Which VM Network Should I Choose?
When provisioning VMs in the UT-VMG environment, one of the drop-downs allows you to choose the "VM Network". Which one should you choose?
AUSTIN vs UTNIC
- If during your request you specified the fully qualified domain name 'austin.utexas.edu' in the "Domain Name" field you will be presented with a list of VLANs that begin with AUSTIN-xxx. This will ensure the forward record (DNS 'A' record) matches the reverse record (DNS 'PTR' record).
- If you chose "other" in the "Domain Name" field and entered a value in the "Custom Domain Name", you will choose from the UTNIC-xxx VLANs list (or custom VLANs, specific to your department/group).
Public vs NAT vs Private
- Public = internet reachable (both incoming - the internet can directly reach your VM, and outgoing - your VM can reach anywhere on the Internet). If you choose public, make sure you've got good firewall rules and other appropriate security precautions in place to reduce your chances of being compromised.
- NAT = Network Address Translation (NAT) allows your VM to connect outbound to the internet globally, but does not generally allow inbound connections from outside the campus network. This is much like how a home router works and exactly how the campus WiFi works. See also https://wikis.utexas.edu/x/ggcMBQ.
- Private = campus-routed - Your VM can talk to other computers on campus, and other on-campus computers (and remote computers IF they come in via the UT-VPN) can reach your VM.
- The VLAN number doesn't really play into the decision; it's just a way we can keep track of which VLANs are currently being provisioned to.
Current VM default VLANs
By default, your provisioning group can provision to the following shared VLANs.
- I'm provisioning a public web server for a UT entity that needs to serve constituents outside of the UT-campus as well as inside it. The server is not Windows, not going to be joined to the AUSTIN domain. Choose: UTNIC-Public-vlan-xxx
- I'm provisioning a Linux file server. The client machines that will use the file server are all on-campus. Updates will come from Satellite or another on-campus repository. Choose: UTNIC-Private-vlan-xxx
- I'm provisioning a Windows IIS server that will serve departmental faculty, some of whom are located at other institutions outside of UT-Austin. This server will be joined to the AUSTIN AD domain.
  - Choose: AUSTIN-Public-vlan-xxx
  - Option: IF the people outside UT-Austin know how to use the UT-VPN service and they all will have the appropriate credentials to permit them to use it, you could choose: AUSTIN-Private-vlan-xxx
- I'm provisioning a server that needs to connect to a software vendor to download updates but only campus and VPN users should access the server. Choose UTNIC-NAT-vlan-xxx or Austin-NAT-vlan-xxx depending on whether the primary host name should be in austin.utexas.edu or another DNS zone (see above examples).
What about departmental networks?
Many departments have networks (VLANs) that are allocated for their use in the datacenter. They may have standard firewall configurations that permit access based on being on that particular network segment.
IF the network is in the UDC-C datacenter, arrangements can be made to have that VLAN "trunked-in" to the UT-VMG service. (If the network segment is in a building network outside the datacenter, we cannot make that VLAN available in UT-VMG as network segments can't be spanned across buildings).
For departmental VLANs, the UT-VMG service VM Network will be named:
- Dept4lettercode-[public|NAT|private]-vlan-xxx (for networks where you will handle DNS requests manually)
- Dept4lettercode-Austin-[public|NAT|private]-vlan-xxx (for networks where DNS requests should be automatically sent to Austin DNS administrators)
- Dept4lettercode-UTNIC-[public|NAT|private]-vlan-xxx (for networks where DNS requests should be automatically sent to UTNIC)
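The naming scheme above encodes each VM's exposure, so an inventory can be audited from the network names alone. The following is an added example, not part of the UT-VMG service or its tooling: it parses shared and departmental VM Network names and lists the VMs on Public networks, which are the ones whose firewall rules need review. It assumes "Dept4lettercode" is four letters and "xxx" is a numeric VLAN ID; the VM names, the "CHEM" code, and the VLAN numbers are constructed.

```python
import re

# Name patterns from the page. Matching is case-insensitive because the page
# writes both "Public" and "public". Four-letter department code and numeric
# VLAN id are assumptions about what "Dept4lettercode" and "xxx" stand for.
NAME_RE = re.compile(
    r"^(?:(?P<dept>[A-Za-z]{4})-)?"      # optional departmental prefix
    r"(?:(?P<dns>AUSTIN|UTNIC)-)?"       # who receives DNS requests
    r"(?P<kind>Public|NAT|Private)-vlan-(?P<vlan>\d+)$",
    re.IGNORECASE)

# Reachability per network type as the page describes it. Private is treated
# as having no internet path in either direction (campus-routed only).
REACH = {
    "public":  {"inbound_internet": True,  "outbound_internet": True},
    "nat":     {"inbound_internet": False, "outbound_internet": True},
    "private": {"inbound_internet": False, "outbound_internet": False},
}

def classify(name):
    """Parse one VM Network name; raise ValueError if it does not fit."""
    m = NAME_RE.match(name.strip())
    if not m or not (m["dept"] or m["dns"]):   # needs a dept or a DNS prefix
        raise ValueError(f"not a recognised VM Network name: {name!r}")
    kind = m["kind"].lower()
    return {
        "scope": "departmental" if m["dept"] else "shared",
        "dept": m["dept"].upper() if m["dept"] else None,
        "dns": m["dns"].upper() if m["dns"] else "manual",
        "kind": kind, "vlan": int(m["vlan"]),
        **REACH[kind],
    }

def audit(inventory):
    """Return (internet_reachable_vms, unparsed_vms) for {vm: network}."""
    exposed, unparsed = [], []
    for vm, net in sorted(inventory.items()):
        try:
            info = classify(net)
        except ValueError:
            unparsed.append(vm)      # unknown name: check by hand
            continue
        if info["inbound_internet"]:
            exposed.append(vm)       # Public: review firewall rules
    return exposed, unparsed

# Constructed sample inventory (not real UT-VMG data).
SAMPLE = {
    "web01": "UTNIC-Public-vlan-101", "files01": "UTNIC-Private-vlan-202",
    "iis01": "AUSTIN-Public-vlan-303", "lic01": "Austin-NAT-vlan-404",
    "lab01": "CHEM-private-vlan-505", "lab02": "CHEM-UTNIC-public-vlan-506",
    "odd01": "VM Network",
}
```

Calling `audit(SAMPLE)` returns the internet-reachable VMs first and, second, any VMs whose network name did not match the scheme, so unrecognised names are surfaced for manual checking instead of being assumed safe.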