Gandi Private VLANs

What are Gandi Private VLANs?

Private VLANs (Private Virtual Local Area Networks) are, as the name implies, virtual networks. They allow your machines to exchange data securely on a private dedicated network, inaccessible to the public Internet. You can create one or more PVLANs, and access them with private interfaces that you attach to your servers. Only the interfaces associated with the same virtual network can communicate with each other.

The advantages:

  • More security: The interfaces are private and are not accessible from outside.
  • Faster: The maximum throughput of a private interface is 200 Mbit/s (as opposed to 100 Mbit/s for a public interface).

This feature allows you to create clusters of servers to support multi-host applications. You do not need to purchase additional bandwidth as you might have to when using public network interfaces. The most common use case (and the simplest) is making a secure connection between an edge server (for example a web server) and a backend server (like a database server).

Installation

  1. Create a PVLAN
  2. Create private interfaces
  3. Attach interfaces to your servers

The allocation of IP addresses is done dynamically, though you can specify the subnet.

Management of PVLANs

You can create up to 128 PVLANs for your servers, each of which can contain up to 64 interfaces.

VLANs can't communicate between different datacenters. For example, a server located in France can't be connected to a VLAN created in Luxembourg.

Click the Servers tab to access the Server control panel. Then click the “Vlans” tab to go to the VLAN management page.
This shows a page where you can edit, create, or delete your VLANs.

To create a new VLAN, click “Create a VLAN”.

Choose a name for the VLAN, and click “Create”.

Once you choose the location, you can then choose either default configuration (network mask and gateway will be set automatically) or choose advanced configuration, where you can specify your network and mask (in CIDR format, e.g. 10.0.0.0/29). Please stick to RFC 1918 (private) IPv4 ranges.

You will also need to specify a gateway address, preferably the first interface you assign, in case you want to set up routing.

Then you can add the private interfaces by clicking the + icon to the right of the line for the relevant VLAN.

Create private network interfaces

You can create interfaces either through the 'add an interface' action on an existing VLAN, or via the interface management page (under the interfaces tab). Just choose the type of interface as “Private”.

You can then specify which VLAN this interface will attach to, and the desired IP address (in the subnet you specified in the VLAN). Then, you can attach the interface to a server.

If you do not specify the IP address, it will be automatically allocated in ascending order.

Add static IP configuration to the server

DHCP is not provided for private network interfaces. In order for the interface to come up automatically at boot, you'll need to add a static IP-address configuration to your server.

For example, on a Debian-based distro, add the following lines to /etc/network/interfaces:

auto eth1
iface eth1 inet static
address 192.168.22.2
netmask 255.255.255.0

Be sure to substitute the interface (ethX), IP-address, and netmask with your interface's values.
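
The subnet rules from the advanced configuration (CIDR format, RFC 1918 only) and the static stanza above can be checked together before editing the server. This is an added example, not Gandi's own tooling; the function names check_subnet and interfaces_stanza are hypothetical, and the sample values are the ones used on this page.

```python
import ipaddress

# The three RFC 1918 private IPv4 blocks. ip_network.is_private is not used
# because it also accepts other reserved ranges (e.g. documentation nets).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_subnet(cidr):
    """Return the parsed network if it lies inside an RFC 1918 block."""
    # strict=True rejects a CIDR with host bits set, such as 10.0.0.1/29.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not any(net.subnet_of(b) for b in RFC1918):
        raise ValueError(f"{cidr} is not inside an RFC 1918 IPv4 range")
    return net


def interfaces_stanza(ifname, address, cidr):
    """Build the /etc/network/interfaces stanza for one private interface."""
    net = check_subnet(cidr)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        raise ValueError(f"{address} is outside the VLAN subnet {net}")
    if addr in (net.network_address, net.broadcast_address):
        raise ValueError(f"{address} is the network or broadcast address")
    return "\n".join([
        f"auto {ifname}",
        f"iface {ifname} inet static",
        f"    address {addr}",
        f"    netmask {net.netmask}",
    ])


if __name__ == "__main__":
    # Values from this page: the example interface and the example /29.
    print(interfaces_stanza("eth1", "192.168.22.2", "192.168.22.0/24"))
    print(check_subnet("10.0.0.0/29").num_addresses - 2, "usable addresses in the /29")
```

A /29 such as the one in the example leaves 6 usable addresses, well under the 64-interface limit of a PVLAN, so size the subnet for the number of interfaces you plan to attach.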

Last modified: 02/14/2017 at 00:51 by Richard M. (Gandi)