Layer 2 & private networks

Latitude.sh servers are configured with a public and a private interface with a Layer 3 network topology by default. You can use the Layer 2 feature to change servers to a Layer 2 topology, creating a Private Network.

Introduction

Layer 2 allows you to group servers in the same project within the same facility, enabling private communication between them. This is useful when you don't want or need traffic from specific servers going through the internet.

For example, if you have a server running a database that needs to communicate with a web app on a different server, you could have the database server connect privately to the web app server, increasing security and reliability. Another common use case is if you are managing services like DHCP and setting up Kubernetes clusters.

Layer 2 packets don't go through the network layer and traffic is not filtered in any way. Latitude.sh does not charge for traffic from private networks, either inbound or outbound.

618

Representation of a Private Network where Server 1 and Server 2 can communicate through VLAN 123.

Creating a Virtual Network (VLAN)

The first step is to create a Virtual Network — commonly referred to as VLAN. You can do that from the dashboard or through the virtual networks endpoint.

  1. On your dashboard, click on the Networking menu, then on Layer 2.
  2. Click on Create VLAN on the top-right section of the page. Choose the region and add a description to your VLAN. The description is only used to help you identify what the VLAN is used for.

Assigning servers to a Virtual Network

After a virtual network is created, you have to assign at least two servers to it to allow for the server's private IPs to communicate with each other.

  1. Go to the Virtual Network you created and click on Assign.
  2. Select the server you'd like to assign — note that only servers from the facility the virtual network was created in will be listed.
  3. Save and wait a few seconds while the network is provisioned.

Adding the Virtual Network to a server

The provisioning of the network on our switches is handled automatically after you assign your first server to a VLAN. Seen that Latitude.sh has no access to your servers, an additional step is required and you need to configure the VLAN on your Operating System.

After creating and assigning your server to a Private VLAN, you need to set it up so it can actually send traffic through it. This is an additional step you need to make based on the Operating System you are using.

Windows

Windows

This will show you how to set up multiple VLANs on a single network interface when using Windows Server 2012 or later.

Required Setup

1200

Windows Server Private VLAN required setup.

  1. If you want to configure a single VLAN in the interface, go to Network Connections > Properties > Advanced tab > Select the VLAN ID field and add the desired value.

If you want multiple VLANs in the same interface, make sure that the property VLAN ID is set to 0 - otherwise, it will not work.

407

Setting the VLAN ID property to 0 when setting up multiple VLANs in the same interface.

  1. Access your server's IPMI via the Remote access feature.
  2. On your IPMI interface go to Server Manager > Local server and click on NIC Teaming.
1198

NIC Teaming on your server's IPMI interface.

  1. Create a new Team with a single interface by going to Teams > Tasks > New Team. Select the desired interface (e.g. 40GbE) and give it a name. Once you create the Team, your IP configuration will be cleaned and your server's internet connection will be lost until the end of the process. Select your secondary interface for the private VLAN.
533
  1. Go to Adapter and Interfaces and click on TASKS > Add Interface. The first interface needs to have the VLAN ID 0 (zero) or Default.
1200
  1. Configure the specific VLAN and click OK. The VLAN ID that you need to configure is the same displayed on your dashboard.
536
  1. To add another VLAN interface on the same port, repeat step #4.
1194
  1. To assign an IP address to the new interface, click on Network Connections, and find the VLAN interface you have just added. Then, configure the IP similarly to any other interface. You need to configure the VLAN 0 with your public IP.

You can configure any IP address in your private VLAN (e.g.: 10.10.10.1/24) and you don't need to configure a Gateway in the private interfaces. Gateway information is only mandatory for ' Public' Interfaces.

995

Let's say you created three VLAN interfaces (VLANs 1,2,3) on the teaming interface and add three IP addresses, here is what you should see on the Server Manager window:

782

Troubleshooting

  • If you try to configure multiple VLANs, make sure that the value of the VLAN ID field in the properties Advanced tab is equal to 0.
  • Do not configure the primary virtual interface with the VLAN ID, as it needs to be on its default configuration (VLAN ID 0). When the port configuration is set up to native VLAN, do not change this VLAN configuration.
Ubuntu

Ubuntu

This is mandatory for all Ubuntu versions.

  1. Load the 8021q module into the kernel.
sudo modprobe 8021q
  1. Install the VLAN package.
sudo apt install vlan

Ubuntu 18 and higher

  1. Change the Netplan configuration file in /etc/netplan/50-cloud-init.yaml and add the configuration below to the end of the file.
  • Replace {{VID}} with the VID value from the VLAN you created.
  • Replace addresses with the private a private address of your choice.
vlans:
            vlan.{{VID}}:
                    id: {{VID}}
                    link: eno2
                    addresses: [10.10.10.20/24]

The vlans section should be at the same identation level of the ethernet key.

  1. Save the file and apply the configurations with the command below.
sudo netplan apply

This configuration is permanent, you don't need to do anything else.

CentOS and RedHat Enterprise Linux

CentOS 7/8 and Red Hat Enterprise Linux

  1. In Red Hat Enterprise Linux and Centos 7, the 8021q module is loaded by default. If necessary, you can make sure that the module is loaded by issuing the following command as root:
modprobe --first-time 8021q
modprobe: ERROR: could not insert '8021q': Module already in kernel
  1. To display information about the module, issue the following command:
modinfo 8021q
  1. See the modprobe(8) main page for more command options.

Additional resources

Setting up 802.1Q VLAN tagging using IFCFG files

  1. Configure the parent interface in /etc/sysconfig/network-scripts/ifcfg-eno2.
DEVICE=eno2
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
  1. Set the VLAN interface configuration in the /etc/sysconfig/network-scripts/ directory. The configuration file name should be the parent interface plus a . character followed by the VLAN ID number. For example, if the VLAN ID is 192, and the parent interface is eth0, then the configuration file name should be ifcfg-eno2.192:
DEVICE=eno2.192
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.1.1
PREFIX=24
NETWORK=192.168.1.0
VLAN=yes
  1. If there is a need to configure a second VLAN, with, for example, VLAN ID 193, on the same interface, eno2, add a new file with the name eno2.193 with the VLAN configuration details. Restart the networking service in order for the changes to take effect. As root issue the following command:
systemctl restart network