Managing virtual routers

Virtual routers provide Layer 3 (L3) networking services such as routing and Source Network Address Translation (SNAT) between virtual and physical networks, as well as between different virtual networks.

A virtual router connecting a virtual network to a physical network enables virtual machines to access external networks, such as the Internet. When a router connects multiple virtual networks, it enables communication between VMs on those networks.

A virtual router has two types of ports:

  • An external gateway is connected to a physical network and used for outbound traffic and floating IP access.
  • An internal interface is connected to a virtual network and used for communication with VMs.

Traffic flow and address translation

Virtual routers apply different types of network address translation depending on traffic direction.

  • For outbound traffic, SNAT is used: the VM's private IP address is translated to the router's external IP.
  • For inbound traffic, floating IPs are used: traffic sent to a floating IP is translated (DNAT) to the VM's internal IP address.

When a floating IP is assigned to a VM, inbound traffic is forwarded through the virtual router using DNAT. The original source IP address of the external client is preserved, and no source NAT is applied. As a result, the VM sees the real client IP address.

This allows source IP–based access control inside the VM (for example, using firewall rules).

In some cases, the source IP may not be preserved, for example, when traffic passes through a load balancer or proxy. In such scenarios, the VM may see the IP address of the intermediary instead of the original client.
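The following added example (not part of the original documentation or of the product's code) models the translations described above and shows how a source-IP allowlist inside the VM behaves on the direct floating IP path and behind an intermediary. All addresses are constructed sample values, and the function names and the proxy behaviour are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    dst: str

# Constructed sample addresses (RFC 5737 / RFC 1918 ranges), not from the page.
ROUTER_EXTERNAL_IP = "203.0.113.1"
FLOATING_IPS = {"203.0.113.10": "10.0.0.5"}  # floating IP -> VM private IP
PROXY_IP = "10.0.0.20"                       # hypothetical load balancer address

def route_inbound(pkt: Packet) -> Optional[Packet]:
    """Floating IP path: DNAT rewrites the destination only; source is preserved."""
    vm_ip = FLOATING_IPS.get(pkt.dst)
    return pkt._replace(dst=vm_ip) if vm_ip else None

def route_outbound(pkt: Packet) -> Packet:
    """SNAT path: the VM's private source becomes the router's external IP."""
    return pkt._replace(src=ROUTER_EXTERNAL_IP)

def via_proxy(pkt: Packet, backend_ip: str) -> Packet:
    """Assumed proxy behaviour: it opens its own connection to the backend VM."""
    return Packet(src=PROXY_IP, dst=backend_ip)

def vm_firewall_allows(pkt: Packet, allowed_sources: list) -> bool:
    """Source-IP allowlist as evaluated inside the VM."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(net) for net in allowed_sources)

def evaluate() -> dict:
    allow = ["198.51.100.0/24"]  # trusted client network (constructed)
    trusted = Packet("198.51.100.7", "203.0.113.10")
    untrusted = Packet("192.0.2.66", "203.0.113.10")
    return {
        "direct_trusted": vm_firewall_allows(route_inbound(trusted), allow),
        "direct_untrusted": vm_firewall_allows(route_inbound(untrusted), allow),
        "proxied_trusted": vm_firewall_allows(via_proxy(trusted, "10.0.0.5"), allow),
        "proxied_untrusted_proxy_allowlisted": vm_firewall_allows(
            via_proxy(untrusted, "10.0.0.5"), allow + [PROXY_IP + "/32"]),
    }

if __name__ == "__main__":
    for case, allowed in evaluate().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

The last two cases show why a source-IP allowlist in the VM is only meaningful on the direct floating IP path: behind an intermediary, every client arrives with the intermediary's address, so the rule either blocks trusted clients or admits everyone.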

Routing architecture

Virtuozzo Infrastructure uses a distributed routing architecture. Routing and floating IP processing are performed directly on compute nodes where VMs run. This allows traffic between VMs and inbound traffic from external networks to be handled locally, reducing latency and improving performance. At the same time, outbound traffic that requires SNAT is processed on management nodes.

Limitations

  • A router can only connect networks that have IP management enabled.
  • You can delete a virtual router only if no floating IP addresses are associated with any network it is connected to.