At AppNexus every customer has a private VLAN, or Virtual Local Area Network, made of list of IP addresses (do they have to be sequential?) than can be assigned to the instances that they launch on the AppNexus system. Every AppNexus customer has at least one VLAN in each datacenter where they have equipment. Every VLAN has bi-directional Access Control List (ACL) that protects traffic to and from the VLAN. Extensive use of VLANs provides segregation of each customer's traffic from AppNexus traffic and other customers' traffic. meaning only explicitly permitted traffic is allowed to pass. The use of TCP-based protocols provides connection reliability and allows for session protection via ACLs and host firewalling.
with 8, 24, 56 or 120 IP addresses (how many are used for equipment already?). By default, all ports between your two VLANs will be open. Traffic between LAX1 and NYM1 travels over the Internet and is not encrypted. Customers can request multiple VLANs in a single datacenter if desired.
Bi-directional ACLs are applied on every routing interface with a Default Deny policy,
ACLs (Access Control Lists) are controlled by the customer. ACL refers to a list IP addresses, both origin and destination, and ports where traffic is permitted to pass. The *router* does this?
Relevant here? There is extensive use of encryption (SSH, SSL-VPN) throughout the network.
VLANs and datacenters
Firewall and ACLs
If you run out of IP addresses in your VLAN.
Assignment of new VLANs could take up to workday, as it involves changes in ACL rules for all your VLANs.
You can either migrate to a larger one or, have a second one. Migration currently requires brief downtime.
We will have an API for ACLs. Also the portal.
Relevant tickets: #4128 /#4625/#3952
5. Will migrating be available through the API in the future?
What about instructions:
1. When you launch new instance, please use --ip= flag of `manage-instance launch` command to explicitly declare IP address of instance in new address block.
2. Please note new command `manage-instance bundle` implemented in last CLI release. With this command you're able to migrate your instances to new address space right now. You need to create images from every your instance and launch instances from these images in new address space. Please note that making image requires shutting down origianl
Migrating to new addressspace is not mandatory right now - in case if you don't need PTR (reverse DNS) records for your old instances. You may wait till we will implement and release features for more convenient migration.
By default when we assign second VLAN in the same datacenter, we apply to the new VLAN all general (not host-specific) rules from the old VLAN, and open all traffic between VLANs in the same datacenter. Let us know if we should change these rules.
Meanwhile I'll prepare instructions on how to deal with multi-VLAN environment, how to migrate instances from old IP space to the new one with the existing API/CLI functionality, et cetera.
Assigning IP addresses from your VLAN
Stateful firewalls vs. ACLs.
A firewall with a stateful packet inspection looks at packets in groups rather than individually. It keeps track of which packets have passed through the firewall and and can detect patterns that indicate unauthroized access. Imn some cases, teh firewall may hold on to pakcets as they arrive until the firewall gathers enough infomration to make a decision about authorization or rejection. Appnexus does not use a stateful firewall but instead an ACL. Stateful inspection is most useful for protecting outbound traffic, but with hosting, the servers tend to receive traffic instead of initiate it. Also, because we are dealing with an unknown amount of traffic, the ability to scale is very important. Stateful inspection is an expensive task for a device to perform and therefore subject to strict capacity limitations (we're talking sub Gigabit for most firewalls). On the other hand, Cisco routers perform ACL packet filtering at line rate with absolutely no performance hit. So, while stateful inspection is appropriate for small, stable amounts of outbound traffic or for protecting niche pieces of the network, (like e-commerce databases), ACLs are more scalable and efficient for protecting inbound traffic to servers. If a customer still desires a stateful firewall, we can add it for a fee.