Yandex project
© 2025 Yandex.Cloud LLC

Yandex Cloud network overview

Written by
Yandex Cloud
Updated at January 22, 2025
  • Physical network in Yandex Cloud
  • Virtual network in Yandex Cloud
    • VRouter
    • VRouter-agent
    • CloudGate
  • Types of networking
  • Limitations
  • Extra materials

A Yandex Cloud network is formed of two large parts:

  • Physical network: Hardware network within data centers, the transport network between data centers, and the connection points to external networks and the internet. A physical network is often referred to as underlay.

  • Virtual network: Network that works on top of the physical network infrastructure. Virtual Private Cloud (VPC) services provide users with:

    • IP connectivity between cloud resources.
    • Access to the internet for cloud resources.

    A virtual network is often referred to as overlay. One or more virtual networks can be created in a single resource folder. Virtual networks are isolated from each other even if hosted in the same resource folder.

Below is an overview of the physical network and virtual network in Yandex Cloud. For more information about network components, see Extra materials.

Physical network in Yandex Cloud

The Yandex Cloud physical network can be presented as follows:

One of the main physical network components is the Yandex Cloud transport network.

The following objects connect to the transport network:

  • Yandex Cloud data centers (availability zones).
  • Points of presence (PoP). PoPs host the network equipment of the transport network. Connections to external networks and the internet (Internet Peering) are set up on individual PoPs. On individual PoPs, Yandex Cloud customers can set up IP connectivity between their own infrastructure's resources and cloud resources and public services in Yandex Cloud using Yandex Cloud Interconnect.

The Yandex Cloud transport network consists of two layers:

  • Optical DWDM network layer. Dense wavelength-division multiplexing (DWDM) equipment provides a connection to IP/MPLS packet network equipment. With the DWDM equipment, the transport network can easily increase its capacity (bandwidth) to dozens of terabits.
  • IP/MPLS packet network layer. It provides IPv4 connectivity between the availability zones and points of presence (underlay and overlay), as well as network transport required for all Yandex Cloud services to run.

The availability zones are linked through the Yandex Cloud transport network. PoPs enabling networking with other networks, including the internet, also connect to the transport network nodes. The transport network ensures fault-tolerant traffic exchange between the availability zones and PoPs.

Outbound traffic from the cloud resources in all the availability zones is distributed more or less evenly across all PoPs.

Likewise, inbound traffic to the cloud resources is distributed more or less evenly across all the Yandex Cloud availability zones.

All availability zones have the same weight: they provide identical network connectivity, i.e., the same data exchange rate and throughput. Traffic delays from an external resource to the cloud resources in different availability zones may differ slightly.

Virtual network in Yandex Cloud

The Yandex Cloud virtual network includes a set of Virtual Private Cloud network functions and allows users to:

  • Set up networking between cloud resources.
  • Set up networking between cloud resources and the internet.
  • Use additional network features for traffic processing (CloudGate).

The virtual network in Yandex Cloud is built on selected components of the Tungsten Fabric project (formerly known as OpenContrail).

The Yandex Cloud virtual network can be presented as follows:

The Yandex Cloud virtual network architecture has the following key components:

VRouter

VRouter is a network traffic listener that runs on each Yandex Cloud physical server. It acts as the default gateway for all the subnet objects (the subnet's first IP address, x.x.x.1) and handles the network traffic of all the VMs running on the server. Traffic is forwarded based on the flows table, whose records are programmed by another virtual network component called VRouter-agent. Traffic is forwarded through the underlay network using MPLS over UDP tunneling.

VRouter enables One-to-One NAT for VM public IP addresses.

VRouter also enables security groups for all the VMs on the physical server it runs on.

VRouter-agent

The VRouter-agent is an auxiliary component used for traffic processing. It works together with VRouter and programs the network flows table on the server. This table defines traffic forwarding rules for a specific IP prefix. The VRouter-agent enables the following protocols and functions on the server for VMs:

  • VM metadata service accessible only inside a VM via the 169.254.169.254 IP address.
  • DNS service that processes DNS traffic on the cloud subnet's second IP address (x.x.x.2).
  • ICMP.
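
The addresses described above give a VM a fixed set of platform endpoints, which makes resolver or gateway drift inside a guest easy to detect. The following is an added example, not code from Yandex Cloud: it derives the expected gateway and DNS addresses from a subnet CIDR and compares them with a guest's default route line and resolv.conf text. The function names, the sample inputs, and the reading of "first" and "second" IP address as network address +1 and +2 are assumptions.

```python
import ipaddress

# Link-local metadata address named on the page.
METADATA_IP = ipaddress.ip_address("169.254.169.254")

def platform_addresses(subnet_cidr):
    """Addresses the platform serves for a subnet: gateway, DNS, metadata."""
    net = ipaddress.ip_network(subnet_cidr)
    if net.version != 4 or net.num_addresses < 4:
        raise ValueError("expected an IPv4 subnet with room for two service IPs")
    # Assumption: "first"/"second" IP address means network address +1 / +2.
    return {"gateway": net[1], "dns": net[2], "metadata": METADATA_IP}

def check_guest(subnet_cidr, default_route, resolv_conf):
    """Return findings where the guest config differs from the platform's."""
    expected = platform_addresses(subnet_cidr)
    findings = []
    # default_route is one line of `ip route` output: "default via <gw> dev ..."
    fields = default_route.split()
    if "via" in fields[:-1]:
        gateway = ipaddress.ip_address(fields[fields.index("via") + 1])
        if gateway != expected["gateway"]:
            findings.append(f"default gateway {gateway} is not {expected['gateway']}")
    else:
        findings.append("no default gateway in route line")
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            resolver = ipaddress.ip_address(parts[1])
            # A local stub resolver (e.g. 127.0.0.53) is reported too;
            # its upstream servers then need the same check.
            if resolver != expected["dns"]:
                findings.append(f"resolver {resolver} is not {expected['dns']}")
    return findings

# Constructed sample inputs (not captured from a real VM).
SUBNET = "10.128.0.0/24"
ROUTE = "default via 10.128.0.1 dev eth0 proto dhcp metric 100"
RESOLV_OK = "# constructed\nnameserver 10.128.0.2\nsearch internal\n"
RESOLV_DRIFT = "nameserver 10.128.0.2\nnameserver 203.0.113.53\n"

if __name__ == "__main__":
    print(platform_addresses(SUBNET))
    print(check_guest(SUBNET, ROUTE, RESOLV_OK))
    print(check_guest(SUBNET, ROUTE, RESOLV_DRIFT))
```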

CloudGate

CloudGate is a component that includes groups of service VMs in each availability zone that ensure IP connectivity between the physical and virtual networks and provide a number of additional network functions:

  • NAT gateway (NAT-GW)
  • Network load balancer (NLB)
  • Cloud Interconnect (CIC)

Each network function within CloudGate runs on a separate group of service VMs inside Yandex Cloud.

Note

Groups of service virtual machines for all CloudGate network functions are deployed in each availability zone. For ease of understanding, the above chart shows the location of CloudGate elements within a single availability zone.

Types of networking

Data centers are directly associated with the Yandex Cloud availability zones.

The above diagram shows the main types of networking between VMs in the Yandex Cloud virtual network:

Traffic between VMs in a single availability zone

Traffic from VM-A1 to VM-A2 in availability zone A will be routed as follows:

  1. VM-A1 → VRouter on Server-A1.
  2. Server-A1 → Server-A2 (within availability zone A).
  3. VRouter on Server-A2 → VM-A2.

Traffic between VMs in different availability zones

Traffic from VM-A2 in availability zone A to VM-B1 in availability zone B will be routed as follows:

  1. VM-A2 → VRouter on Server-A2.
  2. Server-A2 → Boundary network equipment of the transport network of availability zone A.
  3. Boundary network equipment of the transport network of availability zone A → Boundary network equipment of the transport network of availability zone B.
  4. Boundary network equipment of availability zone B → Server-B1.
  5. VRouter on Server-B1 → VM-B1.

VM traffic to the internet via a NAT gateway

Traffic from VM-A1 to the internet via the NAT gateway will be routed as follows:

  1. VM-A1 → VRouter on Server-A1.
  2. Server-A1 → CloudGate NAT-GW function (via the availability zone A intranet).
  3. NAT-GW → Boundary network equipment of availability zone A.
  4. Availability zone A boundary network equipment → Network equipment at the point of presence where there is a connection to external networks and the internet.

Limitations

  1. Currently, network connectivity in the Yandex Cloud virtual network is only provided through IPv4. There is no support for IPv6.
  2. The Yandex Cloud virtual network runs on OSI Layer 3 (L3), which makes the use of the OSI Layer 2 (L2) network technology very limited:
    1. Responses to ARP requests from VRouter (default gateway) will always be received from the same fixed MAC address.
    2. The only transport used for networking is Unicast. There is no support for Multicast.
    3. Network protocols that require a single virtual IP address (VIP) across VMs, such as HSRP, VRRP, or GLBP, are not supported.
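
These limitations can be checked against a workload's planned traffic before it is moved into the overlay. The following is an added example, not code from Yandex Cloud: it flags flows that use IPv6, multicast destinations, or a first-hop redundancy protocol. The flow record layout and sample flows are constructed; the VRRP protocol number and the HSRP and GLBP UDP ports are the standard assignments for those protocols and do not come from the page.

```python
import ipaddress

VRRP_IP_PROTO = 112                       # IP protocol number used by VRRP
UDP = 17
FHRP_UDP_PORTS = {1985: "HSRP", 3222: "GLBP"}

def fhrp_name(flow):
    """Name the shared-VIP protocol a flow belongs to, if any."""
    if flow["ip_proto"] == VRRP_IP_PROTO:
        return "VRRP"                     # multicast or unicast-peer mode
    if flow["ip_proto"] == UDP:
        return FHRP_UDP_PORTS.get(flow.get("dport"))
    return None

def overlay_blockers(flow):
    """Return the listed limitations that this flow runs into."""
    dst = ipaddress.ip_address(flow["dst"])
    if dst.version == 6:
        return ["IPv6: connectivity is IPv4-only"]
    reasons = []
    if dst.is_multicast:
        reasons.append("multicast: only unicast is carried")
    name = fhrp_name(flow)
    if name:
        reasons.append(f"{name}: shared VIP across VMs is not supported")
    return reasons

def audit(flows):
    """Map flow name -> blockers, for flows that have at least one."""
    report = {}
    for flow in flows:
        reasons = overlay_blockers(flow)
        if reasons:
            report[flow["name"]] = reasons
    return report

# Constructed sample flows (illustrative, not taken from a real deployment).
SAMPLE_FLOWS = [
    {"name": "app-to-db", "dst": "10.128.0.15", "ip_proto": 6, "dport": 5432},
    {"name": "keepalived-mcast", "dst": "224.0.0.18", "ip_proto": 112},
    {"name": "keepalived-unicast", "dst": "10.128.0.20", "ip_proto": 112},
    {"name": "hsrp-hello", "dst": "224.0.0.2", "ip_proto": 17, "dport": 1985},
    {"name": "api-v6", "dst": "2001:db8::10", "ip_proto": 6, "dport": 443},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_FLOWS).items():
        print(f"{name}: {'; '.join(reasons)}")
```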

Extra materials

  • Yandex Cloud network infrastructure overview (2019)
  • Yandex Cloud's Virtual Private Cloud overview (2020)
