Creating network paths


This topic describes how to create a network path. It also provides background information about network paths and recommendations for creating them.

Background information


What is a network path?


A network path within a network container functions much like a firewall rule. It regulates the flow of network traffic between two endpoints by either permitting or denying that flow. Like a firewall rule, a network path has the following attributes:

  • Source endpoint
  • Destination endpoint
  • Transport protocol
  • Application protocol
  • Port number
  • Option to permit or deny traffic

Distinction between a firewall rule and a network path


The chief distinction between a firewall rule and a network path lies in how each is applied to the topology of a network container. The topology of a network container is complex. It can contain multiple networks, load balancers, and firewalls.

When applying a firewall rule to a network container, the administrator must decide where to place the rule in the hierarchy of the topology. For example, the administrator must

  • Specify the firewall devices
  • Identify the firewall network interface for each device
  • Identify the access control lists (ACLs) for each firewall network interface

When applying a network path to a network container, the administrator only needs to define the security constraint of the firewall rule. The network path feature dynamically calculates where to add the firewall rule on the various points in the network container for the ACLs of the firewall network interfaces. Similarly, upon a network path deletion request, the feature dynamically calculates from where to remove the firewall rule.
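The placement step described above, as an added toy model that is not BMC Cloud Lifecycle Management code. The container topology (four networks joined by two firewalls), the interface names, the endpoint and ACL entry formats are all assumptions made for this example. It shows the idea in the text: the administrator states only the security constraint, and the firewall interfaces that need an ACL entry are computed from the topology, both when the path is added and when it is removed.

```python
"""Toy model of turning a network path into per-interface firewall ACL entries.

Added illustration; not product code. Topology, names and rule format are
assumptions made for the example.
"""
from collections import deque

# Constructed topology: each firewall maps every network it touches to the
# interface it uses on that network. All names are hypothetical.
FIREWALLS = {
    "fw-edge": {"ext-internet": "eth0", "dmz-net": "eth1"},
    "fw-core": {"dmz-net": "eth0", "app-net": "eth1", "db-net": "eth2"},
}


def _adjacency():
    """Networks reachable from each network, tagged with the firewall between them."""
    adj = {}
    for fw, ifaces in FIREWALLS.items():
        for a in ifaces:
            for b in ifaces:
                if a != b:
                    adj.setdefault(a, []).append((b, fw))
    return adj


def route(src_net, dst_net):
    """Breadth-first search for the firewall hops between two networks.
    Returns a list of (firewall, ingress_iface, egress_iface) in traffic order."""
    adj = _adjacency()
    queue = deque([(src_net, [])])
    seen = {src_net}
    while queue:
        net, hops = queue.popleft()
        if net == dst_net:
            return hops
        for nxt, fw in adj.get(net, []):
            if nxt not in seen:
                seen.add(nxt)
                hop = (fw, FIREWALLS[fw][net], FIREWALLS[fw][nxt])
                queue.append((nxt, hops + [hop]))
    raise ValueError(f"no firewall path from {src_net} to {dst_net}")


def acl_entries(path):
    """Expand one network path (the administrator's view) into the ACL entries
    the topology needs: one entry on the ingress interface of every firewall
    the traffic crosses. The same expansion answers 'where to add' and
    'where to remove', which is why deletion needs no manual placement."""
    action = "permit" if path["allow"] else "deny"
    rule = (f"{action} {path['transport']} {path['source']} -> "
            f"{path['destination']} port {path['port']}")
    return [(fw, ingress, rule)
            for fw, ingress, _egress in route(path["source"], path["destination"])]


def apply_path(acls, path):
    """Add the path's rule to each computed (firewall, interface) ACL."""
    for fw, iface, rule in acl_entries(path):
        acls.setdefault((fw, iface), []).append(rule)
    return acls


def remove_path(acls, path):
    """Recompute the same placement and remove the rule from each ACL."""
    for fw, iface, rule in acl_entries(path):
        acls[(fw, iface)].remove(rule)
    return acls


if __name__ == "__main__":
    # Constructed path: permit HTTPS from the outside network to the app network.
    path = {"source": "ext-internet", "destination": "app-net",
            "transport": "tcp", "port": "443", "allow": True}
    acls = apply_path({}, path)
    for (fw, iface), rules in acls.items():
        print(fw, iface, rules)
    remove_path(acls, path)
```

The path crosses both firewalls, so the rule lands on fw-edge eth0 and fw-core eth0; removing the path recomputes exactly those two places. In a real container the search would also have to account for load balancers and NAT, which this model leaves out.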

Inbound and outbound network paths


Defining inbound and outbound network paths gives you a perspective on the direction of traffic flow relative to a selected network, segment, or virtual load balancer (VLB). The terms inbound and outbound do not describe an absolute direction of the network path; they are contextual cues relative to the selected object. Inbound means that the selected object is the predefined destination. Outbound means that the selected object is the predefined source.

For example, if you choose to define an inbound path for a selected context, such as a network, load balancer pool, or server NIC, you depict the traffic that arrives at the selected context object – in this case, the destination. If you define an outbound path for a selected context, you depict the traffic that originates from the selected context – in this case, the source. Inbound and outbound are terms to orient the user.

The creation of inbound and outbound network paths makes the traffic flow between networks and VLBs more transparent and easier to understand.

Note

When creating an inbound network path for a selected VLB, you depict the traffic that arrives at the VLB, which serves always as the destination.

Guidelines for creating network paths


These guidelines address different components of network paths.

Note

In addition to defining network paths within a network container, you must also add those network paths to the definition of a service blueprint (see Creating, copying, or editing a service blueprint).

Source and destination endpoints

If the source and destination endpoints are networks, they must reside on different subnets. More generally, the source and destination endpoints cannot resolve to the same network. The following network path definitions are therefore invalid:

  • Between a server network interface card and the network itself
  • Between a load balancer pool and a network where the load balancer pool resides

When specifying source and destination endpoints, do not use hard-coded IP addresses or subnet values.

A source endpoint can be a

  • Server network interface card
  • Network instance

A destination endpoint can be a

  • Server network interface card
  • Network instance
  • VLB pool

Customer networks

When specifying an inbound path for a customer network, the destination is the customer network. The source can be another network in the same container or a server network interface card (NIC) on a network. When specifying an outbound path for a customer network, the source is the customer network. The destination can be a server NIC, another network in the same container, or a VLB pool.

You can attach load balancer pools to a customer network whereby the load balancer pool acquires the virtual IP (VIP) address of the network. This VIP address serves as the "client" network address that other endpoints communicate with. The VIP address is distributed to the servers on the "server" networks in the load balancer pool.

A virtual machine or physical server network interface card can also attach to a customer network and acquire the network address. Customer networks support both the NIC and VIP network capabilities.

External networks

Traffic can originate from and travel to an external network in much the same way as it does for a customer network. External networks identify subnets that reside outside the container.

Note

The external network 0.0.0.0/0 (all routes) is a catch-all: it matches every address and port that is neither in the container nor covered by another, more specific external network. A path that permits traffic to or from it therefore permits traffic to or from any address outside the container, so keep its transport protocol and port constraints as narrow as possible.

External networks do not host virtual machine or physical server network interface cards that are provisioned by BMC Cloud Lifecycle Management. However, external networks can host virtual machine or physical server network interface cards that are managed outside the container.

Outside networks

An outside network acts as a bridge on which traffic passes back and forth between an external network that resides outside the container and an internal customer network residing within the container. Traffic does not originate from or go to an outside network, which works in the background as a conduit between external and customer networks. Consequently, you do not need to create network paths for an outside network.

Management networks

Likewise, management networks do not involve network paths because the assumption is that management traffic is trusted and does not need to be regulated.
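A validator for the guidelines in this section, and for the inbound/outbound orientation described under Background information, as an added example that is not BMC Cloud Lifecycle Management code. The container inventory, the (kind, name) endpoint tuples, the constraint dictionary, and the message texts are assumptions made for this example; the rules it checks are the ones the page states: a VLB pool is only ever a destination, source and destination may not share a network, management networks take no paths, hard-coded addresses are discouraged, a port constraint is a single port or a range, and 0.0.0.0/0 is the catch-all for anything outside the container.

```python
"""Validate a network path definition against the guidelines above.

Added illustration; not product code. Inventory, endpoint format and
messages are assumptions made for the example.
"""
import ipaddress

# Constructed container inventory (all names and prefixes are hypothetical).
CONTAINER = {
    "customer":   {"web-net": "10.10.1.0/24", "app-net": "10.10.2.0/24"},
    "external":   {"partner-net": "203.0.113.0/24", "any-external": "0.0.0.0/0"},
    "management": {"mgmt-net": "10.10.99.0/24"},
}
NIC_NETWORK = {"web01/nic0": "web-net", "app01/nic0": "app-net"}  # server NIC -> network
VLB_POOL_NETWORK = {"web-pool": "web-net"}                         # pool -> network of its VIP

# Endpoints are (kind, name) tuples; kind is "nic", "network", "vlb_pool" or "address".
SOURCE_KINDS = {"nic", "network", "address"}
DEST_KINDS = {"nic", "network", "vlb_pool", "address"}


def classify_address(addr):
    """Map an IP address to the (type, network) that covers it, preferring the
    longest prefix, so 0.0.0.0/0 wins only when nothing more specific matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net_type, nets in CONTAINER.items():
        for name, cidr in nets.items():
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[2].prefixlen):
                best = (net_type, name, net)
    return (best[0], best[1]) if best else (None, None)


def home_network(endpoint):
    """Network that an endpoint resolves to (NIC and pool endpoints sit on one)."""
    kind, name = endpoint
    if kind == "nic":
        return NIC_NETWORK[name]
    if kind == "vlb_pool":
        return VLB_POOL_NETWORK[name]
    if kind == "address":
        return classify_address(name)[1]
    return name


def parse_port_range(text):
    """Accept a single port ('8443') or a range ('8000-8100'); return (low, high)."""
    low, _, high = text.partition("-")
    low, high = int(low), int(high or low)
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"invalid port range {text!r}")
    return low, high


def validate_path(context, direction, other, constraint):
    """Orient the path from the selected context (inbound: context is the
    destination; outbound: context is the source) and check the guidelines.
    Returns (errors, warnings); an empty error list means the path is valid."""
    errors, warnings = [], []
    if direction == "inbound":
        source, destination = other, context
    elif direction == "outbound":
        source, destination = context, other
    else:
        return [f"unknown direction {direction!r}"], warnings
    if source[0] not in SOURCE_KINDS:
        errors.append(f"{source[0]} cannot be a source endpoint (a VLB pool is always a destination)")
    if destination[0] not in DEST_KINDS:
        errors.append(f"{destination[0]} cannot be a destination endpoint")
    if not errors:
        src_net, dst_net = home_network(source), home_network(destination)
        if src_net == dst_net:
            errors.append(f"source and destination both resolve to {src_net}; endpoints must not share a network")
        for ep, net in ((source, src_net), (destination, dst_net)):
            if net in CONTAINER["management"]:
                errors.append(f"{ep[1]} is on management network {net}, which takes no network paths")
            if ep[0] == "address":
                warnings.append(f"{ep[1]} is a hard-coded address; prefer the named network {net}")
            if net == "any-external" and constraint.get("allow", False):
                warnings.append(f"path permits {direction} traffic for any address outside the container")
    try:
        parse_port_range(constraint["port_range"])
    except (KeyError, ValueError) as exc:
        errors.append(f"bad port range: {exc}")
    return errors, warnings


if __name__ == "__main__":
    # Constructed input: outbound from app-net to a bare address that only the catch-all covers.
    print(validate_path(("network", "app-net"), "outbound", ("address", "198.51.100.5"),
                        {"transport": "tcp", "port_range": "443", "allow": True}))
```

Run as-is, the sample produces no errors but two warnings: the destination is a hard-coded address, and because that address falls only under 0.0.0.0/0, the permit applies to every address outside the container. Those are exactly the two cases a reviewer should question before the path is saved.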


Creating an inbound network path for a network instance

When defining an inbound path for a selected network, you describe the route by which traffic arrives at the selected network.

When creating an inbound path for a selected network instance, you specify a source endpoint—either a server network interface or a network endpoint. You accept the destination endpoint, which defaults to your network instance selection. Then you add the firewall constraints that regulate the traffic between the two endpoints.

Note

Load Balancer pools cannot serve as source endpoints.

The network types (customer, external, outside, and management) are described under Guidelines for creating network paths earlier in this topic.

To select the network instance

  1. Select the Network or Load Balancer Pool radio button, and click the drop-down arrow to display the corresponding entries.
  2. Select a Network or Load Balancer Pool entry from the drop-down list. This is the network or load balancer pool for which you will create a network path. The previous figure shows a Customer NIC Segment as the network type in this example.
  3. Click the Create Network Path icon to display the Create Network Path wizard.

Continue with the following procedure. It uses a Customer NIC Segment network instance as the network to which the inbound network path is added.

To create an inbound network path

  1. On the initial Create Network Path wizard panel, select the direction choice Create Inbound Network Path and specify a description for the network path.
  2. Click Next to display the Source Endpoint dialog. Here you specify the origin of the inbound traffic. For the source endpoint, you can choose between the Server Network Interface and the Network Endpoint option. The default selection is Server Network Interface. This example uses the default, Server Network Interface, as the source endpoint selection.
  3. See Selecting source or destination endpoints to complete your source endpoint selection. Once completed, the source endpoint data is shown in the dialog.

  4. After specifying your source endpoint, click Next to access the Destination Endpoint dialog. It defaults to the selected Customer NIC Segment network instance, which is the destination of the inbound traffic.
  5. Click Next to access the Path Constraints dialog.
  6. Specify the following items:

    Transport Protocol: Indicates the required transport protocol, for example, TCP or UDP.
    Application Protocol: Select an application protocol, or enter a single port number or a port range in the Port Range field.
    Allow Traffic: Select to permit traffic on the path; leave it cleared to deny traffic that matches the constraint.
    Log: Select to log traffic that matches the path.
    Locked: Select to lock the path, which prevents end users and tenant administrators from deleting or editing the path.
    Hidden: Select to hide the path from end users and tenant administrators.
  7. Click Save to add the inbound network path to the selected network (a Customer NIC Segment network in this example) in the Manage Network Paths dialog. The action is queued under Pending Activity and, providing no errors occur, completes in stages. After it is complete, the network path is posted under the Network Paths pane for the selected network. The highlighted row below illustrates the network path created in this example.



Creating an outbound network path for a network instance

When defining an outbound path for a selected network instance, you describe the route by which traffic leaves the selected network.

When creating an outbound path for a selected network instance, you accept the source endpoint, which is the selected network instance. You specify a destination endpoint—a server network interface, a network endpoint, or a VLB pool. Then you add the firewall constraints that regulate the traffic between the two endpoints.

To select the network instance

  1. Select the Network or Load Balancer Pool radio button, and click the drop-down arrow to display the corresponding entries.
  2. Select a Network or Load Balancer Pool entry from the drop-down list. This is the network or load balancer pool for which you will create a network path. The previous figure shows a Customer NIC Segment as the network type in this example.
  3. Click the Create Network Path icon to display the Create Network Path wizard.

Continue with the following procedure. It uses a Customer NIC Segment network as the network to which the outbound network path is added.

To create an outbound network path

  1. On the initial Create Network Path wizard panel, select the direction choice Create Outbound Network Path.
  2. Click Next to display the Source Endpoint dialog. It defaults to the selected network instance from which the outbound traffic originates—the Customer NIC Segment in this example.
  3. After viewing the source endpoint, click Next to access the Destination Endpoint dialog. Here you specify the destination of the outbound traffic. For the destination endpoint, you can choose among the Server Network Interface, the Network Endpoint, and the Virtual Load Balancer Pool options. The default selection is Server Network Interface. This example uses the Network Endpoint option as the destination endpoint selection.
  4. See Selecting source or destination endpoints to complete your destination endpoint selection. Once completed, the destination endpoint data is shown in the dialog.
  5. Click Next to access the Path Constraints dialog.
  6. Specify the Transport Protocol, the Application Protocol or Port Range if either is required, and the Allow Traffic selection to permit or deny traffic that matches the protocol definition.

    Transport Protocol: Indicates the required transport protocol, for example, TCP or UDP.
    Application Protocol: Select an application protocol, or enter a single port number or a port range in the Port Range field.
    Allow Traffic: Select to permit traffic on the path; leave it cleared to deny traffic that matches the constraint.
    Log: Select to log traffic that matches the path.
    Locked: Select to lock the path, which prevents end users and tenant administrators from deleting or editing the path.
    Hidden: Select to hide the path from end users and tenant administrators.
  7. Click Save to add the outbound network path to the selected network (a Customer NIC Segment in this example) in the Manage Network Paths dialog. The action is queued under Pending Activity and, providing no errors occur, completes in stages. After it is complete, the network path is posted under the Network Paths pane for the selected network.


Creating an inbound network path for a load balancer pool

A VLB always functions as the destination of a network path.

You can specify an inbound network path that has the selected VLB pool as the destination endpoint.

To create a network path for load balancer pool

  1. In the Manage Network Paths panel, choose the Load Balancer Pool option, and select an entry from the drop-down menu.
  2. Click the Create Network Path icon to display the Create Network Path wizard. Note that when creating a network path for a load balancer pool, the wizard opens at the Source Endpoint dialog (the second panel), because the direction is always inbound.
  3. Specify the origin of the inbound traffic. For the source endpoint, you can choose between the Server Network Interface and the Network Endpoint option. The default selection is Server Network Interface. This example uses the Network Endpoint option as the source endpoint selection.
  4. See Selecting source or destination endpoints to complete your source endpoint selection. Once completed, the source endpoint data is shown in the dialog.

  5. After specifying your source endpoint, click Next to access the Destination Endpoint dialog. It defaults to the selected VLB instance, which is the destination of the inbound traffic.
  6. Click Next to access the Path Constraints dialog.
  7. Specify the Transport Protocol, the Application Protocol or Port Range if either is required, and the Allow Traffic selection to permit or deny traffic that matches the protocol definition.

    Transport Protocol: Indicates the required transport protocol, for example, TCP or UDP.
    Application Protocol: Select an application protocol, or enter a single port number or a port range in the Port Range field.
    Allow Traffic: Select to permit traffic on the path; leave it cleared to deny traffic that matches the constraint.
    Log: Select to log traffic that matches the path.
    Locked: Select to lock the path, which prevents end users and tenant administrators from deleting or editing the path.
    Hidden: Select to hide the path from end users and tenant administrators.
  8. Click Save to add the inbound network path to the selected VLB in the Manage Network Paths dialog. The action is queued under Pending Activity and, providing no errors occur, completes in stages. After it is complete, the network path is posted under the Network Paths pane for the selected VLB.


Selecting source or destination endpoints

  • When creating an inbound network path, you have the option of selecting a server network interface or a network endpoint as the source endpoint. The destination endpoint in the inbound context is the selected network instance.
  • When creating an outbound network path, you have the option of selecting a server network interface, a network endpoint, or a VLB as the destination endpoint. The source endpoint in this context is the selected network instance.

To select a server network interface as a source or destination endpoint

In this example, an inbound path is being created, so the server network interface is added as a source endpoint. The steps are the same for an outbound path in which you would add a server network interface as a destination endpoint.

Note

The server network interface is derived from running service instances. To preview your available running service instances, go to the Service Instances workspace, and select the My Services > Services subtab to display the running instances.

Follow these steps to select a server network interface.

  1. Accept the Server Network Interface default selection in the endpoint dialog. In this example, it is the Source Endpoint dialog.

  2. Click the Select Service Offering Instances icon to open the Service Instance Search dialog. By default, only service instances with a status of Running can be retrieved. To narrow the search, you can specify values for the Name, Tenant, and Owner fields.

  3. Click Search to retrieve the matching instances. Then choose an instance, and click Select to return to the dialog screen—in this example the Source Endpoint dialog.

  4. Using the drop-down selections, choose the server and NIC. The network address is automatically populated.
  5. Click Next to proceed to the next wizard dialog, and continue with your procedure steps. See Creating an inbound network path for a network instance, Creating an outbound network path for a network instance, or Creating an inbound network path for a load balancer pool.

To select a network endpoint as a source or destination endpoint

In this example, an outbound path is being created, so the network endpoint is added as a destination endpoint. The steps are the same for an inbound path in which you would add a network endpoint as a source endpoint.

Follow these steps to select a network endpoint:

  1. Select Network Endpoint in the endpoint dialog. In this example, it is the Destination Endpoint dialog.

  2. Complete the Network Endpoint Details by choosing one of the following three options:
    • To choose an available network by name, click the Select Network Endpoint icon next to the Name field to display the Network Type Picker. In the picker, select the type and the network name; if you select Zone as the type, also specify a zone. The Network Address and Network Mask are populated automatically. Click OK to copy the information to the endpoint dialog (the Destination Endpoint dialog in this example). This is the preferred option, because it avoids hard-coding addresses in the path (see the guidelines above).

    • To use a host address, select the Host Address field, and enter a valid IP address.

    • To use a network address, select the Network Address field, and enter valid values for the Network Address and Network Mask.

  3. Click Next to proceed to the next wizard dialog, and continue with your procedure steps. See Creating an inbound network path for a network instance, Creating an outbound network path for a network instance, or Creating an inbound network path for a load balancer pool.

Selecting a VLB as a destination endpoint

A VLB pool can only be a destination endpoint, never a source. You therefore select it in the Destination Endpoint dialog when creating an outbound network path for a selected network instance.

  1. In the Destination Endpoint dialog, select the Virtual Load Balancer Pool instance.
  2. Using the drop-down lists, select a Load Balancer entry and a Load Balancer Pool entry. The Virtual IP address field is populated automatically.

  3. Click Next to proceed to the next wizard dialog, and continue with your procedure steps. See Creating an outbound network path for a network instance.


Related BMC Communities video

The following BMC Communities video (4:04) describes how to use NIC segments in network blueprints in BMC Network Automation. The blueprints can then be used in BMC Cloud Lifecycle Management.

 https://youtu.be/dzYncazJXgg

Related topics

Managing network paths
