2.7. Network¶

2.7.1. Internet Connectivity¶

2.7.1.1. Overview¶

By using Internet Connectivity, Customer is able to connect Enterprise Cloud to Internet Transit.

The Internet Gateway provides a redundant Internet Connectivity by use of multi-link or multi home configuration and supports the Internet Protocol IPv4.

Menu			Japan			North America	Europe
			JP			US	UK	FR	ES
			Yokohama No.1 Data Center	Kansai1 No.1 Data Center	Saitama No.1 Data Center	San Jose Lundy Data Center	Hemel Hempstead2 Data Center	Paris2 Data Center	Madrid2 Data Center
Internet Connectivity	Best Effort	10Mbps	Yes	Yes	Yes	Yes	Yes	Yes	Yes
		100Mbps	Yes	Yes	Yes	Yes	Yes	Yes	Yes
		1Gbps	Yes	Yes	Yes	Yes	Yes	N/A	N/A
	Guaranteed	1Mbps~100Mbps	Yes	Yes	Yes	Only 10Mbps/ 100Mbps	Only 10Mbps/ 100Mbps	Only 10Mbps/ 100Mbps	Only 10Mbps/ 100Mbps
	Guaranteed	200Mbps~1Gbps	Yes	Yes	Yes	Yes	Yes	N/A	N/A
	Global IP Address		Yes	Yes	Yes	Yes	Yes	Yes	Yes

Menu			APAC
			SG	HK	MY	TH
			Serangoon Data Center	Tai Po Data Center	Cyberjaya3 Data Center	Bangna Data Center
Internet Connectivity	Best Effort	10Mbps	Yes	Yes	Yes	Yes
		100Mbps	Yes	Yes	Yes	Yes
		1Gbps	Yes	N/A	N/A	N/A
	Guaranteed	1Mbps~100Mbps	Only 10Mbps/ 100Mbps	Only 10Mbps/ 100Mbps	Only 10Mbps/ 100Mbps	Only 10Mbps/ 100Mbps
	Guaranteed	200Mbps~1Gbps	Yes	N/A	N/A	N/A
	Global IP Address		Yes	Yes	Yes	Yes

Table: Internet Connectivity Availability

2.7.1.2. Features¶

2.7.1.2.1.Best Effort¶

A plan that the maximum value of available bandwidth for Customer is fixed.
Best Effort 10Mbps: Bandwidth burstable up to 10Mbps (both upstream and downstream)
Best Effort 100Mbps: Bandwidth burstable up to 100Mbps (both upstream and downstream)
Best Effort 1Gbps: Bandwidth burstable up to 1Gbps (both upstream and downstream)
Transmission speed is not Guaranteed; the availability of bandwidth communication can change according to congestion of the lines.

2.7.1.2.2.Guaranteed¶

A plan that is designed to Guarantee the usable bandwidth for Customer.
Transmission speed is Guaranteed.
The Guaranteed type only guarantees the communication bandwidths that pass through the Internet GW. In order to guarantee the communication bandwidth that the vFirewall and vLoad Balancer pass through, it is necessary to have separate contracts for a suitable number of firewall resources and load balancer resources.
*Please contact individually for the Guaranteed type higher than 100Mbps.
Guaranteed 1Mbps~9Mbps: The speed is incremented by 1Mbps
Guaranteed 10Mbps~30Mbps: The speed is incremented by 5Mbps
Guaranteed 40Mbps~100Mbps: The speed is incremented by 10Mbps
Guaranteed 200Mbps/300Mbps/500Mbps/700Mbps/1Gbps

For US/UK/DE/FR/ES/SG/TH　（provided menu is different）
Guaranteed 10Mbps
Guaranteed 100Mbps
Guaranteed 200Mbps/300Mbps/500Mbps/700Mbps/1Gbps

2.7.1.2.3.Global IP Address¶

Global IP Address is provided to customer differently whether they select vFirewall or Integrated Network Appliances.

Global IP Address cannot be assigned by the customer nor can be changed.
Global IP Address will be assigned according to NTTCom’s Global IP Address Block.

