
Extended Scenario: Accessing Virtual Machines on a VLAN

Provisioning virtual machines on a private VLAN in the cloud gives you far greater security than on the open Internet. This technique is similar to deploying physical machines in your own data center. The machines won't be visible from the Internet and therefore are protected from many threats. Just as servers in a private data center must be accessed using a private connection to the data center, virtual machines provisioned on a VLAN must be accessed through a special connection. This connection is usually provided by a server with two IP addresses, one on the Internet and the other on the VLAN. You must also have a way of routing network traffic from the Internet to the VLAN. If you wanted to route traffic from many users to a web server, you would use a firewall to route the traffic. However, in our scenario we only want to route traffic from the owner of the virtual machine, so we'll use SOCKS.

To complete this scenario, perform the following steps:

  1. Discover the available VLANs.
  2. Allocate an IP address on a VLAN.
  3. Create a SOCKS Proxy virtual machine with two IP addresses.
  4. Provision a virtual machine instance on the VLAN.
  5. Verify access to the VLAN:
    1. Start PuTTY with the SOCKS proxy option.
    2. Access both virtual machines.

Figure 8 shows the configuration.

Figure 8 Accessing a virtual machine on a VLAN with SOCKS.

We'll demonstrate how to do this with the SCE command line, but it's also possible with the web portal.

Step 1: Discover the Available VLANs

You can discover the VLANs available in SCE with this command:

> ic-describe-vlans.cmd -u <user id> -w <passphrase> -g <key file>
Executing action: DescribeVLANs  ...
----------------------------------
. . .
ID: 288
Name: Private VLAN Singapore
Location: 141
----------------------------------
Executing DescribeVLANs  finished

We'll use the VLAN with ID 288 in the Singapore data center (location ID 141), which we found from the command output above.

Step 2: Allocate an IP Address on a VLAN

The next step is to allocate an IP address on the selected VLAN. To do that, we need to find the address offering for private IP addresses in Singapore, for which we use the describe-address-offerings command:

> ic-describe-address-offerings.cmd -u <user id> -w <passphrase> -g <key file>
. . .
ID: 20027868
Location: 141
Ip Type: PRIVATE
Price: $0/UHR
. . .

The command output shows that the address offering ID is 20027868.

The next part is to allocate the IP address. We can do that with the allocate-address command:

> ic-allocate-address.cmd -u <user id> -w <passphrase> -g <key file> -L 141 -O 20027868 -x 288
Executing action: AllocateAddress  ...

In this command, the -L argument is the data center ID, -O is the address offering ID, and -x is the VLAN ID.

The address will take a little while to be allocated. We can check the status of the IP address-allocation process with the describe-addresses command:

> ic-describe-addresses.cmd -u <user id> -w <passphrase> -g <key file>
. . .
ID: 277993
InstanceId: null
IP: 10.10.10.66
State: FREE
Location: 141
Owner: <user id>
. . .

The address must be in the FREE state before we can use it. Note the ID of the IP address; we'll use it in the next step.
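The polling loop implied by "the address will take a little while to be allocated," as an added shell example that is not part of the original article: it parses the describe-addresses listing in the field layout shown above, reports which addresses are FREE at a given location, and waits for a specific address ID to become FREE. The sample listing is constructed (only record 277993 mirrors the article's output; the other records and the state names NEW and ATTACHED are made up), and the CLI name in IC_DESCRIBE_ADDRESSES and the SCE_USER, SCE_PASS and SCE_KEYFILE variables are assumptions standing in for the -u, -w and -g values.

```shell
#!/bin/sh
# Added example, not from the original article: parse the ic-describe-addresses
# listing and poll it until a given address reaches the FREE state.
# Assumptions (not from the article): the SCE CLI is reachable under the name
# in IC_DESCRIBE_ADDRESSES, and SCE_USER, SCE_PASS and SCE_KEYFILE hold the
# values the article passes as -u, -w and -g.

IC_DESCRIBE_ADDRESSES=${IC_DESCRIBE_ADDRESSES:-ic-describe-addresses.cmd}

# Constructed sample listing in the article's field layout. Record 277993
# mirrors the article's output; the other two records and the state names
# NEW and ATTACHED are made up for this example.
SAMPLE_ADDRESSES='Executing action: DescribeAddresses  ...
----------------------------------
ID: 277990
InstanceId: null
IP: 10.10.10.65
State: NEW
Location: 141
Owner: a.user
----------------------------------
ID: 277993
InstanceId: null
IP: 10.10.10.66
State: FREE
Location: 141
Owner: a.user
----------------------------------
ID: 278001
InstanceId: 266600
IP: 10.10.10.70
State: ATTACHED
Location: 82
Owner: a.user
----------------------------------
Executing DescribeAddresses  finished'

# Print the State of the address record whose ID is $1 (listing on stdin).
address_state() {
  awk -v want="$1" '
    /^ID: /    { cur = $2 }
    /^State: / { if (cur == want) { print $2; exit } }
  '
}

# Print "<id> <ip>" for every FREE address whose Location is $1 (listing on
# stdin). A record starts at its "ID:" line, so each record is evaluated when
# the next one begins and once more at end of input.
free_addresses() {
  awk -v loc="$1" '
    function flush() {
      if (id != "" && state == "FREE" && location == loc) print id, ip
      id = ""; ip = ""; state = ""; location = ""
    }
    /^ID: /       { flush(); id = $2 }
    /^IP: /       { ip = $2 }
    /^State: /    { state = $2 }
    /^Location: / { location = $2 }
    END           { flush() }
  '
}

# Poll the CLI until address $1 is FREE; give up after $2 attempts
# (default 30), ten seconds apart. Returns 0 when the address can be used
# as the secondary IP in Step 3.
wait_for_free_address() {
  want_id=$1; tries=${2:-30}
  while [ "$tries" -gt 0 ]; do
    state=$("$IC_DESCRIBE_ADDRESSES" -u "$SCE_USER" -w "$SCE_PASS" -g "$SCE_KEYFILE" \
              | address_state "$want_id")
    case "$state" in
      FREE) echo "address $want_id is FREE"; return 0 ;;
      "")   echo "address $want_id not found in listing" >&2; return 1 ;;
    esac
    tries=$((tries - 1)); sleep 10
  done
  echo "address $want_id still not FREE, last state: $state" >&2
  return 1
}

# Stand-alone demonstration on the constructed sample: lists the FREE
# addresses in location 141.
printf '%s\n' "$SAMPLE_ADDRESSES" | free_addresses 141
```

In real use, call wait_for_free_address with the ID printed by ic-allocate-address before moving to Step 3; the function distinguishes an address that is still allocating from one that is missing from the listing altogether, which usually means the allocate request itself failed.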

To perform the equivalent action in the SCE web portal, navigate to the Account tab and click the Add IP button. A dialog like the one in Figure 9 will appear.

Figure 9 Allocating an IP on a VLAN by using the SCE web portal.

Step 3: Create a SOCKS Proxy Virtual Machine

We'll use a server running RHEL 6.2, with a secondary IP address on the VLAN and a primary IP address on the public Internet, to act as the SOCKS proxy. The particular server that we use will be configured as a firewall. The image name in the SCE image library is "IBM Firewall Image on Red Hat EL 6 32-bit PAYG." It's configured with stricter security than other images, which is appropriate for use as an entry point into a VLAN: all unnecessary software has been removed and unnecessary services disabled.

> ic-create-instance.cmd -u <user id> -w <passphrase> -g <key file>
 -t "COP32.1/2048/60" -n SOCKSProxy -k 20036705 -c <my key>
 -m "{secondary.ip.0:<address ID>,root_user_password:***}" -L 141
Executing action: CreateInstance  ...
The request has been submitted successfully.
1 instances!
----------------------------------
ID: 266635
Name: SOCKSProxy
Hostname: vhost0677
InstanceType: COP32.1/2048/60
IP: 170.225.160.53
Secondary IP(s): 10.10.10.66
KeyName: <my key>
. . .

In the command above, the -t argument is the instance size, -n is the instance name, -k is the image ID, -c is the key name, -m passes the instance parameters (here the ID of the secondary IP address allocated in step 2, and the root password), and -L is the data center ID.

After executing the command above, wait for the instance to be provisioned.

Figure 10 shows the screen from the SCE web portal.

Figure 10 Provisioning the SOCKS proxy with the SCE web portal.

Use the ic-describe-instance command to find the provisioning status and public IP address. After the instance has been provisioned, the public IP address will be enabled, but the secondary IP address will not. To enable the secondary address, use the Linux ifup command:

$ sudo /sbin/ifup eth1

You can check the status of the network interfaces with the Linux ifconfig command. Follow the same steps as in the basic scenario to enable the firewall.

Step 4: Provision a Virtual Machine Instance on the VLAN

In this step, we'll create the virtual machine that we want to access. It will be RHEL 6.2 with a primary IP address on the VLAN. Following is the command to provision the virtual machine:

> ic-create-instance.cmd -u a.user@cn.ibm.com -g mykey.ext
 -w unlock -t "BRZ64.2/4096/60*500*350"
 -n ServerVLAN -k 20025211 -c july26 -x 288 -L 141
Executing action: CreateInstance  ...
The request has been submitted successfully.
1 instances!
----------------------------------
ID: 266635
Name: ServerVLAN
Hostname: vhost0677
InstanceType: BRZ64.2/4096/60*500*350
IP: 10.10.10.74
KeyName: <my key>
. . .

In this command, the -t argument is the instance size, -n is the instance name, -k is the image ID, -c is the key name, -x is the VLAN ID, and -L is the data center ID.

Step 5: Verify Access to the VLAN

Steps 5a and 5b are the same as steps 2 and 3 of the basic scenario. For starting PuTTY with the SOCKS proxy option, see step 2 of the basic scenario ("Step 2: Start PuTTY with the SOCKS Proxy Option"). To access both virtual machines, see step 3 of the basic scenario ("Step 3a: Start the Web Server and Configure the Firewall").

To verify access to the VLAN, enter the address of the virtual machine on the VLAN in the browser. Test with and without the proxy settings in the browser; Figure 11 shows the results. Notice that the address shown in the browser is the private VLAN IP, which is not visible from the Internet, yet you reach the virtual machine over the Internet through the SOCKS proxy.

Figure 11 Verifying access to the VLAN.
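The same "with and without proxy" check done from a Linux or macOS workstation, as an added example that is not part of the original article: OpenSSH's -D option gives the dynamic SOCKS forwarding that PuTTY's tunnel option provides, and curl stands in for the browser. A direct request to the VLAN address must fail, because private address space is not routed on the Internet, while the same request through the SOCKS tunnel must succeed. The proxy user (idcuser), key path and the assumption that the VLAN host serves HTTP on port 80 are assumptions, not taken from the article; the two IP addresses are the ones shown in Steps 3 and 4.

```shell
#!/bin/sh
# Added example, not from the original article: the Step 5 check with OpenSSH
# and curl instead of PuTTY and a browser. Assumptions (not from the article):
# PROXY_USER, PROXY_KEY and the HTTP service on port 80 of the VLAN host.

PROXY_PUBLIC_IP=${PROXY_PUBLIC_IP:-170.225.160.53}   # SOCKS proxy, from Step 3
VLAN_HOST_IP=${VLAN_HOST_IP:-10.10.10.74}             # VLAN instance, from Step 4
PROXY_USER=${PROXY_USER:-idcuser}                     # assumed login user
PROXY_KEY=${PROXY_KEY:-$HOME/.ssh/sce_key}            # assumed private key path
SOCKS_LISTEN=${SOCKS_LISTEN:-127.0.0.1:1080}          # local SOCKS endpoint

# Return 0 if $1 is an RFC 1918 address (10/8, 172.16/12, 192.168/16),
# 1 if it is a public IPv4 address, 2 if it is not a dotted quad.
is_private_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 2
  o1=$1; o2=$2
  if [ "$o1" = 10 ]; then return 0; fi
  if [ "$o1" = 192 ] && [ "$o2" = 168 ]; then return 0; fi
  if [ "$o1" = 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then return 0; fi
  return 1
}

# Open the SOCKS tunnel in the background (-f: fork after authentication,
# -N: run no remote command). The tunnel stays up until the ssh process exits.
open_socks_tunnel() {
  ssh -f -N -D "$SOCKS_LISTEN" -i "$PROXY_KEY" "$PROXY_USER@$PROXY_PUBLIC_IP"
}

# The article's "with and without proxy settings" check. Returns 0 only when
# the direct request fails and the proxied request succeeds; a direct success
# means the VLAN host is reachable without the proxy, which is not intended.
check_vlan_access() {
  target=$1
  if ! is_private_ipv4 "$target"; then
    echo "$target is not a private address; this check applies to VLAN hosts only" >&2
    return 1
  fi
  if curl -s -o /dev/null --connect-timeout 5 "http://$target/"; then
    echo "direct request to $target succeeded: reachable without the proxy" >&2
    return 1
  fi
  if ! curl -s -o /dev/null --connect-timeout 10 \
          --socks5-hostname "$SOCKS_LISTEN" "http://$target/"; then
    echo "request to $target through SOCKS $SOCKS_LISTEN failed" >&2
    return 1
  fi
  echo "$target answers only through the SOCKS proxy at $SOCKS_LISTEN"
}

# Stand-alone use: "sh check_vlan.sh run" opens the tunnel, then checks the
# VLAN host. Without the argument only the functions are defined.
if [ "${1:-}" = run ]; then
  open_socks_tunnel && check_vlan_access "$VLAN_HOST_IP"
fi
```

The --socks5-hostname form matters: it sends the name or address to the proxy for resolution, so a hostname that only resolves inside the VLAN still works, and nothing about the target leaks to the workstation's own resolver.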
