OVH Private (vRack) Networks
We're generally fans of OVH Cloud - it's simple, it's cost effective and they have some interesting options and features available. One of those features is of course private networks, which they call vRack.
Private networks make it possible to have your OVH servers communicate with each other via a direct connection, rather than needing to use the Internet. You can also create servers that are entirely internal, making them immune from direct Internet threats.
OVH's vRack also provides VLANs. This is essentially a way to have multiple separate private networks. This sounds cool, and plenty of people probably use this feature, but given OVH is quite a "small" cloud, we're left wondering just how useful it really is.
Slightly strangely, you can't really see much of your private networks with the standard UI. You can use Horizon (which is the OpenStack UI) to get a bit closer, or else use the API (perhaps with Terraform). However you decide to proceed, things seem unnecessarily confusing. You can optionally include a gateway (which seems to be something they want you to have, as to turn it off you have to set no_gateway to True). You can have a DHCP service, and can define the range of IPs used by DHCP, so you can mix fixed and DHCP addressing if you like. Once DHCP gives you an address, it never changes.
It's worth noting that OVH has no "NAT Gateway" or similar. If your private networks want Internet access, you either have to have an Internet IP on your servers, or else construct a "router" that can provide Internet access for all your private servers. This all seems simple enough; after all, you can just create a server and set it up as a router. Making a resilient service is a good deal trickier, however.
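The do-it-yourself router described above comes down to IP forwarding plus a source-NAT rule on a server that has both an Ext-Net and a private interface. The script below is an added example, not code from the original post or from OVH: it renders an nftables ruleset, validates its inputs so nothing unexpected ends up in the ruleset, and applies it only when run with --apply as root. The interface names (ens3, ens4), the 10.0.0.0/24 range, the script name and the table name diy_nat are assumptions.

```shell
#!/bin/sh
# Added example; interface names, CIDR and table name are assumptions.

# Accept only a dotted-quad/prefix so nothing else can reach the ruleset.
valid_cidr() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac   # also rejects newlines
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    old_ifs=$IFS; IFS=./
    set -- $1                      # split into four octets and the prefix
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Linux interface names are at most 15 characters.
valid_ifname() {
    case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# Masquerade private traffic leaving via the WAN; forward only it and replies.
render_nat_ruleset() {
    wan_if=$1; lan_if=$2; lan_cidr=$3
    valid_ifname "$wan_if" && valid_ifname "$lan_if" &&
        valid_cidr "$lan_cidr" || return 2
    cat <<EOF
table ip diy_nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr $lan_cidr oifname "$wan_if" masquerade
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$lan_if" oifname "$wan_if" ip saddr $lan_cidr accept
    }
}
EOF
}

# Usage (as root, on the router): sh nat-router.sh --apply ens3 ens4 10.0.0.0/24
if [ "${1:-}" = "--apply" ]; then
    rules=$(render_nat_ruleset "${2:-}" "${3:-}" "${4:-}") || exit 2
    sysctl -w net.ipv4.ip_forward=1
    nft delete table ip diy_nat 2>/dev/null || true   # make re-runs idempotent
    printf '%s\n' "$rules" | nft -f -
fi
```

Private servers still need a default route pointing at the router's private address, and a single router built this way remains a single point of failure.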
Another gotcha is that if you change your mind about needing a gateway (or not), then you have to disconnect everything from the network before you can make the change. This is a real drawback, and probably best resolved by creating a whole new network and migrating to it - quite a lot of work for a seemingly simple change, and one that always causes some disruption.
Terraform
Getting down to some code, setting up a private network is pretty simple:
# Create a private network
resource "ovh_cloud_project_network_private" "network" {
  service_name = var.ovh_cloud_project_id
  name         = "my-private-network"
  vlan_id      = 0 # VLAN ID for vRack
}

# Create a subnet in the previously created private network
resource "ovh_cloud_project_network_private_subnet" "subnet" {
  service_name = var.ovh_cloud_project_id
  network_id   = ovh_cloud_project_network_private.network.id
  start        = var.dhcp_start   # First IP of the DHCP range
  end          = var.dhcp_end     # Last IP of the DHCP range
  network      = var.network_cidr # Subnet in CIDR notation
  dhcp         = true             # Enables DHCP
  no_gateway   = true             # true = No default gateway
  region       = var.region
}
Once you have a private network, you can add it to servers you create. For example, something like this:
resource "openstack_compute_instance_v2" "server" {
  name        = var.name
  image_name  = var.image
  flavor_name = var.type
  key_pair    = var.keypair
  region      = var.region

  # Internet-facing interface
  network {
    name = "Ext-Net"
  }

  # Interface on the private network
  network {
    name = ovh_cloud_project_network_private.network.name
  }
}
Here we're creating a server with an Internet connection (Ext-Net), which if specified is always the "default interface" of the server. We've additionally asked for an interface connected to the private network. We can do this as many times as we like to connect to as many private networks as we like.
Conclusions
Creating private networks in OVH Cloud isn't hard, but it's a lot harder than it ought to be. Making changes to private networks is similarly problematic and seems to always cause disruption. There are no "NAT gateway" type options, so getting from the private networks to the Internet is a do-it-yourself proposition.
Pre-Emptive can help with clouds, networks, routing and firewalling. Contact us to see how we can help you.