5.9. Integrated Network Appliance
Important
- When you start using the Integrated Network Appliance service, the stateful packet inspection function, which blocks illegal access by inspecting the data of packets that pass through the Integrated Network Appliance and opening or closing ports according to their contents, is enabled. This function cannot be disabled.
Note
- Either the Integrated Network Appliance or the vFirewall must be contracted for one Data Center within one Enterprise Cloud service contract. The two services cannot be used simultaneously, and multiple instances cannot be used.
5.9.1. Available Features

Connection to each network

Destination Network | Connection Conditions |
---|---|
Internet Transit | If the Internet Connectivity service is selected, connection to the Internet transit is always established. |
VPN Transit | If the VPN Connectivity service is selected, connection to the VPN transit is always established. |
Server Segment | If a Server Segment is added, connection to the Server Segment is provided. However, if “Do not connect to the Integrated Network Appliance.” is selected when adding a Server Segment, connection to the Server Segment is not provided. |

Interface | Allocatable IP Addresses |
---|---|
Virtual Network Interface for connecting to Internet Transit (called the “network interface on the Internet Transit-side” below) | NTT Communications selects IP addresses from the block of Global IP Addresses that is ordered separately. |
Virtual Network Interface for connecting to VPN Transit (called the “network interface on the VPN Transit-side” below) | NTT Communications selects IP addresses from the block of IP addresses of the customer’s VPN (called the “IP address block for VPN Transit” below). |
Virtual Network Interface for connecting to a Server Segment (called the “network interface on the Server Segment-side” below) | Customers can select the IP address from the available IP addresses in the Server Segment. The IP address of the Server Segment-side network interface can be specified only when the Server Segment is created based on the application form; if no IP address is specified, one is allocated automatically. |
Important
- IP addresses allocated to each interface of the Integrated Network Appliance cannot be changed after allocating them.
Features | Name of Available Rules | Details |
---|---|---|
Firewall feature | Firewall rule | Used to allow or deny communications that pass through the Integrated Network Appliance. |
NAT/NAPT feature | SNAT rule, DNAT rule | Used to translate IP addresses and ports for communications among Internet Transit, VPN Transit and Server Segments. |
Routing feature | Static routing | Provides routing for communications among Internet Transit, VPN Transit and Server Segments. |
Load balancing feature | Load balancing rule | Balances the load of communications from Internet Transit and VPN Transit. |
IPsec termination feature | IPsec termination rule | Terminates IPsec communications. |
Plans | Performance | Configurations |
---|---|---|
Compact | For customers who do not use the load balancing feature and IPsec termination feature. | Single configuration |
Compact (Redundant) | For customers who do not use the load balancing feature and IPsec termination feature. | Redundant configuration |
Large | For customers who use the load balancing feature and IPsec termination feature. | Single configuration |
Large (Redundant) | For customers who use the load balancing feature and IPsec termination feature. | Redundant configuration |
Important
- The Integrated Network Appliance plan can be specified at the time of submitting the application form. After the network is opened, the plan cannot be changed from Compact to Large or vice versa. (It is possible to change the plan from single configuration to redundant configuration or vice versa.)
Note
- If a redundant configuration plan is selected, a hot standby configuration is provided and switchover takes approximately 30 seconds. Even if a single configuration plan is selected, the underlying equipment is redundant: in case of failure the appliance is restarted on the backup equipment, and switchover takes approximately 5 to 10 minutes.
- All functions are available with the Compact plan. However, the Large plan is recommended when using the load balancing function and the IPsec termination function, because performance drops sharply otherwise.
5.9.2. Firewall Feature

Item | Details |
---|---|
Firewall Rule | Customers can configure arbitrary rule names. |
Source IP Address | Specifies the source IP address of IP packets. |
Source Service | Specifies the source service of IP packets as a port number when the protocol is TCP or UDP. If ICMP is specified as the protocol, the ICMP Type cannot be specified. |
Destination IP Address | Specifies the destination IP address of IP packets. |
Destination Service | Specifies the destination service of IP packets as a port number when the protocol is TCP or UDP. If ICMP is specified as the protocol, the ICMP Type cannot be specified. |
Protocol | Specifies the protocol of IP packets (TCP, UDP or ICMP). |
Actions | Specifies whether to allow or deny the passage of IP packets that match the conditions set by the above items. |
Enable | Enables or disables this rule. |
Important
- The firewall feature is set to deny all communications at the time of opening. Rules that explicitly allow specific communications must be configured before any traffic is permitted.
Note
- The priority of firewall rules can be set by changing their display order on the Customer Portal. Rules displayed higher on the Customer Portal have higher priority.
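The evaluation order described above (Global Rules first, then the customer's rules in Customer Portal display order, first match wins, anything unmatched denied), as an added Python simulation that is not part of this documentation or of the Customer Portal. The `Rule`/`evaluate` names, the sample Global Rule and the addresses are constructed for illustration.

```python
# Added example: simulate the Integrated Network Appliance firewall ordering.
# Global Rules outrank customer rules; within each list the Customer Portal
# display order (list order here) is the priority; unmatched packets are
# denied because the appliance denies everything at opening.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    protocol: str                   # "TCP", "UDP" or "ICMP"
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # source IP address or network
    dst: str = "0.0.0.0/0"          # destination IP address or network
    src_port: Optional[int] = None  # source service; TCP/UDP only
    dst_port: Optional[int] = None  # destination service; TCP/UDP only
    enabled: bool = True

    def __post_init__(self):
        # The page states that an ICMP rule cannot carry an ICMP Type in its
        # service fields, so a port on an ICMP rule is a configuration error.
        if self.protocol == "ICMP" and (self.src_port or self.dst_port):
            raise ValueError(f"{self.name}: ICMP rules cannot specify a service")

    def matches(self, proto, src, dst, sport=None, dport=None):
        if not self.enabled or self.protocol != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.protocol == "ICMP":
            return True
        return self.src_port in (None, sport) and self.dst_port in (None, dport)


def evaluate(global_rules, customer_rules, proto, src, dst, sport=None, dport=None):
    """Return (action, rule name) for one packet; unmatched packets are denied."""
    for rule in list(global_rules) + list(customer_rules):
        if rule.matches(proto, src, dst, sport, dport):
            return rule.action, rule.name
    return "deny", "<default deny>"


# Constructed sample policy: one web server in the Server Segment reachable
# from the Internet on TCP/443, ping allowed to the segment, SSH rule disabled.
# The Global Rule here is invented for the example, not an actual NTT rule.
GLOBAL_RULES = [Rule("global-deny-example", "TCP", "deny", src="192.0.2.0/24")]
CUSTOMER_RULES = [
    Rule("allow-https", "TCP", "allow", dst="10.0.10.10/32", dst_port=443),
    Rule("allow-ping", "ICMP", "allow", dst="10.0.10.0/24"),
    Rule("allow-ssh-disabled", "TCP", "allow", dst="10.0.10.10/32", dst_port=22, enabled=False),
]
```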
5.9.3. NAT/NAPT Feature

- NAT/NAPT for translating the source IP (called the “SNAT” rule below)
- NAT/NAPT for translating the destination IP (called the “DNAT” rule below)
Item | Details |
---|---|
Targeted network | Selects the destination network of the communications to which the SNAT rule is applied, from the Internet Transit, VPN Transit and Server Segments connected to the Integrated Network Appliance. |
Source IP address before conversion | Specifies the source IP address before it is translated by this rule. |
Source IP address after conversion | Specifies the source IP address after it is translated by this rule. |
Enable | Enables or disables this rule. |

Item | Details |
---|---|
Targeted network | Selects the destination network of the communications to which the DNAT rule is applied, from the Internet Transit, VPN Transit and Server Segments connected to the Integrated Network Appliance. |
Source IP address before conversion | Specifies the IP address before it is translated by this rule. |
Destination port number before conversion/ ICMP Type | If TCP or UDP is specified as the protocol, specifies the port number before it is translated by this rule. If ICMP is specified as the protocol, the ICMP Type needs to be specified. |
Source IP address after conversion | Specifies the IP address after it is translated by this rule. |
Destination port number after conversion/ ICMP Type | If TCP or UDP is specified as the protocol, specifies the port number after it is translated by this rule. If ICMP is specified as the protocol, the ICMP Type needs to be specified. |
Protocol | Specifies the protocol (TCP, UDP or ICMP) of the communications to which this rule is applied. |
Enable | Enables or disables this rule. |
Note
- You can translate IP addresses either 1 to 1 or 1 to N.
- The IP addresses that can be set for NAT/NAPT differ depending on the network on which NAT/NAPT is executed:
  - Internet Transit: a Global IP Address, from those used for Internet Connectivity, that is not allocated to the Internet GW
  - VPN Transit: an unused IP address from the IP address block allocated to VPN Transit
  - Server Segment: any IP address in the IP address block allocated to the Server Segment
- If using VPN Connectivity that supports the Customer Portal, the maximum number of NAT rules that can use an IP address assigned to VPN Transit is 1.
5.9.4. Routing Feature

Item | Details |
---|---|
Static routing name | Customers can set an arbitrary rule name. |
Network | Specifies the destination L3 network of the target communications. |
Next hop | Specifies the next hop. |
Targeted network | Selects the L2 network that is the next destination of the communications to which this rule is applied, from the Internet Transit, VPN Transit and Server Segments connected to the Integrated Network Appliance. |
Note
- If Internet Connectivity and VPN Connectivity are used simultaneously, communications must not be relayed directly between the Internet and the VPN. If NTT Communications detects settings that enable such communications, we may delete the settings or restrict communications without advance notice.
- A route in which the same interface is used as both the input interface and the output interface cannot be set.

Item | Conditions |
---|---|
Internet Transit | When using Internet Connectivity, Internet Transit can be selected for the default route. |
VPN Transit | When using VPN Connectivity, VPN Transit can be selected for the default route. |
5.9.5. Load Balancing Feature

Item | Details |
---|---|
Load balancing rule name | Customers can set an arbitrary rule name. |
Explanation | Customers can enter an arbitrary description of this rule. |
IP address | The IP address disclosed to clients. This rule is applied to communications whose destination IP address is this IP address. |
Pool | Specifies the destination server pool of this rule (server pools are described below). |
Protocol | Specifies the protocol to which this rule is applied. |
Session Maintenance Method | Selects the method for maintaining sessions under this rule. |
Enable | Enables or disables this rule. |

Item | Details |
---|---|
Server pool name | Customers can set an arbitrary pool name. |
Explanation | Customers can enter an arbitrary description of this server pool. |
Member | Registers one or more servers in this server pool. |
Protocol | Specifies the protocol of the communications distributed to each server. |
Port | Specifies the port number of the communications distributed to each server. |
Protocol for monitoring | Selects the protocol used for the health check of the servers registered in the server pool. |
Load balancing method | Selects the load balancing method used when load is distributed to this server pool. |
Note
- The IP addresses that can be specified for a load balancing rule differ depending on the network on which communication is established:
  - Internet Transit: a Global IP Address, from those used for Internet Connectivity, that is not allocated to the Internet GW
  - VPN Transit: an unused IP address from the IP address block allocated to VPN Transit
- Until February 19, 2020, any IP address in a Server Segment could be specified as the IP address of a load balancing rule; from that date this is no longer possible due to a change in the service specification. Rules that used a Server Segment IP address before the specification change can continue to be used. However, once the IP address specified in such a rule is deleted, the same setting cannot be configured again, so do not delete the IP address. Attempting to change it to an IP address of another Server Segment also results in an error, so do not change the IP address.
- Health checks are executed for each server registered as a member of a server pool with the following settings:
  - Interval (health check interval): 5 seconds
  - Timeout (threshold for determining a timeout): 15 seconds
  - Healthy threshold (number of successes required to determine that a server has recovered): 2 times
  - Unhealthy threshold (number of failures required to determine that a server has failed): 3 times
- The source IP address of communications to which a load balancing rule is applied and which are delivered to each server in the server pool is the IP address allocated to the Server Segment-side interface of the Integrated Network Appliance. However, the X-Forwarded-For header is enabled by default, so the original (pre-SNAT) source IP address can be checked in the HTTP header.
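The health check thresholds and the X-Forwarded-For behaviour above, as an added Python simulation that is not part of this documentation. It assumes the success and failure counts refer to consecutive probes (the page does not say); the `Member` class, the function names, the pool address and the probe results are constructed.

```python
# Added example: replay the server-pool health check thresholds stated on the
# page and recover the pre-SNAT client address on a pool member.
from dataclasses import dataclass
from ipaddress import ip_address

INTERVAL_S = 5   # health check interval stated on the page
TIMEOUT_S = 15   # a reply slower than this (or no reply) counts as a failure
RISE = 2         # successes before a member is considered recovered
FALL = 3         # failures before a member is considered failed


@dataclass
class Member:
    address: str
    healthy: bool = True
    successes: int = 0   # consecutive successes since the last failure (assumed)
    failures: int = 0    # consecutive failures since the last success (assumed)

    def record_probe(self, reply_time_s):
        """Feed one probe result (seconds to reply, or None for no reply).

        Returns True when the member's health state changed."""
        before = self.healthy
        if reply_time_s is None or reply_time_s > TIMEOUT_S:
            self.failures, self.successes = self.failures + 1, 0
            if self.failures >= FALL:
                self.healthy = False
        else:
            self.successes, self.failures = self.successes + 1, 0
            if self.successes >= RISE:
                self.healthy = True
        return before != self.healthy


def replay(reply_times):
    """Replay probe results against a fresh member; return health after each probe."""
    member = Member("10.0.10.11")   # constructed pool member address
    return [member.healthy for t in reply_times if member.record_probe(t) or True]


def original_client_ip(source_ip, x_forwarded_for, appliance_ip):
    """Recover the pre-SNAT client address on a pool member.

    Traffic from the load balancer arrives with the appliance's Server
    Segment-side address as the source IP and the original client in
    X-Forwarded-For. Trust the header only when the packet really came from
    the appliance, and only its last entry (the one the appliance appended);
    earlier entries can be supplied by the client itself."""
    if ip_address(source_ip) != ip_address(appliance_ip) or not x_forwarded_for:
        return source_ip
    return x_forwarded_for.split(",")[-1].strip()
```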
5.9.6. IPsec Termination Function

Item | Details |
---|---|
IPsec termination rule name | Customers set an arbitrary rule name. |
Explanation | Customers enter a description of this IPsec termination rule. |
Local Network | Specifies the Server Segment that is connected to the external VLAN via IPsec communication. |
Peer Network | Specifies the IP subnet of the external VLAN connected via IPsec communication. |
Local Endpoint | Specifies the interface of the Integrated Network Appliance that terminates the IPsec communication. |
Local ID | Specifies an arbitrary unique ID configured on the Integrated Network Appliance, used to authenticate to the peer VPN device. |
Peer ID | Enters the ID specified by the IPsec termination equipment on the external VLAN side, used to authenticate the peer VPN device. |
Peer IP | Enters the fixed IP address used for IPsec communication that is allocated to the IPsec termination equipment on the external VLAN side. |
Encryption Protocol | Specifies the encryption algorithm (AES [128-bit], AES256 [256-bit] or 3DES) used for IPsec communications (the same algorithm is used for Phase 1 and Phase 2). |
Shared key | Specifies the shared key used for authentication. |
MTU | Sets the maximum size of one frame sent or received through IPsec communications. |
Enable | Selects whether to enable or disable this rule. |
Important
- This feature enables the settings for terminating IPsec communications. Actual connectivity is not included in this service. Questions about the setting contents and investigation of the communication state are outside the scope of support.
- To establish IPsec communications, equipment for IPsec communication is required on the external VLAN side in addition to this function. Customers need to prepare the equipment on the external VLAN side. Equipment on the external VLAN side is not supported by NTT Communications. (If the external VLAN is a Server Segment within the Enterprise Cloud service contract, the settings for establishing IPsec communications between the two Integrated Network Appliances are available.)
Note
- One rule connects one Server Segment to one external VLAN. To establish 1-to-N or N-to-1 connections, multiple IPsec termination rules need to be combined.
- IPsec communications that pass through Internet Transit or VPN Transit can be terminated. IPsec communications that pass through a Server Segment cannot be terminated.
- Do not perform multicast or broadcast communications through IPsec communications. If NTT Communications finds such communications, we may take actions, such as restricting communications, without prior notice.
- Active mode is not supported by this feature; therefore the Peer IP needs to be a fixed IP address that is reachable from the Integrated Network Appliance.
- DPD (Dead Peer Detection) based on RFC 3706 is compulsorily enabled in the IPsec function; therefore IPsec disconnection is detected in real time.
- If disconnection is detected, reconnection attempts continue for 110 seconds with 10-second pauses. This process repeats indefinitely until reconnection.
- The following items are configured as default settings of the Integrated Network Appliance.

Phase | Parameter | Value |
---|---|---|
 | Key management protocol | IKEv1 (ISAKMP + Oakley) |
Phase 1 | Authentication Method | pre-shared key |
Phase 1 | DH group | 2 |
Phase 1 | Hash Algorithm | SHA1 |
Phase 1 | ISAKMP SA lifetime | 28800 seconds |
Phase 1 | Key exchange mode | Main mode |
Phase 2 | IPsec SA lifetime | 3600 seconds |
Phase 2 | Security protocol | ESP |
Phase 2 | Authentication Algorithm | HMAC-SHA1 |
Phase 2 | Perfect Forward Secrecy | Enabled |
Phase 2 | DH group | 2 |
Phase 2 | Encapsulation mode | Tunnel |
Phase 2 | Key exchange mode | Quick mode |
5.9.7. Important Points

Rules Set by NTT Communications (Global Rule)

- Customers can refer to the Global Rule. However, please note that we may not be able to answer questions regarding the specific purpose and details of the Global Rule.
- Customers cannot edit or delete the Global Rule.
- The Global Rule is set with higher priority than the various rules set by customers.
- Please note that the Global Rule may be added, changed or deleted by us without prior notice.
Important
- When monitoring of a virtual server starts, an SNAT rule and a DNAT rule are added for each virtual server to be monitored.
Feature | Maximum number of rules that can be set |
---|---|
Firewall rule | Approximately 100 rules (including Global Rules) |
SNAT rule, DNAT rule | Approximately 100 rules in total (SNAT and DNAT rules combined, including Global Rules) |
Static routing | Maximum 64 rules |
Load balancing rule | Approximately 3 rules |
IPsec termination rules | Approximately 50 rules |
Note
- Performance is likely to degrade as the number of configured rules increases.
- Although various communication rules can be set by using this service, customers are responsible for the setting contents; therefore NTT Communications cannot guarantee the validity and accuracy of the settings. In addition, we cannot compensate for damages caused by defects in the settings (however, we are responsible for setting the Global Rules).
- Communication interruptions might occur when you change the settings of the Integrated Network Appliance from the Customer Portal.
- NTT Communications does not support operation in cases where the routing settings are the same as the following IP addresses:
  - Global IP address
  - VPN Transit IP address block
  - Server Segment IP address block
  - Non-duplicable IP address ranges indicated in the Important Points of the Server Segment section
- An IP address assigned as a static routing destination cannot be set within the following IP address blocks:
  - VPN Transit IP address block
  - Server Segment IP address block
5.9.8. Reference Information

Various Recommended Values of the Integrated Network Appliance

Item | Recommended Value | Details |
---|---|---|
Performance | Approximately up to 100 Mbps | Although performance is not restricted, approximately up to 100 Mbps is expected regardless of plan, based on verification results. In addition, performance degrades in inverse proportion to the number of rules set. |
Number of load balancing rules | 3 | Although it may be possible to set more than 3 rules depending on the customer’s usage situation, we can only support up to 3 rules. |
Number of virtual servers in use | Approximately 20 | Two NAT rules are set per VM as Global Rules in order to execute VM monitoring. Along with these, a maximum of 4 NAT rules are consumed per VM if NAT rules are also set for Internet communications; therefore approximately 20 VMs is the expected maximum. |
Downtime in case of redundancy plan | Approximately 30 seconds | When using the redundant plan, recovery with a downtime of approximately 30 seconds is expected. |
- ASA5510
- Vyatta Core 6.6R1
- Integrated Network Appliance (this service)