Configuring data-in-transit encryption

To protect networks against eavesdropping attacks and traffic hijacking, Virtuozzo Hybrid Infrastructure supports data-in-transit encryption between cluster nodes. Data transmitted over a network is encrypted by using the AES-128 standard. Data-in-transit encryption is implemented via the IP Security (IPsec) protocol in transport mode. Authentication is based on X.509 certificates, which are installed on nodes during registration when installing the product, or during an upgrade to version 5.2 and later. Node certificates are rotated automatically once per year.

By default, data-in-transit encryption is disabled. You can enable it for an infrastructure network to encrypt all traffic that moves between cluster nodes in this subnet.

If you have services that operate in the same subnet and exchange data externally, you need to add exceptions for them. Traffic that matches an IP address, prefix, or port added to the exceptions bypasses encryption.

When encryption is enabled for a network, the following traffic types bypass data-in-transit encryption if they are assigned to this network:

  • Backup (ABGW) private (this traffic is encrypted by default with the TLS protocol)
  • Compute API
  • SSH
  • iSCSI
  • S3 public
  • Backup (ABGW) public
  • Admin panel
  • NFS
  • VM public
  • Self-service panel
  • SNMP
  • Custom traffic types

Therefore, data-in-transit encryption applies only to the following exclusive traffic types: Internal management, Storage, OSTOR private, VM private, and VM backups. When encryption is enabled for a network with the Storage traffic type, the internal IP addresses of the storage services are automatically reconfigured to IPv6 mode.
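
The bypass rules above (exceptions by IP address, prefix or port, plus the traffic types that never enter the IPsec tunnel) combined into a small audit helper that reports which flows in a subnet would cross the wire in cleartext. This is an added example, not Virtuozzo's own code: the matching semantics (an address exception matching either endpoint of a flow) and all addresses, ports and network names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Only these traffic types are covered by IPsec on an encrypted network (from the page);
# every other type, including custom ones, bypasses it.
ENCRYPTED_TRAFFIC_TYPES = {"Internal management", "Storage", "OSTOR private",
                           "VM private", "VM backups"}

@dataclass
class Network:
    subnet: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    encrypted: bool
    traffic_types: set = field(default_factory=set)
    # Exceptions bypass encryption. Assumption: a host/prefix exception matches
    # when either endpoint of the flow lies inside it.
    exception_prefixes: list = field(default_factory=list)
    exception_ports: set = field(default_factory=set)

def is_flow_encrypted(net, src, dst, port, traffic_type):
    """True if the flow is carried inside the node-to-node IPsec transport-mode SA."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not net.encrypted or traffic_type not in net.traffic_types:
        return False
    if traffic_type not in ENCRYPTED_TRAFFIC_TYPES:
        return False  # listed bypass types and custom types are never encrypted
    if src_ip not in net.subnet or dst_ip not in net.subnet:
        return False  # transport mode only covers traffic between nodes of this subnet
    if port in net.exception_ports:
        return False
    return not any(src_ip in p or dst_ip in p for p in net.exception_prefixes)

def cleartext_flows(net, flows):
    """Audit helper: the flows that would cross the wire unencrypted."""
    return [f for f in flows if not is_flow_encrypted(net, *f)]

# Constructed sample (illustrative values, not from the page): an encrypted
# infrastructure network with an exception for a monitoring host and port 2049.
STORAGE_NET = Network(
    subnet=ipaddress.ip_network("10.10.0.0/24"), encrypted=True,
    traffic_types={"Storage", "Internal management", "iSCSI", "SSH"},
    exception_prefixes=[ipaddress.ip_network("10.10.0.250/32")],
    exception_ports={2049})

SAMPLE_FLOWS = [
    ("10.10.0.11", "10.10.0.12", 64000, "Storage"),             # encrypted
    ("10.10.0.11", "10.10.0.12", 3260, "iSCSI"),                # bypass: iSCSI type
    ("10.10.0.11", "10.10.0.250", 64000, "Storage"),            # bypass: host exception
    ("10.10.0.11", "10.10.0.12", 2049, "Internal management"),  # bypass: port exception
    ("10.10.0.11", "192.168.1.5", 64000, "Storage"),            # bypass: leaves the subnet
]
```

Running `cleartext_flows(STORAGE_NET, SAMPLE_FLOWS)` returns the four bypassing flows, which is the list an operator would review before trusting that "encryption enabled" covers a given service.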

Limitations

  • You cannot reassign the Storage traffic type from an encrypted network to an unencrypted one. You can either disable encryption for the source network or enable it for the target network, and then proceed to the traffic type reassignment.
  • With data-in-transit encryption enabled, write I/O performance of the iSCSI service is degraded and may drop by half compared to a cluster with encryption disabled.