Overview

This guide is designed to assist you in creating and managing your private subnets within Ubicloud. Private subnets offer a secure environment for your virtual machines (VMs), ensuring private and secure internal communication without the need for public IP addresses.

Key Features

Fully Encrypted Communication: Every resource within a subnet is connected through IPSec tunnels, ensuring secure communication.

Supports both IPv4 and IPv6: Ubicloud's private subnets carry both IPv4 and IPv6 traffic. We use a /26 subnet size for IPv4 and a /80 for IPv6, allowing up to 63 resources in a single subnet.

Automatic Key Rotation: IPSec tunnels are automatically rekeyed every 24 hours, ensuring continuous secure communication without traffic disruption.

Firewall Integration: Attach and detach multiple firewalls to control access to resources within your private subnet.

Getting Started

Creating a Private Subnet

Navigate to Private Subnet: On the dashboard, select the "Private Subnet" option from the left menu.

Create a Private Subnet: Click on the "+ New Private Subnet" button. You will be directed to a new page, where you can specify the subnet's name and its cloud region.

Creating a New VM in a Private Subnet

Provisioning: When creating a new VM, choose an existing private subnet to provision the resource in.

Connectivity: Start connecting to other VMs within the same private subnet using their private IPv4 or IPv6 addresses, visible on the Overview page.

IPSec Tunnels: Upon successful VM creation, Ubicloud automatically establishes IPSec tunnels to and from every other resource in the subnet.

Private Subnet Details

Viewing Resources in a Private Subnet

Access the Private Subnet: From the dashboard's left menu, select the "Private Subnet" option.

Show Private Subnet Details: Click the name of the desired private subnet to view its details, including name, region, private IP blocks, and attached VMs and firewalls.

Overview Page

The overview page of your Private Subnet provides a comprehensive view of your subnet's configuration and resources. Here, you'll find:

Subnet Name and Region: Easily identify your subnet and its Ubicloud region.

IP Blocks: View the assigned private IPv4 and IPv6 blocks for your subnet.

Attached Resources: See a list of all VMs and firewalls currently attached to the subnet.

IPSec Tunnel Implementation in Ubicloud Private Subnets

Ubicloud leverages IPSec tunnels to ensure secure and private communication between virtual machines (VMs) within its private subnets. This section provides a detailed overview of how Ubicloud uses IPSec tunnels, focusing on their creation, management, and encryption processes.

Overview of IPSec Tunnels in Ubicloud

IPSec (Internet Protocol Security) is a suite of protocols designed to secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a session. Ubicloud employs IPSec tunnels in tunnel mode, which encapsulates the entire IP packet within an Encapsulation Security Payload (ESP) packet. This encapsulation is crucial for maintaining the confidentiality and integrity of data as it moves between VMs within a private subnet.

Key Components of Ubicloud's IPSec Implementation

ESP Packet Creation and Encryption

In Ubicloud's environment, ESP packets are generated using the ip xfrm command, which installs the kernel's IPSec security associations (states) and the policies that decide which packets they apply to. These ESP packets encapsulate the original IP packet in its entirety. The encapsulation process encrypts the data, thereby ensuring that the packet's contents are secure from unauthorized access or eavesdropping.

Use of Public IPv6 Addresses

Ubicloud uses public IPv6 addresses as the endpoints of its IPSec tunnels, so tunnels are routed between hosts over IPv6. This approach leverages the extensive address space provided by IPv6 and supports secure and efficient data transmission within the private subnet.

Automatic Key Management

Security keys for the IPSec tunnels are automatically generated and refreshed daily. This practice of frequent key rotation significantly enhances the security posture by minimizing the risk of key compromise.

Tunnel Mode Operation

Ubicloud's IPSec tunnels operate in tunnel mode, where the entire IP packet, including the original header, is encapsulated within an ESP packet. This method is particularly effective for creating a secure communication channel between VMs, as it ensures that all aspects of the packet are protected.
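The following script is an added example, not Ubicloud's own code or its documented procedure. It prints the ip xfrm commands that set up the ESP tunnel-mode state pair and policies described above for two VMs whose hosts reach each other over public IPv6, and then the commands for a rekey that never leaves either end unable to decrypt. Everything in it is an assumption for illustration: the addresses, SPIs, reqids and keys are constructed placeholders, AES-256-GCM is chosen as the ESP cipher (the page does not name one), and the rekey ordering (install the new SAs on both ends, flip the outbound policy, then delete the old SAs) is the standard IPsec rekey pattern rather than Ubicloud's specific implementation. The commands are printed rather than applied.

```shell
#!/bin/sh
# Added example, not Ubicloud's own code or procedure: print the `ip xfrm`
# commands that build an ESP tunnel-mode SA pair between two VMs whose hosts
# reach each other over public IPv6, then the commands for a rekey that keeps
# traffic flowing. Every address, SPI, reqid and key here is a constructed
# placeholder; the commands are printed, not applied.
set -eu

A_OUTER=2001:db8:a::1; A_INNER=10.0.0.2   # host A public IPv6 / VM A private IPv4
B_OUTER=2001:db8:b::1; B_INNER=10.0.0.3   # host B public IPv6 / VM B private IPv4

# Fresh AES-256-GCM key material (32-byte key + 4-byte salt, hex) in the
# form `rfc4106(gcm(aes))` expects. Each SA gets its own key.
new_key() {
  printf '0x%s' "$(od -An -N36 -tx1 /dev/urandom | tr -d ' \n')"
}

# One ESP SA in tunnel mode. Outer src/dst are the hosts' public IPv6
# addresses; `sel` names the VMs' private IPv4 addresses, which is what
# lets an IPv6 outer SA carry IPv4 inner packets.
# $1 outer src $2 outer dst $3 spi $4 reqid $5 key $6 inner src $7 inner dst
state_add() {
  printf "ip xfrm state add src %s dst %s proto esp spi %s reqid %s mode tunnel aead 'rfc4106(gcm(aes))' %s 128 sel src %s dst %s\n" \
    "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Outbound policy pins its SA by reqid; inbound and forward policies omit
# reqid so they accept the old and the new SA while a rekey is in flight.
# $1 add|update $2 inner src $3 inner dst $4 outer src $5 outer dst $6 reqid
policy_out() {
  printf "ip xfrm policy %s src %s/32 dst %s/32 dir out tmpl src %s dst %s proto esp reqid %s mode tunnel\n" \
    "$1" "$2" "$3" "$4" "$5" "$6"
}
# $1 inner src $2 inner dst $3 outer src $4 outer dst
policy_in() {
  for dir in in fwd; do
    printf "ip xfrm policy add src %s/32 dst %s/32 dir %s tmpl src %s dst %s proto esp mode tunnel\n" \
      "$1" "$2" "$dir" "$3" "$4"
  done
}

# Initial tunnel: both hosts install both SAs (same SPI and key at each end),
# then each host adds its own outbound and inbound policies.
# $1 reqid $2 spi A->B $3 spi B->A $4 key A->B $5 key B->A
tunnel_setup() {
  echo "# host A and host B"
  state_add "$A_OUTER" "$B_OUTER" "$2" "$1" "$4" "$A_INNER" "$B_INNER"
  state_add "$B_OUTER" "$A_OUTER" "$3" "$1" "$5" "$B_INNER" "$A_INNER"
  echo "# host A"
  policy_out add "$A_INNER" "$B_INNER" "$A_OUTER" "$B_OUTER" "$1"
  policy_in "$B_INNER" "$A_INNER" "$B_OUTER" "$A_OUTER"
  echo "# host B"
  policy_out add "$B_INNER" "$A_INNER" "$B_OUTER" "$A_OUTER" "$1"
  policy_in "$A_INNER" "$B_INNER" "$A_OUTER" "$B_OUTER"
}

# Rekey without dropping packets (assumed ordering, not Ubicloud's documented
# one): new SAs exist on both ends before any host sends with them, outbound
# policies flip to the new reqid, and only then are the old SAs deleted.
# $1 old reqid $2 old spi A->B $3 old spi B->A
# $4 new reqid $5 new spi A->B $6 new spi B->A $7 new key A->B $8 new key B->A
tunnel_rekey() {
  echo "# step 1, host A and host B: add new SAs; outbound still uses reqid $1"
  state_add "$A_OUTER" "$B_OUTER" "$5" "$4" "$7" "$A_INNER" "$B_INNER"
  state_add "$B_OUTER" "$A_OUTER" "$6" "$4" "$8" "$B_INNER" "$A_INNER"
  echo "# step 2, host A: switch outbound to the new SA"
  policy_out update "$A_INNER" "$B_INNER" "$A_OUTER" "$B_OUTER" "$4"
  echo "# step 2, host B"
  policy_out update "$B_INNER" "$A_INNER" "$B_OUTER" "$A_OUTER" "$4"
  echo "# step 3, host A and host B: retire the old SAs"
  printf 'ip xfrm state delete src %s dst %s proto esp spi %s\n' "$A_OUTER" "$B_OUTER" "$2"
  printf 'ip xfrm state delete src %s dst %s proto esp spi %s\n' "$B_OUTER" "$A_OUTER" "$3"
}

# Demo: day-0 setup, then the daily rekey with fresh SPIs, reqid and keys.
tunnel_setup 101 0x1001 0x1002 "$(new_key)" "$(new_key)"
echo
tunnel_rekey 101 0x1001 0x1002 102 0x1003 0x1004 "$(new_key)" "$(new_key)"
```

Two design points worth noting. The `sel src ... dst ...` clause on each state is what makes an IPv6-addressed SA eligible to carry IPv4 inner packets; without it the kernel's state lookup treats the SA as IPv6-only. And the inbound and forward policies deliberately carry no reqid: the kernel treats a zero reqid in a policy template as a wildcard, so packets arriving on either the old or the new SA are accepted during the rekey window, while the outbound side is switched atomically with a single `ip xfrm policy update`. On a real host the printed lines would be applied with root privileges, and the keys would be carried between the two hosts over an already authenticated channel, never in the clear.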