Which VM Network Should I Choose?
When provisioning VMs in the UT-VMG environment, one of the dropdown menus lets you choose the VM network. This article provides information and guidance on which network best matches your needs.
AUSTIN vs UTNIC
- If, during your request, you specified the fully qualified domain name "austin.utexas.edu" in the Domain Name field, you will be presented with a list of VLANs that begin with AUSTIN-xxx. This structure will ensure the forward record (DNS 'A' record) matches the reverse record (DNS 'PTR' record).
- If you chose "other" in the Domain Name field and entered a value in the "Custom Domain Name" field, you will choose from the UTNIC-xxx VLANs list (or custom VLANs, specific to your department/group).
Public, NAT, or Private
You will choose from among the following categories for your VM network.
- Public: These networks are internet reachable (both incoming — the internet can directly reach your VM, and outgoing — your VM can reach anywhere on the Internet). If you choose public, make sure you've got good firewall rules and other appropriate security precautions in place to reduce your chances of being compromised.
- NAT: The choice of NAT (Network Address Translation) allows your VM to connect outbound to the internet globally, but does not generally allow inbound connections from outside the campus network. This works much like a home router and exactly like the campus WiFi. To learn more, check this wiki article on NAT for unit wired networks.
- Private: These networks are campus-routed; your VM can talk to other computers on campus, and other on-campus computers (and remote computers IF they come in via the UT-VPN) can reach your VM.
- The VLAN number doesn't really play into the decision; it's just a way for the support team to keep track of which VLANs are currently being provisioned to.
Current VM Default VLANs
By default, your provisioning group can provision to the following shared VLANs:
- You are provisioning a public web server for a UT entity that needs to serve constituents outside of the UT Campus as well as inside it. The server is not Windows and is not going to be joined to the AUSTIN domain. Choose: UTNIC-Public-vlan-xxx
- You are provisioning a Linux file server. The client machines that will use the file server are all on campus. Updates will come from Satellite or another on-campus repository. Choose: UTNIC-Private-vlan-xxx
- You are provisioning a Windows IIS server that will serve departmental faculty, some of whom are located at other institutions outside of UT Austin. This server will be joined to the AUSTIN AD domain.
  - Choose: AUSTIN-Public-vlan-xxx
  - Option: IF the people outside UT-Austin know how to use the UT-VPN service and they all will have the appropriate credentials to permit them to use it, you could choose: AUSTIN-Private-vlan-xxx
- You are provisioning a server that needs to connect to a software vendor to download updates but only campus and VPN users should access the server. Choose: UTNIC-NAT-vlan-xxx or Austin-NAT-vlan-xxx depending on whether the primary host name should be in austin.utexas.edu or another DNS zone (see above examples).
What About Departmental Networks?
Many departments have networks (VLANs) allocated for their use in the datacenter. These networks may have standard firewall configurations that permit access based on being on that particular network segment.
IF the network is in the UDC-C datacenter, arrangements can be made to have that VLAN "trunked-in" to the UT-VMG service. (If the network segment is in a building network outside the datacenter, we cannot make that VLAN available in UT-VMG as network segments can't be spanned across buildings.)
For departmental VLANs, the UT-VMG service VM Network will be named:
- Dept4lettercode-[public|NAT|private]-vlan-xxx (for networks where you will handle DNS requests manually)
- Dept4lettercode-Austin-[public|NAT|private]-vlan-xxx (for networks where DNS requests should be automatically sent to Austin DNS administrators)
- Dept4lettercode-UTNIC-[public|NAT|private]-vlan-xxx (for networks where DNS requests should be automatically sent to UTNIC)
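The naming convention above, together with the Public/NAT/Private descriptions, is enough to audit an inventory for VMs sitting on internet-reachable networks. The following is an added example, not part of the UT-VMG service or its tooling; the function names, VM names, VLAN numbers and the "MATH" department code are hypothetical, and "campus-routed" is read as meaning no internet egress for Private networks.

```python
import re
from typing import NamedTuple, Optional

# Naming convention taken from this page; matching is case-insensitive because
# the page itself writes both "AUSTIN-" and "Austin-".
NAME_RE = re.compile(
    r"^(?:(?P<dept>[A-Za-z]{4})-)?(?:(?P<dns>AUSTIN|UTNIC)-)?"
    r"(?P<kind>public|nat|private)-vlan-(?P<vlan>\d+)$",
    re.IGNORECASE,
)
# kind -> (reachable from the internet, can reach the internet)
EXPOSURE = {"public": (True, True), "nat": (False, True), "private": (False, False)}

class VMNetwork(NamedTuple):
    dept: Optional[str]   # four-letter department code, None for shared VLANs
    dns: str              # "AUSTIN", "UTNIC", or "manual" (department handles DNS)
    kind: str
    vlan: int
    internet_inbound: bool
    internet_outbound: bool

def parse_network(name: str) -> VMNetwork:
    m = NAME_RE.match(name.strip())
    # A bare "Public-vlan-1" has neither a department nor a DNS prefix: reject it.
    if not m or not (m["dept"] or m["dns"]):
        raise ValueError(f"not a recognised VM network name: {name!r}")
    kind = m["kind"].lower()
    inbound, outbound = EXPOSURE[kind]
    dns = m["dns"].upper() if m["dns"] else "manual"
    dept = m["dept"].upper() if m["dept"] else None
    return VMNetwork(dept, dns, kind, int(m["vlan"]), inbound, outbound)

def audit(inventory: dict) -> tuple:
    """Return (VMs on internet-reachable networks, VMs whose network did not parse)."""
    exposed, unknown = [], []
    for vm, network in inventory.items():
        try:
            if parse_network(network).internet_inbound:
                exposed.append(vm)
        except ValueError:
            unknown.append(vm)
    return sorted(exposed), sorted(unknown)

# Constructed inventory for illustration only.
INVENTORY = {
    "web01": "UTNIC-Public-vlan-101", "files01": "UTNIC-Private-vlan-202",
    "iis01": "AUSTIN-Public-vlan-303", "lic01": "Austin-NAT-vlan-404",
    "lab01": "MATH-Austin-private-vlan-505", "old01": "VM Network",
}
```

Calling `audit(INVENTORY)` lists the VMs on Public networks, which are the ones whose firewall rules deserve a review, and separately the VMs whose network name does not follow the convention.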