From a logical network point of view, the server is a NAT router/firewall with physical WAN and LAN interfaces, and a virtual internal interface to which virtual machines (VMs) running on the server are connected.
The following diagram shows a server in terms of its logical networking:
- The physical LAN and WAN interfaces must not be patched to the same L2 network segment (broadcast domain) – they must be on separate physical network segments or VLANs.
- The VM IP subnet range is uniquely determined by us and can be viewed in the Commissioning Console.
- The LAN and WAN interfaces must be configured such that the LAN, WAN and VM subnets are all on separate (non-overlapping) IP subnets.
- The virtual router inside the server will route traffic between the LAN and VM ranges, and will route, and NAT, any traffic from the LAN and VM ranges going to the WAN.
- The VMs cannot be configured to sit on the LAN interface with LAN IPs – they must sit on their own network segment with the allocated IP range.
- The server must be able to reach the Internet via its WAN interface at all times; the WAN interface must therefore remain patched throughout normal operation.
- The Internet connection provided by the gateway on the WAN side of the server must have no outbound traffic restrictions in terms of ports or protocols – the server establishes outbound management VPN connections to a management cloud and direct connections to a number of different Internet servers for updates, in addition to providing general end-user Internet access.
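As an added example (not the product's own code or configuration), the following Python script checks a LAN/WAN/VM addressing plan against the non-overlap rules above and renders an nftables ruleset that models the routing and NAT behaviour described for the virtual router. The sample addresses, the interface names and the choice of nftables are assumptions.

```python
"""Addressing-plan check and nftables model for the LAN / WAN / VM topology."""
import ipaddress
from typing import Dict, List

# Constructed sample plan (hypothetical values, not taken from the page).
PLAN: Dict[str, str] = {
    "WAN": "203.0.113.10/29",  # address handed out on the WAN segment by the upstream gateway
    "LAN": "192.168.10.1/24",  # address of the physical LAN interface
    "VM": "10.200.0.1/24",     # allocated VM range (in practice read from the Commissioning Console)
}


def subnet_violations(plan: Dict[str, str]) -> List[str]:
    """Return every pair of interfaces whose IP subnets overlap; an empty list means the plan is valid.
    A VM range placed inside the LAN subnet is caught here as an overlap."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in plan.items()}
    names = sorted(nets)
    return [
        f"{a} {nets[a]} overlaps {b} {nets[b]}"
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def virtual_router_ruleset(plan: Dict[str, str], lan_if: str = "lan0",
                           wan_if: str = "wan0", vm_if: str = "vm0") -> str:
    """Render an nftables ruleset: LAN <-> VM routed without NAT, LAN and VM masqueraded
    towards the WAN, nothing initiated from the WAN side. Interface names are assumptions."""
    problems = subnet_violations(plan)
    if problems:
        raise ValueError("fix the addressing plan first: " + "; ".join(problems))
    lan = ipaddress.ip_interface(plan["LAN"]).network
    vm = ipaddress.ip_interface(plan["VM"]).network
    return f"""table ip virtual_router {{
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN <-> VM traffic is routed, not NATed
        iifname "{lan_if}" oifname "{vm_if}" accept
        iifname "{vm_if}" oifname "{lan_if}" accept
        # LAN and VM ranges may reach the WAN; the WAN side cannot initiate inbound
        iifname {{ "{lan_if}", "{vm_if}" }} oifname "{wan_if}" accept
    }}
    chain postrouting {{
        type nat hook postrouting priority 100; policy accept;
        # only LAN/VM sources leaving via the WAN are source-NATed
        oifname "{wan_if}" ip saddr {{ {lan}, {vm} }} masquerade
    }}
}}
"""
```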