In this guide I will show you how to build a simple cloud network.
Piggybank Cloud gives you the means to create a fully functioning cloud network easily and cost-effectively.
The following diagram shows what the network will look like, to give you a clearer picture of what we are going to achieve.
Network Diagram 1.1
Adding a Virtual Firewall means that you can control traffic between networks. For example you could have a public server serving a website in your DMZ network and private storage and databases in your Private LAN. You would want to control the direction of traffic between the two networks, i.e. only allowing one-way traffic, initiated from your private LAN towards your DMZ and never from the DMZ back into the LAN.
The Virtual Firewall will also allow you to control traffic coming into your network from any external source. Your DMZ web server may have a port forward configured on the firewall for web traffic such as HTTP and HTTPS, whereby your web server is accessible from any source on ports 80 and 443. Access to your private network you will want to lock down to specific source IP addresses (if using a port forward) or allow only via VPN (Virtual Private Network).
1. Virtual Networks
You will need to ensure that you have the Virtual networks provisioned so that you can attach these to your devices. Simply navigate to Cloud/Virtual Networks.
1.1 Public IPv4 Address
This will be assigned to the WAN interface of your firewall.
Click Public IPv4 and then Create
1.2 VXLAN (Private Network)
Click VXLAN Private Networks and then Create
The VXLAN NIC is a layer 2 broadcast domain, which means that it acts like a switch. Any device connected to the same VXLAN NIC will be in the same layer 2 broadcast domain. You will have to configure each device in the same subnet in order for them to communicate with each other.
In the diagram "Network Diagram 1.1" above you will see VXLAN-3 and VXLAN-4.
VXLAN-3 is configured with the 192.168.1.0/24 subnet and VXLAN-4 is configured with the 192.168.200.0/24 subnet.
2. Deploy and configure Virtual Firewall
2.1 Click Cloud / Deploy Virtual Firewall.
If you click Operating System Info at the bottom of the page before you deploy the device – this will give you the resource recommendation and the username and password of the firewall.
You will only initially be able to allocate 2 NICs (Network Interface Cards) to the firewall. Any additional networks can be added once the Firewall has been deployed, by editing the Firewall.
In this instance I have added the WAN (IPv4 Public IP address) and the LAN (VXLAN-3) NIC.
You will see the hourly and monthly cost of the device and can optionally add the Firewall to monitoring.
Once the firewall has been deployed you will see it in your list of devices and will be able to click Manage to make any changes or review any information about the device.
2.3 Add additional NICs
2.3.1 Click the Manage button next to your firewall.
This will take you to the Manage page of your Firewall, where you can add Network Interface Cards, connect to your firewall using VNC, check Firewall information and reboot your firewall, to name a few.
2.3.2 Click add NIC
In addition to adding your DMZ NIC to your firewall, it is a good idea to add your DEV network NIC to your Firewall. This means that you will be able to access your firewall from your Development VPN. You will need to add the address that is allocated to the NIC to your firewall manually as a static IP address; simply scroll across in the network box to see what the address is. The example below is VLAN-113.
2.3.3 Reboot the firewall
Once you can see the NIC added in the portal you will need to reboot the firewall so that the NIC is picked up by the firewall.
2.4. Configure the Firewall IP addresses and assign interfaces
2.4.1 Login to your Firewall
http://91.203.x.x – simply browse to the firewall GUI by entering your IP address in the address bar of your browser.
You will be able to find the default username and password of the firewall under the heading Operating System Info on the Manage page.
2.4.2 Assign DMZ and Management NIC to firewall interface.
You will need to assign the firewall interface to the additional NIC/s that you have added for the DMZ and Management.
Click Interfaces / Assignments (located in the main menu bar at the top of the page)
Click Add and this will assign a pfSense interface to your Virtual NIC. You will see that the MAC addresses correspond with the MAC addresses of your Virtual NICs in the Manage section of the Virtual Machine where you added them. Simply move the slider across to view the MAC address.
2.4.3 Configure interface IP address
You will need to configure your gateway address for your LAN network and your DMZ network.
Click Interfaces / LAN
By default this will have an IP address configured, including the DHCP server setup. You can change this to your desired subnet. You will need to update your DHCP server to reflect the changed subnet.
The DHCP server is configured under Services / DHCP Server.
Click Interfaces / OPT (You will change this description to DMZ)
Click Interfaces / OPT2 (You will change this description to Management)
Make sure you change the Management address to the address that is allocated to the NIC in your Piggybank Customer Portal.
Your interfaces should be as follows:
Having a management interface ensures that you don't get locked out of your device and that you access the device securely over VPN.
2.5 Firewall NAT
2.5.1 Outbound Firewall NAT
You will need to NAT your traffic from your private networks to your WAN interface, as private addresses are not publicly routable.
The outbound NAT rules should be created automatically.
2.5.2 Inbound Firewall NAT or Port Forward
Click Firewall / NAT / Port Forward
In this example I have forwarded port 80 (http) to the Webserver with an IP address of 192.168.200.1. This is the Webserver connected to the DMZ interface. You will need to configure a corresponding rule on the WAN interface to allow this traffic.
2.6 Firewall Rules
You will need to make sure your two networks are allowed out to the internet. You will also need to control any incoming traffic to your web server.
You can also limit any traffic destined for your private network. For example, if you have a port forward for SSH to one of your private servers, you can limit this to a particular host IP, range or subnet. Ideally, access to your private network should be done using a VPN.
Also ensure that you control traffic between your LAN and DMZ networks. You do not want your DMZ network to have access to your Private LAN, as per the example below.
You configure rules on the incoming interface; simply select each interface to configure your desired rule set.
WAN / NAT rule example:
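The rule set described in this section (inbound port forward to the DMZ web server, LAN allowed out, DMZ blocked from the LAN, an SSH forward restricted to one source) can be checked before you commit it to the firewall. The following is an added example, not code from this guide or from pfSense: a small first-match rule evaluator in the style of pfSense (rules are evaluated on the interface the traffic enters, first match wins, anything unmatched is dropped). The subnets are the ones from the diagram; the admin source 203.0.113.0/24 and the test flows are constructed values using documentation address ranges.

```python
# Added example: first-match, interface-based rule evaluation modelling the
# policy in section 2.6. Not the guide's or pfSense's own code.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")         # VXLAN-3, Private LAN
DMZ = ip_network("192.168.200.0/24")       # VXLAN-4, DMZ
WEBSERVER = ip_network("192.168.200.1/32") # DMZ web server from the port-forward example
ADMIN_SOURCE = ip_network("203.0.113.0/24")  # constructed: the one source allowed to use the SSH forward


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]     # None means any destination port
    note: str


# Rules are keyed by the interface the packet ENTERS on. For the WAN port
# forward the filter rule is written against the internal (translated)
# destination, which is how pfSense applies NAT before filtering.
RULES: Dict[str, List[Rule]] = {
    "WAN": [
        Rule("pass", "tcp", ANY, WEBSERVER, 80, "port forward: HTTP to DMZ web server"),
        Rule("pass", "tcp", ANY, WEBSERVER, 443, "port forward: HTTPS to DMZ web server"),
        Rule("pass", "tcp", ADMIN_SOURCE, LAN, 22, "SSH forward limited to one admin source"),
    ],
    "LAN": [
        Rule("pass", "any", LAN, ANY, None, "LAN may reach the DMZ and the internet"),
    ],
    "DMZ": [
        # Order matters: the block must come before the general pass rule.
        Rule("block", "any", DMZ, LAN, None, "DMZ must never initiate into the private LAN"),
        Rule("pass", "any", DMZ, ANY, None, "DMZ may reach the internet"),
    ],
}


def evaluate(iface: str, proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, reason) for a new connection entering on `iface`.

    Only the first packet of a connection is modelled: reply traffic for an
    allowed connection is handled by the firewall's state table, not by rules.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES.get(iface, []):
        if rule.proto not in ("any", proto):
            continue
        if s not in rule.src or d not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule.note
    return "block", "implicit default deny (no rule matched)"


def policy_report() -> List[Tuple[str, str]]:
    """Evaluate a constructed set of flows that exercises every rule."""
    flows = [
        ("WAN", "tcp", "198.51.100.7", "192.168.200.1", 80),    # public web visitor
        ("WAN", "tcp", "198.51.100.7", "192.168.200.1", 22),    # SSH to web server: not forwarded
        ("WAN", "tcp", "198.51.100.7", "192.168.1.3", 22),      # SSH to LAN from wrong source
        ("WAN", "tcp", "203.0.113.9", "192.168.1.3", 22),       # SSH to LAN from admin source
        ("DMZ", "icmp", "192.168.200.1", "192.168.1.3", None),  # the failing ping in the test section
        ("DMZ", "tcp", "192.168.200.1", "198.51.100.1", 443),   # DMZ out to the internet
        ("LAN", "tcp", "192.168.1.3", "192.168.200.1", 3306),   # LAN towards DMZ
    ]
    return [(f"{f[0]} {f[1]} {f[2]}->{f[3]}:{f[4]}", evaluate(*f)[0]) for f in flows]


if __name__ == "__main__":
    for flow, action in policy_report():
        print(f"{action:5s}  {flow}")
```

Where the outcome differs from what you expect, the rule order on the entering interface is usually the cause, as the DMZ interface shows: swapping the two DMZ rules would silently open the LAN.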
3. Deploy and configure Virtual Servers
3.1 Click Cloud / Deploy Virtual Server
3.2 Select your Operating system (in this case Ubuntu 18.04)
3.2.1 Define your Virtual Machine Name and Root Password
3.3 Allocate Server Resource
You will see towards the bottom of the screen an Operating System Info tab; this gives the recommended minimum resources per Operating System.
3.4 Add NICs
You will see that I have allocated two NICs: one for the LAN subnet that connects to the Firewall and one for the management of the device, the (VLAN-113) Dev Network, which is accessible over your Development VPN. The Dev Network IP address is allocated automatically to your Virtual Machine.
Once you are happy with the configuration and pricing, simply agree to the terms and conditions and click Create Virtual Server.
You repeat this process for both the LAN server and the DMZ server, making sure you allocate the correct VXLAN NIC to each.
3.5 Development VPN access
You can download the VPN Client and config through your portal – simply click on Dev Net VPN on the right hand side menu under cloud.
Once connected to the VPN you will be able to access your Virtual Machines over SSH using PuTTY. If you have configured your firewall with the management IP address you will be able to access it on port 80. You will need to make sure the firewall rules are in place to allow this traffic.
3.6 Configure interface IP address (VXLAN Only)
On the Database server (the LAN server) I have configured it to use DHCP. By default the Firewall has a DHCP server on the LAN interface.
Normally on your Web server you would have the IP address statically configured.
Please follow the following two guides to set up either a static IP or DHCP.
Static IP configuration:
You can search the Piggybank Cloud Blog from within your portal – simply type in the top search bar a topic and this will take you to the Piggybank cloud blog.
You will want to test connectivity to and from your servers. In the output below, taken from the DMZ web server, the ping to the LAN host 192.168.1.3 gets no reply, which is what the DMZ-to-LAN block rule should produce, while the Dev Network host 10.0.113.11 answers over the management NIC.
root@WebServer:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.200.254 0.0.0.0 UG 0 0 0 eth0
10.0.113.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
root@WebServer:~# ping 192.168.1.3
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
--- 192.168.1.3 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1020ms
root@WebServer:~# ping 10.0.113.11
PING 10.0.113.11 (10.0.113.11) 56(84) bytes of data.
64 bytes from 10.0.113.11: icmp_seq=1 ttl=64 time=1.43 ms
64 bytes from 10.0.113.11: icmp_seq=2 ttl=64 time=0.794 ms
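Before removing the Dev management NIC in the next step it is worth confirming that nothing depends on it: the default route must go via the firewall's DMZ address on the VXLAN NIC (eth0), and eth1 should carry only the directly connected 10.0.113.0/24 route. The script below is an added example, not part of this guide; it parses the `route -n` output shown above (embedded as constructed sample text) and performs that check. The firewall address 192.168.200.254 and the interface names eth0/eth1 are taken from the output above.

```python
# Added example: sanity-check the Linux routing table before removing the
# Dev management NIC. Not the guide's own code.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample: the `route -n` output from the web server in this guide.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.200.254 0.0.0.0 UG 0 0 0 eth0
10.0.113.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
"""

DMZ = ip_network("192.168.200.0/24")       # VXLAN-4, where the web server lives
DEV_NET = ip_network("10.0.113.0/24")      # VLAN-113 Dev Network (temporary management access)


def parse_route_table(text: str) -> List[Dict[str, str]]:
    """Parse `route -n` output into one dict per route (header lines skipped)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # A route line has 8 columns and starts with a dotted-quad destination.
        if len(parts) != 8 or not parts[0][0].isdigit():
            continue
        keys = ("destination", "gateway", "genmask", "flags", "metric", "ref", "use", "iface")
        routes.append(dict(zip(keys, parts)))
    return routes


def default_route(routes: List[Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """Return (gateway, iface) of the default route, or None if there is none."""
    for r in routes:
        if r["destination"] == "0.0.0.0" and "G" in r["flags"]:
            return r["gateway"], r["iface"]
    return None


def routes_on(routes: List[Dict[str, str]], iface: str) -> List[str]:
    """Destinations (in CIDR form) reachable via `iface`."""
    return [
        str(ip_network(f"{r['destination']}/{r['genmask']}", strict=False))
        for r in routes if r["iface"] == iface
    ]


def safe_to_remove_dev_nic(routes: List[Dict[str, str]], dev_iface: str = "eth1") -> bool:
    """True when the Dev NIC carries nothing but its own connected subnet and
    the default route points at a gateway inside the DMZ on another interface."""
    default = default_route(routes)
    if default is None:
        return False
    gateway, iface = default
    if iface == dev_iface or ip_address(gateway) not in DMZ:
        return False
    # Only the directly connected Dev subnet may be routed via the Dev NIC.
    return all(ip_network(d) == DEV_NET for d in routes_on(routes, dev_iface))


if __name__ == "__main__":
    table = parse_route_table(ROUTE_OUTPUT)
    print("default route:", default_route(table))
    print("via eth1:", routes_on(table, "eth1"))
    print("safe to remove eth1:", safe_to_remove_dev_nic(table))
```

If the check returns False, either the default route was learned over the Dev Network (for example from DHCP on eth1) or an extra static route was added via eth1; fix that first, otherwise removing the NIC in the portal will cut the server off from its gateway.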
5. Remove Dev Management NICs
The Development Network is only for the development and deployment of your cloud infrastructure; I would recommend removing it and controlling access to your network using the firewall VPN.
Simply scroll across and click the BIN icon to remove the NIC.
Thank you for reading and please feel free to leave any feedback.
If you need any help please do not hesitate to contact us.
Simply use the inbuilt ticket system to raise a support request.