At AppNexus every customer has a private VLAN, or Virtual Local Area Network.
Extensive use of VLANs segregates each customer's traffic from AppNexus traffic and from other customers' traffic, meaning only explicitly permitted traffic is allowed to pass. Every VLAN has an Access Control List (ACL) that protects traffic to the VLAN. The use of TCP-based protocols provides connection reliability and allows for session protection via ACLs and host firewalling.
Your VLAN is a sequential list of IP addresses that can be assigned to the instances you launch on the AppNexus system. A VLAN can consist of 8, 24, 56 or 120 IP addresses (we assign 2^8 addresses, but eight of them are reserved for networking equipment so that it can act as if it belonged to an individual VLAN). By default, all ports between your two VLANs in different datacenters will be open. Traffic between LAX1 and NYM1 travels over the Internet and is not encrypted.
All outgoing traffic is allowed.
For incoming traffic, a customer may request an ACL (Access Control List) change: an ALLOW or DENY rule for TCP, UDP or ANY protocol, for particular source and destination IPs and ports. The default rule is deny all.
VLANs and datacenters
Firewall and ACLs
If you run out of IP addresses in your VLAN
Assignment of a new VLAN can take up to a workday, as it involves changes to the ACL rules for all your VLANs. Because the second VLAN is assigned only temporarily (for the duration of the migration), you will have to migrate instances from the old VLAN to the new one. This does not require instance downtime; you will get detailed instructions on the migration from Support when the second VLAN is created.
We will have an API for ACLs, and also portal support.
Relevant tickets: #4128 / #4625 / #3952
5. Will migrating be available through the API in the future?
More no than yes (at least, not in the next 6 months). – Vladimir
What about instructions:
1. When you launch a new instance, please use the "--ip" flag of the "manage-instance launch" command to explicitly declare the IP address of the instance in the new address block. – Really it'll be part of the instruction – Vladimir
2. We can migrate without downtime now – Vladimir
Migration out of "8.10.*" IP space will be done soon systemwide. – Vladimir
No second VLANs in the same DC, no instructions on this. – Vladimir
Meanwhile I'll prepare instructions on how to deal with multi-VLAN environment, how to migrate instances from old IP space to the new one with the existing API/CLI functionality, et cetera. – Actually Alexander Novitskiy is communicating with GiftReal (RT:5483) and OpenAds (RT:5118) on this.
Assigning IP addresses from your VLAN
Stateful firewalls vs. ACLs
A firewall with stateful packet inspection looks at packets in groups rather than individually. It keeps track of which packets have passed through the firewall and can detect patterns that indicate unauthorized access. In some cases, the firewall may hold packets as they arrive until it has gathered enough information to decide whether to authorize or reject them. AppNexus does not use a stateful firewall but an ACL. Stateful inspection is most useful for protecting outbound traffic, but with hosting, the servers tend to receive traffic rather than initiate it. Also, because we are dealing with an unknown amount of traffic, the ability to scale is very important. Stateful inspection is an expensive task for a device to perform and is therefore subject to strict capacity limitations (we're talking sub-gigabit for most firewalls). On the other hand, Cisco routers perform ACL packet filtering at line rate with no performance hit. So, while stateful inspection is appropriate for small, stable amounts of outbound traffic or for protecting niche pieces of the network (like e-commerce databases), ACLs are more scalable and efficient for protecting inbound traffic to servers. If a customer still desires a stateful firewall, we can add it for a fee. – This paragraph ideally should be checked by Peak / Mike – Vladimir.
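As an added example (not AppNexus code or documentation), the following Python models the difference this section describes and the rule form the "Firewall and ACLs" section lets customers request: an ordered ACL applied to each inbound packet on its own (protocol TCP/UDP/ANY, source and destination prefixes and port, ALLOW or DENY, all outbound traffic allowed, deny-all default), beside a stateful firewall that uses the same rules but also remembers outbound flows. The VLAN prefix, the addresses, the rule set and the `established`-style ACK-flag match are constructed for this example and are not real AppNexus values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool           # True = entering the VLAN, False = leaving it
    tcp_ack: bool = False   # TCP ACK flag set (only meaningful when proto == "tcp")


@dataclass(frozen=True)
class Rule:
    """One ACL entry in the shape a customer would request (assumed field names)."""
    action: str                       # "ALLOW" or "DENY"
    proto: str = "ANY"                # "TCP", "UDP" or "ANY"
    src: str = "0.0.0.0/0"            # source prefix
    dst: str = "0.0.0.0/0"            # destination prefix
    dst_port: Optional[int] = None    # None = any destination port
    established: bool = False         # match only TCP packets with ACK set (router "established" style)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ANY" and self.proto.lower() != pkt.proto:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.tcp_ack):
            return False
        if ip_address(pkt.src_ip) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst_ip) not in ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port


class Acl:
    """Stateless filter: every packet is judged alone. Outbound is always allowed;
    inbound takes the action of the first matching rule and otherwise falls through to DENY."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        if not pkt.inbound:
            return "ALLOW"
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "DENY"


class StatefulFirewall(Acl):
    """Same rule list plus a session table: an inbound packet that reverses a flow
    previously seen leaving the VLAN is admitted without an explicit inbound rule."""

    def __init__(self, rules):
        super().__init__(rules)
        self.sessions = set()

    def decide(self, pkt: Packet) -> str:
        if not pkt.inbound:
            self.sessions.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_of in self.sessions:
            return "ALLOW"
        return super().decide(pkt)


# Constructed sample: a /25 customer VLAN and the rules the customer asked for.
VLAN = "10.1.2.0/25"
RULES = [
    Rule("ALLOW", "TCP", dst=VLAN, dst_port=80),                        # web from anywhere
    Rule("ALLOW", "TCP", src="203.0.113.0/24", dst=VLAN, dst_port=22),  # ssh from the office prefix only
]


def run_scenarios(rules=RULES):
    """Run one packet stream through both filters; return {scenario: (acl_verdict, stateful_verdict)}."""
    acl, fw = Acl(rules), StatefulFirewall(rules)
    packets = {  # constructed traffic, processed in this order
        "web_from_internet": Packet("tcp", "198.51.100.7", 51000, "10.1.2.10", 80, inbound=True),
        "ssh_from_internet": Packet("tcp", "198.51.100.7", 51001, "10.1.2.10", 22, inbound=True),
        "ssh_from_office":   Packet("tcp", "203.0.113.5", 51002, "10.1.2.10", 22, inbound=True),
        "outbound_https":    Packet("tcp", "10.1.2.10", 40000, "198.51.100.20", 443, inbound=False),
        "https_reply":       Packet("tcp", "198.51.100.20", 443, "10.1.2.10", 40000, inbound=True, tcp_ack=True),
    }
    return {name: (acl.decide(p), fw.decide(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:20s} ACL={verdicts[0]:5s} stateful={verdicts[1]}")
```

The last scenario is the practical consequence of the trade-off above: the ACL has no memory, so the reply to a connection the instance opened is dropped unless some inbound rule admits it, while the stateful firewall admits it from its session table. The usual stateless workaround is an extra rule that matches TCP packets with the ACK bit set (the "established" flag on the `Rule` here), which admits replies at line rate but decides on the flag alone rather than on a tracked session; that gap is why the host firewalling mentioned at the top of this page still matters on the instances themselves.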