Skip to main content

VPC Network

A VPC (Virtual Private Cloud) in Apache CloudStack is a private, isolated part of the cloud with its own virtual network topology. Customers create VPCs in CMP by selecting a VPC package that maps to CloudStack VPC Offering and VPC Network Offering values.

Setup vs feature
  • This page β€” how VPC works in CloudStack and how CMP exposes it (tiers, ACLs, Source NAT, VPN/private gateway overview, limitations).
  • Admin package setup β€” Virtual Router/VPC packages.
  • Provider Config β€” Connecting CMP to CloudStack (Default VPC ACL Allow ID, Default Network Strategy).

What is a VPC?​

In CloudStack, a VPC lets you:

  • Define a super CIDR (for example 10.0.0.0/16) for all guest tiers
  • Create one or more network tiers (subnets) inside that CIDR
  • Use a single VPC virtual router for routing, DHCP, DNS, Source NAT, ACLs, and optional VPN / load balancing

CloudStack reference: Configuring a Virtual Private Cloud.

Building blockRole
VPCIsolated private cloud for one account / project, with a super CIDR
Network tierGuest subnet inside the VPC (own VLAN segment and CIDR); one ACL list per tier
VPC virtual routerSystem VM that connects tiers, public gateway, VPN, and NAT
Public gateway / Source NATOutbound internet; one Source NAT public IP allocated when the VPC is created
Network ACLNumbered allow/deny rules for ingress/egress on a tier
Private gatewayOptional route to a private / enterprise network
VPN gatewayOptional site-to-site VPN endpoint for the VPC
Isolated Network vs VPC
Isolated NetworkVPC
StructureSingle guest networkSuper CIDR + one or more tiers
Virtual routerOne VR per isolated networkOne VPC VR for the whole VPC
OfferingsNetwork offeringVPC offering + VPC guest network offerings
Firewall modelIsolated network firewall at public IP levelNetwork ACL on tiers
CMP packagesNetwork packages (when billing enabled)Virtual Router/VPC

See Isolated Network.

How CMP provisions a VPC​

  1. Enable VPC/Virtual Router in Cloud Provider Setup (Wizard Step 1)
  2. Set Default VPC ACL Allow ID in Provider Config (Wizard Step 2) so new VPCs get a usable default ACL
  3. Create CloudStack system service offerings, VPC offerings, and VPC guest network offerings (with User Data and Network ACL)
  4. Create CMP Virtual Router/VPC packages per zone/tier
  5. Customer opens Create VPC, selects a package (or CMP auto-selects when only one package exists), and CMP creates the VPC via CloudStack APIs
CMP VPC package
β†’ CloudStack VPC Offering (+ system service offering = VR size)
β†’ VPC created (Source NAT IP allocated)
β†’ Customer adds tiers using VPC Network Offering
β†’ ACL list applied per tier (default from Default VPC ACL Allow ID, then custom rules)

Screenshot: CMP β€” Create VPC with package selection

Default VPC ACL Allow ID​

FieldPurpose
Default VPC ACL Allow IDCloudStack ACL list UUID applied when CMP creates a new VPC

Obtain the UUID from CloudStack β†’ Network β†’ VPC β†’ ACL Lists (typically a default_allow-style list, or a custom allow list you maintain). Customers can replace or edit ACL rules in the CMP portal after creation.

Network tiers​

  • Each tier is an isolated guest network inside the VPC with its own CIDR (must be unique and inside the VPC super CIDR)
  • Tiers do not freely reach each other by default β€” Network ACL rules control tier-to-tier and tier-to-public traffic
  • Only one tier in a VPC can use an LB-enabled network offering (CloudStack limitation)
  • A public IP attached to one tier for Static NAT / Port Forwarding / LB cannot be reused for another tier’s services at the same time

Customers add tiers from the VPC details view in CMP after the VPC exists.

Source NAT and public IPs on VPC​

  • When a VPC is created, CloudStack allocates a Source NAT public IP. It is released only when the VPC is deleted.
  • The VPC Source NAT IP cannot be used for VM association or load balancer rules. Customers must acquire a separate public IP (for example Static NAT) for LB or dedicated VM public access.
  • Details: Load Balancer β€” VPC Source NAT and IP Address packages.

For automated public IP attach during Create Instance, see Default Network Strategy. Manual IP association outside create-instance is chosen by the customer.

Network ACL (VPC firewall)​

Network ACL is the CloudStack / CMP control plane for allow/deny traffic on a VPC tier. The VPC offering and guest network offerings must include the Network ACL service.

How ACL works in CloudStack​

ConceptBehaviour
ScopeRules apply to the network tier (subnet), not to an individual VM as a first-class target
EvaluationNumbered rules, lowest number first
Traffic typeIngress or Egress
ActionAllow or Deny
Protocol / portsTCP, UDP, ICMP, ALL (plus ICMP type/code when applicable)
CIDR fieldSingle cidrlist on the API β€” Source CIDR for Ingress, Destination CIDR for Egress
StatefulACL rules in CloudStack are stateful (return traffic for an allowed flow follows connection state)
Ingress vs egressNot mirrored β€” an egress deny-all does not block replies to an allowed ingress connection

Official wording: β€œThe CIDR acts as the Source CIDR for the Ingress rules, and Destination CIDR for the Egress rules.” β€” CloudStack VPC ACL.

