Providing a dedicated NIC for guest operating systems is the standard method in non-cloud environments. However, this configuration poses some challenges in cloud environments where MAC address / IP address combinations are fixed parameters set by the cloud provider.
This section will provide some information about how to configure such a setup in a cloud environment.
Basic Concept
The following image illustrates the basic concept when working with a dedicated network interface for the guest operating system. There are, of course, many variations depending on the specific environment.
Scenario: host and guest system have direct Internet access. Each Charon host NIC has a private and a public IP address.
If the NIC dedicated to the guest OS does not have a public IP address, additional means must be implemented for any external communication of the guest system, e.g., a VPN gateway or a NAT gateway.
The basic steps to implement the above configuration are as follows:
- Create a cloud instance in which the Charon host system runs.
- Add two NICs to the Charon host system. One for the Charon host and one for the guest system.
- Configure the appropriate access rules for instance and NICs.
- Each NIC has a private and public IP address.
- One NIC is dedicated to the Charon host, one to the guest system.
- On the Charon host remove the private IP address from the NIC dedicated to the guest system if it was automatically configured.
- Assign the appropriate NIC to the guest system.
- Configure the guest system MAC address to be the same as the one of the NIC selected for the guest.
- After booting the guest system, configure the private IP originally assigned to the guest NIC by the cloud provider as the IP address of the guest Ethernet interface.
- Set the default route of the guest system to the default gateway of the LAN.
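The host-side part of these steps can be checked before the guest is started. The script below is an added example, not part of the original manual or of the Charon product: it assumes a Linux Charon host with iproute2 (`ip`), that the NIC reserved for the guest is named `eth1` (adjustable via `GUEST_NIC`), and it only prints the `ip addr del` commands needed to release a leftover private IP so the operator can review them before running them.

```shell
#!/bin/sh
# Pre-flight check for the NIC dedicated to the guest on a Linux Charon host.
# Constructed example; interface name and command layout are assumptions.

# Extract the address/prefix pairs from `ip -o -4 addr show` output read on stdin.
ipv4_on_nic() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "inet") print $(i + 1) }'
}

# The host side of the guest NIC must carry no IPv4 address: the private IP the
# cloud provider assigned to this NIC belongs to the guest, not to the host.
# Returns 0 when the NIC is clean, 1 when an address still has to be removed.
host_side_is_clean() {
    [ -z "$(ipv4_on_nic)" ]
}

# Print (do not run) the commands that would release leftover host addresses on
# the NIC named in $1, reading `ip -o -4 addr show` output from stdin.
release_commands() {
    nic="$1"
    ipv4_on_nic | while read -r cidr; do
        printf 'ip addr del %s dev %s\n' "$cidr" "$nic"
    done
}

# Live use on the host; skipped silently when the assumed NIC does not exist.
GUEST_NIC="${GUEST_NIC:-eth1}"
if [ -e "/sys/class/net/$GUEST_NIC" ]; then
    # The guest must be configured with exactly this MAC (cloud MAC/IP pairing).
    echo "MAC to configure in the guest: $(cat "/sys/class/net/$GUEST_NIC/address")"
    ip -o -4 addr show dev "$GUEST_NIC" | release_commands "$GUEST_NIC"
fi
```

The private IP shown in the released address is the one to configure inside the guest afterwards, together with the LAN default gateway.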
The guest system should then be able
- to communicate with the host system,
- to communicate with other systems in the cloud-internal network (e.g., other guest and host systems),
- to reach the Internet.
Additional sections in this manual show the basic configuration steps for the above examples.
In this scenario, any traffic between the guest system and external systems is not encrypted by default. If this traffic runs across a public network, it is exposed to being monitored and even modified by third parties. The user is responsible for ensuring data protection conforming to the user's internal security rules. It is strongly recommended to use encrypted VPN connections, such as the VPN gateway mentioned above.
Guest operating systems are often old and no longer maintained by the original vendor. This means they are more easily compromised by attacks from the Internet. External access to a guest system should therefore be controlled by a firewall that conforms to the user's internal security rules.
The actual configuration steps vary depending on the cloud environment used. Some examples are provided in further sections of this document.
Description of detailed configuration steps: