VLANs and Firewalls

Introduction

At AppNexus every customer has a private VLAN, or Virtual Local Area Network, in each datacenter where they reserve servers.  Your VLAN is a list of sequential IP addresses that can be assigned to the instances you launch in the AppNexus environment.  Your VLAN can consist of 8, 24, 56 or 120, ..., (2^N-8) IP addresses; eight addresses in each range are reserved for networking equipment so it can behave as though it were part of your individual VLAN.

IP Addresses

  • You can assign specific IP addresses to your equipment by using the optional "--ip" parameter for the manage-instance launch command.  If no specific IP is selected, the next available IP in the range will be automatically assigned.  For more information, see manage-instance.
  • Instance IPs are static; if the server reboots or the instance goes offline, the IP will remain the same.
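The allocation rules above (a block of 2^N addresses with eight reserved for network gear, an optional explicit IP, otherwise the next free address, and static assignments) are easy to get wrong when scripting launches. The following is an added, constructed model of that behaviour; it is not AppNexus code and not the manage-instance tool. It assumes the reserved eight are the first eight addresses of the block, which the page does not state, and uses the documentation range 192.0.2.0/28 as sample input.

```python
"""Constructed model of VLAN address allocation as described above (not AppNexus code)."""
import ipaddress

# The page states that eight addresses in every range go to networking equipment.
RESERVED_PER_BLOCK = 8


def usable_count(prefix_len: int) -> int:
    """Customer-assignable addresses in an IPv4 block: 2^(32 - prefix) minus the reserved eight."""
    total = 2 ** (32 - prefix_len)
    if total <= RESERVED_PER_BLOCK:
        raise ValueError("block too small to hold the eight reserved addresses")
    return total - RESERVED_PER_BLOCK


class Vlan:
    """Tracks static IP assignments inside one customer VLAN.

    ASSUMPTION: the reserved eight are modelled as the first eight addresses of the
    block; the page does not say which addresses the network gear takes.
    """

    def __init__(self, cidr: str):
        self.network = ipaddress.ip_network(cidr, strict=True)
        addresses = list(self.network)
        self.reserved = set(addresses[:RESERVED_PER_BLOCK])
        self.pool = addresses[RESERVED_PER_BLOCK:]
        self.assigned = {}  # address -> instance name; static, survives reboots

    def launch(self, name: str, ip: str = None) -> str:
        """Mirror `manage-instance launch [--ip]`: use the requested IP, else the next free one."""
        if ip is None:
            free = [a for a in self.pool if a not in self.assigned]
            if not free:
                raise RuntimeError("VLAN exhausted: ask Support for a larger VLAN")
            addr = free[0]
        else:
            addr = ipaddress.ip_address(ip)
            if addr not in self.network:
                raise ValueError(f"{addr} is outside VLAN {self.network}")
            if addr in self.reserved:
                raise ValueError(f"{addr} is reserved for networking equipment")
            if addr in self.assigned:
                raise ValueError(f"{addr} is already assigned to {self.assigned[addr]}")
        self.assigned[addr] = name
        return str(addr)

    def free_count(self) -> int:
        """Addresses still available for new instances."""
        return len(self.pool) - len(self.assigned)


if __name__ == "__main__":
    vlan = Vlan("192.0.2.0/28")  # constructed: a 16-address block, 8 usable
    print(vlan.launch("web1"))                 # next free: 192.0.2.8
    print(vlan.launch("db1", ip="192.0.2.12"))  # explicit --ip
    print(vlan.launch("web2"))                 # next free: 192.0.2.9
    print("free:", vlan.free_count())          # 5
```

The explicit-IP path rejects addresses outside the block, in the reserved range, or already in use, which is exactly the set of mistakes a launch script with a hard-coded "--ip" tends to make after a VLAN migration.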

ACLs/Firewall

VLANs provide security by segregating each customer's traffic from AppNexus and other customers' traffic, and also by regulating traffic from the Internet according to a customer-controlled Access Control List (ACL).

...

  You can view your current ACLs in the customer portal at https://portal.appnexus.com/networking.php?index=acl.

  • By default, all inbound traffic from the Internet to your IP block is denied except for ping (ICMP Echo, used to verify that the host is up).  With your ACL, you can explicitly permit TCP, UDP, or ANY traffic for particular source and destination IPs and ports; only explicitly permitted traffic is allowed to pass.  You will be assigned a separate VLAN in each datacenter where you have equipment.
  • You'll set your initial ACL via the customer questionnaire, and you can change it at any time. At the moment, ACL changes must go through Support.  Please see How to Set Firewall Rules for more information.  Soon there will be an API for ACLs and you will also be able to use the customer portal.
  • All traffic within a VLAN is allowed so all instances can freely communicate with each other.
  • All outgoing traffic from your VLAN is allowed.
  • By default, all traffic between same-customer VLANs in different datacenters is open.  (Note that traffic between LAX1 and NYM1 travels over the Internet and is not encrypted.)

If you run out of IP addresses in your VLAN

...

If you outgrow a VLAN, AppNexus will assign you a larger one.  This can take up to one workday, as support staff configures the ACL for the new VLAN.  You will then need to migrate instances from the old VLAN to the new one.  This doesn't require instance downtime; you'll get detailed instructions on the migration from Support when the second VLAN is created.

We will have an API for ACLs. Also the portal.
Relevant tickets: #4128 /#4625/#3952

What about instructions:

1. When you launch a new instance, please use the "--ip" flag of the "manage-instance launch" command to explicitly declare the IP address of the instance in the new address block. – Really it'll be part of the instruction – Vladimir

Meanwhile I'll prepare instructions on how to deal with multi-VLAN environment, how to migrate instances from old IP space to the new one with the existing API/CLI functionality, et cetera. – Actually Alexander Novitskiy is communicating with GiftReal (RT:5483) and OpenAds (RT:5118) on this.

Assigning IP addresses from your VLAN

manage-instance launch --name, --cpu-units, --server-id, --memory, --disk, --share-name,
--path, --ip, --upload, --authorized-keys, --async

Migrating to a new VLAN can be done without downtime; you will assign each item in your VLAN a second IP address for the duration of the migration.  Detailed instructions on VLAN migration will be provided when you make your request to Support.

Note: We assume that customer IP requests are for usable IP addresses; the eight addresses used for network gear have already been accounted for when an IP range is allocated.

Further Information

Network Architecture
How to Set Firewall Rules
Enabled Port Ranges
Direct Connection to 3rd Party Datacenters
Software VPN
VLAN Tagging and Instance Security
manage-vlan CLI tool

Troubleshooting

Connectivity Issues

As always, please create a ticket at https://portal.appnexus.com/ or contact us at support@appnexus.com if you have any questions or concerns.