Running in Google Cloud

Introduction

This guide describes the basic steps to create a VNS3 Image and setup a VPC where you plan on running a VNS3 controller and GCE instances for your cloud use-case. A simple deployment scenario is presented with some best practice pointers. For more complex deployments please open a support ticket via the Cohesive Networks Support Site or email to support@cohesive.net.

Requirements

You have a GCE account that Cohesive can use for enabling your access to the VNS3 Controller Images (GCE Marketplace coming soon).

  • Ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software.
  • You have a compliant IPsec firewall/router networking device:
  • Preferred: Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.

  • Best Effort: Any IPsec device that supports: IKE1 or IKE2, AES256 or AES128 or 3DES, SHA1 or MD5, and most importantly NAT-Traversal standards.

  • Known Exclusions: Checkpoint R65-R80 require native IPSec connections as Checkpoint does not conform to NAT-Traversal Standards in these versions. In Checkpoint R80+, GuiDBedit must be used to force either native IPsec or NAT-T in order to maintain a reliable connection. (See https://support.cohesive.net/support/solutions/articles/31000156433-nat-t-compatibility-with-check-point-devices)

    Cisco ASA 8.4(2)-8.4(any) bugs prevent a stable connection from being maintained.

Firewall Setup

VNS3 Controller instances use the following TCP and UDP ports:

  • UDP port 1194 - For client VPN connections; must be accessible from all servers that will join VNS3 topology as clients.

  • UDP 1195-1203* - For tunnels between Controller peers; must be accessible from all peers in a given topology. VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access as it is not licensed for Controller Peering.

  • TCP port 8000 - HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering, also needs to be open to and from the Controllers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.

  • UDP port 500 - UDP port 500 is used for the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.

  • Protocol 50 - This is used for the phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec.

  • UDP port 4500** - This is used for the phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection when using NAT-Traversal Encapsulation.

*VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access as it is not licensed for Controller Peering.
_** Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500_

*Google Firewall Rules allow ESP Protocol 50 past its edge.

Address Considerations

The Overlay Network functionality is optional but an Overlay Network configuration is required for the VNS3 controller to function. When choosing between the default Overlay Network subnet range or a custom subnet defined by your specific topology needs, avoid any address overlap. Warning: Your overlay network range cannot overlap with the cloud subnet/vpc/vnet the controller is running in.

Define an Overlay Network Subnet that does not overlap with:

  • Cloud VLAN (VPC, VNET, or similar) where the VNS3 controller or cloud-clients are running
  • Datacenter subnets you you plan on connecting to via IPsec (however overlaps can be worked around with cooperation between connecting parties)

VNS3 Image Sharing via Compute Image User IAM

Cohesive Networks provides access to VNS3 Images via IAM sharing.

In order to share, Cohesive Networks Support needs the email address associated with the Google Cloud Platform account where you will run the VNS3 controller.

Please send an email to support@cohesive.net with a subject line referencing GCE Image Sharing Request and include the email in the body. Cohesive Networks Support will respond with the Image name when the Image has been shared.

VNS3 SKUs (Free, Lite, and BYOL) will be available in the Google Cloud Marketplace in 2019.

Step 1: VPC Deployment Setup

Virtual Network Addressing - Don’t Overlap with VNS3 Overlay

Google VPCs provide an isolated address space where you run your instances. VPCs allow you to define Subnet address spaces, and associated Firewall Rules to allow control of access control policies via the hypervisor firewall.

Cohesive Networks recommends creating a separate VPC Subnet for the VNS3 Controllers that is different from the subnet or subnets defined for the application instances.

The VPC CIDR you configure CANNOT overlap with the VNS3 Overlay Network you create during initialization/configuration of your VNS3 Controller instance.

Cohesive Networks typically recommends configuring a small subnet at the top of the VPC CIDR for the VNS3 Controller(s). You can then logically segment the lower part of the subnet for your application instances in a single subnet or multiple subnets per instance role (e.g. web server, app server, db, etc.)

The diagram shows a recommended segmentation of a /24 (255 addresses) VPC for this example deployment.

Cohesive Networks typically recommends configuring a small subnet at the top of the VPC CIDR for the VNS3 Controller(s). You can then logically segment the lower part of the subnet for your application instances in a single subnet or multiple subnets per instance role (e.g. web server, app server, db, etc.)
VNS3 Cloud Setup Addressing Diagram

Create VPC Network

This guide shows how to create a VPC Network and launch a VNS3 Controller instance inside that network. If you already have an existing VPC, we recommend launching in a separate subnet for maximum flexibility and security.