For vFirewall Customer,

If the Customer is using vFirewall, Global IP would be provided as follows. The distributed Global IP Address can be set as the IP address for NAT/NAPT rule in the vFirewall.

	Minimum	Maximum	Increment
Global IP Address	4	64	4

An address block, which is randomly selected from Global IPv4 Address blocks owned by NTT Com Group, is distributed as Global IPv4 Address. Please note however due the method of distribution we are unable to provide continuous address blocks if you apply for more than 8 GIPs.
NTT Com Group plan to upgrade the platform to IPv6 as soon as this is supported by all the necessary hardware and software vendors.
Customer can order blocks of addresses from 1 to 64 blocks by pack of 4 increments per Virtual Room.

For Integrated Network Appliance Customer,

If the Customer is using the Integrated Network Appliance, Global IP can be purchased according to the following subnet units. The Global IPs will be assigned to the Internet Transit and will be used for transmission between each devices connected to the Internet Transit. Also, Global IPs can be utilized for the NAT, Load Balancing, and IP sec termination rules.

	Subnet	Available number of rules set for NAT/NAPT,LoadBalancing, and IPsec termination
Global IP Address	/29	3
	/28	11
	/27	27

A single subnet contract can be made for a single Internet Connectivity contract.
Customer can assign either one of the subnet when making a contract. The Global IP subnet cannot be changed after the Internet Connectivity installation.

2.7.2. VPN Connectivity¶

2.7.2.1. Overview¶

NTT Com Group can provide a secure VPN Connectivity onto a global network backbone called Arcstar Universal One. The VPN Connectivity GW is a gateway that connects Arcstar Universal One to vFirewall or Integrated Network Appliance.This low latency network provides a service level agreement backed network service. The function of plan change and routing setting and Ping is available with the VPN Connectivity Service supported on the Customer Portal which is available in Japan DC.

Menu			Japan			North America	Europe
			JP			US	UK	FR	ES
			Yokohama No.1 Data Center	Kansai1 No.1 Data Center	Saitama No.1 Data Center	San Jose Lundy Data Center	Hemel Hempstead2 Data Center	Paris2 Data Center	Madrid2 Data Center
VPN Connectivity	Best Effort	100Mbps	Yes	Yes	Yes	Yes	Yes	Yes	Yes
	Guaranteed	100Gbps	Yes	Yes	Yes	Yes	Yes	N/A	N/A
		200Mbps	Yes	Yes	Yes	Yes	Yes	N/A	N/A
		1Gbps	Yes	Yes	Yes	N/A	N/A	N/A	N/A

Menu			APAC
			SG	HK	MY	TH
			Serangoon Data Center	Tai Po Data Center	Cyberjaya3 Data Center	Bangna Data Center
VPN Connectivity	Best Effort	100Mbps	Yes	Yes	Yes	Yes
	Guaranteed	100Gbps	Yes	Yes	Yes	Yes
		200Mbps	Yes	Yes	Yes	Yes
		1Gbps	N/A	N/A	N/A	N/A

Table: VPN Connectivity Availability

2.7.2.2. Features¶

2.7.2.2.1.Best Effort:¶

A plan that the maximum value of available bandwidth for Customer is fixed.
The actual bandwidth that is available for Customer is depending on the usage of the other Customers, the circumstances of infrastructure, and so on.
Best Effort 100Mbps: allows a maximum bandwidth upstream and downstream burstableup to 100Mbps.

2.7.2.2.2.Guaranteed¶

A plan that is designed to Guarantee the usable bandwidth for Customer.
Transmission speed is Guaranteed.
The Guaranteed type only guarantees the communication bands that pass through the VPN Gateway. In order to guarantee the communication bandwidth that the vFirewall and vLoad Balancer pass through, it is necessary to have separate contracts for suitable number of firewall resources and load balancer resources.
Guaranteed 100Mbps/200Mbps/1Gbps

