VPCs
Private networks and routing tables for instance communication
VPCs provide private networks for instances using a VLAN. A VLAN adds minimal overhead and usually avoids reducing the instance MTU. It does limit the number of possible VPCs to roughly 4000, since VLAN IDs are 12 bits wide; the default configuration randomly selects VLAN IDs in the range 1001-3999. If the VXLAN network mode is configured in the datacenter settings there will be an additional VXLAN overlay network providing layer 2 connectivity over a layer 3 network, which adds the encapsulation overhead that the plain VLAN mode avoids.
Subnets
Subnets group instances of a similar type, such as all database servers or all web servers. When creating subnets in a VPC, keep them as small as possible so that each subnet can serve as a group for similar servers. Below is an example VPC with 9 /24 subnets, which gives an organized network with room for future expansion.

Network Maps
Network maps are primarily intended for testing software against unusual network MITM attacks. A network map remaps a subnet or a single IP to a new target IP; the target IP must be an IP in the VPC network. For example, the network map below simulates a DNS outage by remapping 8.8.8.8/32 to 10.134.100.1. A web server could also be remapped to a different web server to validate SSL certificate verification: a client that still connects without error is not checking that the certificate matches the host it asked for.

ICMP Redirects
When configuring custom routes, ICMP redirects can be enabled. Due to the design of Pritunl Cloud this provides almost no performance increase. Most Linux distributions cache received ICMP redirects for several minutes, so dynamic changes to the routing table take effect very slowly while a cached redirect is still in use. If a site-to-site VPN such as Pritunl Link is configured with automatic failover and automatic routing table updates, this option must be disabled.
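The following is an added example, not code from Pritunl Cloud or its documentation. It is a guest-side check a practitioner can run inside a Linux instance to see whether the kernel will honour ICMP redirects at all, whether a given destination's route is currently overridden by a cached redirect, and to flush that cache when a routing change (for example a Pritunl Link failover) must take effect immediately. The interface name `eth0`, the `SYSCTL_ROOT` variable (which lets the sysctl checks run against a copied `/proc/sys` tree) and the sample destination are assumptions of this example; `ip` is the iproute2 tool.

```shell
#!/bin/sh
# Added example (not Pritunl Cloud code): inspect a Linux guest's handling
# of ICMP redirects. SYSCTL_ROOT defaults to the live /proc/sys but may
# point at a copied tree for offline inspection (assumption for this example).

: "${SYSCTL_ROOT:=/proc/sys}"

# Print the value of a dotted sysctl key, e.g. net.ipv4.conf.all.accept_redirects
read_sysctl() {
    cat "$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
}

# Succeed only when accept_redirects is 0 for both "all" and the given
# interface. The kernel combines the two values (OR when the interface is
# not forwarding, AND when it is), so both must be 0 to be certain that
# redirects are ignored. secure_redirects=1 only restricts accepted
# redirects to ones sent by the current gateway; it does not disable them.
redirects_disabled() {
    all=$(read_sysctl net.ipv4.conf.all.accept_redirects)
    ifc=$(read_sysctl "net.ipv4.conf.$1.accept_redirects")
    [ "$all" = 0 ] && [ "$ifc" = 0 ]
}

# Succeed when the kernel's cached route to $1 was installed by an ICMP
# redirect; `ip route get` marks such entries with "cache <redirected>".
cached_redirect() {
    ip route get "$1" 2>/dev/null | grep -q 'cache.*<.*redirected.*>'
}

# Drop cached redirects so routing table changes apply now instead of
# after the multi-minute expiry described in the text.
flush_redirects() {
    ip route flush cache
}

# report <iface> [destination...]
report() {
    ifc=$1
    shift
    if redirects_disabled "$ifc"; then
        echo "ICMP redirects: ignored on all and $ifc"
    else
        echo "ICMP redirects: may be honoured on $ifc (all=$(read_sysctl net.ipv4.conf.all.accept_redirects), $ifc=$(read_sysctl "net.ipv4.conf.$ifc.accept_redirects"))"
    fi
    for dst in "$@"; do
        if cached_redirect "$dst"; then
            echo "$dst: route overridden by a cached ICMP redirect (run flush_redirects)"
        else
            echo "$dst: no cached redirect"
        fi
    done
}

# Run as a script with an interface and optional destinations, e.g.:
#   sh icmp_redirects.sh eth0 10.134.100.1
if [ $# -ge 1 ]; then
    report "$@"
fi
```

If `report` shows that redirects may be honoured, setting `net.ipv4.conf.all.accept_redirects=0` and the per-interface key to 0 in the guest is the belt-and-braces counterpart to disabling the option on the Pritunl Cloud route; otherwise a stale cached redirect can keep steering traffic at the old gateway after an automatic routing table update.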
Custom ARP
Because VPCs are built on VLANs, a physical host can be added to a VPC network if it is on the same network switch and has a VLAN interface configured with the VPC's VLAN ID. This does not work if the datacenter has the VXLAN network mode configured. Pritunl Cloud primarily functions with static ARP tables, and in future updates ARP entries will be more restricted. For an external host to access the VPC, add an ARP entry to the VPC with the MAC address of that host and an IP address from the VPC network. Any IP address from the VPC network can be selected, but it should be one that is not in an existing subnet, where it could otherwise be assigned to an instance.
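The following is an added example, not code from Pritunl Cloud, serving both the Network Maps section above and this Custom ARP section, since both come down to the same check: an address must (or must not) fall inside a given prefix. It models a small network map rule set and validates that every target lies in the VPC, resolves which destination an instance would actually reach, checks that an external host's chosen address is inside the VPC but outside every subnet, and prints the iproute2 commands that attach the host to the VPC VLAN. The VPC CIDR 10.134.0.0/16, VLAN ID 1234, interface names, subnets and the second map rule are constructed for this example, and longest-prefix matching between overlapping rules is an assumption of the example rather than a documented behaviour.

```shell
#!/bin/sh
# Added example (not Pritunl Cloud code): POSIX-sh IPv4 prefix helpers used
# to validate network map rules and to pick an address for an external host
# joining the VPC VLAN. All addresses, IDs and names below are constructed.

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <a.b.c.d/len>: succeed if ip lies inside the prefix.
in_cidr() {
    pfx=${2%/*}; plen=${2#*/}
    nmask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & nmask )) -eq $(( $(ip2int "$pfx") & nmask )) ]
}

VPC_CIDR=10.134.0.0/16   # constructed VPC network

# Network map rules, one per line: "<subnet-or-host> <target-ip>".
# Line 1 is the DNS-outage rule from the text; line 2 (constructed) sends a
# web subnet to a different web server to exercise certificate checking.
NETMAPS='8.8.8.8/32 10.134.100.1
10.134.30.0/24 10.134.20.5'

# Every target must be an address inside the VPC network.
validate_netmaps() {
    while read -r src target; do
        in_cidr "$target" "$VPC_CIDR" || { echo "bad target $target for $src" >&2; return 1; }
    done <<EOF
$NETMAPS
EOF
}

# Destination an instance actually reaches for <ip>. Overlapping rules:
# the most specific prefix wins (assumption of this example).
apply_netmap() {
    best_len=-1; result=$1
    while read -r src target; do
        rule_len=${src#*/}
        if in_cidr "$1" "$src" && [ "$rule_len" -gt "$best_len" ]; then
            best_len=$rule_len; result=$target
        fi
    done <<EOF
$NETMAPS
EOF
    echo "$result"
}

# external_host_ip_ok <ip> <subnet>...: the host address must be in the
# VPC but outside every subnet, so it can never collide with an instance.
external_host_ip_ok() {
    host_ip=$1; shift
    in_cidr "$host_ip" "$VPC_CIDR" || return 1
    for sn in "$@"; do
        in_cidr "$host_ip" "$sn" && return 1
    done
    return 0
}

# vlan_host_cmds <parent-iface> <vlan-id> <ip/len>: print the iproute2
# commands that put a physical host on the VPC's VLAN (IDs are 1-4094).
vlan_host_cmds() {
    [ "$2" -ge 1 ] && [ "$2" -le 4094 ] || return 1
    echo "ip link add link $1 name $1.$2 type vlan id $2"
    echo "ip addr add $3 dev $1.$2"
    echo "ip link set $1.$2 up"
}

# Example run: sh vpc_helpers.sh
if [ $# -eq 0 ] && [ "${VPC_HELPERS_DEMO:-0}" = 1 ]; then
    validate_netmaps && echo "network map targets are inside $VPC_CIDR"
    echo "8.8.8.8 -> $(apply_netmap 8.8.8.8)"
    external_host_ip_ok 10.134.250.10 10.134.10.0/24 10.134.20.0/24 \
        && vlan_host_cmds eth0 1234 10.134.250.10/16
fi
```

Run with `VPC_HELPERS_DEMO=1` to see the demo output. The printed `ip` commands are executed on the external host, not on a Pritunl Cloud node; the MAC that goes into the VPC's Custom ARP entry is that of the new VLAN interface, which by default is the parent NIC's MAC.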