To create a new VPC Network, navigate to the VPC Network console via the Google Cloud Platform left column menu.

Click on VPC networks.

Then click on Create VPC Network.

VNS3 Cloud Setup GCE VPC

The Create VPC Network pane allows you to customize your cloud VLAN to your application’s specifications. This guide follows the network address scheme example provided above.

Provide the following information:

  • Name
  • Description (optional)
  • Subnets - in this example we create a subnet for the VNS3 controller and a subnet for the application servers in the same subnet. More complex application use-cases may require additional subnets and regions.

Click Create.

VNS3 Cloud Setup GCE VPC 2

Google Cloud Firewall Rules

Google Cloud Firewall Rules are stateful hypervisor rules that are applied at the network level.

Default/Implied rules allow all outbound (egress) traffic from a VPC instance and deny all inbound (ingress).

The following pages provide steps to open up inbound access to the controller to allow the various network and security functions.

To create a new Firewall Rule, navigate to the VPC Network console via the Google Cloud Platform left column menu.

Click Firewall Rules.

VNS3 Cloud Setup GCE FW 1

VNS3 Cloud Setup GCE FW 2

Firewall Rules: VNS3 UI/API

In order to access the VNS3 controller via the UI or API, TCP port 8000 inbound access needs to be allowed via the Firewall Rules.

Click create Firewall Rule.

Create a Firewall Rule with the following relevant information:

  • Network: VPC created on page 15, in this example application-vpc
  • Direction of traffic: Ingress
  • Action on match: Allow
  • Targets: this example uses target tags to associate this firewall rule with an instance or instances. Tags applied during instance creation that match with the Firewall Rule tags will associate the Firewall Rule with the instance.
  • Target tags: this example uses vns3.
  • Source Filter: this example uses IP ranges to specify the source of the traffic to be allowed.
  • Source IP ranges: the IP or limited set of IPs where you will be managing the VNS3 controller.
  • Specified Protocols and Ports: TCP 8000

Click Create.

VNS3 Cloud Setup GCE FW 3

Firewall Rules: IPsec

In order to create IPsec tunnels to the VNS3 controller UDP 500, UDP 4500 (for NATTraversal) and/or ESP protocol 50 (for native IPsec) inbound access needs to be allowed via the Firewall Rules.

Click create Firewall Rule.

Create a Firewall Rule with the following relevant information:

  • Network: VPC created on page 15, in this example application-vpc
  • Direction of traffic: Ingress
  • Action on match: Allow
  • Targets: this example uses target tags to associate this firewall rule with an instance or instances. Tags applied during instance creation that match with the Firewall Rule tags will associate the Firewall Rule with the instance.
  • Target tags: this example uses vns3.
  • Source Filter: this example uses IP ranges to specify the source of the traffic to be allowed.
  • Source IP ranges: the IP(s) of the remote VPN devices that will be connecting to VNS3 via IPsec VPN.
  • Specified Protocols and Ports: UDP 500, UDP 4500, and/or ESP protocol

Click Create.

VNS3 Cloud Setup GCE Firewall 4

Firewall Rules: Overlay Network

The VNS3 Overlay Network is optional. If you plan on taking advantage of the speed, flexibility and security of the Overlay Network UDP 1194 inbound access needs to be allowed via the Firewall Rules.

Click create Firewall Rule.

Create a Firewall Rule with the following relevant information:

  • Network: VPC created on page 15, in this example application-vpc
  • Direction of traffic: Ingress
  • Action on match: Allow
  • Targets: this example uses target tags to associate this firewall rule with an instance or instances. Tags applied during instance creation that match with the Firewall Rule tags will associate the Firewall Rule with the instance.
  • Target tags: this example uses vns3.
  • Source Filter: this example uses IP ranges to specify the source of the traffic to be allowed.
  • Source IP ranges: 0.0.0.0/0 or a smaller subnet depending on where the overlay connected clients are running.
  • Specified Protocols and Ports: UDP 500, UDP 4500, and/or ESP protocol

Click Create.

VNS3 Cloud Setup GCE Firewall 5

Firewall Rules: VNS3 Peering

Premium subscriptions of VNS3 (SME and larger) allow for more than on VNS3 controller to be peer together in a mesh to provide HA and federation capabilities. If you plan on building a peered VNS3 mesh UDP 1195-1210 (potentially smaller range depending on the number of peer controllers) needs to be allowed via the Firewall Rules.