2.7.2.3. Restrictions¶

The Guaranteed type only guaranteed the communication bandwidth that pass through the VPN Gateway. In order to guarantee the communication bandwidth that the vFirewall and vLoad Balancer pass through, it is necessary to have separate contracts for a suitable number of fireall resources and load balancer resources.
NTT Communcations may change VPN settings for maintenance and monitoring. You cannot change or delete the settings that are set bu NTT Communications.
Communication interruptions might occur when VPN Connectivity settings are changed,
If you use the Internet Connectivity and VPN Connectivity in combination, direct back and forth communication between Internet and VPN via vFirewall or Integrated Network Appliance will not be possible.
Cloud-GW Connectivity segment setting is not necessary in Customer Portal supported VPN Connectivity(only available in Japan DC. And 1Gbps Guaranteed plan is not available.

2.7.3. Server Segment¶

2.7.3.1. Overview¶

Server Segment is a L2 segment which interconnects multiple network objects that constitute Enterprise Cloud.

One Server Segment will be provided as a standard menu. Server Segments are used to connect VMs, vFirewall, vLoad Balancer and Service Interconnectivity to architect a system with complex network configuration.

Menu

Japan

North America

Europe

JP

US

UK

FR

ES

Yokohama No.1 Data Center

Kansai1 No.1 Data Center

Saitama No.1 Data Center

San Jose Lundy Data Center

Hemel Hempstead2 Data Center

Paris2

Data Center

Madrid2

Data Center

Server Segment

Yes

Menu

APAC

SG

HK

MY

TH

Serangoon

Data Center

Tai Po

Data Center

Cyberjaya3

Data Center

Bangna

Data Center

Server Segment

Yes

Table: Server Segment Availability

2.7.3.2. Feature¶

One Server Segment is provided as a standard at each Virtual Room at the beginning, which is free of charge (It is free up to two Server Segments.). According to orders by Customer, the number of Server Segments can be changed within the limits from 1 at minimum to 24 at maximum per Virtual Room. Any modification or additional Server Segment is subject to additional Charges

Server Segment	Minimum	Maximum	Increment
When using vFirewall	1	24	1
When using Integrated Network Appliance	1	24*	1

*Maximum Server Segments which can connect to INA are up to 7.

For IP allocation, the following IPv4 segments are available to assign to Server Segments /24, /25, /26, /27,/28, and /29.

Diagram: Server Segment

2.7.3.3. Restrictions¶

There are IP Addresses which cannot be specified as IP address range (Non-duplicable IP Address) for Server Segments. Be aware that the IP address range that cannot be specified differ according to Data Center. For details about Non-duplicable IP Address range, refer to separate volume “Functional Description (IP Address)”

IP Address Setting for DNS Server(Primary/Secondary) ,Default Gateway, and DNS Suffix.

The parameter setting for each address differs depending on whether customer uses vFirewall or Integrated Network Appliance.

vFirewall

Integrated Network Appliance

IP Address for DNS Server(Primary/Secondary)

IP address specified by Customer or NTT Comunications.

IP Address for Default Gatway

Customer can assign the IP Address when creating Server Segment (Cannot be changed after use.)If it was not specified, vFirewall Active IP address is assigned.

NTTCom will assignthe IP Address. When the segment is connected to INA, Active IP address is assigned. It cannot be changed.

When the segment is not connected to INA, Customer can specify the IP Address. It cannot be changed. When the IP Address is not specified, NTT Communacitions will assign.

DNS Suffix

IP address specified by Customer or no value.

One Server Segment which is provided as a standard menu when Customer start using the Data Center is always connected to vFirewall or Integrated Network Appliance.
Server Segment cannot be deleted as long as the template exist on Private Catalog, when Virtual Machine which vNIC connecting the Server Segment is converted.
Customer’s carried-in Global IP Address can be assigned to Server Segment.
However, please not that there are following restrictions.

Please apply via Service Order Form when adding Server Segment with Customer’s carried-in Global IP Address.
The direct Internet transmission is not possible via vFirewall nor Integrated Network Appliance when using the Customer carried-in Global IP Address. NAT setting is necessary for the Global IP Address provided by NTT Communications.
If the registered name for IP Address under NIC organization and the representative contractor name of Enterprise Cloud Service does not match, the carried-in IP address would be considered as illegal Global IP Address and it cannot be supported. Also, we cannot guarantee the sustainability.