API reference: createNetworkACL parameters include protocol, traffictype, action, cidrlist, startport / endport, icmpcode / icmptype, number, aclid / networkid. There are no separate sourcecidr + destinationcidr (or sourceip / destinationip) parameters in current CloudStack ACL APIs.

What you can express today​

Supported todayExample
Allow/deny by protocol and portAllow TCP 443
Scope CIDR as source (ingress) or destination (egress) β€” one CIDR role per ruleIngress source 192.168.28.0/24, or egress destination 10.0.0.0/8
Subnet ↔ subnet (tier) controlTier A ACL egress allow to Tier B CIDR
Partial host match via /32 in the single CIDR slotEgress destination 192.168.26.6/32 (all hosts on this tier may reach that host, subject to other rules)

What you cannot express as classic host-level ACL​

Host-level Source + Destination on one rule β€” not supported

CloudStack VPC ACL does not provide independent source host and destination host fields on the same rule.

Desired classic rule (not supported as two independent ends):

Allow any TCP traffic on port 53 from subnet 192.168.28.0/24 to host 192.168.26.6.

Most granular rule today:

Direction + one CIDR (cidrlist) + protocol + port (for example allow egress TCP 53 from this tier to 192.168.26.6/32).

That egress /32 targets the destination host for traffic leaving the tier, but it does not simultaneously constrain source to a specific host and destination to another specific host as separate fields. Ingress /32 constrains source only for traffic entering the tier.

QuestionAnswer (CloudStack + CMP model)
Does ACS natively support host-level ACLs (source host and destination host)?No β€” one cidrlist per rule, meaning source or destination depending on traffic type
Can /32 be used in cidrlist?Often yes for that single CIDR role (test in your ACS version). It does not add a second independent end
Is destination CIDR a separate enforced field?Only as the egress interpretation of cidrlist β€” there is no paired destination field on ingress rules
Is this a CMP-only limit?Primarily CloudStack ACL engine design. CMP must map to createNetworkACL / listNetworkACLs. If CMP UI only offers subnet pickers, that can add a further UX limit β€” but even with free-form CIDR, ACS still lacks dual-end host ACL
Would CMP alone implement classic host ACLs?No β€” would require CloudStack (API + VR firewall generation) to support source and destination matchers, then CMP UI/API changes

If you must confirm behaviour on a specific ACS build:

  1. API β€” Create a rule with cidrlist=192.168.26.6/32, traffictype=Egress, TCP port 53; confirm save succeeds
  2. Router β€” On the VPC VR, inspect iptables / ipset / nftables for -d 192.168.26.6/32 (or equivalent). Absence of destination match means the /32 is not enforced as expected
  3. Traffic test β€” VM-A (192.168.28.10) β†’ VM-B (192.168.26.6) allowed vs β†’ VM-C (192.168.26.7) blocked only if destination host matching works for that rule direction
  4. CMP β€” Confirm whether the UI accepts free-form CIDR (including /32) or only subnet selection; UI restriction is separate from ACS capability

UI clarity (direction, source, destination)​

CMP should present ACL rules so traffic flow is obvious β€” not only protocol and port.

Recommended columns / editor labels:

DirectionSourceDestinationProtocolPortAction
Egress(this tier / implied)192.168.26.6/32TCP53Allow
Ingress192.168.28.0/24(this tier / implied)TCP443Allow

Because CloudStack stores a single CIDR whose meaning depends on Ingress vs Egress, the UI should:

  • Show Direction prominently
  • Label the CIDR as Source for Ingress and Destination for Egress
  • Avoid implying that both Source and Destination are independently editable until the orchestrator supports it

img/screenshots/cmp-vpc-network-acl-rules.png

Screenshot: CMP β€” VPC Network ACL rules

Private gateway and VPN (overview)​

FeaturePurpose in CloudStack VPC
Private gatewayRoute VPC traffic to/from a private or enterprise network; optional Source NAT on the private gateway; ACL on the private gateway interface
Site-to-site VPNHardware/VPN connection between the VPC VPN gateway and a customer gateway
Remote access VPNNot supported on VPC networks in CloudStack (VPN users / remote access apply to other network models)

Offer these only when the VPC offering includes VPN (and related services) and your CloudStack zone is configured for private gateways / VPN. Exact CMP customer UI flows for private gateway and VPN connections can be expanded on dedicated pages as documentation is completed.

Load balancing inside a VPC​

  • Enable Load Balancer on the VPC offering and use an acquired public IP β€” never the VPC Source NAT IP
  • Conserve mode on offerings can allow VMs from multiple tiers on one public IP when enabled in CloudStack

See Load Balancer packages.

Billing​

VPC billing is driven by Virtual Router/VPC packages. When pricing, include virtual router capacity, default Source NAT IP, and Network Rate (Mb/s) differentiation between tiers (for example Basic vs High-Performance).

How CMP implements VPC (summary)​

AreaCloudStackCMP
Create VPCVPC offering β†’ VPC + Source NAT IPPackage selection on Create VPC
TiersGuest network offerings (For VPC)Add network / tier in VPC UI
FirewallNetwork ACL (cidrlist + traffic type)ACL editor in customer portal
Public IPSeparate public IPs for Static NAT / PF / LBDefault Network Strategy on Create Instance; manual choice afterward
Default ACLdefault_allow / default_deny / custom listsDefault VPC ACL Allow ID on provider setup