Click create Firewall Rule.

Create a Firewall Rule with the following relevant information:

  • Network: VPC created on page 15, in this example application-vpc
  • Direction of traffic: Ingress
  • Action on match: Allow
  • Targets: this example uses target tags to associate this firewall rule with an instance or instances. Tags applied during instance creation that match with the Firewall Rule tags will associate the Firewall Rule with the instance.
  • Target tags: this example uses vns3.
  • Source Filter: this example uses target tags.
  • Source IP ranges: this example uses vns3
  • Specified Protocols and Ports: UDP 1195-1210

Click Create.

VNS3 Cloud Setup GCE Firewall 6

Step 2: Creating a VNS3 Controller Instance

Create a static IP for use when launching the VNS3 instance

Cohesive Networks highly recommends creating then associating a static public IP with any VNS3 controller instance launched in the cloud for maximum flexibility and recovery.

To create a static Public IP, navigate to the VPC Network console via the Google Cloud Platform left column menu.

Click External IP addresses.

Create an External IP address in the same region as the VPC Network created on page 15.

Click Reserve.

VNS3 Cloud Setup GCE Static IP 1

VNS3 Cloud Setup GCE Static IP 2

Create a VNS3 Controller Instance

To create a VNS3 Controller instance, navigate to the Compute Engine console via the Google Cloud Platform left column menu.

Click VM Instances.

Click Create.

VNS3 Cloud Setup GCE Create Ctrl 1

In order to create a VNS3 Controller instance you will need to specify the vns3 image shared to your account by Cohesive Networks as described previously.

To specify the shared VNS3 image, click Change under Boot Disk.

On the resulting popup, click on Custom Images.

Select the Cohesive Networks - dev project from the dropdown.

And select the image name provided by Cohesive Networks.

VNS3 Cloud Setup GCE Create Ctrl 2

VNS3 Cloud Setup GCE Create Ctrl 3

Launch a VNS3 Controller

Click the Management, security, disks, networking, sole tenancy dropdown to reveal additional configuration parameters.

Click on Networking.

If you are using Network tags for Firewall Rule association (as this example is), enter the appropriate tag.

Edit the Network interface and specify the correct VPC.

Turn IP forwarding On if needed (see page 27). NOTE: This setting cannot be updated after the instance has been created.

Click Done.

Click Create.

VNS3 Cloud Setup GCE Launch Ctrl

Unencrypted VPC Setup

Unencrypted VLAN Setup

In the event you choose to not use the Overlay Network, there are some additional steps required to allow VNS3 to act as the gateway for the VPC Subnet(s).

Remember even if you decide not to use the Overlay Network, you still need to define an Overlay Network address space as part of the initialization. Be sure to choose an address space that DOES NOT overlap with the Google VPC Subnet CIDR or remote network(s) you plan on connecting to via IPsec VPN.

You will need to make changes to the Routing Tables, add appropriate Firewall Rules and enabled IP Forwarding for the VNS3 controller instance.

In Google Cloud you can only enable IP forwarding when you create an instance. You cannot enable it by editing an instance later.

Unencrypted VLAN Setup: Routes

Google Cloud Route need to be configured so the instances running various VPC Subnets will send traffic destined for remote subnets connected to the VNS3 controller via IPsec to the VNS3 controller instead default Internet Gateway.

In this example we assume there is an IPsec tunnel connected to VNS3 that allows connectivity between the local VPC CIDR of 10.10.10.0/24 and a remote subnet 172.16.0.0/24.

To create a new Route, navigate to the VPC Network console via the Google Cloud Platform left column menu.

Click Routes.

Enter the appropriate destination IP range and specify the Next Hop as the VNS3 controller instance.

Click Create.

VNS3 Cloud Setup GCE Unencrypted VLAN 1

VNS3 Cloud Setup GCE Unencrypted VLAN 2

Unencrypted VLAN Setup: Firewall Rules

In order for the Application Server instances to send traffic through the VNS3 controller over the unencrypted VPC, Security Group rules need to be added to allow the traffic to flow.

As Security Groups are stateful, you only need to open Inbound rules in the direction of the initiating traffic as all response traffic will be allowed.

In this example we show opening up All Traffic between the VNS3 Controller instance Security Group and Application Server instance security group via the Security Group IDs.