Benefits of Using Isolated Guest Networks in CloudStack

CloudStack Isolated Networks give each tenant a dedicated network segment whose traffic is strictly partitioned at Layer 2. Within the complex landscape of cloud infrastructure, managing guest traffic requires a balance between high throughput and rigorous security. In a standard shared network model, multiple tenants occupy the same broadcast domain; this increases the risk of packet loss and limits the granular control available to administrators. Isolated networks solve this by providing each guest network with a private gateway, typically manifested as a Virtual Router (VR). This VR manages critical services such as DHCP, DNS, and Source NAT, ensuring that one tenant's traffic remains invisible to others. This architectural choice is essential for high-concurrency environments where signal attenuation in physical fiber runs and thermal inertia in high-density server racks demand efficient, software-defined isolation, so that physical hardware bottlenecks do not translate into logical service failures. By using VLAN or VXLAN encapsulation, CloudStack keeps guest traffic segregated and secure across the entire physical fabric.

Technical Specifications

| Requirement | Default Port / Operating Range | Protocol / Standard | Impact Level (1-10) | Recommended Resources |
| :--- | :--- | :--- | :--- | :--- |
| Management API | Port 8080 / 443 | RESTful JSON/XML | 10 | 4 vCPU / 8GB RAM |
| Guest Isolation | VLAN 1-4094 / VXLAN VNID | IEEE 802.1Q / RFC 7348 | 9 | Support for Jumbo Frames |
| Virtual Router | Port 3922 (SSH) | Debian-based Linux | 8 | 1 vCPU / 512MB RAM |
| DNS / DHCP | Port 53 / 67-68 | UDP/TCP | 7 | Local VR Storage |
| VPN Access | Port 500 / 4500 | IPsec / L2TP | 6 | Hardware AES-NI Support |

The Configuration Protocol

Environment Prerequisites:

Successful implementation of CloudStack Isolated Networks requires a functional Management Server running version 4.15 or higher. The underlying hypervisor (KVM, XenServer, or VMware) must be configured with a physical network labeled for Guest traffic. Ensure that the physical switch fabric is configured to trunk the required VLAN range to all host nodes. Root-level permissions or an administrative account within the CloudStack UI or via cloudmonkey CLI are mandatory.

Section A: Implementation Logic

The logic behind isolated networks centers on the automated provisioning of a System VM known as the Virtual Router. When a guest network is instantiated, CloudStack does not merely allocate an IP range; it creates a dedicated routing instance that encapsulates tenant traffic within a specific VLAN or VXLAN tag. This design reduces congestion on the management plane and allows a high concurrency of network requests without impacting the latency of other tenants. By moving the firewalling and NAT functions to the edge of the guest network, the system minimizes the overhead on the core physical routers.

Step-By-Step Execution

1. Define the Network Offering

Navigate to Service Offerings and select Network Offerings. Click Add Network Offering. Name the offering IsolatedNetworkHighPerf, select the Guest Type as Isolated, and enable services such as SourceNat, StaticNat, PortForwarding, and Dhcp.

System Note: This action defines the metadata in the CloudStack database (cloud.network_offerings). It ensures that any network created with this offering will automatically trigger the deployment of a Virtual Router to handle the service definitions.

2. Configure Guest Network Prefixes

In the Network tab, click Add Guest Network. Reference the IsolatedNetworkHighPerf offering. Define the Gateway (e.g., 192.168.1.1) and the Netmask (e.g., 255.255.255.0). Ensure the VLAN ID is either set to a specific tag or left as null for the system to auto-allocate from the physical network pod range.

System Note: Before committing the record, the management server verifies that the requested VLAN tag is not currently active in the vlan_vhp table, so the same tag is never handed to two networks.

3. Deploy the Virtual Router

Deploy a Virtual Machine instance and attach it to the newly created Isolated Network. CloudStack will detect that no gateway exists for this network segment and will automatically start a System VM based on the SystemVM Template.

System Note: The hypervisor uses libvirt or vpxd to launch the VR. Once the VR is up, the management server executes ssh via port 3922 to push configuration files to /etc/cloudstack/hotplug_devices and triggers the networking scripts to initialize the interfaces.

4. Enable Public IP Association

Select the newly created network, go to Public IP Addresses, and click Acquire New IP. Once allocated, set up a Port Forwarding rule to map a public port to the internal IP of your guest instance.

System Note: This action triggers an iptables update on the Virtual Router. An iptables -t nat -A PREROUTING command is executed within the VR namespace so that traffic arriving on the public interface is DNATed to the guest instance interface.
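The four steps above are shown through the UI, but the page's Technical Specifications table also lists the Management API (port 8080 / 443, JSON or XML) and the prerequisites mention cloudmonkey, which drives that same API. The following Python is an added example, not code from the CloudStack project or from this article: it builds the signed GET requests for steps 1 to 4 (createNetworkOffering, createNetwork, deployVirtualMachine, associateIpAddress, createPortForwardingRule) without sending them, so it runs offline. The signing scheme (parameters sorted by key, URL-encoded, the whole string lowercased, HMAC-SHA1 with the account's secret key, Base64) is the documented CloudStack request signature; the API key, secret key, base URL and every resource ID are placeholders. It also sets egressdefaultpolicy=false on the offering, which is the "Egress Default Policy: Deny" setting the hardening section recommends.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlencode


def canonical_string(params):
    """String the management server signs: key=value pairs sorted by
    lowercased key, values URL-encoded (space -> %20), whole string
    lowercased. Keys and values here are plain ASCII."""
    pairs = sorted((k.lower(), quote(str(v), safe="*")) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs).lower()


def sign(params, secret_key):
    """HMAC-SHA1 over the canonical string, Base64-encoded (28 chars)."""
    mac = hmac.new(secret_key.encode(), canonical_string(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_request(base_url, command, api_key, secret_key, **kwargs):
    """Signed GET URL for one API command. The signature covers command,
    apikey, response and the command's own arguments and is appended last."""
    params = {"command": command, "apikey": api_key, "response": "json", **kwargs}
    params = {k: str(v) for k, v in params.items()}
    signature = sign(params, secret_key)
    return f"{base_url}?{urlencode(params)}&signature={quote(signature, safe='')}"


def isolated_offering_params():
    """Step 1: the IsolatedNetworkHighPerf offering from the article, with
    every service provided by the Virtual Router and egress denied by
    default (egressdefaultpolicy=false means Deny)."""
    services = ["SourceNat", "StaticNat", "PortForwarding", "Dhcp"]
    params = {
        "name": "IsolatedNetworkHighPerf",
        "displaytext": "Isolated guest network backed by a Virtual Router",
        "guestiptype": "Isolated",
        "traffictype": "Guest",
        "supportedservices": ",".join(services),
        "egressdefaultpolicy": "false",
    }
    # serviceproviderlist is a map-style parameter: one service/provider pair per index.
    for i, service in enumerate(services):
        params[f"serviceproviderlist[{i}].service"] = service
        params[f"serviceproviderlist[{i}].provider"] = "VirtualRouter"
    return params


def provisioning_requests(base_url, api_key, secret_key, zone_id, offering_id,
                          network_id, vm_id, ip_id):
    """Steps 1-4 as signed requests. All IDs are placeholders; in a real run
    each comes from the previous call's (async job) response."""
    return {
        "create_offering": build_request(
            base_url, "createNetworkOffering", api_key, secret_key,
            **isolated_offering_params()),
        "create_network": build_request(  # step 2: gateway/netmask from the article
            base_url, "createNetwork", api_key, secret_key,
            name="tenant-a-isolated", displaytext="Tenant A isolated network",
            networkofferingid=offering_id, zoneid=zone_id,
            gateway="192.168.1.1", netmask="255.255.255.0"),
        "deploy_vm": build_request(  # step 3: first VM on the network starts the VR
            base_url, "deployVirtualMachine", api_key, secret_key,
            zoneid=zone_id, networkids=network_id,
            serviceofferingid="SERVICE-OFFERING-ID-PLACEHOLDER",
            templateid="TEMPLATE-ID-PLACEHOLDER"),
        "acquire_ip": build_request(  # step 4a
            base_url, "associateIpAddress", api_key, secret_key,
            networkid=network_id),
        "port_forward": build_request(  # step 4b: public 2222 -> guest 22
            base_url, "createPortForwardingRule", api_key, secret_key,
            ipaddressid=ip_id, protocol="tcp", publicport=2222,
            privateport=22, virtualmachineid=vm_id),
    }


if __name__ == "__main__":
    reqs = provisioning_requests("https://mgmt.example.invalid:443/client/api",
                                 "API-KEY-PLACEHOLDER", "SECRET-KEY-PLACEHOLDER",
                                 "ZONE-ID", "OFFERING-ID", "NETWORK-ID", "VM-ID", "IP-ID")
    for step, url in reqs.items():
        print(step, url, sep="\n  ")
```

Because the signature is computed over the lowercased, sorted query string, the server rejects any request whose parameters were altered in transit, and the secret key itself never leaves the client; only the API key travels in the URL.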

Section B: Dependency Fault-Lines

Installation failures frequently occur when the Management Server cannot reach the VR via the private link local IP. This is often caused by a mismatch in the management.network.cidr setting or physical signal-attenuation on the management network switches. Another common bottleneck is the depletion of the global VLAN pool; if no tags are available, network creation will fail with a ResourceAllocationException. Always verify that the SystemVM template is correctly seeded in secondary storage, as a missing template prevents the VR from spawning, leaving the guest network in a Setup state indefinitely.

THE TROUBLESHOOTING MATRIX

Section C: Logs & Debugging

When an isolated network fails to provide DHCP addresses, the first point of inspection is the VR internal log. Use the management server to find the link local IP of the VR and access it:

1. Use ssh -i /var/cloudstack/management/.ssh/id_rsa -p 3922 root@<VR link-local IP>.
2. Inspect /var/log/cloud.log for orchestration errors.
3. Check /var/log/router.log for specific service failures like dnsmasq or haproxy.

If a guest instance shows high latency or packet loss, check the hypervisor host using top or htop to ensure the VR process is not being throttled. Thermal inertia in overcrowded racks can cause CPU frequency scaling on the host, which directly impacts the throughput of the software-defined router. For L2 connectivity issues, use tcpdump -i eth0 -n vlan on the physical host to verify that packets are being tagged with the correct VLAN ID as defined in the CloudStack database.
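Reading a tcpdump stream by eye is error-prone when several tenants share a trunk. The script below is an added example (not from the article or the CloudStack project) that takes the output of tcpdump -i eth0 -n -e vlan, which prints the 802.1Q tag of each frame, counts the tags seen, reports any tag other than the one CloudStack recorded for the network, and checks whether the DHCP request/reply exchange that Section C troubleshoots actually appears on the expected tag. The capture lines are constructed sample data; the expected tag (200) and MAC/IP addresses are invented.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -i eth0 -n -e vlan` output (not a real capture).
# Frames 1-2 are a DHCP exchange on VLAN 200; frame 3 is an ARP request that
# arrived with a different tag, which should not happen on a correctly trunked port.
SAMPLE_CAPTURE = """\
10:15:01.000101 52:54:00:aa:01:05 > 52:54:00:aa:01:01, ethertype 802.1Q (0x8100), length 346: vlan 200, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:aa:01:05, length 300
10:15:01.000302 52:54:00:aa:01:01 > 52:54:00:aa:01:05, ethertype 802.1Q (0x8100), length 346: vlan 200, p 0, ethertype IPv4 (0x0800), 192.168.1.1.67 > 192.168.1.5.68: BOOTP/DHCP, Reply, length 300
10:15:02.118842 52:54:00:bb:02:07 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 210, p 0, ethertype ARP (0x0806), Request who-has 192.168.1.1 tell 192.168.1.9, length 46
"""

VLAN_RE = re.compile(r"\bvlan (\d+),")


def vlan_tag_counts(capture_text):
    """Count frames per 802.1Q tag; frames without a tag are counted under None."""
    counts = Counter()
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        match = VLAN_RE.search(line)
        counts[int(match.group(1)) if match else None] += 1
    return counts


def unexpected_tags(capture_text, expected_tag):
    """Tags seen on the interface other than the one CloudStack assigned.
    Any entry here means the switch trunk or the host bridge is mis-tagging."""
    return {tag: n for tag, n in vlan_tag_counts(capture_text).items() if tag != expected_tag}


def dhcp_seen(capture_text, expected_tag):
    """(request_seen, reply_seen) on the expected tag. A request without a
    reply points at the VR's dnsmasq; neither points at tagging or the host."""
    request = reply = False
    for line in capture_text.splitlines():
        match = VLAN_RE.search(line)
        if not match or int(match.group(1)) != expected_tag or "BOOTP/DHCP" not in line:
            continue
        request |= "Request" in line
        reply |= "Reply" in line
    return request, reply


if __name__ == "__main__":
    expected = 200  # the VLAN ID recorded for this network in CloudStack
    print("frames per tag:", dict(vlan_tag_counts(SAMPLE_CAPTURE)))
    print("unexpected tags:", unexpected_tags(SAMPLE_CAPTURE, expected))
    print("DHCP request/reply on tag %d:" % expected, dhcp_seen(SAMPLE_CAPTURE, expected))
```

Run it against a saved capture (tcpdump -i eth0 -n -e vlan > capture.txt) and compare the expected tag with the VLAN ID shown for the network in the CloudStack UI; a non-empty unexpected_tags result is the L2 misconfiguration Section C describes, while a request with no reply moves the investigation to /var/log/router.log on the VR.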

OPTIMIZATION & HARDENING

– Performance Tuning: To increase concurrency and minimize latency, modify the Virtual Router offering to use a higher CPU frequency. In environments with high throughput requirements, enable Redundant Router mode. This uses Keepalived to maintain a hot-standby VR, ensuring that failing over to the secondary node results in zero packet loss and maintains stateful firewall connections.

– Security Hardening: Apply strict ingress and egress rules. Use the Egress Default Policy set to Deny in the network offering; this forces an explicit “Allow” logic for all outbound traffic, preventing compromised internal instances from participating in DDoS attacks. Regularly audit the VR using iptables -L -n -v to ensure that no stale rules exist from deleted instances.

– Scaling Logic: As the number of guest instances grows, the VR may become a bottleneck for DNS and DHCP requests. Scale the network by splitting large subnets into multiple isolated networks or by increasing the RAM assigned to the VR so that its conntrack table can hold more tracked connections.
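The hardening item recommends auditing the VR with iptables -L -n -v for stale rules left behind by deleted instances. Below is an added example (not from the article or from CloudStack) of that audit as a script: it parses the listing of the nat and filter tables, extracts every guest address a rule steers traffic to (the destination column and the to: target of DNAT rules), and reports rules whose address no longer belongs to a running instance. The iptables output and the address 192.168.1.77 are constructed sample data; the guest subnet matches the gateway used in step 2.

```python
import ipaddress
import re

# Constructed sample of `iptables -t nat -L -n -v` and `iptables -L -n -v`
# on a VR (not a real listing). 192.168.1.5 is live; 192.168.1.77 was deleted.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   120  7200 DNAT       tcp  --  eth2   *       0.0.0.0/0            203.0.113.10         tcp dpt:2222 to:192.168.1.5:22
     0     0 DNAT       tcp  --  eth2   *       0.0.0.0/0            203.0.113.10         tcp dpt:8443 to:192.168.1.77:443
"""
SAMPLE_FILTER = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   120  7200 ACCEPT     tcp  --  eth2   eth0    0.0.0.0/0            192.168.1.5          tcp dpt:22
     0     0 ACCEPT     tcp  --  eth2   eth0    0.0.0.0/0            192.168.1.77         tcp dpt:443
"""

RULE_FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")
DNAT_TARGET_RE = re.compile(r"\bto:(\d+\.\d+\.\d+\.\d+)")


def parse_rules(listing):
    """Turn an `iptables -L -n -v` listing into dicts, one per rule, keeping
    the chain name and everything after the destination column as 'extra'."""
    rules, chain = [], None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        parts = line.split()
        if len(parts) < len(RULE_FIELDS) or parts[0] == "pkts":
            continue  # blank line or column header
        rule = dict(zip(RULE_FIELDS, parts[: len(RULE_FIELDS)]))
        rule["chain"] = chain
        rule["extra"] = " ".join(parts[len(RULE_FIELDS):])
        rule["line"] = line.strip()
        rules.append(rule)
    return rules


def guest_targets(rule, guest_net):
    """Guest-subnet host addresses this rule points traffic at: a host
    destination (no prefix, e.g. 192.168.1.5) or a DNAT to: target."""
    targets = set()
    dest = rule["destination"]
    if "/" not in dest and ipaddress.ip_address(dest) in guest_net:
        targets.add(dest)
    for ip in DNAT_TARGET_RE.findall(rule["extra"]):
        if ipaddress.ip_address(ip) in guest_net:
            targets.add(ip)
    return targets


def find_stale_rules(listings, live_ips, guest_cidr):
    """Rules referencing a guest address that is not a running instance.
    live_ips is the set of addresses CloudStack currently reports for the network."""
    guest_net = ipaddress.ip_network(guest_cidr)
    stale = []
    for listing in listings:
        for rule in parse_rules(listing):
            for ip in sorted(guest_targets(rule, guest_net) - set(live_ips)):
                stale.append({"chain": rule["chain"], "ip": ip, "pkts": int(rule["pkts"]), "line": rule["line"]})
    return stale


if __name__ == "__main__":
    live = {"192.168.1.5"}  # from listVirtualMachines for this network
    for entry in find_stale_rules([SAMPLE_NAT, SAMPLE_FILTER], live, "192.168.1.0/24"):
        print(f"STALE in {entry['chain']} -> {entry['ip']} ({entry['pkts']} pkts): {entry['line']}")
```

Feed it the real listings (ssh to the VR on port 3922 as in Section C, then iptables -t nat -L -n -v and iptables -L -n -v) together with the instance IPs CloudStack reports for the network; a stale DNAT rule is worth removing promptly because the address it points at will be reused by the next instance deployed in the subnet, which would silently inherit the old exposure. The packet counter is included so a zero-count stale rule can be distinguished from one that still receives traffic.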

THE ADMIN DESK

How do I recover a corrupted Virtual Router?
In the CloudStack UI, navigate to Network, select the affected isolated network, click on Virtual Router, and select the Recreate icon. This destroys the existing VR and spawns a new one using the same configuration parameters and IP addresses.

Why are my Port Forwarding rules not working?
Verify that the Source NAT service is enabled on the network offering. Ensure that the guest VM has its default gateway set to the VR internal IP. Check for conflicting iptables rules on the guest OS itself.

Can I change a Shared network to an Isolated network?
No; the network type is defined at creation. To migrate, you must create a new Isolated Network, deploy new instances (or move existing volumes), and manually migrate the data. This ensures the integrity of the L2 isolation boundaries.

What is the maximum throughput of an Isolated Network?
Throughput is primarily limited by the hypervisor host physical NIC and the vCPU performance of the VR. On modern hardware, a single VR can typically handle 1-2 Gbps of NAT traffic before latency becomes significant.

How do I manage VLAN overlap?
CloudStack prevents overlap by tracking VLAN IDs in the vlan_vhp table. Ensure that your physical switch does not have these VLANs assigned elsewhere; signal attenuation or cross-talk at the physical layer can result in flapping interfaces or packet loss.
