Setting Up Private Networks

By default, all hosts in a host network can communicate with each other as well as with external hosts.

To isolate some of the hosts so they can only access each other, you can create a private network with the prlsrvctl privnet add command. For example, to create a private network privnet1, including IP addresses from 10.10.0.1 through 10.10.0.255, run:

# prlsrvctl privnet add privnet1 --ipadd 10.10.0.0/24

Or, to create a private network privnet2, including just two IP addresses 10.10.10.3 and 10.10.10.4, run:

# prlsrvctl privnet add privnet2 --ipadd 10.10.10.3 --ipadd 10.10.10.4

Now the virtual environments with the IP addresses from the range 10.10.0.1 through 10.10.0.255 are included in privnet1, and the virtual environments with the IP addresses 10.10.10.3 and 10.10.10.4 are included in privnet2.

Creating Weak Private Networks

Unlike a virtual environment in a regular private network, a virtual environment in a weak private network can communicate with:

  • other virtual environments in this private network,
  • virtual environments outside the private network,
  • computers in external networks.

You can make a private network weak by adding an asterisk to the list of its IP ranges with the prlsrvctl privnet set command and the --ipadd '*' option. For example:

# prlsrvctl privnet set privnet1 --ipadd '*'

To check the result, list private networks with the prlsrvctl privnet list command. A weak private network will have an asterisk in the list of its IP ranges. For example:

# prlsrvctl privnet list

Name      G  Netmasks
privnet1     10.10.0.0/24 *
privnet2     10.10.10.3 10.10.10.4

To make a weak private network regular again, remove the asterisk from the list of its IP ranges with the prlsrvctl privnet set command and the --ipdel '*' option. For example:

# prlsrvctl privnet set privnet1 --ipdel '*'

Creating Global Private Networks

To isolate each virtual environment in the host network from every other virtual environment in the host network, you can either create a new global private network or make an existing private network global.

You can create a global private network with the prlsrvctl privnet add command and the --global yes option. For example:

# prlsrvctl privnet add privnet3 --ipadd 10.10.10.0/24 --global yes

You can make an existing private network global with the prlsrvctl privnet set command and the --global yes option. For example:

# prlsrvctl privnet set privnet3 --global yes

Note: A global private network can only contain IP ranges, not specific IP addresses.

To check the result, list private networks with the prlsrvctl privnet list command. A global private network will have a check mark in the G column. For example:

# prlsrvctl privnet list

Name      G  Netmasks
privnet1     10.10.0.0/24 *
privnet2     10.10.10.3 10.10.10.4
privnet3  x  10.10.10.0/24

A global private network can contain other types of private networks, e.g., weak and regular. Hosts in such private networks are allowed access as per those networks' limitations. For example, in the figure below:

  • The Container CT101 and virtual machine VM1, placed in the weak private network PrivNet1 inside the global private network PrivNet3, have access to virtual environments in their private network and computers in external networks.
  • The Container CT103 and virtual machine VM3, placed in the regular private network PrivNet2 inside the global private network PrivNet3, have access to virtual environments in their private network.

Enabling Private Networks for Containers and Virtual Machines Operating in Bridged Mode

By default, only virtual environments operating in the host-routed mode can be included in private networks. To connect a virtual environment operating in the bridged mode to a private network, enable private network support on the physical server. To do this, set the value of /proc/sys/net/vzpriv_handle_bridge to 1:

# echo 1 > /proc/sys/net/vzpriv_handle_bridge

Note: Enabling private network support may affect the network performance of virtual environments operating in the bridged mode and having IPv4 addresses.
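
The script below is an added example, not part of the original documentation. It audits the isolation settings described above by flagging weak and global private networks in prlsrvctl privnet list output and reporting the vzpriv_handle_bridge state. The function names, the whitespace-separated column layout, and the treatment of any non-address token in the G column as the global mark are assumptions.

```shell
#!/bin/sh
# Added example: audit private-network isolation on a host.

# Listing copied from the page's sample `prlsrvctl privnet list` output.
sample_listing() {
    cat <<'EOF'
Name      G  Netmasks
privnet1     10.10.0.0/24 *
privnet2     10.10.10.3 10.10.10.4
privnet3  x  10.10.10.0/24
EOF
}

# Read a listing on stdin; print "<name> global=<yes|no> weak=<yes|no>".
# Assumption: columns are whitespace-separated and the G mark is any token
# that is neither "*" nor an address/range (the page's sample shows "x").
classify_privnets() {
    awk '
    NF == 0 { next }                          # blank line
    $1 == "Name" && $2 == "G" { next }        # header row
    {
        global = "no"; weak = "no"; first = 2
        if (NF >= 2 && $2 != "*" && $2 !~ "^[0-9A-Fa-f:./]+$") {
            global = "yes"; first = 3
        }
        for (i = first; i <= NF; i++) if ($i == "*") weak = "yes"
        printf "%s global=%s weak=%s\n", $1, global, weak
    }'
}

# Names of weak networks: their members can reach hosts outside the network.
weak_privnets() {
    classify_privnets | awk '$3 == "weak=yes" { print $1 }'
}

# Report whether bridged-mode environments are covered by private networks.
# The optional path argument exists only so the check can be exercised offline.
bridge_privnet_state() {
    f=${1:-/proc/sys/net/vzpriv_handle_bridge}
    [ -r "$f" ] || { echo unavailable; return 0; }
    if [ "$(cat "$f")" = "1" ]; then echo enabled; else echo disabled; fi
}

# On a real host, replace sample_listing with: prlsrvctl privnet list
sample_listing | classify_privnets
echo "weak networks: $(sample_listing | weak_privnets)"
echo "bridged-mode handling: $(bridge_privnet_state)"
```

A network reported as weak=yes does not isolate its members from the rest of the host network or from external networks, and a "disabled" or "unavailable" bridged-mode state means environments in bridged mode are not covered by private networks.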

Removing Private Networks

You can remove a private network with the prlsrvctl privnet del command. For example:

# prlsrvctl privnet del privnet1