2.7.4. Service Interconnectivity¶

2.7.4.1. Overview¶

With Service Interconnect Gateway, Customer can connect Customer’ existing networks to the Enterprise Cloud without compromising on security.

Menu

Japan

North America

Europe

JP

US

UK

FR

ES

Yokohama No.1 Data Center

Kansai1 No.1 Data Center

Saitama No.1 Data Center

San Jose Lundy Data Center

Hemel Hempstead2 Data Center

Paris2

Data Center

Madrid2

Data Center

Service Interconnectivity

Yes

Menu

APAC

SG

HK

MY

TH

Serangoon

Data Center

Tai Po

Data Center

Cyberjaya3

Data Center

Bangna

Data Center

Service Interconnectivity

Yes

Table : Service Interconnectivity Availability

2.7.4.2. Features¶

Diagram 05: Service Interconnectivity logical network diagram

2.7.5. Colocation Interconnectivity (CIC)¶

2.7.5.1. Overview¶

Colocation Interconnectivity is a service that provides a secure L2 connection between the Server Segment that NTT Communications provides and your system environment inside our colocation via our inter-Data Center network.

Menu

Japan

North America

Europe

JP

US

UK

FR

ES

Yokohama No.1 Data Center

Kansai1 No.1 Data Center

Saitama No.1 Data Center

San Jose Lundy Data Center

Hemel Hempstead2 Data Center

Paris2

Data Center

Madrid2

Data Center

Colocation Interconnectivity

Yes

N/A

Yes

N/A

Yes

Menu

APAC

SG

HK

MY

TH

Serangoon

Data Center

Tai Po

Data Center

Cyberjaya3

Data Center

Bangna

Data Center

Colocation Interconnectivity

Yes

N/A

Yes

Table : Colocation Interconnectivity Availability

2.7.5.2. Features¶

You can use the following featuers in Colocation Interconnectivity.

Feature	Overview
Layer 2 (L2) Connection	A feature that connects the Server Segment NTT Communications provides and your system environment inside our colocation using the same Server Segment.

2.7.5.3. Layer 2 (L2) Connection¶

For one colocation connection, you can have L2 connections with Server Segments (a maximum of 24 Server Segments) using tagging VLAN.

The colocation connection is contructed of redundant physical devices (equipment and lines).
The maximum bandwidth that can be used by one colocation is 1Gbps.
After starting use, you can start/stop using the service by changing the communication bandwidth settings (1000Mbps/0Mbps), and add/delete VLAN from the Customer Portal.

Connectable Colocations

The colocations that can be connected differ according to Enterprise Cloud Service Data Center. The following are the colocations that can be connected.

Enterprise Cloud Service Data Center	Destination Colocation Data Center
Yokohama No.1	Yokohama No.1, Tokyo No.2 and Tokyo No.3,Tokyo No.4, Tokyo No.5, Tokyo No.6, Tokyo No.7 and Saitama No.1
Kansai 1	Kansai 1 Data Center, Osaka (Dojima), Kyoto No.2
Saitama No.1	Yokohama No.1, Tokyo No.2, Tokyo No.3, Tokyo No.5, Tokyo No.6 and Saitama No.1
Hemel Hempstead 2	Hemel Hempstead 2
Thailand Bangna	Thailand Bangna
Singapore Serangoon	Singapore Serangoon
Hong Kong Tai Po	Hong Kong Tai Po
Spain Madrid2	Spain Madrid2
Malaysia Cyberjaya3	Malaysia Cyberjaya3

*Available only in Colocation Room GS-04-13.

You can connect to multiple colocations at each Enterprise Cloud Service Data Center.

