Technology.Life.Insight.

Dedicated server IP routing for VMs in a hosted datacenter

So you just got a great deal on a hosted/ dedicated server from one of the major hosting providers. KVM (IPMI) access has been established and the host OS has been installed, in this case Server 2008 x64. The server package comes with 1 dedicated and routable IP address but more are available for purchase, usually in packs.  The goal is, partially, to host VMs that are publically accessible from the internet. Hosters such as GigeNet and SoftLayer sell IP packs that are based on networks which rely on the primary host’s IP network. In other words, you can’t just assign the IPs from these ranges to VMs because, for one reason, they’re not on the same subnet as the host. The intention of the hoster is that you’ll bind these IPs to the NIC of the host, then assign them to websites. Access to these addresses are made available via the host’s primary network which has access to a default gateway. The IP pack networks have no gateway and as such are not routable on their own, even though they’re ultimately accessible via the internet. For example, my host’s IP is x.x.50.70/19 and my IP block is x.x.220.200/29. The /29 network has no routable gateway for my VMs to use and is not in the same subnet as my host so is unusable on its own. While this presents a challenge to solve it also offers some inherent security. The host, being on a completely separate subnet with a different IP scheme means that the it cannot be easily discovered via access to the VMs. There is nothing publicly accessible that exposes this relationship. Still with me?

To pull this off we need to enable routing on the host server. The same principle should apply to any host-based virtualization platform that makes use of virtual network interfaces (vNICs) to connect VM guests. In my scenario I’m using VMware Server 2.0. The first step is to enable the Network Policy and Access Services role in Server 2008. All that you need to make this work is RRAS which includes the RAS and Routing functionalities.

image image

Once installed, launch your virtual network configuration and set up a new virtual adapter. You could modify a default adapter but I prefer to leave these alone and build one from scratch. In VMware Server you have 3 options for virtual networks:

  • Bridged - shares the Host NIC with the virtual adapter (this requires routable IPs on the guest VMs)
  • NAT – allows you to put your guests on a private network (192.x) and all traffic in/out from the VMs will use the Host’s IP
  • Host-only – a private network shared with the host (this can be used to create an isolated network not internet accessible)

In this scenario the only viable option is the host-only network type which will allow me to bend the rules a bit. Create a new host virtual adapter and assign the subnet from your block of assigned IPs to it. This needs to be the address of the subnet which is not a usable address and in my case is .200.

image image

Once the new virtual adapter is created you will see a new network interface in the network connections list on the host. Assign the next IP in your block to this interface and this will become the gateway for your VMs.

image image

Now to apply the glue to hold it all together. In RRAS, create a new static route under the IPv4 context. Select the new virtual gateway interface (VMnet2) and point it to the host server’s network, subnet mask, and gateway. The destination is the host network’s subnet address, in this case x.x.50.64.

image

Now when you set up your VMs, you will assign their vNICs to the VMnet2 adapter, give them usable IPs from the block (starting at .202), and specify .201 as the gateway. The VMs can now get out to the internet and are accessible directly via the internet for web hosting or whatever.

1 comment:

  1. It seems like a great idea and really informative post it was, I got some thing new here. web hosting service india


    website hosting services

    ReplyDelete

Recent Comments

Popular Posts

Powered by Blogger.

Twitter Feed

.

.