Being able to create a Cloud Server on the fly is a great proposition. A Cloud Server is defined by its memory, storage and burstable CPU. It is also defined by its network properties, which determine whether or not it is reachable from the Internet.
To start with the basics, each Cloud Server comes bundled with two Ethernet interfaces:
• A Public one (eth0 on a Linux server) that is reachable from the Internet and is allocated a unique public IP address, so the server can easily be given a name in DNS. This is simple to do with our DNS tool (see our other post on why DNS matters: http://www.rackspacecloud.com/blog/2009/06/04/dns-the-overlooked-cloud-service/ )
• A Private one (eth1 on a Linux server) that is not reachable from the Internet and is allocated a unique private IP address from one of the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16)
Before reviewing the uses and best practices surrounding these two interfaces, let's look at the basic security we have built into them. From a networking point of view, the first line of defense is identity protection, which rests on two tenets:
• Nobody should see traffic addressed to me. This is anti-snooping. What does that mean in practice? If someone puts one of their Cloud Server interfaces into promiscuous mode, hoping to sniff another server's traffic, they will see nothing: the only traffic delivered to an interface is traffic specifically addressed to it, at both the MAC and IP layers.
• Nobody should be able to impersonate me. This is anti-spoofing. What does that mean in practice? If someone uses another server's address, whether deliberately or through a configuration mistake, all of that outgoing traffic will be dropped.
Of course, the above is only a first line of defense; you should still run a host firewall with layer 3 inspection (for example iptables on Linux) to further protect each server. We have good info and tips in our knowledge base at http://cloudservers.rackspacecloud.com/index.php/Firewalls
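To make the two-interface model and the host-firewall advice concrete, here is an added example; it is not code from the original post or from Rackspace's tools. It parses the output of `ip -o -4 addr` on a Linux server, checks that eth0 carries a public address and eth1 an RFC 1918 address, and emits iptables rules that default-deny inbound traffic, expose only the intended ports on each interface, discard RFC 1918 sources arriving on the public side, and, as a host-level mirror of the platform's anti-spoofing, drop any outgoing packet whose source is not the interface's own address. The sample `ip` output, the addresses (203.0.113.10, a documentation-range address standing in for a real public one, and 10.180.12.34) and the port lists are constructed assumptions.

```python
"""Check a Linux Cloud Server's public/private interface layout and emit matching
iptables rules. Added example, not code from the original post or Rackspace's tools.
The `ip -o -4 addr` sample, addresses and port lists below are constructed."""
import ipaddress
import re
import sys
from typing import Dict, List

# The private interface's address must fall in an RFC 1918 range. We check these
# explicitly rather than using IPv4Address.is_private, which also flags the
# documentation ranges (e.g. 203.0.113.0/24) used here for the sample public address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `ip -o -4 addr` output from a hypothetical server.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 10.180.12.34/19 brd 10.180.31.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""


def parse_ip_addr(output: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map interface name -> IPv4Interface from `ip -o -4 addr` output, skipping loopback."""
    ifaces: Dict[str, ipaddress.IPv4Interface] = {}
    for line in output.splitlines():
        m = re.match(r"^\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if not m:
            continue
        iface = ipaddress.ip_interface(m.group(2))
        if iface.ip.is_loopback:
            continue
        ifaces[m.group(1)] = iface
    return ifaces


def is_rfc1918(ip) -> bool:
    """True if ip (string or IPv4Address) lies in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(ifaces) -> Dict[str, str]:
    """Label each interface 'private' (RFC 1918 address) or 'public'."""
    return {n: ("private" if is_rfc1918(i.ip) else "public") for n, i in ifaces.items()}


def check_layout(ifaces, public_if="eth0", private_if="eth1") -> List[str]:
    """Return problems with the expected eth0=public / eth1=private layout (empty if OK)."""
    roles = classify(ifaces)
    problems = []
    for name, want in ((public_if, "public"), (private_if, "private")):
        if name not in ifaces:
            problems.append(f"{name} has no IPv4 address")
        elif roles[name] != want:
            problems.append(f"{name} has {roles[name]} address {ifaces[name].ip}, expected {want}")
    return problems


def firewall_rules(ifaces, public_if="eth0", private_if="eth1",
                   public_ports=(22, 80, 443), private_ports=(3306,),
                   private_sources=None) -> List[str]:
    """iptables commands: default-deny inbound, allow listed ports per interface,
    drop RFC 1918 sources arriving on the public side, and refuse to send packets
    whose source address is not the interface's own (host-level anti-spoofing)."""
    rules = [
        "iptables -P INPUT DROP", "iptables -P FORWARD DROP", "iptables -P OUTPUT ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    # Bogon filter: nothing from a private range should arrive via the Internet-facing side.
    for net in RFC1918:
        rules.append(f"iptables -A INPUT -i {public_if} -s {net} -j DROP")
    for port in public_ports:
        rules.append(f"iptables -A INPUT -i {public_if} -p tcp --dport {port} "
                     f"-m conntrack --ctstate NEW -j ACCEPT")
    if private_if in ifaces:
        # Defaults to the private interface's whole network; narrow to trusted peers in production.
        src = private_sources or str(ifaces[private_if].network)
        for port in private_ports:
            rules.append(f"iptables -A INPUT -i {private_if} -s {src} -p tcp --dport {port} "
                         f"-m conntrack --ctstate NEW -j ACCEPT")
    # Anti-spoofing at the host: a packet leaving an interface must carry that interface's address.
    for name, iface in ifaces.items():
        rules.append(f"iptables -A OUTPUT -o {name} ! -s {iface.ip} -j DROP")
    return rules


if __name__ == "__main__":
    # Feed real output with: ip -o -4 addr | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IP_ADDR
    found = parse_ip_addr(text)
    for problem in check_layout(found):
        print("WARNING:", problem, file=sys.stderr)
    print("\n".join(firewall_rules(found)))
```

Two caveats when running this against a real server: the egress rule assumes exactly one address per interface, so a server with additional aliases on eth0 needs each of them allowed before the DROP, and the private-side allow rule should be narrowed from the interface's whole network to the specific peer addresses you trust, since the network is larger than your own servers.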