2.7.5.4. Restrictions¶

Please set active and standby redundant configuration in Customer L2 switch interface.
Communication cutting by operation of a Customer’s redundant control becomes the outside of SLA.
If a failure occurs on the communication path is automatically switched to another route and communications are restored in approximately 30 seconds.
Within the Customer system environment that is connected by colocation interconnectivity, one MAC address can be used for 1 IP Address.
Multiple Links (two or more contracts) can be increased connection bandwidth between Enterprise Cloud and Colocation. But one Server Segment can be connected to one link.
Two or more Enterprise Cloud connection via Colocation Interconnectivity is not supported. There is a possibility that MAC address assigned to Virtual Machine is overlapped and communication trouble might happen.

2.7.6. On-Premises Interconnectivity (OPIC)¶

2.7.6.1. Overview¶

On-Premises Interconnectivity (OPIC) enables Customer to connect Customer’s on-premises systems with Enterprise Cloud via the Internet using SDN technology.

Customers can continue to use the existing IP Addresses of their on-premises systems.

Menu

Japan

North America

Europe

JP

US

UK

FR

ES

Yokohama No.1 Data Center

Kansai1 No.1 Data Center

Saitama No.1 Data Center

San Jose Lundy Data Center

Hemel Hempstead2 Data Center

Paris2

Data Center

Madrid2

Data Center

On-Premises Interconnectivity

Yes

N/A

Menu

APAC

SG

HK

MY

TH

Serangoon

Data Center

Tai Po

Data Center

Cyberjaya3

Data Center

Bangna

Data Center

On-Premises Interconnectivity

N/A

Table : On-Premises Interconnectivity Availability

2.7.7. vFirewall (Hardware Type)¶

2.7.7.1. Overview¶

NTT Com Group offers a vFirewall which can be configured and managed from Customer Portal.

Firewall employs mainstream security technology that has been optimized for virtual environments. The following diagram explains the security zone policies deployed within the virtualized environment to ensure security.

Menu

Japan

North America

Europe

JP

US

UK

FR

ES

Yokohama No.1 Data Center

Kansai1 No.1 Data Center

Saitama No.1 Data Center

San Jose Lundy Data Center

Hemel Hempstead2 Data Center

Paris2

Data Center

Madrid2

Data Center

vFirewall Availability

Yes

Menu

APAC

SG

HK

MY

TH

Serangoon

Data Center

Tai Po

Data Center

Cyberjaya3

Data Center

Bangna

Data Center

vFirewall Availability

Yes

Table : vFirewall Availability

2.7.7.2. Features¶

The following actions can be completed within Customer Portal for vFirewall:
Set Filter Rules
Set NAT/NAPT Rules
Set Routes
Set Services
Set Addresses
Set Resources
View Performance
View Alerts
Providing the log dedicated portal

The portal is provided at Saitama No.1 data center.

NTT Com Group currently provides vFirewall in packages of resources.

Table : vFirewall package of Resources

vFirewall is mandatory for every Virtual Room and subject to Charge.

1 vFirewall is available per Virtual Room;
Minimum value: Resource Level 1 per vFirewall;
Maximum value: Resource Level 50 per vFirewall;

* You can change the number of vFWs from Customer Portal up to 10. If the number of vFW that customer requires is above 11, please contact NTTCom separately.
In increments of 1 Resource Level;

2.7.7.2.1.Internet Transit Connection¶

If Customer are using Internet Connectivity at the same Data Center vFirewall will establish a connection with Internet Transit.

The unique IP address block provided by NTT Com Group is then allocated to the Internet Transit and IP connectivity to the Internet Gateway is provided.

2.7.7.2.2.VPN Transit Connection¶

For Customer using VPN Connectivity to connect to Arcstar Universal One, vFirewall will establish a connection with the VPN Transit.

The IP address block for the VPN Transit is borrowed from the Customer VPN and allocated to VPN Transit. Once this is authorised the IP connectivity to VPN Gateway is then provided.

As for the IP addresses allocated to the vFirewall, 2 arbitrary IP addresses are selected from the IP address block for VPN Transit and these addresses are configured as active or standby, respectively.

2.7.7.2.3.Packet Filtering Settings¶

NTT Com Group will provide the function for setting the policy of packet filtering through vFirewall.

The following settings can be specified /amended from within Customer Portal for filtering IP packets.

