Volterra Private Link

Objective

This guide presents information on Volterra Private Link and provides instructions on how to enable it, deploy Volterra sites using it, and perform advertisement and discovery on the Private Link. Volterra Private Link provides private connectivity between private customer networks, services of Volterra Software-as-a-Service (SaaS), and other SaaS endpoints, without exposing traffic to the public internet. Volterra Private Link makes it easy to securely connect services across environments and abstracts the functionality as a Private Network. For more information on network concepts, see Networking.

Using the instructions provided in this guide, you will be able to request Volterra Private Link, obtain a Virtual Network, and set up a static route from this network. You can also deploy sites and perform advertisement and discovery using the Virtual Network.


Volterra Private Link is a Virtual Network configuration managed by Volterra for customers who request it. This private virtual network is visible to and usable by that customer only.

When customer sites are to be deployed on networks that are isolated from the internet, the sites require the following as part of installation and registration:

  • Downloading a set of configurations
  • Downloading images from Docker repositories for various site services
  • Establishing IPsec/SSL tunnels to the Volterra Regional Edge (RE) sites
  • Communicating with PKI/Identity Authority

After site installation, it is also required to enable the ability to advertise services, configure end points, and enable service discovery for these isolated networks.

Volterra Private Network connects the isolated networks to a set of Volterra RE sites using the Private Link. Volterra sites in the isolated network are provisioned using this Private Network, as opposed to regular sites, which connect to the RE sites and Global Controller over the internet.

The following list presents the benefits of using Volterra Private Link:

  • Secure traffic - You can connect sites to SaaS services in a secure and scalable manner using the Private Link. In this way, network traffic that uses Private Link does not traverse the public internet, reducing exposure to brute force and Distributed Denial-of-Service (DDoS) attacks, along with other threats. You can use private IP connectivity so that services function as though they are hosted directly on Private Network. This provides better control to define precise network and service access policies while delivering visibility, scalability, and performance.
  • Simplified network management - The Private Link simplifies DC network extensions to Volterra edge. This makes it easier to manage, observe, and monitor.
  • Accelerate Secure SaaS and Cloud Adoption - You can easily migrate additional traditional on-premises applications to Volterra edge, hosted and managed by Volterra using Private Link. The data is not exposed to the internet, reducing the risk of data compromise so that you can migrate more cloud services.

After the Private Network is enabled, the following objects are created for your tenant:

  • Virtual Network object representing the Private Network
  • Global configuration object containing DNS IP address to be used in the private virtual network
  • HTTP Connect/DRP Proxy object for site installation and management over the Private Network

Note: The created Virtual Private Network represents the enabled Volterra Private Link.

Prerequisites

The following prerequisites apply:

Note: If you do not have an account, see Create a Volterra Account.

  • Hardware devices or VMs on networks isolated from internet.

Note: See Supported Hardware for hardware that is supported for installing Volterra site.

  • HTTP load balancer to advertise services.

Note: If you have not already set up a load balancer, see HTTP Load Balancer.


Configuration

To use Volterra Private Link, you must first enable it by raising a support request. After the Private Link is enabled for your tenant, a Virtual Private Network object is created and you can deploy Volterra sites using the created Private Network. You can also perform various activities such as advertising services, configuring endpoints, setting up discoveries, etc.

The process of enabling Private Link requires you to raise a support request.

In case of enabling a physical direct connection between the Private Network and your on-premises network, the following apply:

  • Volterra provides 1 (or 2 if you require 2 links) Letter of Authorization (LOA) so that you can order the inter-connects in the datacenter towards Volterra.
  • In case of 2 physical interconnections, Volterra will deliver them on 2 separate devices for resiliency.
  • Only 10GBase-LR and 100GBase-LR4 modules are supported.
  • You can assign the interconnection subnets (preferably /31 IPv4 networks) over the direct private physical link between the on-prem network and Volterra network. If required, Volterra also can assign the IPv4 interconnection subnet and validate with you that there is no overlap with your network.
  • Volterra uses public IP addresses for its network so that there is no overlap with your on-prem network.
  • Volterra transports the Private Network over Volterra Global Backbone using a dedicated L3VPN for you.
  • You can use multiple Regional Edge (RE) sites on multiple Points of Presence (POPs) in Volterra Backbone. Unicast traffic is directed to the corresponding POP using the shortest path in the network. Anycast traffic is directed to the closest location using the shortest path.
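
A pre-check for the interconnection subnets described in the list above, written as an added example (not Volterra tooling): it confirms each proposed subnet is a well-formed IPv4 network, flags anything other than the preferred /31, and reports overlap with on-premises prefixes or with the other link. The function name and the sample prefixes are constructed for illustration.

```python
import ipaddress

# Constructed sample input: on-prem prefixes and two proposed link subnets.
ONPREM_SAMPLE = ["10.0.0.0/8", "172.16.0.0/12"]
LINKS_SAMPLE = ["192.0.2.0/31", "192.0.2.2/31"]


def check_interconnect_subnets(proposed, onprem_prefixes):
    """Return a list of problems; an empty list means the plan is usable.

    proposed        -- one or two CIDR strings, one per physical link
    onprem_prefixes -- CIDR strings already routed on the on-prem network
    """
    problems = []
    if not 1 <= len(proposed) <= 2:
        problems.append(f"expected 1 or 2 links, got {len(proposed)}")
    onprem = [ipaddress.ip_network(p, strict=False) for p in onprem_prefixes]
    accepted = []
    for cidr in proposed:
        try:
            # strict=True rejects host bits, e.g. 192.0.2.1/31
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: not a valid network ({exc})")
            continue
        if net.version != 4:
            problems.append(f"{cidr}: interconnection subnets are IPv4")
            continue
        if net.prefixlen != 31:
            problems.append(f"{cidr}: /{net.prefixlen} given, /31 is preferred")
        for used in onprem:
            if used.version == 4 and net.overlaps(used):
                problems.append(f"{cidr}: overlaps on-prem prefix {used}")
        for other in accepted:
            if net.overlaps(other):
                problems.append(f"{cidr}: overlaps the other link ({other})")
        accepted.append(net)
    return problems


if __name__ == "__main__":
    for line in check_interconnect_subnets(LINKS_SAMPLE, ONPREM_SAMPLE) or ["ok"]:
        print(line)
```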

Perform the following to enable Volterra Private Link for your tenant:

Step 1: Log into VoltConsole and start creating a support request.
  • Click General on the selector bar on the left configuration menu.
  • Click Requests in the Support section.
  • Click Add new request. This opens a new support request form.
Step 2: Fill in the request information and create the request.
  • Select Request for the Type field and Others for the Topic field.
  • Choose a priority in the Priority field.
  • Enter subject for the Please choose a subject for your issue field.
  • Enter the details in the Please explain the problem below field.
  • Click Send.

Note: Volterra support enables the Private Network and configures it for your tenant in the shared namespace.

Step 3: Verify the Private Link after it is enabled.
  • Log into VoltConsole and navigate to Manage -> Networking -> Virtual Networks in the System namespace.
  • Verify that there is a network entry whose name is in the adn-private-vn-<tenant-name> format and that it is listed in the shared namespace.

Figure: Volterra ADN Private Network in Shared Namespace

  • Expand the network object to view its details in JSON format. The value VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK for the legacy_type field indicates that it is the Volterra Private Network configured for this tenant.
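
The Step 3 checks above can be scripted against a saved copy of the object's JSON. This is an added example, not Volterra tooling: only the legacy_type field, its value, and the adn-private-vn-<tenant-name> format come from this guide, while the key names name and namespace, the nesting, and the tenant name in the sample are assumptions, so the code searches the document at any depth.

```python
import json

PRIVATE_TYPE = "VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK"  # value from the guide

# Constructed sample; the nesting and the tenant name "acme" are assumptions.
SAMPLE_EXPORT = """
{"metadata": {"name": "adn-private-vn-acme", "namespace": "shared"},
 "spec": {"legacy_type": "VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK"}}
"""


def find_values(node, key):
    """Yield every string stored under `key` at any depth of a JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key and isinstance(v, str):
                yield v
            yield from find_values(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_values(item, key)


def verify_private_network(exported_json, tenant):
    """Return a list of problems for one exported Virtual Network object."""
    doc = json.loads(exported_json)
    expected_name = f"adn-private-vn-{tenant}"
    problems = []
    types = set(find_values(doc, "legacy_type"))
    if types != {PRIVATE_TYPE}:
        found = ", ".join(sorted(types)) or "missing"
        problems.append(f"legacy_type is {found}; expected {PRIVATE_TYPE}")
    if expected_name not in set(find_values(doc, "name")):
        problems.append(f"no name equal to {expected_name}")
    # "namespace" as the key name is an assumption about the export layout.
    if "shared" not in set(find_values(doc, "namespace")):
        problems.append("object is not in the shared namespace")
    return problems
```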

You can use the Volterra Private Link in one of the following 2 ways:

  • Using HTTP-Connect proxy - This is a recommended method.
  • Using Dynamic Reverse Proxy (DRP)

Perform the following to deploy Volterra sites using the Volterra Private Link:

Step 1: Install the Volterra site image in your isolated network location.
  • Start installing Volterra site on a location in your isolated network. You can download and install the image on a VM or a hardware device.

Note:

  • For information on site installation requirements and instructions, see the documentation in the Site Management guides.
  • For information on the software image, see the image downloads in the Images guides.
  • In case of Volterra hardware such as IGW or ISV, the box is shipped with a pre-installed image. Therefore, you do not need to perform the installation.
  • Power up the VM or the device.
Step 2: Perform post-installation configuration.

After switching on the VM or device with the Volterra site image installed, perform initial configuration using one of the following methods:

Using HTTP Proxy
  • You will be prompted to enter login credentials. Enter admin as the username and Volterra123 as the password. The first login prompts you to update the password for the admin user.
  • Enter configure and enter the Volterra Private Virtual Network name.
  • Perform the rest of the configuration as per your requirements. For more information, see Site Management guides.
Using DRP

In case of DRP, make sure that your corporate HTTP proxy is resolving against Volterra DNS or manually configure all DNS records. Perform the following:

  • You will be prompted to enter login credentials. Enter admin as the username and Volterra123 as the password. The first login prompts you to update the password for the admin user.
  • Enter configure-network. Enter the HTTP proxy for the ? Set HTTP_PROXY field. Ensure that you configure the HTTP proxy that you use internally.

Note: Enter the HTTP proxy in the http://username:password@10.0.0.1:3129 format.

  • Optionally, enter configure and enter the Volterra private virtual network name. However, you can also set this option at the registration time.
  • Perform the rest of the configuration as per your requirements. For more information, see Site Management guides.
Step 3: Perform site registration.
  • Log into VoltConsole. Go to Manage -> Site Management -> Registrations in the System namespace. Click ✅ to load the registration acceptance form.
  • Set Volterra Private Network using one of the following:

    • In case you are using the HTTP Proxy method for site installation, verify that the Private Network name is reflected in the registration acceptance form in the Private Network Name field.
    • In case you are using DRP Proxy method and did not set the Volterra Private Network during the post-install configuration, enter the Volterra Private Network name in the Private Network Name field.

Figure: Volterra ADN Private Network During Registration

  • Set the rest of the registration fields as per your requirement and click Save and Exit.

Note: Enter all mandatory fields marked with the * character.

  • Wait for the site status to become ONLINE. You can check this in the Sites -> Site List for your site in the Site Admin State column.

Advertising services on the Private Link requires you to select the Private Network for advertising. In case you set the default VIP in advertising configuration, the VIP of the Private Network is used as listener IP.

Perform the following to advertise on the Private Network:

Note: This step only shows the advertisement configuration of the load balancer. For the full set of load balancer creation instructions, see HTTP Load Balancer guide.

Step 1: Log into VoltConsole and start creating the load balancer.
  • Click on App in the selector bar and select your namespace from the drop-down list.
  • Select Manage -> Load Balancers -> HTTP Load Balancers from the options. Click Add HTTP load balancer to start creating the load balancer.
  • Set a name, domain, and type of load balancer in the basic configuration section.
  • Configure origin pool in the default origin servers section.
Step 2: Perform VIP configuration for advertising on the Private Network.
  • In the VIP configuration section, enable the Show Advanced Fields option.
  • Select Advertise Custom for the Where to Advertise the VIP field.
  • Click Configure under the Advertise Custom field. Custom VIP advertise configuration page opens.
  • Enable the Show Advanced Fields option.
  • Select Virtual Network for the Select Where to Advertise field.
  • Click on the Virtual Network field and select the Private Network object from the displayed list of network objects.
  • Click Apply.

Figure: Advertising on Volterra Private Network

Note: The option Default VIP is set by default for the Select VIP option and the default VIP is used as a listener IP.

Step 3: Complete creating the load balancer.

In the load balancer configuration page, click Save and Exit.


Perform the following to discover services on the Private Link:

Note: This step only shows the configuration of where the discovery is valid. For the full set of service discovery creation instructions, see Service Discovery - K8s guide for K8s discovery. See Service Discovery - Consul guide for Consul discovery.

Step 1: Log into VoltConsole and start creating service discovery.
  • Click System on the selector bar on the left configuration menu.
  • Select Manage -> App Management -> Service Discovery and click Add discovery.
  • Enter a name for the discovery object in the metadata section.
Step 2: Set the discovery to be visible on the Private Network.
  • Navigate to the Where section and enable the Show Advanced Fields option.
  • Select Virtual Network for the Virtual-Site or Site or Network field.
  • Click on the Reference field and select the Volterra Private Network object from the displayed list.
Step 3: Complete creating the service discovery object.

Perform the following to configure origin server on the Private Link:

Note: This step only shows the origin server configuration part of the origin pool. For the full set of origin pool creation instructions, see Origin Pools guide.

Step 1: Log into VoltConsole and start creating the origin pool.
  • Click App on the selector bar on the left configuration menu. Select your namespace from the drop-down list to change to it.
  • Select Manage -> Load Balancers -> Origin Pools and click Add Origin Pool.
  • Enter a name for the origin pool in the metadata section.
Step 2: Specify the origin server IP address or DNS name reachable over the Private Network.

Navigate to the Basic Configuration section and select one of the following options for the Select Type of Origin Server field.

  • Select IP address on Virtual Network and enter the IP address of origin server in the IP field.
  • Select Name on Virtual Network and enter DNS name of the origin server in the DNS Name field. Click on Virtual Network field and select the Volterra Private Network from the displayed list of network objects.

Note: Ensure that origin servers are running so that endpoint discovery is successful when attempting to use the origin pools.

Step 3: Complete creating the origin pool object.
  • Perform configuration for the rest of the origin pool sections as per your requirement. See Origin Pools guide for more information.
  • Click Save and Exit.