------------------------------------------------------------
diff --git a/source/networking/security_groups.rst b/source/networking/security_groups.rst
new file mode 100644
index 0000000..9ff2841
--- /dev/null
+++ b/source/networking/security_groups.rst
@@ -0,0 +1,214 @@
+.. Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information#
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+
+Security Groups
+---------------
+
+About Security Groups
+~~~~~~~~~~~~~~~~~~~~~
+
+Security groups provide a way to isolate traffic to VMs. A security
+group is a group of VMs that filter their incoming and outgoing traffic
+according to a set of rules, called ingress and egress rules. These
+rules filter network traffic according to the IP address that is
+attempting to communicate with the VM. Security groups are particularly
+useful in zones that use basic networking, because there is a single
+guest network for all guest VMs. In advanced zones, security groups are
+supported only on the KVM hypervisor.
+
+.. note::
+ In a zone that uses advanced networking, you can instead define multiple guest networks to isolate traffic to VMs.
+
+Each CloudStack account comes with a default security group that denies
+all inbound traffic and allows all outbound traffic. The default
+security group can be modified so that all new VMs inherit some other
+desired set of rules.
+
+Any CloudStack user can set up any number of additional security groups.
+When a new VM is launched, it is assigned to the default security group
+unless another user-defined security group is specified. A VM can be a
+member of any number of security groups. Once a VM is assigned to a
+security group, it remains in that group for its entire lifetime; you
+can not move a running VM from one security group to another.
+
+You can modify a security group by deleting or adding any number of
+ingress and egress rules. When you do, the new rules apply to all VMs in
+the group, whether running or stopped.
+
+If no ingress rules are specified, then no traffic will be allowed in,
+except for responses to any traffic that has been allowed out through an
+egress rule.
+
+
+Adding a Security Group
+~~~~~~~~~~~~~~~~~~~~~~~
+
+A user or administrator can define a new security group.
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In Select view, choose Security Groups.
+
+#. Click Add Security Group.
+
+#. Provide a name and description.
+
+#. Click OK.
+
+ The new security group appears in the Security Groups Details tab.
+
+#. To make the security group useful, continue to Adding Ingress and
+ Egress Rules to a Security Group.
+
+
+Security Groups in Advanced Zones (KVM Only)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+CloudStack provides the ability to use security groups to provide
+isolation between guests on a single shared, zone-wide network in an
+advanced zone where KVM is the hypervisor. Using security groups in
+advanced zones rather than multiple VLANs allows a greater range of
+options for setting up guest isolation in a cloud.
+
+
+Limitations
+^^^^^^^^^^^
+
+The following are not supported for this feature:
+
+- Two IP ranges with the same VLAN and different gateway or netmask in
+ security group-enabled shared network.
+
+- Two IP ranges with the same VLAN and different gateway or netmask in
+ account-specific shared networks.
+
+- Multiple VLAN ranges in security group-enabled shared network.
+
+- Multiple VLAN ranges in account-specific shared networks.
+
+Security groups must be enabled in the zone in order for this feature to
+be used.
+
+
+Enabling Security Groups
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order for security groups to function in a zone, the security groups
+feature must first be enabled for the zone. The administrator can do
+this when creating a new zone, by selecting a network offering that
+includes security groups. The procedure is described in Basic Zone
+Configuration in the Advanced Installation Guide. The administrator can
+not enable security groups for an existing zone, only when creating a
+new zone.
+
+
+Adding Ingress and Egress Rules to a Security Group
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network
+
+#. In Select view, choose Security Groups, then click the security group
+ you want.
+
+#. To add an ingress rule, click the Ingress Rules tab and fill out the
+ following fields to specify what network traffic is allowed into VM
+ instances in this security group. If no ingress rules are specified,
+ then no traffic will be allowed in, except for responses to any
+ traffic that has been allowed out through an egress rule.
+
+ - **Add by CIDR/Account**. Indicate whether the source of the
+ traffic will be defined by IP address (CIDR) or an existing
+ security group in a CloudStack account (Account). Choose Account
+ if you want to allow incoming traffic from all VMs in another
+ security group
+
+ - **Protocol**. The networking protocol that sources will use to
+ send traffic to the security group. TCP and UDP are typically used
+ for data exchange and end-user communications. ICMP is typically
+ used to send error messages or network monitoring data.
+
+ - **Start Port, End Port**. (TCP, UDP only) A range of listening
+ ports that are the destination for the incoming traffic. If you
+ are opening a single port, use the same number in both fields.
+
+ - **ICMP Type, ICMP Code**. (ICMP only) The type of message and
+ error code that will be accepted.
+
+ - **CIDR**. (Add by CIDR only) To accept only traffic from IP
+ addresses within a particular address block, enter a CIDR or a
+ comma-separated list of CIDRs. The CIDR is the base IP address of
+ the incoming traffic. For example, 192.168.0.0/22. To allow all
+ CIDRs, set to 0.0.0.0/0.
+
+ - **Account, Security Group**. (Add by Account only) To accept only
+ traffic from another security group, enter the CloudStack account
+ and name of a security group that has already been defined in that
+ account. To allow traffic between VMs within the security group
+ you are editing now, enter the same name you used in step 7.
+
+ The following example allows inbound HTTP access from anywhere:
+
+ |httpaccess.png|
+
+#. To add an egress rule, click the Egress Rules tab and fill out the
+ following fields to specify what type of traffic is allowed to be
+ sent out of VM instances in this security group. If no egress rules
+ are specified, then all traffic will be allowed out. Once egress
+ rules are specified, the following types of traffic are allowed out:
+ traffic specified in egress rules; queries to DNS and DHCP servers;
+ and responses to any traffic that has been allowed in through an
+ ingress rule
+
+ - **Add by CIDR/Account**. Indicate whether the destination of the
+ traffic will be defined by IP address (CIDR) or an existing
+ security group in a CloudStack account (Account). Choose Account
+ if you want to allow outgoing traffic to all VMs in another
+ security group.
+
+ - **Protocol**. The networking protocol that VMs will use to send
+ outgoing traffic. TCP and UDP are typically used for data exchange
+ and end-user communications. ICMP is typically used to send error
+ messages or network monitoring data.
+
+ - **Start Port, End Port**. (TCP, UDP only) A range of listening
+ ports that are the destination for the outgoing traffic. If you
+ are opening a single port, use the same number in both fields.
+
+ - **ICMP Type, ICMP Code**. (ICMP only) The type of message and
+ error code that will be sent
+
+ - **CIDR**. (Add by CIDR only) To send traffic only to IP addresses
+ within a particular address block, enter a CIDR or a
+ comma-separated list of CIDRs. The CIDR is the base IP address of
+ the destination. For example, 192.168.0.0/22. To allow all CIDRs,
+ set to 0.0.0.0/0.
+
+ - **Account, Security Group**. (Add by Account only) To allow
+ traffic to be sent to another security group, enter the CloudStack
+ account and name of a security group that has already been defined
+ in that account. To allow traffic between VMs within the security
+ group you are editing now, enter its name.
+
+#. Click Add.
+
+
+.. |httpaccess.png| image:: /_static/images/http-access.png
+ :alt: allows inbound HTTP access from anywhere.
+
http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/9831ca6e/source/networking/static_nat.rst
----------------------------------------------------------------------
diff --git a/source/networking/static_nat.rst b/source/networking/static_nat.rst
new file mode 100644
index 0000000..4e6199e
--- /dev/null
+++ b/source/networking/static_nat.rst
@@ -0,0 +1,56 @@
+.. Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information#
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+
+Static NAT
+----------
+
+A static NAT rule maps a public IP address to the private IP address of
+a VM in order to allow Internet traffic into the VM. The public IP
+address always remains the same, which is why it is called static NAT.
+This section tells how to enable or disable static NAT for a particular
+IP address.
+
+
+Enabling or Disabling Static NAT
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If port forwarding rules are already in effect for an IP address, you
+cannot enable static NAT to that IP.
+
+If a guest VM is part of more than one network, static NAT rules will
+function only if they are defined on the default network.
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. Click the name of the network where you want to work with.
+
+#. Click View IP Addresses.
+
+#. Click the IP address you want to work with.
+
+#. Click the Static NAT |enabledisablenat.png| button.
+
+ The button toggles between Enable and Disable, depending on whether
+ static NAT is currently enabled for the IP address.
+
+#. If you are enabling static NAT, a dialog appears where you can choose
+ the destination VM and click Apply.
+
+
+.. |enabledisablenat.png| image:: /_static/images/enable-disable.png
+ :alt: button to enable/disable NAT.
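Review bot: The restriction "If port forwarding rules are already in effect for an IP address, you cannot enable static NAT to that IP" is stated without the reason, and the intro ("A static NAT rule maps a public IP address to the private IP address of a VM") does not say how this differs from a port forwarding rule; one sentence explaining why the two are mutually exclusive for the same IP would let the reader predict the UI behaviour instead of discovering it. The disable path is also undocumented: the procedure describes the dialog for enabling but says nothing about what happens to inbound traffic for that public IP once static NAT is disabled, so add a sentence after the "The button toggles between Enable and Disable" paragraph. Minor: "Click the name of the network where you want to work with" should read "Click the name of the network you want to work with".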
http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/9831ca6e/source/networking/virtual_private_cloud_config.rst
----------------------------------------------------------------------
diff --git a/source/networking/virtual_private_cloud_config.rst b/source/networking/virtual_private_cloud_config.rst
new file mode 100644
index 0000000..87188aa
--- /dev/null
+++ b/source/networking/virtual_private_cloud_config.rst
@@ -0,0 +1,1438 @@
+.. Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information#
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+
+.. _configuring-vpc:
+
+Configuring a Virtual Private Cloud
+-----------------------------------
+
+About Virtual Private Clouds
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+CloudStack Virtual Private Cloud is a private, isolated part of
+CloudStack. A VPC can have its own virtual network topology that
+resembles a traditional physical network. You can launch VMs in the
+virtual network that can have private addresses in the range of your
+choice, for example: 10.0.0.0/16. You can define network tiers within
+your VPC network range, which in turn enables you to group similar kinds
+of instances based on IP address range.
+
+For example, if a VPC has the private range 10.0.0.0/16, its guest
+networks can have the network ranges 10.0.1.0/24, 10.0.2.0/24,
+10.0.3.0/24, and so on.
+
+
+Major Components of a VPC
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+A VPC is comprised of the following network components:
+
+- **VPC**: A VPC acts as a container for multiple isolated networks
+ that can communicate with each other via its virtual router.
+
+- **Network Tiers**: Each tier acts as an isolated network with its own
+ VLANs and CIDR list, where you can place groups of resources, such as
+ VMs. The tiers are segmented by means of VLANs. The NIC of each tier
+ acts as its gateway.
+
+- **Virtual Router**: A virtual router is automatically created and
+ started when you create a VPC. The virtual router connect the tiers
+ and direct traffic among the public gateway, the VPN gateways, and
+ the NAT instances. For each tier, a corresponding NIC and IP exist in
+ the virtual router. The virtual router provides DNS and DHCP services
+ through its IP.
+
+- **Public Gateway**: The traffic to and from the Internet routed to
+ the VPC through the public gateway. In a VPC, the public gateway is
+ not exposed to the end user; therefore, static routes are not support
+ for the public gateway.
+
+- **Private Gateway**: All the traffic to and from a private network
+ routed to the VPC through the private gateway. For more information,
+ see ":ref:`adding-priv-gw-vpc`".
+
+- **VPN Gateway**: The VPC side of a VPN connection.
+
+- **Site-to-Site VPN Connection**: A hardware-based VPN connection
+ between your VPC and your datacenter, home network, or co-location
+ facility. For more information, see ":ref:`setting-s2s-vpn-conn`".
+
+- **Customer Gateway**: The customer side of a VPN Connection. For more
+ information, see `"Creating and Updating a VPN
+ Customer Gateway" <#creating-and-updating-a-vpn-customer-gateway>`_.
+
+- **NAT Instance**: An instance that provides Port Address Translation
+ for instances to access the Internet via the public gateway. For more
+ information, see ":ref:`enabling-disabling-static-nat-on-vpc`".
+
+- **Network ACL**: Network ACL is a group of Network ACL items. Network
+ ACL items are nothing but numbered rules that are evaluated in order,
+ starting with the lowest numbered rule. These rules determine whether
+ traffic is allowed in or out of any tier associated with the network
+ ACL. For more information, see ":ref:`conf-net-acl`".
+
+
+Network Architecture in a VPC
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+In a VPC, the following four basic options of network architectures are
+present:
+
+- VPC with a public gateway only
+
+- VPC with public and private gateways
+
+- VPC with public and private gateways and site-to-site VPN access
+
+- VPC with a private gateway only and site-to-site VPN access
+
+
+Connectivity Options for a VPC
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+You can connect your VPC to:
+
+- The Internet through the public gateway.
+
+- The corporate datacenter by using a site-to-site VPN connection
+ through the VPN gateway.
+
+- Both the Internet and your corporate datacenter by using both the
+ public gateway and a VPN gateway.
+
+
+VPC Network Considerations
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Consider the following before you create a VPC:
+
+- A VPC, by default, is created in the enabled state.
+
+- A VPC can be created in Advance zone only, and can't belong to more
+ than one zone at a time.
+
+- The default number of VPCs an account can create is 20. However, you
+ can change it by using the max.account.vpcs global parameter, which
+ controls the maximum number of VPCs an account is allowed to create.
+
+- The default number of tiers an account can create within a VPC is 3.
+ You can configure this number by using the vpc.max.networks
+ parameter.
+
+- Each tier should have an unique CIDR in the VPC. Ensure that the
+ tier's CIDR should be within the VPC CIDR range.
+
+- A tier belongs to only one VPC.
+
+- All network tiers inside the VPC should belong to the same account.
+
+- When a VPC is created, by default, a SourceNAT IP is allocated to it.
+ The Source NAT IP is released only when the VPC is removed.
+
+- A public IP can be used for only one purpose at a time. If the IP is
+ a sourceNAT, it cannot be used for StaticNAT or port forwarding.
+
+- The instances can only have a private IP address that you provision.
+ To communicate with the Internet, enable NAT to an instance that you
+ launch in your VPC.
+
+- Only new networks can be added to a VPC. The maximum number of
+ networks per VPC is limited by the value you specify in the
+ vpc.max.networks parameter. The default value is three.
+
+- The load balancing service can be supported by only one tier inside
+ the VPC.
+
+- If an IP address is assigned to a tier:
+
+ - That IP can't be used by more than one tier at a time in the VPC.
+ For example, if you have tiers A and B, and a public IP1, you can
+ create a port forwarding rule by using the IP either for A or B,
+ but not for both.
+
+ - That IP can't be used for StaticNAT, load balancing, or port
+ forwarding rules for another guest network inside the VPC.
+
+- Remote access VPN is not supported in VPC networks.
+
+
+Adding a Virtual Private Cloud
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When creating the VPC, you simply provide the zone and a set of IP
+addresses for the VPC network address space. You specify this set of
+addresses in the form of a Classless Inter-Domain Routing (CIDR) block.
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+#. Click Add VPC. The Add VPC page is displayed as follows:
+
+ |add-vpc.png|
+
+ Provide the following information:
+
+ - **Name**: A short name for the VPC that you are creating.
+
+ - **Description**: A brief description of the VPC.
+
+ - **Zone**: Choose the zone where you want the VPC to be available.
+
+ - **Super CIDR for Guest Networks**: Defines the CIDR range for all
+ the tiers (guest networks) within a VPC. When you create a tier,
+ ensure that its CIDR is within the Super CIDR value you enter. The
+ CIDR must be RFC1918 compliant.
+
+ - **DNS domain for Guest Networks**: If you want to assign a special
+ domain name, specify the DNS suffix. This parameter is applied to
+ all the tiers within the VPC. That implies, all the tiers you
+ create in the VPC belong to the same DNS domain. If the parameter
+ is not specified, a DNS domain name is generated automatically.
+
+ - **Public Load Balancer Provider**: You have two options: VPC
+ Virtual Router and Netscaler.
+
+#. Click OK.
+
+
+Adding Tiers
+~~~~~~~~~~~~
+
+Tiers are distinct locations within a VPC that act as isolated networks,
+which do not have access to other tiers by default. Tiers are set up on
+different VLANs that can communicate with each other by using a virtual
+router. Tiers provide inexpensive, low latency network connectivity to
+other tiers within the VPC.
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPC that you have created for the account is listed in the
+ page.
+
+ .. note::
+ The end users can see their own VPCs, while root and domain admin can
+ see any VPC they are authorized to see.
+
+#. Click the Configure button of the VPC for which you want to set up
+ tiers.
+
+#. Click Create network.
+
+ The Add new tier dialog is displayed, as follows:
+
+ |add-tier.png|
+
+ If you have already created tiers, the VPC diagram is displayed.
+ Click Create Tier to add a new tier.
+
+#. Specify the following:
+
+ All the fields are mandatory.
+
+ - **Name**: A unique name for the tier you create.
+
+ - **Network Offering**: The following default network offerings are
+ listed: Internal LB,
+ DefaultIsolatedNetworkOfferingForVpcNetworksNoLB,
+ DefaultIsolatedNetworkOfferingForVpcNetworks
+
+ In a VPC, only one tier can be created by using LB-enabled network
+ offering.
+
+ - **Gateway**: The gateway for the tier you create. Ensure that the
+ gateway is within the Super CIDR range that you specified while
+ creating the VPC, and is not overlapped with the CIDR of any
+ existing tier within the VPC.
+
+ - **VLAN**: The VLAN ID for the tier that the root admin creates.
+
+ This option is only visible if the network offering you selected
+ is VLAN-enabled.
+
+ For more information, see `"Assigning VLANs to
+ Isolated Networks" <hosts.html#assigning-vlans-to-isolated-networks>`_.
+
+ - **Netmask**: The netmask for the tier you create.
+
+ For example, if the VPC CIDR is 10.0.0.0/16 and the network tier
+ CIDR is 10.0.1.0/24, the gateway of the tier is 10.0.1.1, and the
+ netmask of the tier is 255.255.255.0.
+
+#. Click OK.
+
+#. Continue with configuring access control list for the tier.
+
+
+.. _conf-net-acl:
+
+Configuring Network Access Control List
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Define Network Access Control List (ACL) on the VPC virtual router to
+control incoming (ingress) and outgoing (egress) traffic between the VPC
+tiers, and the tiers and Internet. By default, all incoming traffic to
+the guest networks is blocked and all outgoing traffic from guest
+networks is allowed, once you add an ACL rule for outgoing traffic, then
+only outgoing traffic specified in this ACL rule is allowed, the rest is
+blocked. To open the ports, you must create a new network ACL. The
+network ACLs can be created for the tiers only if the NetworkACL service
+is supported.
+
+
+About Network ACL Lists
+^^^^^^^^^^^^^^^^^^^^^^^
+
+In CloudStack terminology, Network ACL is a group of Network ACL items.
+Network ACL items are nothing but numbered rules that are evaluated in
+order, starting with the lowest numbered rule. These rules determine
+whether traffic is allowed in or out of any tier associated with the
+network ACL. You need to add the Network ACL items to the Network ACL,
+then associate the Network ACL with a tier. Network ACL is associated
+with a VPC and can be assigned to multiple VPC tiers within a VPC. A
+Tier is associated with a Network ACL at all the times. Each tier can be
+associated with only one ACL.
+
+The default Network ACL is used when no ACL is associated. Default
+behavior is all the incoming traffic is blocked and outgoing traffic is
+allowed from the tiers. Default network ACL cannot be removed or
+modified. Contents of the default Network ACL is:
+
+===== ======== ============ ====== =========
+Rule Protocol Traffic type Action CIDR
+===== ======== ============ ====== =========
+1 All Ingress Deny 0.0.0.0/0
+2 All Egress Deny 0.0.0.0/0
+===== ======== ============ ====== =========
+
+
+Creating ACL Lists
+^^^^^^^^^^^^^^^^^^
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Click the Configure button of the VPC.
+
+ For each tier, the following options are displayed:
+
+ - Internal LB
+
+ - Public LB IP
+
+ - Static NAT
+
+ - Virtual Machines
+
+ - CIDR
+
+ The following router information is displayed:
+
+ - Private Gateways
+
+ - Public IP Addresses
+
+ - Site-to-Site VPNs
+
+ - Network ACL Lists
+
+#. Select Network ACL Lists.
+
+ The following default rules are displayed in the Network ACLs page:
+ default\_allow, default\_deny.
+
+#. Click Add ACL Lists, and specify the following:
+
+ - **ACL List Name**: A name for the ACL list.
+
+ - **Description**: A short description of the ACL list that can be
+ displayed to users.
+
+
+Creating an ACL Rule
+^^^^^^^^^^^^^^^^^^^^
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Click the Configure button of the VPC.
+
+#. Select Network ACL Lists.
+
+ In addition to the custom ACL lists you have created, the following
+ default rules are displayed in the Network ACLs page: default\_allow,
+ default\_deny.
+
+#. Select the desired ACL list.
+
+#. Select the ACL List Rules tab.
+
+ To add an ACL rule, fill in the following fields to specify what kind
+ of network traffic is allowed in the VPC.
+
+ - **Rule Number**: The order in which the rules are evaluated.
+
+ - **CIDR**: The CIDR acts as the Source CIDR for the Ingress rules,
+ and Destination CIDR for the Egress rules. To accept traffic only
+ from or to the IP addresses within a particular address block,
+ enter a CIDR or a comma-separated list of CIDRs. The CIDR is the
+ base IP address of the incoming traffic. For example,
+ 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.
+
+ - **Action**: What action to be taken. Allow traffic or block.
+
+ - **Protocol**: The networking protocol that sources use to send
+ traffic to the tier. The TCP and UDP protocols are typically used
+ for data exchange and end-user communications. The ICMP protocol
+ is typically used to send error messages or network monitoring
+ data. All supports all the traffic. Other option is Protocol
+ Number.
+
+ - **Start Port**, **End Port** (TCP, UDP only): A range of listening
+ ports that are the destination for the incoming traffic. If you
+ are opening a single port, use the same number in both fields.
+
+ - **Protocol Number**: The protocol number associated with IPv4 or
+ IPv6. For more information, see `Protocol Numbers
+ <http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml>`_.
+
+ - **ICMP Type**, **ICMP Code** (ICMP only): The type of message and
+ error code that will be sent.
+
+ - **Traffic Type**: The type of traffic: Incoming or outgoing.
+
+#. Click Add. The ACL rule is added.
+
+ You can edit the tags assigned to the ACL rules and delete the ACL
+ rules you have created. Click the appropriate button in the Details
+ tab.
+
+
+Creating a Tier with Custom ACL List
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+#. Create a VPC.
+
+#. Create a custom ACL list.
+
+#. Add ACL rules to the ACL list.
+
+#. Create a tier in the VPC.
+
+ Select the desired ACL list while creating a tier.
+
+#. Click OK.
+
+
+Assigning a Custom ACL List to a Tier
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+#. Create a VPC.
+
+#. Create a tier in the VPC.
+
+#. Associate the tier with the default ACL rule.
+
+#. Create a custom ACL list.
+
+#. Add ACL rules to the ACL list.
+
+#. Select the tier for which you want to assign the custom ACL.
+
+#. Click the Replace ACL List icon. |replace-acl-icon.png|
+
+ The Replace ACL List dialog is displayed.
+
+#. Select the desired ACL list.
+
+#. Click OK.
+
+
+.. _adding-priv-gw-vpc:
+
+Adding a Private Gateway to a VPC
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A private gateway can be added by the root admin only. The VPC private
+network has 1:1 relationship with the NIC of the physical network. You
+can configure multiple private gateways to a single VPC. No gateways
+with duplicated VLAN and IP are allowed in the same data center.
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Click the Configure button of the VPC to which you want to configure
+ load balancing rules.
+
+ The VPC page is displayed where all the tiers you created are listed
+ in a diagram.
+
+#. Click the Settings icon.
+
+ The following options are displayed.
+
+ - Internal LB
+
+ - Public LB IP
+
+ - Static NAT
+
+ - Virtual Machines
+
+ - CIDR
+
+ The following router information is displayed:
+
+ - Private Gateways
+
+ - Public IP Addresses
+
+ - Site-to-Site VPNs
+
+ - Network ACL Lists
+
+#. Select Private Gateways.
+
+ The Gateways page is displayed.
+
+#. Click Add new gateway:
+
+ |add-new-gateway-vpc.png|
+
+#. Specify the following:
+
+ - **Physical Network**: The physical network you have created in the
+ zone.
+
+ - **IP Address**: The IP address associated with the VPC gateway.
+
+ - **Gateway**: The gateway through which the traffic is routed to
+ and from the VPC.
+
+ - **Netmask**: The netmask associated with the VPC gateway.
+
+ - **VLAN**: The VLAN associated with the VPC gateway.
+
+ - **Source NAT**: Select this option to enable the source NAT
+ service on the VPC private gateway.
+
+ See ":ref:`source-nat-priv-gw`".
+
+ - **ACL**: Controls both ingress and egress traffic on a VPC private
+ gateway. By default, all the traffic is blocked.
+
+ See ":ref:`acl-priv-gw`".
+
+ The new gateway appears in the list. You can repeat these steps to
+ add more gateway for this VPC.
+
+
+.. _source-nat-priv-gw:
+
+Source NAT on Private Gateway
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+You might want to deploy multiple VPCs with the same super CIDR and
+guest tier CIDR. Therefore, multiple guest VMs from different VPCs can
+have the same IPs to reach a enterprise data center through the private
+gateway. In such cases, a NAT service need to be configured on the
+private gateway to avoid IP conflicts. If Source NAT is enabled, the
+guest VMs in VPC reaches the enterprise network via private gateway IP
+address by using the NAT service.
+
+The Source NAT service on a private gateway can be enabled while adding
+the private gateway. On deletion of a private gateway, source NAT rules
+specific to the private gateway are deleted.
+
+To enable source NAT on existing private gateways, delete them and
+create afresh with source NAT.
+
+
+.. _acl-priv-gw:
+
+ACL on Private Gateway
+^^^^^^^^^^^^^^^^^^^^^^
+
+The traffic on the VPC private gateway is controlled by creating both
+ingress and egress network ACL rules. The ACLs contains both allow and
+deny rules. As per the rule, all the ingress traffic to the private
+gateway interface and all the egress traffic out from the private
+gateway interface are blocked.
+
+You can change this default behaviour while creating a private gateway.
+Alternatively, you can do the following:
+
+#. In a VPC, identify the Private Gateway you want to work with.
+
+#. In the Private Gateway page, do either of the following:
+
+ - Use the Quickview. See 3.
+
+ - Use the Details tab. See 4 through .
+
+#. In the Quickview of the selected Private Gateway, click Replace ACL,
+ select the ACL rule, then click OK
+
+#. Click the IP address of the Private Gateway you want to work with.
+
+#. In the Detail tab, click the Replace ACL button.
+ |replace-acl-icon.png|
+
+ The Replace ACL dialog is displayed.
+
+#. select the ACL rule, then click OK.
+
+ Wait for few seconds. You can see that the new ACL rule is displayed
+ in the Details page.
+
+
+Creating a Static Route
+^^^^^^^^^^^^^^^^^^^^^^^
+
+CloudStack enables you to specify routing for the VPN connection you
+create. You can enter one or CIDR addresses to indicate which traffic is
+to be routed back to the gateway.
+
+#. In a VPC, identify the Private Gateway you want to work with.
+
+#. In the Private Gateway page, click the IP address of the Private
+ Gateway you want to work with.
+
+#. Select the Static Routes tab.
+
+#. Specify the CIDR of destination network.
+
+#. Click Add.
+
+ Wait for few seconds until the new route is created.
+
+
+Blacklisting Routes
+^^^^^^^^^^^^^^^^^^^
+
+CloudStack enables you to block a list of routes so that they are not
+assigned to any of the VPC private gateways. Specify the list of routes
+that you want to blacklist in the ``blacklisted.routes`` global
+parameter. Note that the parameter update affects only new static route
+creations. If you block an existing static route, it remains intact and
+continue functioning. You cannot add a static route if the route is
+blacklisted for the zone.
+
+
+Deploying VMs to the Tier
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Click the Configure button of the VPC to which you want to deploy the
+ VMs.
+
+ The VPC page is displayed where all the tiers you have created are
+ listed.
+
+#. Click Virtual Machines tab of the tier to which you want to add a VM.
+
+ |add-vm-vpc.png|
+
+ The Add Instance page is displayed.
+
+ Follow the on-screen instruction to add an instance. For information
+ on adding an instance, see the Installation Guide.
+
+
+Deploying VMs to VPC Tier and Shared Networks
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+CloudStack allows you deploy VMs on a VPC tier and one or more shared
+networks. With this feature, VMs deployed in a multi-tier application
+can receive monitoring services via a shared network provided by a
+service provider.
+
+#. Log in to the CloudStack UI as an administrator.
+
+#. In the left navigation, choose Instances.
+
+#. Click Add Instance.
+
+#. Select a zone.
+
+#. Select a template or ISO, then follow the steps in the wizard.
+
+#. Ensure that the hardware you have allows starting the selected
+ service offering.
+
+#. Under Networks, select the desired networks for the VM you are
+ launching.
+
+ You can deploy a VM to a VPC tier and multiple shared networks.
+
+ |addvm-tier-sharednw.png|
+
+#. Click Next, review the configuration and click Launch.
+
+ Your VM will be deployed to the selected VPC tier and shared network.
+
+
+Acquiring a New IP Address for a VPC
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When you acquire an IP address, all IP addresses are allocated to VPC,
+not to the guest networks within the VPC. The IPs are associated to the
+guest network only when the first port-forwarding, load balancing, or
+Static NAT rule is created for the IP or the network. IP can't be
+associated to more than one network at a time.
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Click the Configure button of the VPC to which you want to deploy the
+ VMs.
+
+ The VPC page is displayed where all the tiers you created are listed
+ in a diagram.
+
+ The following options are displayed.
+
+ - Internal LB
+
+ - Public LB IP
+
+ - Static NAT
+
+ - Virtual Machines
+
+ - CIDR
+
+ The following router information is displayed:
+
+ - Private Gateways
+
+ - Public IP Addresses
+
+ - Site-to-Site VPNs
+
+ - Network ACL Lists
+
+#. Select IP Addresses.
+
+ The Public IP Addresses page is displayed.
+
+#. Click Acquire New IP, and click Yes in the confirmation dialog.
+
+ You are prompted for confirmation because, typically, IP addresses
+ are a limited resource. Within a few moments, the new IP address
+ should appear with the state Allocated. You can now use the IP
+ address in port forwarding, load balancing, and static NAT rules.
+
+
+Releasing an IP Address Alloted to a VPC
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The IP address is a limited resource. If you no longer need a particular
+IP, you can disassociate it from its VPC and return it to the pool of
+available addresses. An IP address can be released from its tier, only
+when all the networking ( port forwarding, load balancing, or StaticNAT
+) rules are removed for this IP address. The released IP address will
+still belongs to the same VPC.
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Click the Configure button of the VPC whose IP you want to release.
+
+ The VPC page is displayed where all the tiers you created are listed
+ in a diagram.
+
+ The following options are displayed.
+
+ - Internal LB
+
+ - Public LB IP
+
+ - Static NAT
+
+ - Virtual Machines
+
+ - CIDR
+
+ The following router information is displayed:
+
+ - Private Gateways
+
+ - Public IP Addresses
+
+ - Site-to-Site VPNs
+
+ - Network ACL Lists
+
+#. Select Public IP Addresses.
+
+ The IP Addresses page is displayed.
+
+#. Click the IP you want to release.
+
+#. In the Details tab, click the Release IP button |release-ip-icon.png|
+
+
+.. _enabling-disabling-static-nat-on-vpc:
+
+Enabling or Disabling Static NAT on a VPC
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A static NAT rule maps a public IP address to the private IP address of
+a VM in a VPC to allow Internet traffic to it. This section tells how to
+enable or disable static NAT for a particular IP address in a VPC.
+
+If port forwarding rules are already in effect for an IP address, you
+cannot enable static NAT to that IP.
+
+If a guest VM is part of more than one network, static NAT rules will
+function only if they are defined on the default network.
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Click the Configure button of the VPC to which you want to deploy the
+ VMs.
+
+ The VPC page is displayed where all the tiers you created are listed
+ in a diagram.
+
+ For each tier, the following options are displayed.
+
+ - Internal LB
+
+ - Public LB IP
+
+ - Static NAT
+
+ - Virtual Machines
+
+ - CIDR
+
+ The following router information is displayed:
+
+ - Private Gateways
+
+ - Public IP Addresses
+
+ - Site-to-Site VPNs
+
+ - Network ACL Lists
+
+#. In the Router node, select Public IP Addresses.
+
+ The IP Addresses page is displayed.
+
+#. Click the IP you want to work with.
+
+#. In the Details tab,click the Static NAT button. |enable-disable.png|
+ The button toggles between Enable and
+ Disable, depending on whether static NAT is currently enabled for the
+ IP address.
+
+#. If you are enabling static NAT, a dialog appears as follows:
+
+ |select-vmstatic-nat.png|
+
+#. Select the tier and the destination VM, then click Apply.
+
+
+Adding Load Balancing Rules on a VPC
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In a VPC, you can configure two types of load balancing: external LB and
+internal LB. External LB is nothing but a LB rule created to redirect
+the traffic received at a public IP of the VPC virtual router. The
+traffic is load balanced within a tier based on your configuration.
+Citrix NetScaler and VPC virtual router are supported for external LB.
+When you use internal LB service, traffic received at a tier is load
+balanced across different VMs within that tier. For example, traffic
+reached at Web tier is redirected to another VM in that tier. External
+load balancing devices are not supported for internal LB. The service is
+provided by a internal LB VM configured on the target tier.
+
+
+Load Balancing Within a Tier (External LB)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+A CloudStack user or administrator may create load balancing rules that
+balance traffic received at a public IP to one or more VMs that belong
+to a network tier that provides load balancing service in a VPC. A user
+creates a rule, specifies an algorithm, and assigns the rule to a set of
+VMs within a tier.
+
+
+Enabling NetScaler as the LB Provider on a VPC Tier
+'''''''''''''''''''''''''''''''''''''''''''''''''''
+
+#. Add and enable Netscaler VPX in dedicated mode.
+
+ Netscaler can be used in a VPC environment only if it is in dedicated
+ mode.
+
+#. Create a network offering, as given in ":ref:`create-net-offering-ext-lb`".
+
+#. Create a VPC with Netscaler as the Public LB provider.
+
+ For more information, see `"Adding a Virtual Private
+ Cloud" <#adding-a-virtual-private-cloud>`_.
+
+#. For the VPC, acquire an IP.
+
+#. Create an external load balancing rule and apply, as given in
+ :ref:`create-ext-lb-rule`.
+
+
+.. _create-net-offering-ext-lb:
+
+Creating a Network Offering for External LB
+'''''''''''''''''''''''''''''''''''''''''''
+
+To have external LB support on VPC, create a network offering as
+follows:
+
+#. Log in to the CloudStack UI as a user or admin.
+
+#. From the Select Offering drop-down, choose Network Offering.
+
+#. Click Add Network Offering.
+
+#. In the dialog, make the following choices:
+
+ - **Name**: Any desired name for the network offering.
+
+ - **Description**: A short description of the offering that can be
+ displayed to users.
+
+ - **Network Rate**: Allowed data transfer rate in MB per second.
+
+ - **Traffic Type**: The type of network traffic that will be carried
+ on the network.
+
+ - **Guest Type**: Choose whether the guest network is isolated or
+ shared.
+
+ - **Persistent**: Indicate whether the guest network is persistent
+ or not. The network that you can provision without having to
+ deploy a VM on it is termed persistent network.
+
+ - **VPC**: This option indicate whether the guest network is Virtual
+ Private Cloud-enabled. A Virtual Private Cloud (VPC) is a private,
+ isolated part of CloudStack. A VPC can have its own virtual
+ network topology that resembles a traditional physical network.
+ For more information on VPCs, see `"About Virtual Private Clouds" <#about-virtual-private-clouds>`_.
+
+ - **Specify VLAN**: (Isolated guest networks only) Indicate whether
+ a VLAN should be specified when this offering is used.
+
+ - **Supported Services**: Select Load Balancer. Use Netscaler or
+ VpcVirtualRouter.
+
+ - **Load Balancer Type**: Select Public LB from the drop-down.
+
+ - **LB Isolation**: Select Dedicated if Netscaler is used as the
+ external LB provider.
+
+ - **System Offering**: Choose the system service offering that you
+ want virtual routers to use in this network.
+
+ - **Conserve mode**: Indicate whether to use conserve mode. In this
+ mode, network resources are allocated only when the first virtual
+ machine starts in the network.
+
+#. Click OK and the network offering is created.
+
+
+.. _create-ext-lb-rule:
+
+Creating an External LB Rule
+''''''''''''''''''''''''''''
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Click the Configure button of the VPC, for which you want to
+ configure load balancing rules.
+
+ The VPC page is displayed where all the tiers you created listed in a
+ diagram.
+
+ For each tier, the following options are displayed:
+
+ - Internal LB
+
+ - Public LB IP
+
+ - Static NAT
+
+ - Virtual Machines
+
+ - CIDR
+
+ The following router information is displayed:
+
+ - Private Gateways
+
+ - Public IP Addresses
+
+ - Site-to-Site VPNs
+
+ - Network ACL Lists
+
+#. In the Router node, select Public IP Addresses.
+
+ The IP Addresses page is displayed.
+
+#. Click the IP address for which you want to create the rule, then
+ click the Configuration tab.
+
+#. In the Load Balancing node of the diagram, click View All.
+
+#. Select the tier to which you want to apply the rule.
+
+#. Specify the following:
+
+ - **Name**: A name for the load balancer rule.
+
+ - **Public Port**: The port that receives the incoming traffic to be
+ balanced.
+
+ - **Private Port**: The port that the VMs will use to receive the
+ traffic.
+
+ - **Algorithm**. Choose the load balancing algorithm you want
+ CloudStack to use. CloudStack supports the following well-known
+ algorithms:
+
+ - Round-robin
+
+ - Least connections
+
+ - Source
+
+ - **Stickiness**. (Optional) Click Configure and choose the
+ algorithm for the stickiness policy. See Sticky Session Policies
+ for Load Balancer Rules.
+
+ - **Add VMs**: Click Add VMs, then select two or more VMs that will
+ divide the load of incoming traffic, and click Apply.
+
+The new load balancing rule appears in the list. You can repeat these
+steps to add more load balancing rules for this IP address.
+
+
+Load Balancing Across Tiers
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+CloudStack supports sharing workload across different tiers within your
+VPC. Assume that multiple tiers are set up in your environment, such as
+Web tier and Application tier. Traffic to each tier is balanced on the
+VPC virtual router on the public side, as explained in
+`"Adding Load Balancing Rules on a VPC" <#adding-load-balancing-rules-on-a-vpc>`_.
+If you want the traffic coming
+from the Web tier to the Application tier to be balanced, use the
+internal load balancing feature offered by CloudStack.
+
+
+How Does Internal LB Work in VPC?
+'''''''''''''''''''''''''''''''''
+
+In this figure, a public LB rule is created for the public IP
+72.52.125.10 with public port 80 and private port 81. The LB rule,
+created on the VPC virtual router, is applied on the traffic coming from
+the Internet to the VMs on the Web tier. On the Application tier two
+internal load balancing rules are created. An internal LB rule for the
+guest IP 10.10.10.4 with load balancer port 23 and instance port 25 is
+configured on the VM, InternalLBVM1. Another internal LB rule for the
+guest IP 10.10.10.4 with load balancer port 45 and instance port 46 is
+configured on the VM, InternalLBVM1. Another internal LB rule for the
+guest IP 10.10.10.6, with load balancer port 23 and instance port 25 is
+configured on the VM, InternalLBVM2.
+
+|vpc-lb.png|
+
+
+Guidelines
+''''''''''
+
+- Internal LB and Public LB are mutually exclusive on a tier. If the
+ tier has LB on the public side, then it can't have the Internal LB.
+
+- Internal LB is supported just on VPC networks in CloudStack 4.2
+ release.
+
+- Only Internal LB VM can act as the Internal LB provider in CloudStack
+ 4.2 release.
+
+- Network upgrade is not supported from the network offering with
+ Internal LB to the network offering with Public LB.
+
+- Multiple tiers can have internal LB support in a VPC.
+
+- Only one tier can have Public LB support in a VPC.
+
+
+Enabling Internal LB on a VPC Tier
+''''''''''''''''''''''''''''''''''
+
+#. Create a network offering, as given in
+ :ref:`creating-net-offering-internal-lb`.
+
+#. Create an internal load balancing rule and apply, as given in
+ :ref:`create-int-lb-rule`.
+
+
+.. _creating-net-offering-internal-lb:
+
+Creating a Network Offering for Internal LB
+'''''''''''''''''''''''''''''''''''''''''''
+
+To have internal LB support on VPC, either use the default offering,
+DefaultIsolatedNetworkOfferingForVpcNetworksWithInternalLB, or create a
+network offering as follows:
+
+#. Log in to the CloudStack UI as a user or admin.
+
+#. From the Select Offering drop-down, choose Network Offering.
+
+#. Click Add Network Offering.
+
+#. In the dialog, make the following choices:
+
+ - **Name**: Any desired name for the network offering.
+
+ - **Description**: A short description of the offering that can be
+ displayed to users.
+
+ - **Network Rate**: Allowed data transfer rate in MB per second.
+
+ - **Traffic Type**: The type of network traffic that will be carried
+ on the network.
+
+ - **Guest Type**: Choose whether the guest network is isolated or
+ shared.
+
+ - **Persistent**: Indicate whether the guest network is persistent
+ or not. The network that you can provision without having to
+ deploy a VM on it is termed persistent network.
+
+ - **VPC**: This option indicate whether the guest network is Virtual
+ Private Cloud-enabled. A Virtual Private Cloud (VPC) is a private,
+ isolated part of CloudStack. A VPC can have its own virtual
+ network topology that resembles a traditional physical network.
+ For more information on VPCs, see `"About Virtual
+ Private Clouds" <#about-virtual-private-clouds>`_.
+
+ - **Specify VLAN**: (Isolated guest networks only) Indicate whether
+ a VLAN should be specified when this offering is used.
+
+ - **Supported Services**: Select Load Balancer. Select
+ ``InternalLbVM`` from the provider list.
+
+ - **Load Balancer Type**: Select Internal LB from the drop-down.
+
+ - **System Offering**: Choose the system service offering that you
+ want virtual routers to use in this network.
+
+ - **Conserve mode**: Indicate whether to use conserve mode. In this
+ mode, network resources are allocated only when the first virtual
+ machine starts in the network.
+
+#. Click OK and the network offering is created.
+
+
+.. _create-int-lb-rule:
+
+Creating an Internal LB Rule
+''''''''''''''''''''''''''''
+
+When you create the Internal LB rule and applies to a VM, an Internal LB
+VM, which is responsible for load balancing, is created.
+
+You can view the created Internal LB VM in the Instances page if you
+navigate to **Infrastructure** > **Zones** > <zone\_ name> >
+<physical\_network\_name> > **Network Service Providers** > **Internal
+LB VM**. You can manage the Internal LB VMs as and when required from
+the location.
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Locate the VPC for which you want to configure internal LB, then
+ click Configure.
+
+ The VPC page is displayed where all the tiers you created listed in a
+ diagram.
+
+#. Locate the Tier for which you want to configure an internal LB rule,
+ click Internal LB.
+
+ In the Internal LB page, click Add Internal LB.
+
+#. In the dialog, specify the following:
+
+ - **Name**: A name for the load balancer rule.
+
+ - **Description**: A short description of the rule that can be
+ displayed to users.
+
+ - **Source IP Address**: (Optional) The source IP from which traffic
+ originates. The IP is acquired from the CIDR of that particular
+ tier on which you want to create the Internal LB rule. If not
+ specified, the IP address is automatically allocated from the
+ network CIDR.
+
+ For every Source IP, a new Internal LB VM is created for load
+ balancing.
+
+ - **Source Port**: The port associated with the source IP. Traffic
+ on this port is load balanced.
+
+ - **Instance Port**: The port of the internal LB VM.
+
+ - **Algorithm**. Choose the load balancing algorithm you want
+ CloudStack to use. CloudStack supports the following well-known
+ algorithms:
+
+ - Round-robin
+
+ - Least connections
+
+ - Source
+
+
+Adding a Port Forwarding Rule on a VPC
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Click the Configure button of the VPC to which you want to deploy the
+ VMs.
+
+ The VPC page is displayed where all the tiers you created are listed
+ in a diagram.
+
+ For each tier, the following options are displayed:
+
+ - Internal LB
+
+ - Public LB IP
+
+ - Static NAT
+
+ - Virtual Machines
+
+ - CIDR
+
+ The following router information is displayed:
+
+ - Private Gateways
+
+ - Public IP Addresses
+
+ - Site-to-Site VPNs
+
+ - Network ACL Lists
+
+#. In the Router node, select Public IP Addresses.
+
+ The IP Addresses page is displayed.
+
+#. Click the IP address for which you want to create the rule, then
+ click the Configuration tab.
+
+#. In the Port Forwarding node of the diagram, click View All.
+
+#. Select the tier to which you want to apply the rule.
+
+#. Specify the following:
+
+ - **Public Port**: The port to which public traffic will be
+ addressed on the IP address you acquired in the previous step.
+
+ - **Private Port**: The port on which the instance is listening for
+ forwarded public traffic.
+
+ - **Protocol**: The communication protocol in use between the two
+ ports.
+
+ - TCP
+
+ - UDP
+
+ - **Add VM**: Click Add VM. Select the name of the instance to which
+ this rule applies, and click Apply.
+
+ You can test the rule by opening an SSH session to the instance.
+
+
+Removing Tiers
+~~~~~~~~~~~~~~
+
+You can remove a tier from a VPC. A removed tier cannot be revoked. When
+a tier is removed, only the resources of the tier are expunged. All the
+network rules (port forwarding, load balancing and staticNAT) and the IP
+addresses associated to the tier are removed. The IP address still be
+belonging to the same VPC.
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPC that you have created for the account is listed in the
+ page.
+
+#. Click the Configure button of the VPC for which you want to set up
+ tiers.
+
+ The Configure VPC page is displayed. Locate the tier you want to work
+ with.
+
+#. Select the tier you want to remove.
+
+#. In the Network Details tab, click the Delete Network button.
+ |del-tier.png|
+
+ Click Yes to confirm. Wait for some time for the tier to be removed.
+
+
+Editing, Restarting, and Removing a Virtual Private Cloud
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. note:: Ensure that all the tiers are removed before you remove a VPC.
+
+#. Log in to the CloudStack UI as an administrator or end user.
+
+#. In the left navigation, choose Network.
+
+#. In the Select view, select VPC.
+
+ All the VPCs that you have created for the account is listed in the
+ page.
+
+#. Select the VPC you want to work with.
+
+#. In the Details tab, click the Remove VPC button |remove-vpc.png|
+
+ You can remove the VPC by also using the remove button in the Quick
+ View.
+
+ You can edit the name and description of a VPC. To do that, select
+ the VPC, then click the Edit button. |vpc-edit-icon.png|
+
+ To restart a VPC, select the VPC, then click the Restart button.
+ |restart-vpc.png|
+
+
+.. |add-vpc.png| image:: /_static/images/add-vpc.png
+ :alt: adding a vpc.
+.. |add-tier.png| image:: /_static/images/add-tier.png
+ :alt: adding a tier to a vpc.
+.. |replace-acl-icon.png| image:: /_static/images/replace-acl-icon.png
+ :alt: button to replace an ACL list
+.. |add-new-gateway-vpc.png| image:: /_static/images/add-new-gateway-vpc.png
+ :alt: adding a private gateway for the VPC.
+.. |add-vm-vpc.png| image:: /_static/images/add-vm-vpc.png
+ :alt: adding a VM to a vpc.
+.. |addvm-tier-sharednw.png| image:: /_static/images/addvm-tier-sharednw.png
+ :alt: adding a VM to a VPC tier and shared network.
+.. |release-ip-icon.png| image:: /_static/images/release-ip-icon.png
+ :alt: button to release an IP.
+.. |enable-disable.png| image:: /_static/images/enable-disable.png
+ :alt: button to enable Static NAT.
+.. |select-vmstatic-nat.png| image:: /_static/images/select-vm-staticnat-vpc.png
+ :alt: selecting a tier to apply staticNAT.
+.. |vpc-lb.png| image:: /_static/images/vpc-lb.png
+ :alt: Configuring internal LB for VPC
+.. |del-tier.png| image:: /_static/images/del-tier.png
+ :alt: button to remove a tier
+.. |vpc-edit-icon.png| image:: /_static/images/edit-icon.png
+ :alt: button to edit.
+.. |remove-vpc.png| image:: /_static/images/remove-vpc.png
+ :alt: button to remove a VPC
+.. |restart-vpc.png| image:: /_static/images/restart-vpc.png
+ :alt: button to restart a VPC
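Review bot: The "How Does Internal LB Work in VPC?" paragraph says "On the Application tier two internal load balancing rules are created" but then describes three rules (10.10.10.4 port 23/25 on InternalLBVM1, 10.10.10.4 port 45/46 on InternalLBVM1, and 10.10.10.6 port 23/25 on InternalLBVM2); either the count should read "three" or one of the "Another internal LB rule ..." sentences is a leftover duplicate and should be dropped. In the same area, the "Instance Port" bullet under "Creating an Internal LB Rule" describes it as "The port of the internal LB VM", which contradicts the figure text where the instance port (25, 46) is the port the balanced VMs listen on while the load balancer port (23, 45) belongs to the Internal LB VM; please reword so readers do not open the wrong port in their ACLs. Smaller wording fixes worth folding in before merge: "In the Details tab,click the Static NAT button" is missing a space; "All the VPCs that you have created for the account is listed" should be "are listed" (it recurs in every procedure, including "All the VPC that you have created" under Removing Tiers); "all the tiers you created listed in a diagram" is missing "are"; "When you create the Internal LB rule and applies to a VM" should be "and apply it to a VM"; "<zone\_ name>" has a stray space inside the escape and should match "<physical\_network\_name>"; and under Removing Tiers, "A removed tier cannot be revoked" presumably means "cannot be restored", and "The IP address still be belonging to the same VPC" should read "The IP addresses still belong to the same VPC" so it is clear the public IPs are released back to the VPC rather than to the zone.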