The network interface for vFirewall on which packet filtering is performed can be selected from Internet Transit, VPN Transit and Server Segment
The IP address or IP address group can be configured for the source IP address
The type of service group of TCP/ UDP ports and ICMP can be configured for the source service.
The IP address or IP address group can be specified for the destination IP address.
Type or service group of TCP/ UDP ports and ICMP can be configured for the destination service.
A permission or rejection can be specified for action.

Please note that Packet filtering is not set when starting to use this service. If packet filtering is not set, all communications will be rejected.

Customer Portal also includes a packet inspection function, blocking illegal access by reading packet data which pass through the vFirewall and dynamically open and close the port according to contents.

2.7.7.2.4.NAT/NAPT settings¶

On vFirewall, the NAT/NAPT setting function for configuring address conversion and address port conversion between the Internet Transit and the VPN Transit, and Server Segments is provided.

An IP address can be configured for NAT/NAPT but varies depending on the network on which NAT/NAPT is performed.

For the Internet Transit, a Global IPv4 Address used in the Internet Connectivity can be configured.
For the VPN Transit, an IPv4 address allocated to VPN Transit can be configured in the VPN Connectivity.
For the Server Segment, any IP address can be configured.

Please note that the maximum number of NAT/NAPT setting rules that can be configured for one vFirewall is 256.

2.7.7.2.5.Other Settings¶

The following settings can also be configured within Enterprise Cloud Customer Portal

Routing:

This allows configuration of the static routing

Address group setting:

This allows for grouping IP addresses in order to enhance the convenience of setting on Customer Portal. These can then be used in the packet filtering and NAT/NAPT, and routing settings.

Service group setting:

This allows Customer to define and group types of TCP/UDP ports and ICMP which can then be used in the packet filtering setting.

2.7.7.2.6.Adding additional resources¶

If Customer would like to upgrade/downgrade their vFirewall resource as per the table above, they are able to complete this using Customer Portal. Once a Customer has selected which resource they require this will be changed immediately.

2.7.7.2.7.Fetures that the log dedicated portal provides¶

Account for the log dedicated portal is provided. It is possible to view and download the filter log by logging in to the portal.

Following features are provided.

Feature	Item
Displaying the log	Filtering log of vFirewall is displayed on the log dedicated portal. The latest log can be displayed by updating the browser. The log for a maximum of 500 lines appears.
Saving the log file	One uncompressed log file including the log displayed on the screen is saved. If the size of this file reaches 5MB, the file is automatically compressed and saved in zip format as another file. A maximum of 60 log files are saved.
Downloading the log file	The saved log file can be downloaded on customer environment from the portal.
Changing the password	It is possible to change the account password for the log dedicated portal.

2.7.8. vLoad Balancer (Hardware Type)¶

2.7.8.1. Overview¶

Within the Customer Portal Customer can easily configure and manage their load balancing rules.

Menu

Japan

North America

Europe

JP

US

UK

FR

ES

Yokohama No.1 Data Center

Kansai1 No.1 Data Center

Saitama No.1 Data Center

San Jose Lundy Data Center

Hemel Hempstead2 Data Center

Paris2

Data Center

Madrid2

Data Center

vLoad Balancer Availability

Yes

N/A

Menu

APAC

SG

HK

MY

TH

Serangoon

Data Center

Tai Po

Data Center

Cyberjaya3

Data Center

Bangna

Data Center

vLoad Balancer Availability

Yes

Table: vLoad Balancer Availability

2.7.8.2. Features¶

The following actions can be completed within Customer Portal for vLoad Balancer:
Set Virtual IP and Balance Rules
Set Server Groups
Set Real Servers
Set Health Checks
Set Routes
Set Resources
View Performance
View Alerts
vLoad Balancer offers three types of load balancing algorithms, round robin, Source IP Hash and Least Connection.
Server persistency is also available using Source IP and Cookie Insert. Please note however that cookie insert is only available for balancing HTTP traffic.

NTT Com Group currently sells vLoad Balancer in packages of resources. The below table illustrates the different resources that are available.

