Skip to main content

VPC Networking

Overview

A VPC (Virtual Private Cloud) is a private virtual network you define on the platform. It is logically isolated from every other tenant's network. VMs you place in a VPC can talk to each other over private IPs, even when they live on different physical servers (hypervisors).

If you are new to the terms:

  • VM (virtual machine). A guest computer running on a hypervisor.
  • Hypervisor. A physical server that runs VMs.
  • Hypervisor group. A logical location made up of one or more hypervisors. Each VPC lives in one location.
  • Subnet. A block of IP addresses, like 10.0.1.0/24.
  • CIDR. Notation for a subnet, e.g. /24 means the first 24 bits are the network and the rest are host addresses.
  • VXLAN. A protocol that wraps VM ethernet frames in UDP packets so the same private network can span many physical hosts. The platform uses UDP port 4789.
  • NAT Gateway. A device that lets VMs in a private subnet reach the internet outbound. See NAT Gateway.
  • VPN Gateway. A WireGuard endpoint that lets remote users or other sites connect into the VPC. See VPN Gateway.

What you can do with a VPC:

  • Create one or more private subnets inside it.
  • Place VMs in those subnets. They get private IPs and can talk to each other directly.
  • Add a NAT gateway for outbound internet access.
  • Add a VPN gateway for remote access and site-to-site links.
  • Add private DNS zones for internal service discovery. See Private DNS.
  • Peer two VPCs so VMs in either can talk to each other. See VPC Peering.

Concepts

TermPlain English
Overlay networkA virtual network built on top of the physical network. The platform uses VXLAN.
VPC CIDRThe overall address range of the VPC, e.g. 10.0.0.0/16. Subnets are carved from this.
Subnet CIDRA smaller range inside the VPC CIDR, e.g. 10.0.1.0/24.
Tenant isolationVPCs of different users never see each other's traffic.
L2 interfaceThe secondary physical NIC on each hypervisor that carries VXLAN traffic.

Admin: how to configure

Prerequisites

VPC needs a dedicated secondary NIC on every hypervisor in the group:

  • A second NIC on each hypervisor connected to a shared VLAN or switch.
  • All hypervisors in the group must sit on the same L2 (layer 2) segment.
  • This NIC carries VXLAN encapsulated traffic on UDP port 4789.

Enable VPC on a hypervisor group

  1. Go to Compute > Hypervisor Groups and edit the group.
  2. Turn on Enable VPC.
  3. Set the VXLAN Range (default 10000 to 16777214). Each VPC consumes one VXLAN ID from this range.
  4. Set the L2 Interface name (the secondary NIC, e.g. eth1, ens192).
  5. Save.

After saving, the platform assigns each hypervisor a link-local IP (169.254.x.x) for VXLAN control-plane communication. These show up in the hypervisor table when VPC is on.

View VPCs

Go to Networking > VPCs in the admin panel to see every VPC across all users, their location, CIDR, subnets, NAT gateway state, and VPN gateway state.

Admin VPCs list

Click Add VPC to open the create form.

Create VPC form

Configure NAT Gateway pricing (optional)

To let users create a NAT gateway in their VPC for outbound internet access:

  1. In the Hypervisor Group settings, turn on NAT Gateway.
  2. Set pricing:
    • Monthly Credit Value. Base monthly cost for the NAT gateway.
    • Bandwidth Rate. Per-GB cost in credits.
    • IPv4 Credit Value. Monthly cost for the dedicated public IPv4 the gateway uses.
  3. Set Bandwidth Accounting: uploads, downloads, or both.
  4. Set Bandwidth Overage:
    • none: no cap.
    • charge_overage: bill per GB above the allowance.
    • revoke_access: suspend the gateway when the cap is hit.
  5. Save.

See NAT Gateway for full details.

What end users see

Create a VPC

  1. Go to Networking > VPC in the user sidebar.
  2. Click Create VPC.
  3. Enter a Name and optional Description.
  4. Pick a CIDR block. Common choices:
    • 10.0.0.0/16
    • 172.16.0.0/16
    • 192.168.0.0/16
  5. Pick a Location (must have VPC enabled).
  6. Click Create.

Create subnets

  1. Open the VPC detail page and click Create Subnet.
  2. Enter a CIDR inside the VPC range, e.g. 10.0.1.0/24.
  3. The gateway IP is auto-assigned (the first usable IP in the subnet).
  4. IP addresses for the whole range are auto-generated.

Deploy a VM into a VPC

  1. When creating a VM, pick the VPC and Subnet.
  2. The VM gets a VPC NIC with a private IP from the chosen subnet.
  3. Cloud-init configures the VM's network automatically.
  4. VMs in the same subnet can reach each other directly.

Enable a NAT gateway

  1. On the VPC detail page, click Enable NAT Gateway.
  2. The platform allocates a dedicated public IPv4 for the gateway.
  3. All VMs in attached subnets get outbound internet via source NAT (SNAT) through that IP.
  4. Bandwidth is metered per the location's billing settings.
note

NAT gateways are outbound only. For inbound, give the VM its own public NIC or put a Load Balancer in front.

Troubleshooting

VMs in the same VPC cannot reach each other

  1. Confirm both VMs are in the same VPC and their subnets are inside the VPC CIDR.
  2. Confirm no Security Group is blocking traffic.
  3. Confirm both VMs are in a running state.

VMs in the VPC cannot reach the internet

  1. Confirm a NAT gateway exists on the VPC.
  2. Confirm its status is Active and NAT state is Enabled.
  3. Confirm the VM's subnet is attached to the NAT gateway.
  4. If security groups are attached, confirm egress rules allow outbound traffic.

VPC does not appear during VM creation

VPC must be enabled on the hypervisor group for the chosen location. Enable it in Compute > Hypervisor Groups.

What end users see

Customers manage their own VPCs from Networking > VPC in the user panel. The list page shows each VPC the customer owns, its CIDR (the IP range the VPC carries), and the resources attached to it.

User VPC list

Clicking Create VPC opens the create form. The customer picks a name, location, and CIDR range, then saves.

User create VPC form

NAT gateway and VPC peering are managed from inside the VPC detail page rather than as standalone screens. Open a VPC to find both options. See NAT Gateway and VPC Peering for details.