
Private Network

Warning

This feature is currently only available in the Prevessin DC.

This page explains how to create your own private network in the CERN Cloud Infrastructure and what the current limitations are.

With the OpenStack APIs we offer self-service private networks.

Quotas

Before you start: networks, subnets and related resources are subject to quota. To create a private network, your project needs quota for at least one network and one subnet. You can check your current limits with openstack quota show.

Basic Network

For a private network, you need to create a network with subnets in OpenStack.

openstack network create my-private-network
openstack subnet create --subnet-range 10.102.234.0/24 --network my-private-network my-private-network-subnet-01

CERN has reserved the range below for cloud private/tenant networks so that it does not conflict with other services and can still be reached from other points if necessary; pick your subnet from inside it. In most cases a smaller subnet is enough, so take a slice of the range (e.g. 10.102.NNN.0/24) rather than the whole /16.

IPv4
Network name: SERVICES-VIRTUAL-PRIVATE-NET-3
IP: 10.102.0.0/16
Remarks: Reserved for IT (Cloud VM private/tenant networks) - non-routable net

To spawn a VM in this network, attach it to the network at creation time:

openstack server create --flavor m2.small --image "ALMA9 - x86_64" --network my-private-network my-vm-in-private-network
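The three commands above, wrapped in a script that first checks the requested CIDR really is a slice of the reserved 10.102.0.0/16 range before anything is created. This is an added example, not part of the CERN Cloud documentation; it assumes an authenticated openstack CLI (OS_* variables set), and the script name privnet.sh, the function names and the "strict sub-block of the parent range" rule are choices made here, not CERN policy.

```shell
#!/bin/sh
# Added example (not from the CERN Cloud docs): create a private network only
# after checking that the requested CIDR lies inside CERN's reserved
# SERVICES-VIRTUAL-PRIVATE-NET-3 range (10.102.0.0/16) and is a proper slice of it.
# Assumed: the openstack CLI is installed and authenticated (OS_* env vars).
set -eu

CERN_PRIVATE_RANGE="10.102.0.0/16"   # from the table above

# Dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_in_range CANDIDATE PARENT: succeed only if CANDIDATE is a strict
# sub-block of PARENT (longer prefix, same network bits), e.g.
# 10.102.234.0/24 inside 10.102.0.0/16. The whole /16 is deliberately rejected.
cidr_in_range() {
  cand_ip=${1%/*}; cand_len=${1#*/}
  par_ip=${2%/*};  par_len=${2#*/}
  [ "$cand_len" -gt "$par_len" ] || return 1
  # Top par_len bits set, computed without relying on 32-bit wraparound.
  mask=$(( 4294967295 - ((1 << (32 - par_len)) - 1) ))
  [ $(( $(ip_to_int "$cand_ip") & mask )) -eq $(( $(ip_to_int "$par_ip") & mask )) ]
}

# create_private_network NAME CIDR: the network plus its first subnet. DHCP is
# left at its default (enabled) so VMs get an address and the metadata route.
create_private_network() {
  cidr_in_range "$2" "$CERN_PRIVATE_RANGE" || {
    echo "refusing: $2 is not a slice of $CERN_PRIVATE_RANGE" >&2
    return 1
  }
  openstack network create "$1"
  openstack subnet create --subnet-range "$2" --network "$1" "$1-subnet-01"
}

# boot_in_private_network NETWORK VMNAME: attach the VM to the private network only.
boot_in_private_network() {
  openstack server create --flavor m2.small --image "ALMA9 - x86_64" \
    --network "$1" "$2"
}

# Usage: sh privnet.sh my-private-network 10.102.234.0/24 my-vm-in-private-network
if [ "$#" -eq 3 ]; then
  create_private_network "$1" "$2"
  boot_in_private_network "$1" "$3"
fi
```

The range check is pure shell so it can be tried without cloud credentials; only create_private_network and boot_in_private_network talk to the API, and they are the page's own commands.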

Router

Note

This feature is not yet enabled.

For connectivity between different private networks, or to the public network, you can configure a router.

openstack router create --external-gateway CERN_NETWORK my-router
openstack router add subnet my-router my-private-network-subnet-01

Sharing network with different project

The API provides a way to share certain network objects with other projects or publicly. If your project owns the network, you can share it with another project whose UUID you know.

In the project that owns the network, create the network as above and then share it with another OpenStack project:

openstack network rbac create --type network --action access_as_shared --target-project $OTHER_PROJECT_UUID my-private-network

This allows the other project to create ports on your network and use the resources you have configured on it. If a router is attached to the shared network, VMs in the other project can use it as well by default; in that case you are also responsible for the traffic that leaves through that router!
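Because a share hands another project the use of your network (and your router, and the responsibility for its egress), it is worth keeping the share, the audit and the revocation together. The script below is an added example, not part of the CERN Cloud documentation: the share command is the page's own, the UUID check, the listing helper and the revoke helper are additions, and the script and function names are placeholders chosen here. It assumes an authenticated openstack CLI in the project that owns the network.

```shell
#!/bin/sh
# Added example (not from the CERN Cloud docs): share a private network with a
# second project by UUID, list the shares currently in place, and revoke one.
# Assumed: authenticated openstack CLI in the project that owns the network.
set -eu

# The page asks for the other project's UUID; refuse anything else so that a
# typo or a name cannot quietly share the network with the wrong project.
is_uuid() {
  printf '%s\n' "$1" |
    grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# share_network NETWORK PROJECT_UUID
share_network() {
  is_uuid "$2" || { echo "not a project UUID: $2" >&2; return 1; }
  openstack network rbac create --type network --action access_as_shared \
    --target-project "$2" "$1"
}

# list_network_shares NETWORK: every access_as_shared rule that points at this
# network. Each line is a project whose VMs may use your network and router;
# review it regularly, since their egress traffic is yours to answer for.
list_network_shares() {
  net_id=$(openstack network show -f value -c id "$1")
  openstack network rbac list --type network --action access_as_shared --long |
    grep "$net_id"
}

# unshare_network RBAC_RULE_ID: revoke one share (take the ID from the listing).
# Ports the other project already created on the network are not removed by
# this; check them with: openstack port list --network NETWORK
unshare_network() {
  openstack network rbac delete "$1"
}

# Usage:
#   sh share.sh share   my-private-network 8f1c2b3a-4d5e-4f60-8a7b-9c0d1e2f3a4b
#   sh share.sh list    my-private-network
#   sh share.sh unshare <rbac-rule-id>
if [ "$#" -ge 2 ]; then
  case "$1" in
    share)   share_network "$2" "$3" ;;
    list)    list_network_shares "$2" ;;
    unshare) unshare_network "$2" ;;
    *)       echo "unknown action: $1" >&2; exit 2 ;;
  esac
fi
```

The project UUID in the usage comment is a constructed placeholder. Only is_uuid runs without cloud credentials; the other functions wrap the openstack CLI.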

Offered services

In private networks, the Cloud Service offers a basic DHCP service if it is enabled on the subnet (the default), with the Cloud Metadata service reachable via a route announced by DHCP. VMs are registered in LanDB as devices, but their IPs and DNS names are not registered.

Currently there is no DNS service for private networks. In case you require one, you will have to set this up yourself.

Apart from that, the network behaves like an isolated L2/L3 segment that forwards traffic between the VMs/ports attached to it.

Note

Integration with other CERN services may not be straightforward, especially where a service depends on a proper hostname/IP mapping: Puppet-managed machines or Kerberos authentication, for example, rely on that information. A possible workaround is to create the VM in the public network and attach the private network as an additional interface; with some tweaking of the configuration it might work.

However, services like the Linuxsoft mirrors should work.