Table: vLoad Balancer resource level

vLoad Balancer is Optional and subject to Charge.

1 vLoad Balancer is available per Server Segment;
Minimum value: Resource Level 1 per vLoad Balancer;
Maximum value: Resource Level 10 per vLoad Balancer;
In increments of 1 Resource Level;

2.7.8.3. Restrictions¶

When purchasing vLoad Balancer, multiple IP addresses for Server Segment would be used. Additional IPs would be required when increasing the resource level of vLoad Balancer.

IP addresses required:

to 2 Resources: 4
to 4 Resources: 5
to 6 Resources: 6
to 8 Resources: 7
to 10 Resources: 8

(Of the IPs, 3 IPs would be used to have a redundant connection between vLoad Balancer and Server Segment using methods such as VRRP. Additional IPs are used to successfully deliver traffic as a vLoad Balancer, which differ per vLoad Balancer.)

2.7.9. Integrated Network Appliance¶

2.7.9.1. Overview¶

Integrated Network Appliance is a service which provides the virtual network appliance which has following functions as a default.

Firewall
NAT
Static Routing
Load Balancing
IPsec termination

Menu		Japan			North America	Europe
		JP			US	UK	FR	ES
		Yokohama No.1 Data Center	Kansai1 No.1 Data Center	Saitama No.1 Data Center	San Jose Lundy Data Center	Hemel Hempstead2 Data Center	Paris2 Data Center	Madrid2 Data Center
Integrated Network Appliance	Compact	Yes	Yes	Yes	Yes	Yes	Yes	Yes
	Compact(Redundant)	Yes	Yes	Yes	Yes	Yes	Yes	Yes
	Large	Yes	Yes	Yes	Yes	Yes	Yes	Yes
	Large(Redundant)	Yes	Yes	Yes	Yes	Yes	Yes	Yes

Menu		APAC
		SG	HK	MY	TH
		Serangoon Data Center	Tai Po Data Center	Cyberjaya3 Data Center	Bangna Data Center
Integrated Network Appliance	Compact	Yes	Yes	Yes	Yes
	Compact(Redundant)	Yes	Yes	Yes	Yes
	Large	Yes	Yes	Yes	Yes
	Large(Redundant)	Yes	Yes	Yes	Yes

Table: Global File Storage Availability

2.7.9.1.1.Service Menu¶

Compact
- Compact plan is mainly recommended for the users, who is not requiring reliability for FW.
- And also this plan is mainly recommended for the users who does not use LB/IPsec function, because the performance will be dramatically decreased if these function is used on the compact plan.
Compact (Redundant)
- Compact(Redundant) plan is mainly recommended for the users who is requiring reliability for FW.
- This plan is mainly recommended for the users who does not use LB/IPsec termination function, because the performance will be dramatically decreased if these function is used on the compact plan.
Large
- Large plan is mainly recommended for the users who is not requiring reliability for FW.
- This plan is mainly recommended for users who would like to use LB/IPsec termination function.
Large (Redundant)
- Large (Redundant) plan is mainly recommended for the users who is requiring reliability for FW.
- This plan is mainly recommended for the users who would like to use LB/IPsec termination.

2.7.9.2. Features¶

2.7.9.2.1.Firewall¶

The Firewall rule function of this service can permit or deny the specific communication via this service to control the traffic for/from the customer’s environment in Enterprise Cloud.
Firewall function of INA deny all of the traffic (excluding the management tragic) as a default settings. Customer has to configure the “permit” rules for INA to communicate via INA.
Firewall function is always enabled, and cannot be disabled.

2.7.9.2.2.NAT¶

NAT modifies the source/destination IP addresses of packets arriving to and leaving from this service. The below two NAT are provided on this service.
- SNAT Rule: A source NAT rule changes the source IP address of outbound packets
- DNAT Rule: A destination NAT rule changes the destination IP address
Customer can utilize the NAPT, by setting IP range as a translated IP.
It is also available to set the NAT rule from IP range to IP range. But, on the other hand, even if range to range NAT is set, the mapping between IP addresses is random. Static mapping is not available.

