Setting Up Private Networks

Before you start setting up a private network, you need to decide on the following:

  1. The name to assign to the private network.
  2. The range of IP addresses to allocate to the private network.
  3. The number of subnets and hosts in the private network.

Let us assume that you want to create two private networks with the following parameters:

  • The first network has the name privnet1 and includes the IP addresses from 10.10.0.0 through 10.10.255.255.
  • The second network has the name privnet2 and includes the IP addresses from 10.11.0.0 through 10.11.255.255.

To create these two networks, you can run the following commands on the physical server:

# prlsrvctl privnet add privnet1 --ipadd 10.10.0.0/16

# prlsrvctl privnet add privnet2 --ipadd 10.11.0.0/16

Now if you assign one virtual machine or Container an IP address from the range 10.10.0.0 through 10.10.255.255 and another virtual machine or Container an IP address from the range 10.11.0.0 through 10.11.255.255, they will not be able to access each other because they belong to different private networks.

If you want to create a private network for several virtual machines and Containers only, you can omit the network mask and specify only the required IP addresses:

# prlsrvctl privnet add privnet3 --ipadd 10.12.0.101

# prlsrvctl privnet add privnet3 --ipadd 10.12.0.102

The commands above create the private network privnet3 and include only two IP addresses in this network: 10.12.0.101 and 10.12.0.102. You can then assign these IP addresses to two of your virtual machines and Containers, thus isolating their network traffic from that of other virtual machines and Containers and external computers.

Enabling Private Networks for virtual machines and Containers Operating in Virtual Network Mode

By default, you can include in private networks only virtual machines and Containers operating in the host-routed mode. If you want to connect some of the virtual machines and Containers operating in the virtual network mode to a private network, you first need to enable private network support on the physical server. To do this, change the value in the /proc/sys/net/vzpriv_handle_bridge file from 0 to 1:

# echo 1 > /proc/sys/net/vzpriv_handle_bridge

Note: Enabling the support for private networks may affect the network performance of virtual machines and Containers that operate in the virtual network mode and are assigned IPv4 addresses.

Creating Weak Private Networks

In a weak private network, any virtual machine or Container on the network can communicate with the other virtual machines and Containers in the same subnet, virtual machines and Containers outside the private network, and computers on external networks. To create a weak private network, you can run the following command:

# prlsrvctl privnet set privnet_name --ipadd '*'

where privnet_name is the name of the private network you want to configure as a weak one. For example, to configure the privnet1 private network as a weak one, execute the following command:

# prlsrvctl privnet set privnet1 --ipadd '*'

To make sure that privnet1 is now a weak network, check the contents of the /proc/vz/privnet/sparse file:

# cat /proc/vz/privnet/sparse

1: * 10.10.0.0/16

2: 10.11.0.0/16

The asterisk before 10.10.0.0/16 denotes that privnet1 is now acting as a weak network. To revert the changes made to the privnet1 network, run this command:

# prlsrvctl privnet set privnet1 --ipdel '*'
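The check on /proc/vz/privnet/sparse described above can be scripted to flag any private network left in weak mode. The following is an added example, not part of the original documentation; it assumes every line of the file has the form shown in the listing above ("<id>: [*] <address> ..."), and the function names are hypothetical.

```shell
#!/bin/sh
# Audit check: report private networks that are in weak mode.
# Assumption: each line of /proc/vz/privnet/sparse looks like the listing
# on this page, "<id>: [*] <address> ...", with "*" marking a weak network.

# weak_privnets [FILE]: print "<id> <addresses>" for each weak network.
# FILE defaults to /proc/vz/privnet/sparse.
weak_privnets() {
    awk '
        NF < 2 { next }                    # skip blank or malformed lines
        {
            id = $1; sub(/:$/, "", id)     # "1:" -> "1"
            weak = 0; addrs = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "*") weak = 1
                else addrs = (addrs == "" ? $i : addrs " " $i)
            }
            if (weak) print id, addrs
        }
    ' "${1:-/proc/vz/privnet/sparse}"
}

# count_weak_privnets [FILE]: print how many networks are in weak mode.
count_weak_privnets() {
    weak_privnets "$@" | wc -l | tr -d ' '
}

# Constructed sample that mirrors the listing on this page.
sample=$(mktemp)
printf '1: * 10.10.0.0/16\n2: 10.11.0.0/16\n' > "$sample"
weak_privnets "$sample"
echo "weak networks: $(count_weak_privnets "$sample")"
rm -f "$sample"
```

On the physical server, call weak_privnets without an argument to read the live file; any line it prints identifies a network whose members are no longer isolated.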

Connecting virtual machines and Containers to Private Subnets

Once you set up a private network, you can connect Containers to different subnets within this network. Assuming that you followed the instructions above, you now have two private networks. The privnet1 network includes the IP addresses from 10.10.0.0 through 10.10.255.255, and the privnet2 network contains the IP addresses from 10.11.0.0 through 10.11.255.255. Let us join Container 101 to privnet1 and the MyVM virtual machine to privnet2. To do this:

  1. Assign IP address 10.10.10.101 to Container 101:

    # pctl set 101 --ipadd 10.10.10.101 --save

  2. Assign the IP address of 10.11.10.101 to the MyVM virtual machine:

    # pctl set MyVM --device-set net0 --ipadd 10.11.10.101

Now Container 101 and the MyVM virtual machine belong to different subnets and cannot access each other.

Removing Private Networks

At any time, you can remove privnet1 and privnet2 by running these commands:

# prlsrvctl privnet del privnet1

# prlsrvctl privnet del privnet2

Once you execute these commands, all virtual machines and Containers that were included in the privnet1 network should be able to connect to the virtual machines and Containers that were joined to the privnet2 network.