Skip to content

Virtual Private Cloud (VPC)

A virtual private cloud (VPC) is a secure and isolated private cloud infrastructure hosted within a public cloud. You can use a VPC to restrict public access to web services. For example, you can have a web service connect to its database service via a private network, but still be accessible from a public network. This way, a VPC creates an additional layer of security and control.

In SolusVM 2, you can configure a VPC for yourself as well as offer it to your users.

Known Issues and Limitations

At the moment, the following limitations exist:

  • Only KVM virtual servers support the VPC feature.
  • For security reasons, you can't use a VPC if your compute resources have only public IP addresses. We're planning to remove this restriction in the future to allow a VPC for such compute resources as well. Meanwhile, you can use WireGuard to create tunnels between compute resources over a public network and then use the WireGuard interface IP address as the SolusVM 2 "IP for VPC networks" setting.
  • It's impossible to create a virtual server without a public IP address and with a VPC only.
    We're planning to remove this restriction in the future.

The VPC feature also has some aspects worth mentioning:

  • In SolusVM 2, a VPC is a location-bound feature.
  • All virtual servers created in SolusVM 2 and attached to a VPC use the Open vSwitch (OVS) technology, while those created in SolusVM 1, Linux bridge. If you migrate VPC-attached servers from SolusVM 1 to SolusVM 2, the latter automatically changes the type of the migrated servers to Open vSwitch.

VPC Configuration Overview

The usual process of providing a VPC for users' virtual servers consists of the following steps:

  1. You create a VPC in the Administrator Area.
  2. You grant users the VPC-related permissions.
  3. Users attach their servers to the created VPC.

We'll break down each step in more detail below.

Creating a VPC

To create a VPC network:

  1. Go to Compute Resources.

  2. Choose a compute resource that will offer a VPC.

    Note

    Make sure the compute resource is only related to one location. Otherwise, when necessary, SolusVM 2 will pick the location with the highest ID.

  3. Click the icon next to the compute resource of your choice.

  4. In the "Network" section, under "IP for VPC network", specify a private IPv4 address which belongs to one of the following ranges:

    10.0.0.0 – 10.255.255.255 (10.0.0.0/8 prefix)
172.16.0.0 – 172.31.255.255  (172.16.0.0/12 prefix)
192.168.0.0 – 192.168.255.255 (192.168.0.0/16 prefix)

  5. Go to Network > VPC Networks, and then click Create VPC Network.

  6. Give your VPC network a recognizable name.

  7. Choose the network's list type. The type defines the way IP addresses will be assigned to the VPC network:

    • To allocate a range of private IP addresses (for example, 10.1.1.1 – 10.1.1.7), select "Range".
    • To assign individual private IP addresses in a random order (for example, 10.1.1.1 and 10.1.1.6), select "Set".

  8. If you've selected "Range" in the previous step, specify a range of private IP addresses. If you've selected "Set", there's no need to do that. Users will later add individual private IP addresses for this VPC network in the User Area.

  9. Specify the IP addresses' netmask.

  10. Select the location of the VPC network.
  11. Specify the email address of the network owner. You can create a VPC network for yourself or another user.

  12. Click Save.

You've created a VPC network. If you've created it for yourself, you got the job done. If you've created it for another user, you need to make sure they have the required permissions.

The VPC feature introduces the following permissions:

  • manage all VPC networks
  • manage owned VPC networks
  • get VPC networks

The "manage all VPC networks" permission should be reserved only for the Administrator role.

With the "manage owned VPC networks" permission, a user can create their own VPC network and also attach and detach virtual servers from it.

With the "get VPC networks" permission, a user can see VPC networks created and attached to their virtual servers by you. They can neither create their own VPC networks nor detach those created by you from their virtual servers.

Without any VPC permissions granted, a user can still see private IP addresses from the VPC network but can't see which VPC network has provided these IP addresses.

Usually, you choose to grant the "manage owned VPC networks" and "get VPC networks" permissions. The "Client" role doesn't have them enabled by default, and you cannot edit the role because it's built-in.

You will need to create a new role with a set of permissions related to a VPC, and then assign this role to one or multiple users.

To grant users the permissions to use the VPC network:

  1. Go to Access > Roles, and then click Add Role.
  2. Give the role a recognizable name.

  3. Select the "manage owned VPC networks" and "get VPC networks" permissions.

  4. Click Save.

  5. Go to Access > Users.
  6. Click the icon next to the user you want to grant the new role to.
  7. Under "Role", keep the default client role, and then select the new role you have created.
  8. Click Save.

The user now has the necessary permissions.

Learn more about creating and using roles and permissions.

Attaching Servers to the VPC in the User Area

If you've granted the "manage owned VPC networks" and "get VPC networks" permissions, users can now attach and detach their virtual servers from the VPC. They can do so while editing already existing servers.

They can also attach a new server to the VPC when they create the server.