2.7.9.2.3.Static Routing¶

Customer can establish L3 connectivity between local and outside EC.

Customer can manage the below parameters for each Static Routing on the portal by themselves.

Parameters	Description
Name	Name for this rule
Network	The destination network address
Next Hop IP	The next hop IP address
Target Network	The transit which the traffic will be forwarded to

2.7.9.2.4.Load Balancing¶

This service can support basic load balancing function.

When the load balancing rule is applied to the traffic, the traffic also be applied to the SNAT. It means, the source IP of the traffic which reach to the “members” of the rule is the IP which is assigned to the server segment side interface of INA.
For the http traffic, the x-forwarded-for function is always enabled.

2.7.9.2.5.IPsec Termination¶

Customer can terminate the LAN to LAN IPsec tunnel by themselves between server segment in EC site and Remote site, such as the Customer own LAN at the on-premise site or server segment at the other EC site.

This function is just a termination of IPsec. The settings of IPsec are under the customer responsibility, which means NTT do not guarantee/ support the connectivity from customer site to EC site.
IPsec tunnel should be connected only via internet connectivity or VPN connectivity and it cannot be connected via server segment side. (ex. SIG/OPIC/CIC)

※Important

The specification has been changed to strengthen security.

Specification Change

・The default value of DH(Diffie-Hellman) group, which is the IPsec configuration parameter, is changed from “2” to “14” if client performs the following operations in the client portal. If the DH value was changed, client will be disconnected from the peer device using IPsec.

[Operations(*1)]

Edit or save a configuration of Integrated Network Appliance(including saving without editing value)

(hereafter Operation 1)

Add or delete monitoring for vApp or virtual server (Install Monitoring / Uninstall Monitoring)

(hereafter Operation 2)

Caution

・Once the DH group is changed from “2” to “14” by client’ operation(*1), client cannot change the DH group by client operation.

・If the client does not perform the operations(*1), the DH group 2 will be used continuously. Client can utilize ECL1.0 service with existing configuration.

Request

Please confirm that DH group14 is supported on the device on the external VLAN side that faces the Integrated network appliance for IPsec communication.

If DH Group 14 is not supported for the the device on the external VLAN side, please do not perform the operations(*1) until DH Group is supported. Please consider replacing the device on the external VLAN side to DH value “14” supportive as soon as possible. From the viewpoint of enhancing security, it is highly recommended to switch to DH Group14.

If DH Group 14 is supported for the the device on the external VLAN side, please take it into account to switch DH group value to “14” as soon as possible.

Until switching DH value from “2” to “14” in sync with INA and external VLAN device, please use existing DH Group temporarily and please do not perform the operations(*1).

When client chane DH value from “2” to “14”, please perform the operations(*1) and configure the device on the external VLAN side to DH group 14.

2.7.9.3. Restrictions¶

Customer must select either vFirewall or Integrated Network Appliance for each Data Center. Once the contract is set, customer cannot change the plan from vFirewall to Integrated Network Appliance or vice versa.
Customer will select the service plan when applying for the Integrated Network Appliance. After the installation, Customer cannot change the service plan from Compact to Large or Large to Compact. (However, customer may change from single to redundant topology or vice versa.)
Once the IP Address is assigned to each interface of Integrated Network Appliance, it cannot be changed.
Global Rule

To provide some service or features of Enterprise Cloud, provider sets some NAT rules as default.

1. Customer can view these rules, however some of the questions focused on the details of the global rules may not be answered.

2. These rules cannot be added by the customer.

3. Global rules will be highly prioritised than rules set by the customer.

4. Global rules may be changed/added/deleted without notification beforehand.

Features	Maximum number of rules
Firewall Rule	Approx. 100 Rules
SNAT Rule DNAT Rule	Approx. 100 Rules (including both SNAT and DNAT rules)
Static Routing	Approx. 64 Rules
Load Balancing Rule	Approx. 3 Rules
IPsec Termination Rule	Approx. 50 Rules

Performance data is not available on customer portal for Integrated Network Appliance.

2.6. Backup

2.8. External Storage