5.9. Integrated Network Appliance

The Integrated Network Appliance service provides virtual network devices equipped with a firewall function, NAT/NAPT function, routing function, load balancing function and IPsec termination function. With the Integrated Network Appliance service, one virtual network device dedicated to the customer (called the “Integrated Network Appliance” below) is provided. Various parameters can be changed from the Customer Portal.

Important

  • When the Integrated Network Appliance service is started, the stateful packet inspection function is enabled. It blocks illegal access by inspecting the data of packets that pass through the Integrated Network Appliance and opening/closing ports according to their contents. This function cannot be disabled.

Note

  • Either the Integrated Network Appliance or the vFirewall needs to be contracted for one Data Center in one Enterprise Cloud service contract. These services cannot be used simultaneously, and multiple instances of either service cannot be used.

5.9.1. Available Features

Connection to each network
The Integrated Network Appliance can connect to the following networks.
Destination Network | Connection Conditions
Internet Transit | If the Internet Connectivity service is selected, connection to the Internet transit is always established.
VPN Transit | If the VPN Connectivity service is selected, connection to the VPN transit is always established.
Server Segment | If a Server Segment is added, connection to the Server Segment is provided. However, if “Do not connect to the Integrated Network Appliance.” is selected when adding a Server Segment, connection to the Server Segment is not provided.

Interfaces of the Integrated Network Appliance
Interfaces and allocable IP addresses that are provided by the Integrated Network Appliance are shown below.
Interface | Allocatable IP Addresses
Virtual Network Interface for connecting to Internet Transit (called the “network interface on the Internet Transit-side” below) | NTT Communications selects IP addresses from the block of Global IP Addresses that are ordered separately.
Virtual Network Interface for connecting to VPN Transit (called the “network interface on the VPN Transit-side” below) | NTT Communications selects IP addresses from the block of IP addresses for the customer’s VPN (called the “IP address block for VPN Transit” below).
Virtual Network Interface for connecting to a Server Segment (called the “network interface on the Server Segment-side” below) | Customers can select the IP address from the available IP addresses in the Server Segment. (You can specify the IP address of the Server Segment-side network interface only when the Server Segment is created based on the application form. If no IP address is specified, one is allocated automatically.)

Important

  • IP addresses allocated to each interface of the Integrated Network Appliance cannot be changed after allocating them.
Main Features of the Integrated Network Appliance
Features and rules that can be set for the Integrated Network Appliance are shown below.
Feature | Name of Available Rules | Details
Firewall feature | Firewall rule | Used to allow or deny communications that pass through the Integrated Network Appliance.
NAT/NAPT feature | SNAT rule, DNAT rule | Used to convert IP addresses and ports for communications that pass among Internet Transit, VPN Transit and Server Segments.
Routing feature | Static routing | Provides routing for communications among Internet Transit, VPN Transit and Server Segments.
Load balancing feature | Load balancing rule | Balances the load of communications from Internet Transit and VPN Transit.
IPsec termination feature | IPsec termination rule | Terminates IPsec communications.

Plans of the Integrated Network Appliance
You can choose from the following four Integrated Network Appliance plans. Available performance and configurations vary depending on the plan that you order.
Plan | Performance | Configuration
Compact | For customers who do not use the load balancing feature and IPsec termination feature. | Single configuration
Compact (Redundant) | For customers who do not use the load balancing feature and IPsec termination feature. | Redundant configuration
Large | For customers who use the load balancing feature and IPsec termination feature. | Single configuration
Large (Redundant) | For customers who use the load balancing feature and IPsec termination feature. | Redundant configuration

Important

  • The Integrated Network Appliance plan can be specified at the time of submitting the application form. After the network is opened, the plan cannot be changed from Compact to Large or vice versa. (It is possible to change the plan from single configuration to redundant configuration or vice versa.)

Note

  • If the redundant configuration plan is selected, a hot standby configuration is provided and switchover takes approximately 30 seconds. Even if the single configuration plan is selected, the underlying equipment is redundant: in case of failure the appliance is restarted on the backup equipment, and switchover takes approximately 5 to 10 minutes.
  • All functions are available with the Compact plan. However, the Large plan is recommended when using the load balancing function and IPsec termination function because of the drop in performance.

5.9.2. Firewall Feature

With this feature, the firewall rules for allowing or denying specific IP packets of communications that pass through the Integrated Network Appliance can be configured.
The following conditions can be specified for each firewall rule as the condition for IP packet to which the firewall rule is applied.
Item | Details
Firewall Rule | Customer can configure an arbitrary rule name.
Source IP Address | Specifies the source IP address of IP packets.
Source Service | Specifies the source service of IP packets as a port number when the protocol is TCP or UDP. If the protocol is ICMP, an ICMP Type cannot be specified.
Destination IP Address | Specifies the destination IP address of IP packets.
Destination Service | Specifies the destination service of IP packets as a port number when the protocol is TCP or UDP. If the protocol is ICMP, an ICMP Type cannot be specified.
Protocol | Specifies the protocol of IP packets (TCP, UDP or ICMP).
Actions | Specifies whether to allow or deny the passage of IP packets that match the conditions set by the above items.
Enable | Enables/disables this rule.

Important

  • The firewall feature is set to deny all communications at the time of opening. Settings for enabling specific communications are required to allow communications.

Note

  • Priority of firewall rules can be set by changing the display order on the Customer Portal. Higher display order on the Customer Portal has higher priority level.
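To make the rule semantics above concrete, here is a small evaluator added for this section (not code from the service or from NTT Communications): it encodes the rule fields from the table, first match in portal display order with the Global Rules of 5.9.7 consulted ahead of customer rules, and the deny-all default at opening. The sample policy and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of the rule fields in the table above. The appliance's real
# matching engine is not public; only first match in display order, Global Rules
# ahead of customer rules, and the opening default of deny-all come from the page.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "TCP", "UDP" or "ICMP"
    sport: Optional[int] = None   # None for ICMP
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # single IP, CIDR, or "any"
    dst: str
    proto: str
    action: str                   # "allow" or "deny"
    sport: Optional[int] = None   # Source Service: a port, TCP/UDP only
    dport: Optional[int] = None   # Destination Service: a port, TCP/UDP only
    enabled: bool = True

    def __post_init__(self) -> None:
        # The page states an ICMP rule cannot carry an ICMP Type as its service,
        # so an ICMP rule matches on addresses and protocol only.
        if self.proto == "ICMP" and (self.sport is not None or self.dport is not None):
            raise ValueError(f"{self.name}: ICMP rules cannot specify a service")

def _ip_in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def _port_ok(want: Optional[int], have: Optional[int]) -> bool:
    return want is None or want == have

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.enabled and rule.proto == pkt.proto
            and _ip_in(pkt.src, rule.src) and _ip_in(pkt.dst, rule.dst)
            and _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport))

def evaluate(global_rules: List[Rule], customer_rules: List[Rule],
             pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name). Global Rules are consulted first, then the
    customer rules in portal display order; with no match the packet is denied,
    which is the appliance's state at opening before any allow rule exists."""
    for rule in list(global_rules) + list(customer_rules):
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "<default deny>"

# Constructed sample policy using RFC 5737 documentation address ranges.
GLOBAL_RULES = [Rule("global-monitor", "192.0.2.10", "10.0.1.0/24", "ICMP", "allow")]
CUSTOMER_RULES = [
    Rule("web-in", "any", "10.0.1.20", "TCP", "allow", dport=443),
    Rule("no-telnet", "any", "10.0.1.0/24", "TCP", "deny", dport=23),
    Rule("old-ssh", "any", "10.0.1.20", "TCP", "allow", dport=22, enabled=False),
]

if __name__ == "__main__":
    https = Packet("198.51.100.7", "10.0.1.20", "TCP", sport=51000, dport=443)
    ssh = Packet("198.51.100.7", "10.0.1.20", "TCP", sport=51001, dport=22)
    print(evaluate(GLOBAL_RULES, CUSTOMER_RULES, https))  # ('allow', 'web-in')
    print(evaluate(GLOBAL_RULES, CUSTOMER_RULES, ssh))    # ('deny', '<default deny>')
```

Reordering the two telnet rules in the test below flips the verdict, which is exactly the display-order priority the Note describes.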

5.9.3. NAT/NAPT Feature

You can set IP Address Translation and IP Address Port Translation (called “SNAT/DNAT” below) rules for communications that pass through the Integrated Network Appliance.
There are 2 types of NAT/NAPT rules for the Integrated Network Appliance.
  • NAT/NAPT for converting the source IP (called “SNAT” rule below)
  • NAT/NAPT for converting the destination IP (called “DNAT” rule below)
SNAT Feature
The following items can be set for one SNAT rule.
Item | Details
Targeted network | Selects the destination network of communications to which the SNAT rule is applied from the Internet Transit, VPN Transit and Server Segments connected to the Integrated Network Appliance.
Source IP address before conversion | Specifies the source IP address before it is converted by this rule.
Source IP address after conversion | Specifies the source IP address after conversion by this rule.
Enable | Enables or disables this rule.

DNAT Feature
The following items can be set for one DNAT rule.
Item | Details
Targeted network | Selects the destination network of communications to which the DNAT rule is applied from the Internet Transit, VPN Transit and Server Segments connected to the Integrated Network Appliance.
Source IP address before conversion | Specifies the IP address before it is converted by this rule.
Destination port number before conversion/ICMP Type | If the protocol is TCP or UDP, specifies the port number before conversion by this rule. If the protocol is ICMP, the ICMP Type must be specified.
Source IP address after conversion | Specifies the IP address after conversion by this rule.
Destination port number after conversion/ICMP Type | If the protocol is TCP or UDP, specifies the port number after conversion by this rule. If the protocol is ICMP, the ICMP Type must be specified.
Protocol | Specifies the protocol (TCP/UDP/ICMP) of communications to which this rule is applied.
Enable | Enables or disables this rule.

Note

  • You can translate IP addresses either 1 to 1 or 1 to N.
  • The IP addresses that can be set for NAT/NAPT differ depending on the network on which NAT/NAPT is executed.
    • Internet Transit: a Global IP Address, among the global IP addresses used for Internet Connectivity, that is not allocated to the Internet GW
    • VPN Transit: an unused IP address from the IP address block allocated to VPN Transit
    • Server Segment: any IP address in the IP address block allocated to the Server Segment
  • If VPN Connectivity that supports the Customer Portal is used, at most one NAT rule can use an IP address assigned to VPN Transit.


5.9.4. Routing Feature

The Integrated Network Appliance is equipped with the feature that establishes connection of Internet Transit, VPN Transit and Server Segment and executes the routing among them. In addition, the static routing can be set.
Static Routing
Static routing can be set to the Integrated Network Appliance.
Following are routing conditions that can be configured for each routing setting.
Item | Details
Static routing name | Customer can set an arbitrary rule name.
Network | Specifies the destination L3 network of the target communications.
Next hop | Specifies the next hop.
Targeted network | Selects the L2 network that is the next destination of communications to which this rule is applied from the Internet Transit, VPN Transit and Server Segments connected to the Integrated Network Appliance.

Note

  • If Internet Connectivity and VPN Connectivity are used simultaneously, do not configure communications that are relayed directly between the Internet and the VPN. If NTT Communications detects settings that perform such communications, we may delete the settings or restrict the communications without advance notice.
  • The routing in which the same interface is used for the input interface and output interface cannot be set.
Default Route
Default route of the Integrated Network Appliance can be set.
Following are items that can be set for the default route.
Item | Conditions
Internet Transit | When Internet Connectivity is used, Internet Transit can be selected as the default route.
VPN Transit | When VPN Connectivity is used, VPN Transit can be selected as the default route.

5.9.5. Load Balancing Feature

You can set load balancing rules that distribute the load of communications terminated at a specific IP address allocated to the Integrated Network Appliance.
You can set the following items for each load balancing rule.
Item | Details
Load balancing rule name | Customer can set an arbitrary rule name.
Explanation | Customer can input an arbitrary explanation of this rule.
IP address | The IP address disclosed to clients. This rule is applied to communications whose destination IP address is this IP address.
Pool | Specifies the destination server pool of this rule (server pools are described below).
Protocol | Specifies the protocol to which this rule is applied.
Session Maintenance Method | Selects the method for maintaining sessions under this rule.
Enable | Enables or disables this rule.

Server Pool of Load Balancing
Multiple servers to which load are distributed according to the load balancing rules can be registered as server pool. You can set the following items for each server pool.
Item | Details
Server pool name | Customer can set an arbitrary pool name.
Explanation | Customer can input an arbitrary explanation of this server pool.
Member | Registers one or more servers in this server pool.
Protocol | Specifies the protocol of the communication distributed to each server.
Port | Specifies the port number of the communication distributed to each server.
Protocol for monitoring | Selects the protocol used for the health check of servers registered in the server pool.
Load balancing method | Selects the load balancing method used when load is distributed to this server pool.

Note

  • IP addresses that can be specified in a load balancing rule differ depending on the network on which communication is established.
    • Internet Transit: a Global IP Address, among the global IP addresses used for Internet Connectivity, that is not allocated to the Internet GW
    • VPN Transit: an unused IP address from the IP address block allocated to VPN Transit
  • Regarding the IP address specified in the load balancing rule, any IP address in the Server Segment could previously be specified, but from February 19, 2020 this is no longer possible due to a change of service specification. If you were using an IP address of the Server Segment before the change, you can continue to use it. However, once you delete the IP address specified in the load balancing rule, you cannot configure the same setting again, so please do not delete the IP address. Also, if you try to change it to an IP address of another Server Segment, an error will occur, so please do not change the IP address.
  • The health check is executed for each server registered as a member of the server pool with the following settings.
    • Interval: health checks are sent every 5 seconds
    • Timeout: a check is judged to have timed out after 15 seconds
    • Healthy threshold: 2 successes to judge a server as recovered
    • Unhealthy threshold: 3 failures to judge a server as failed
  • The source IP of communications to which a load balancing rule is applied, as delivered to each server in the server pool, is the IP address allocated to the Server Segment-side interface of the Integrated Network Appliance. However, the X-Forwarded-For header is enabled by default, so the original source IP address (to which SNAT has not been applied) can be obtained from the HTTP header.
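As an added example (a constructed model, not the appliance's implementation), the following turns the health-check values above into detection and recovery timings for a pool member; it assumes checks run one at a time with each new check sent 5 seconds after the previous result is known, that the success and failure counts are consecutive, and that members start in the up state.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Thresholds quoted in the Note above.
INTERVAL = 5          # seconds between consecutive health checks
TIMEOUT = 15          # seconds after which an unanswered check counts as failed
HEALTHY_AFTER = 2     # successes needed before a member is put back in rotation
UNHEALTHY_AFTER = 3   # failures needed before a member is taken out of rotation

# Constructed model, not the appliance's implementation. Assumptions: checks run one
# at a time, each new check INTERVAL seconds after the previous result is known;
# success/failure counts are consecutive and reset each other; members start "up".
# What a server does with a check sent at time t: "ok", "fail" (answers with an
# error, so the check fails at once) or "silent" (never answers; the check times out).
ProbeBehaviour = Callable[[int], str]

@dataclass
class Member:
    name: str
    up: bool = True
    successes: int = 0
    failures: int = 0
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def observe(self, t: int, ok: bool) -> None:
        """Apply one check result that became known at time t."""
        if ok:
            self.successes, self.failures = self.successes + 1, 0
            if not self.up and self.successes >= HEALTHY_AFTER:
                self.up = True
                self.transitions.append((t, "up"))
        else:
            self.failures, self.successes = self.failures + 1, 0
            if self.up and self.failures >= UNHEALTHY_AFTER:
                self.up = False
                self.transitions.append((t, "down"))

def simulate(behaviour: ProbeBehaviour, horizon: int, name: str = "web-1") -> Member:
    """Run checks until the clock passes `horizon`; the returned member carries its
    up/down transitions stamped with the time each state change took effect."""
    m = Member(name)
    t = 0
    while t <= horizon:
        outcome = behaviour(t)
        known_at = t + TIMEOUT if outcome == "silent" else t
        m.observe(known_at, outcome == "ok")
        t = known_at + INTERVAL
    return m

def outage(start: int, end: int, kind: str = "silent") -> ProbeBehaviour:
    """Server misbehaves in the given way for checks sent in [start, end)."""
    return lambda t: kind if start <= t < end else "ok"

def detection_delay(member: Member, outage_start: int) -> int:
    """Seconds from the outage beginning until the member was marked down."""
    return next(t for t, s in member.transitions if s == "down") - outage_start

if __name__ == "__main__":
    # A server that goes dark at t=10 s and returns at t=70 s is pulled from rotation
    # only after three 15 s timeouts; one that answers with errors is pulled after
    # three 5 s checks. A 10 s silence is never noticed at all.
    print(simulate(outage(10, 70, "silent"), 120).transitions)  # [(65, 'down'), (75, 'up')]
    print(simulate(outage(10, 70, "fail"), 120).transitions)    # [(20, 'down'), (75, 'up')]
```

The practical point for capacity and incident planning: under these thresholds a server that stops answering keeps receiving traffic for roughly a minute, so application-level fail-fast responses shorten the blast radius far more than tuning would.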


5.9.6. IPsec Termination Function

It is possible to configure settings for terminating IPsec communication on the Integrated Network Appliance. The IPsec communication targeted by this function enables encrypted L3 communication between a Server Segment and a segment at the customer’s site or a Server Segment in another Enterprise Cloud service contract (called the “external VLAN” below).
You can set the following items for the IPsec termination rule.
Item | Details
IPsec termination rule name | Customer sets an arbitrary rule name.
Explanation | Customer inputs an explanation of this IPsec termination rule.
Local Network | Specifies the Server Segment that is connected to the external VLAN via IPsec communication.
Peer Network | Specifies the IP subnet of the external VLAN connected via IPsec communication.
Local Endpoint | Specifies the interface of the Integrated Network Appliance that terminates the IPsec communication.
Local ID | Specifies an arbitrary unique ID configured on the Integrated Network Appliance, used to authenticate to the peer’s VPN device.
Peer ID | Inputs the ID configured on the IPsec termination equipment at the external VLAN side, used to authenticate the peer’s VPN device.
Peer IP | Inputs the fixed IP address, used for IPsec communication, that is allocated to the IPsec termination equipment at the external VLAN side.
Encryption Protocol | Specifies the encryption algorithm (AES [128 bit], AES256 [256 bit] or 3DES) used for IPsec communication (the same algorithm is used in Phase 1 and Phase 2).
Shared key | Specifies the pre-shared key used for authentication.
MTU | Sets the maximum size of one frame sent/received through IPsec communication.
Enable | Selects whether to enable or disable this rule.

Important

  • This feature enables the settings for terminating IPsec communication. Actual connectivity is not included in this service. Questions about setting contents and investigation of the communication state are outside the scope of support.
  • To establish IPsec communications, equipment for IPsec communication is required at the external VLAN side apart from this function. Customer needs to prepare equipment at the external VLAN side. Equipment at the external VLAN side is not supported by NTT Communications. (If the external VLAN is the Server Segment within the Enterprise Cloud service contract, the setting for establishing IPsec communications with mutual Integrated Network Appliance is available.)

Note

  • One Server Segment can be connected to one external VLAN per rule. To establish 1-to-N or N-to-1 connections, multiple IPsec termination rules need to be combined.
  • IPsec communications that pass through Internet Transit or VPN Transit can be terminated. IPsec communication that passes through a Server Segment cannot be terminated.
  • Do not perform multicast or broadcast communications through IPsec communications. If NTT Communications finds such communications, we may take actions, such as restricting communications, without prior notice.
  • Active mode is not supported by this feature; therefore the Peer IP needs to be a fixed IP address that is reachable from the Integrated Network Appliance.
  • DPD (Dead Peer Detection) based on RFC 3706 is always enabled in the IPsec function, so IPsec disconnection is detected in real time.
  • If disconnection is detected, reconnection is attempted for 110 seconds with a 10 second pause. This process repeats indefinitely until reconnection.
  • The following items are configured as default settings of the Integrated Network Appliance.
    Phase | Parameter | Value
    (common) | Key management protocol | IKEv1 (ISAKMP + Oakley)
    Phase 1 | Authentication Method | pre-shared key
    Phase 1 | DH group | 2
    Phase 1 | Hash Algorithm | SHA1
    Phase 1 | ISAKMP SA lifetime | 28800 seconds
    Phase 1 | Key exchange mode | Main mode
    Phase 2 | IPsec SA lifetime | 3600 seconds
    Phase 2 | Security protocol | ESP
    Phase 2 | Authentication Algorithm | HMAC-SHA1
    Phase 2 | Perfect Forward Secrecy | Enable
    Phase 2 | DH group | 2
    Phase 2 | Encapsulation mode | Tunnel
    Phase 2 | Key exchange mode | Quick mode
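Because the defaults above are fixed and the appliance does not support investigating a failed negotiation, the usual failure is a Phase 1 or Phase 2 proposal mismatch on the customer side. The following added example (not the appliance's code) derives from an IPsec termination rule what the customer-side device must be configured with and diffs a proposed peer configuration against it; the configuration key names, the rule field names as Python attributes, and the sample addresses are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Fixed defaults from the table above; the page says they cannot be changed.
APPLIANCE_FIXED: Dict[str, object] = {
    "ike_version": "IKEv1",
    "phase1_auth": "pre-shared-key",
    "phase1_dh_group": 2,          # 1024-bit MODP: below current guidance, but fixed
    "phase1_hash": "SHA1",
    "phase1_lifetime_s": 28800,
    "phase1_mode": "main",
    "phase2_protocol": "ESP",
    "phase2_auth": "HMAC-SHA1",
    "phase2_lifetime_s": 3600,
    "pfs": True,
    "phase2_dh_group": 2,
    "encapsulation": "tunnel",
    "dpd": True,                   # RFC 3706 DPD is always on and cannot be disabled
}
# Encryption is the one proposal parameter the rule lets you choose, and it applies
# to both phases. AES256 is the strongest option offered; avoid 3DES where you can.
ENCRYPTION_CHOICES = {"AES": "AES-128", "AES256": "AES-256", "3DES": "3DES"}

@dataclass(frozen=True)
class TerminationRule:
    """Fields of an IPsec termination rule (names follow the table in 5.9.6)."""
    name: str
    local_network: str       # Server Segment prefix behind the appliance
    peer_network: str        # external VLAN prefix behind the customer's device
    local_endpoint: str      # IP of the appliance interface that terminates IPsec
    local_id: str
    peer_id: str
    peer_ip: str             # fixed address of the customer's device
    encryption: str          # "AES", "AES256" or "3DES"

def peer_requirements(rule: TerminationRule) -> Dict[str, object]:
    """What the customer-side device must be configured with: the appliance's local
    side becomes the peer's remote side, IDs are swapped, and the fixed defaults
    carry over unchanged. Key names here are this example's own, not a vendor's."""
    if rule.encryption not in ENCRYPTION_CHOICES:
        raise ValueError(f"{rule.name}: unsupported encryption {rule.encryption!r}")
    cipher = ENCRYPTION_CHOICES[rule.encryption]
    req: Dict[str, object] = dict(APPLIANCE_FIXED)
    req.update({
        "phase1_encryption": cipher,
        "phase2_encryption": cipher,
        "local_address": rule.peer_ip,
        "local_id": rule.peer_id,
        "remote_address": rule.local_endpoint,
        "remote_id": rule.local_id,
        "local_prefix": rule.peer_network,
        "remote_prefix": rule.local_network,
    })
    return req

def check_peer(rule: TerminationRule, peer_config: Dict[str, object]) -> List[str]:
    """Diff a peer's settings against the requirements; an empty list means the
    two ends should agree on Phase 1 and Phase 2 proposals and traffic selectors."""
    problems: List[str] = []
    for key, want in peer_requirements(rule).items():
        have = peer_config.get(key)
        if have != want:
            problems.append(f"{key}: peer has {have!r}, appliance needs {want!r}")
    return problems
```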

5.9.7. Important Points

Rules Set by NTT Communications (Global Rule)
Multiple rules (called “Global Rule” below) are configured for the Integrated Network Appliance in default setting to allow NTT Communications to perform monitoring, maintenance and operation and provide various services.
  • Customer can refer to the Global Rule. However, please note that we may not be able to answer questions regarding the specific purpose and details of the Global Rule.
  • Customer cannot edit or delete the Global Rule.
  • The Global Rule is set as the rule having the higher priority than various rules set by customer.
  • Please note that the Global Rule may be added, changed or deleted by us without prior notice.

Important

  • When monitoring of a virtual server starts, an SNAT rule and a DNAT rule are added for each virtual server to be monitored.
Number of Configurable Rules
For the Integrated Network Appliance, the following number of rules can be set regardless of the plan.
Feature | Maximum number of rules that can be set
Firewall rule | Approximately 100 rules (including Global Rules)
SNAT rule, DNAT rule | Approximately 100 rules in total (including Global Rules, counting SNAT rules and DNAT rules together)
Static routing | Maximum 64 rules
Load balancing rule | Approximately 3 rules
IPsec termination rule | Approximately 50 rules

Note

  • Performance is likely to be degraded when the number of rules set increases.
Restrictions and Disclaimers
  • Although various communication rules can be set with this service, customers are responsible for the setting contents; therefore NTT Communications cannot guarantee the validity or accuracy of the setting contents, and we cannot compensate for damages caused by defects in the setting contents (we are, however, responsible for the Global Rules we set).
  • Communication interruptions might occur when you change the settings of the Integrated Network Appliance from the Customer Portal.
  • NTT Communications does not support operation where the routing settings overlap with any of the following IP addresses:
    • Global IP address
    • VPN Transit IP address block
    • Server Segment IP address block
    • Non-duplicable IP address ranges indicated in the Important Points of the Server Segment section
  • An IP address in the following IP address blocks cannot be set as a static routing destination:
    • VPN Transit IP address block
    • Server Segment IP address block

5.9.8. Reference Information

Various Recommended Values of the Integrated Network Appliance
Various recommended values are as follows.
Item | Recommended Value | Details
Performance | Approximately up to 100 Mbps | Although performance is not restricted, approximately up to 100 Mbps is expected regardless of plan, based on verification results. In addition, performance degrades as the number of rules set increases.
Number of load balancing rules | 3 | Although it may be possible to set more than 3 rules depending on the customer’s usage situation, we can only support up to 3 rules.
Number of virtual servers in use | Approximately 20 | Two NAT rules are set per VM as Global Rules in order to execute VM monitoring. Along with these, a maximum of 4 NAT rules are consumed if NAT rules are also set for Internet communications; therefore approximately 20 VMs are expected.
Downtime in case of redundant plan | Approximately 30 seconds | When using the redundant plan, recovery with downtime of approximately 30 seconds is expected.

Recommended Environment for IPsec Termination Function
The models with which NTT Communications has verified operation are as follows.
  • ASA5510
  • Vyatta Core 6.6R1
  • Integrated Network Appliance (this service)
* NTT Communications does not provide support for actual connectivity.