Networking
The Networking tab is the per-project home for VPCs, subnets, routers, security groups, public IPs, load balancers, and VPN gateways. The console groups related objects under sub-tabs.
Overview
Networking tab. Sub-tabs across the top: VPCs · Subnets · Routers · Security Groups · Floating IPs · Load Balancers · VPN Gateways.
Sub-tabs:
| Sub-tab | What lives here |
|---|---|
| VPCs | Virtual private clouds — the top-level network container |
| Subnets | IP ranges + AZ pinning + DHCP config |
| Routers | Logical routers between subnets and external gateways |
| Security Groups | Stateful firewall rules attached to ENIs |
| Floating IPs | Persistent public IPv4 addresses (and dual-stack IPv6) |
| Load Balancers | L4 (Network) and L7 (Application) load balancers |
| VPN Gateways | IPsec / IKEv2 gateways for site-to-site and client VPN |
The default VPC (10.0.0.0/16, one subnet per AZ) is created for every new project — you can ignore it and define your own.
Administration
Quotas
Project Settings → Quota → Networking:
| Resource | Default per project | Cap |
|---|---|---|
| VPCs | 5 | 50 |
| Subnets per VPC | 50 | 200 |
| Security groups per VPC | 250 | 500 |
| Rules per security group | 60 | 200 |
| Public IPv4 | 25 | bumpable |
| Floating IPs (reserved) | 25 | bumpable |
| Load balancers | 25 | bumpable |
| NAT gateways per AZ | 5 | 25 |
CIDR planning
Pick non-overlapping CIDRs across your projects if you ever plan to peer them. The default 10.0.0.0/16 is fine for prototypes; production should use a documented CIDR plan that doesn't collide with your on-prem RFC1918 ranges or any future cross-VPC peering.
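To make the planning rule above checkable before you click Create, here is an added Python example (not a console feature) that flags VPC CIDRs that overlap each other, fall outside the /16 to /24 sizes the console accepts, or collide with your on-prem ranges; the project names and ranges are constructed sample values.

```python
import ipaddress

# Constructed sample plan: planned VPC CIDRs per project, plus on-prem ranges (assumed values).
PLANNED_VPCS = {
    "prod-dhaka": "10.10.0.0/16",
    "staging": "10.20.0.0/16",
    "default-vpc": "10.0.0.0/16",   # the console's auto-created default VPC
}
ON_PREM = {"hq-lan": "10.0.0.0/20", "branch": "192.168.10.0/24"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_cidr_plan(vpcs, on_prem):
    """Return human-readable findings; an empty list means the plan is clean."""
    findings = []
    nets = {}
    for name, cidr in vpcs.items():
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set in the CIDR
        if not 16 <= net.prefixlen <= 24:
            findings.append(f"{name}: /{net.prefixlen} is outside the /16-/24 range the console accepts")
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append(f"{name}: {cidr} is not an RFC1918 range")
        nets[name] = net
    # Pairwise overlap between VPCs: overlapping VPCs can never be peered later.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]}); peering would be impossible")
    # Collisions with on-prem ranges break site-to-site VPN routing.
    for name, net in nets.items():
        for site, cidr in on_prem.items():
            if net.overlaps(ipaddress.ip_network(cidr)):
                findings.append(f"{name} ({net}) collides with on-prem {site} ({cidr})")
    return findings


if __name__ == "__main__":
    for line in check_cidr_plan(PLANNED_VPCS, ON_PREM) or ["plan is clean"]:
        print(line)
```

With the sample values the only finding is the default VPC colliding with the hq-lan range, which is exactly the case where you should ignore the default VPC and define your own.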
Default security group policy
Every VPC gets a default security group with these rules:
- Inbound: deny all
- Outbound: allow all
This is intentionally strict on inbound. Customize per project — typically open SSH from your bastion / VPN range, and HTTP/HTTPS for public-facing tiers.
Operation
Creating a VPC
VPCs → + Create VPC:
- Name
- CIDR block — /16 to /24
- Region
- Subnets — at least one (you can add more later)
- Tags
Adding a subnet
Subnets → + Create Subnet — pick the parent VPC, AZ, CIDR within the VPC's range, and gateway address.
Creating a security group
Security Groups → + Create Group → name + description.
Then + Add rule:
- Direction — Ingress / Egress
- Protocol — TCP / UDP / ICMP / Any / specific (e.g. ESP)
- Port range — 22, 80-90, 8000-9000, etc.
- Source (ingress) / Destination (egress) — CIDR or another security group ID
- Description — short note for the rule (audit-friendly)
Attach the group to ENIs via Servers → pick VM → Security Groups → +.
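As an added example (not console code), this Python snippet parses the port-range syntax the rule form accepts and audits a rule set against the guidance above: ingress from the whole internet should be limited to the web ports of public-facing tiers, SSH should come from your bastion / VPN range or a source group ID, and every rule should carry a description. The rules, CIDRs and group ID are constructed sample values.

```python
import ipaddress
import re

# Constructed sample rules in the shape of the console form; "peer" holds the Source (ingress)
# or Destination (egress): a CIDR or a security group ID. Not real project data.
SAMPLE_RULES = [
    {"direction": "Ingress", "protocol": "TCP", "ports": "22", "peer": "0.0.0.0/0", "description": "ssh"},
    {"direction": "Ingress", "protocol": "TCP", "ports": "80,443", "peer": "0.0.0.0/0", "description": "web tier"},
    {"direction": "Ingress", "protocol": "TCP", "ports": "22", "peer": "10.0.250.0/24", "description": "ssh from bastion"},
    {"direction": "Ingress", "protocol": "TCP", "ports": "8000-9000", "peer": "sg-0a1b2c3d", "description": ""},
    {"direction": "Egress", "protocol": "Any", "ports": "", "peer": "0.0.0.0/0", "description": "default egress"},
]
PORT_PART = re.compile(r"^\d{1,5}(-\d{1,5})?$")
PUBLIC_OK = {80, 443}  # the ports the page expects open on public-facing tiers


def parse_ports(spec):
    """Expand a console port-range string such as '22,80-90,8000-9000' into (low, high) tuples."""
    ranges = []
    for part in spec.replace(" ", "").split(","):
        if not PORT_PART.match(part):
            raise ValueError(f"bad port range: {part!r}")
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {part!r}")
        ranges.append((lo, hi))
    return ranges


def audit_rules(rules):
    """Return findings for rules that widen the default deny-all inbound posture too far."""
    findings = []
    for r in rules:
        peer = r["peer"]
        # A /0 CIDR means the whole internet; a group ID is scoped to that group's members.
        world = not peer.startswith("sg-") and ipaddress.ip_network(peer).prefixlen == 0
        if r["direction"] == "Ingress" and world:
            if r["protocol"] in ("TCP", "UDP"):
                for lo, hi in parse_ports(r["ports"]):
                    if not (lo == hi and lo in PUBLIC_OK):
                        findings.append(f"ingress {r['protocol']} {lo}-{hi} from {peer}: "
                                        "restrict to the bastion/VPN range or a source group ID")
            else:
                findings.append(f"ingress {r['protocol']} from {peer}: world-open non-TCP/UDP rule")
        if not r.get("description"):
            findings.append(f"{r['direction']} {r['protocol']} {r['ports'] or 'any'} {peer}: no description (audit trail)")
    return findings
```

Running audit_rules(SAMPLE_RULES) flags the world-open SSH rule and the undocumented 8000-9000 rule, and leaves the web-tier and bastion rules alone.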
Allocating a floating IP
Floating IPs → + Reserve floating IP:
- Pool — General / BDIX-only / BYOIP
- Address family — IPv4 / IPv6
- Tags
Then Associate with a VM, LB, or NAT gateway. Idle reserved IPv4 incurs a small per-hour charge; IPv6 is free.
Creating a load balancer
Load Balancers → + Create Load Balancer:
- Name
- Type — Network (L4) / Application (L7)
- Scheme — Internet-facing / Internal
- Subnets — pick the subnets the LB lives in (one per AZ for HA)
- Listeners — protocols + ports + (for L7) routing rules
- Target group — backends + health check config
L7 features (path/host routing, sticky sessions, TLS termination with managed cert) are configured under the LB's detail panel after creation.
Setting up a VPN
VPN Gateways → + Create Gateway:
- Name + Tier (Small 500 Mbps / Medium 1.5 Gbps / Large 5 Gbps / XL 10 Gbps)
- VPC + subnets (placed in an HA pair)
- Tunnel mode — Site-to-site IPsec / IKEv2 client VPN
- Peer config — far-side IP, PSK or certificate, IKE / ESP params
Once provisioned, generate the peer configuration (downloadable as a .conf you give to your far-end network team) and bring up tunnels.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Cannot reach VM from internet | Security group denies inbound; or no floating IP attached; or NACL blocks | Check the security group on the VM's ENI; confirm public IP attached; review NACL on the subnet |
| Cannot reach private VM from public VM in the same VPC | Security groups blocking cross-tier; or different subnets without a route | Add a security-group rule (source = the other group's ID); confirm the route table |
| Floating IP shows "associated" but VM unreachable | OS-side firewall (iptables, Windows Firewall) blocking | Check inside the VM (sudo ufw status); allow the relevant ports |
| Load Balancer target shows Unhealthy | Health-check path returns non-2xx, or wrong port, or security group on target blocks LB | Test the health check directly from the LB subnet; allow inbound from the LB's security group |
| VPN tunnel won't come up | IKE / ESP param mismatch with peer | Both sides must agree; compare phase-1 and phase-2 settings exactly |
| NAT gateway egress drops on large transfers | NAT gateway port-allocation per-source-IP exhausted | Use a multi-NAT-gateway pattern; or move egress to an LB pattern; or check for retry storms |
| New VPC peering still failing after Accept | Routes not added in both VPCs' route tables | Add explicit routes for the peer CIDR in both directions |
For BDIX-direct topologies, see BDIX Peering Direct Connect — that's not a self-service Console flow (it requires a fibre cross-connect).
Pricing
- VPC, subnets, security groups, NACLs — free
- Public IPv4 attached to a running VM — free (one per VM); extra/idle — per-hour
- NAT gateway — per-hour + per-GB
- Load balancer — per-hour + LCU + international egress
- VPN — per-gateway-hour + international egress
- Floating IP (reserved, unattached IPv4) — per-hour
See Pricing model.