Managing virtual routers

Virtual routers provide Layer 3 (L3) networking services such as routing and Source Network Address Translation (SNAT) between virtual and physical networks, as well as between different virtual networks.

A virtual router connecting a virtual network to a physical network enables virtual machines to access external networks, such as the Internet. When a router connects multiple virtual networks, it enables communication between VMs on those networks.

A virtual router has two types of ports:

  • An external gateway is connected to a physical network and used for outbound traffic and floating IP access.
  • An internal interface is connected to a virtual network and used for communication with VMs.

Traffic flow and address translation

Virtual routers apply different types of network address translation depending on traffic direction.

  • For outbound traffic, SNAT is used: the VM's private IP address is translated to the router's external IP.
  • For inbound traffic, floating IPs are used: traffic sent to a floating IP is translated (DNAT) to the VM's internal IP address.

When a floating IP is assigned to a VM, inbound traffic is forwarded through the virtual router using DNAT. The original source IP address of the external client is preserved, and no source NAT is applied. As a result, the VM sees the real client IP address.

This allows source IP–based access control inside the VM (for example, using firewall rules).

In some cases, the source IP may not be preserved, for example, when traffic passes through a load balancer or proxy. In such scenarios, the VM may see the IP address of the intermediary instead of the original client.

Routing architecture

Virtuozzo Infrastructure uses a distributed routing architecture. Routing and floating IP processing are performed directly on compute nodes where VMs run. This allows traffic between VMs and inbound traffic from external networks to be handled locally, reducing latency and improving performance. At the same time, outbound traffic that requires SNAT is processed on management nodes.

Limitations

  • A router can only connect networks that have IP management enabled.
  • You can delete a virtual router if no floating IP addresses are associated with any network it is connected to.

Prerequisites

  • Compute networks are created, as described in Managing virtual networks.
  • The compute networks that are to be connected to a router have a gateway specified.

To create a virtual router

  1. Navigate to the Routers screen, and then click Add router.

  2. In the Add router window:

    1. Specify a router name.
    2. From the Network drop-down menu, select a physical network through which external access will be provided via an external gateway. The new external gateway will pick an unused IP address from the selected physical network.
    3. In the Add internal interfaces section, select one or more virtual networks to connect to a router via internal interfaces. The new internal interfaces will attempt to use the gateway IP address of the selected virtual networks by default.

    4. Select or deselect the SNAT check box to enable or disable SNAT on the external gateway of the router. With SNAT enabled, the router replaces VM private IP addresses with the public IP address of its external gateway.

  3. Click Create.