This guide is designed to assist you in creating and managing your private
subnets within Ubicloud. Private subnets offer a secure environment for your
virtual machines (VMs), ensuring private and secure internal communication
without the need for public IP addresses.Ubicloud imagines private subnets as security perimeters, where every resource
within the subnet can communicate with each other using their private IPv4 or
IPv6 addresses. Firewalls are attached to the whole private subnet and they are
applied to the private networking as well to further enhance security.
Fully Encrypted Communication: Every resource within a subnet is connected
through IPSec tunnels, ensuring secure communication.
Supports both IPv4 and IPv6: IPv4 and IPv6 support ensures scalable
security solutions for Ubicloud’s private subnets. We use /26 subnet size for
IPv4 and /80 for IPv6, allowing up to 63 resources in a single subnet.
Automatic Key Rotation: IPSec tunnels are automatically rekeyed every 24
hours, ensuring continuous secure communication without traffic disruption.
Firewall Integration: Attach and detach multiple firewalls to control
access to resources within your private subnet.
Ubicloud leverages IPSec tunnels to ensure secure and private communication
between virtual machines (VMs) within its private subnets. This section provides
a detailed overview of how Ubicloud uses IPSec tunnels, focusing on their
creation, management, and encryption processes.
IPSec (Internet Protocol Security) is a suite of protocols designed to secure
Internet Protocol (IP) communications by authenticating and encrypting each IP
packet of a session. Ubicloud employs IPSec tunnels in tunnel mode, which
encapsulates the entire IP packet within an Encapsulation Security Payload (ESP)
packet. This encapsulation is crucial for maintaining the confidentiality and
integrity of data as it moves between VMs within a private subnet. Essentially,
all traffic is public traffic, if you are not operating in the same LAN. Any
cloud VM lives in a public data center. Therefore, we need to find a way to
address these VMs in a secure, encrypted way to call it private. Ubicloud has to
do that because we do not have our own data centers, we do not have absolute
control over the network.
In Ubicloud’s environment, ESP packets are generated using the ip xfrm command,
which establishes specific rules and policies for packet handling. These ESP
packets encapsulate the original IP packet in its entirety. The encapsulation
process involves encrypting the data, thereby ensuring that the packet’s
contents are secure from unauthorized access or eavesdropping. The whole
encapsulation happens in the dedicated network namespace of the VM and it gets
decrypted only when it arrives at the destination network namespace. So, the
whole traffic is private, end to end.
Security keys for the IPSec tunnels are automatically generated and refreshed
daily. This practice of frequent key rotation significantly enhances the
security posture by minimizing the risk of key compromise. We only generate the
keys and we keep them in Ubicloud Control Plane until the rekeying process is
completed. We clean up the old tunnels and any key material that is no longer
in use.
Ubicloud uniquely uses internally allocated public IPv6 addresses to manage and
route IPSec tunnels. This approach not only leverages the extensive address
space provided by IPv6 but also enhances the security and efficiency of data
transmission within the private subnet. Our VMs get a public IPv6 prefix, and
we allocate the same size sister subnet for our own internal use. This way, we
can address our VMs using the public IPv6 addresses.