Connect S3 to other products

For your information

You can connect S3 to other products over a private network only in specific pools: in the ru-3 and ru-7 pools, you can connect to servers in Russia; in the uz-2 pool, you can connect to servers in Uzbekistan.

To connect S3 to other products over a private network, use the Global Router.

1. If you do not have a Global Router yet, create one.
2. Connect the other product's subnet to the Global Router.
3. Create a connection subnet to link S3 to the Global Router.
4. Add a static route to S3 on the servers in the other product.
5. Configure access to the private S3 endpoint on the servers in the other product.

1. Create a Global Router

1. In the Control panel, in the top menu, click Products and select Global Router.
2. Click Create router. A limit of five global routers is set for each account.
3. Enter the router name.
4. Click Create.
5. If the router was created with the status ERROR or is stuck in one of the statuses, create a ticket.

2. Connect the other product's subnet to the Global Router

Dedicated server

You can connect a new or existing network to the router if it is not already connected to any of the account's global routers.

1. In the control panel, on the top menu, click Products and select Global Router.

2. Go to the router page → Networks tab.

3. Click Create network.

4. Enter a network name. It will only be used in the control panel.

5. Select the Servers and Equipment service.

6. Select a location for the network.

7. Select or enter a VLAN.

8. If you want to create a network up to an internal segment (Q-in-Q), specify its tag—a number from 2 to 4094. If a network already exists for the VLAN, you must specify the Q-in-Q segment of this VLAN.

9. Enter a subnet name. It will only be used in the control panel.

10. Enter the CIDR—the IP address and mask of the private subnet. You can enter a new subnet or an existing private server subnet if it has not yet been added to any of the global routers in the account. The subnet must meet the following conditions:

    • belong to the RFC 1918 private address range: 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16;
    • have a size of at least /29, as three addresses will be occupied by Servercore network equipment;
    • do not overlap with other subnets added to this router—IP addresses must not repeat across subnets on the same router;
    • if a Managed Kubernetes cluster on cloud servers is included in the global router network, the subnet must not overlap with the ranges 10.10.0.0/16, 10.96.0.0/12, 10.250.0.0/16 and 10.251.0.0/24. If a cluster on dedicated servers is included in the network — with ranges 10.10.0.0/16, 10.222.0.0/16, 10.250.0.0/16, 10.251.0.0/24 and 172.250.0.0/14. These subnets are used for Managed Kubernetes internal addressing, and their use may lead to conflicts in the global router network.

11. Enter the gateway IP or leave the first address from the subnet that is assigned by default. Do not assign this address to your devices to avoid network disruption.

12. Enter the service IPs or leave the last addresses from the subnet that are assigned by default. Do not assign these addresses to your devices to avoid network disruption.

13. Click Create network.

14. Optional: check the network topology on the global router. In the Control panel, in the top menu, click Products → Global Router → router page → Network map.

15. If you specified a Q-in-Q tag in step 8, you need to enable Q-in-Q technology on the switch port and configure the private network interface that you specified in step 10. Learn more in the Configure Q-in-Q section of the Q-in-Q guide.

Cloud server or Managed Kubernetes cluster

You can connect a new or existing network to the router if it is not already connected to any of the account's global routers.

Connect a new network

1. In the Control panel, on the top menu, click Products and select Global Router.

2. Open the router page → Networks tab.

3. Click Create network.

4. Enter a network name. It will only be used in the control panel.

5. Select the Cloud Platform service.

6. Select a location for the network.

7. Select a project.

8. Enter a subnet name. It will only be used in the control panel.

9. Enter the CIDR — IP address and subnet mask. The subnet must meet the following conditions:

   • belong to the RFC 1918 private address range: 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16;
   • have a size of at least /29, as three addresses will be occupied by Servercore network equipment;
   • it does not overlap with other subnets added to this router — there must be no identical IP addresses within the subnets of one router;
   • if a Managed Kubernetes cluster on cloud servers is to be connected to the global router network, the subnet must not overlap with the 10.10.0.0/16, 10.96.0.0/12, 10.250.0.0/16 and 10.251.0.0/24. If a cluster on dedicated servers is connected to the network, it must not overlap with the 10.10.0.0/16, 10.222.0.0/16, 10.250.0.0/16, 10.251.0.0/24 and 172.250.0.0/14. These subnets are used for Managed Kubernetes internal addressing, and their use may cause conflicts in the global router network.

10. Enter the gateway IP or leave the first address from the subnet, which is assigned by default. Do not assign this address to your devices to avoid disrupting network operation.

11. Enter the service IPs or leave the last addresses from the subnet, which are assigned by default. Do not assign these addresses to your devices to avoid disrupting network operation.

12. Click Create network.

13. Optional: check the network topology on the global router. In the Control panel, on the top menu, click Products → Global Router → router page → Network Map.

Connect an existing network

1. Ensure the network is not already added to any global router in your account. In the Control panel, on the top menu, click Products → Cloud Servers → Network → tab Private networks → check that the network card does not have the tag Global Router.

2. Verify that the subnet meets the following conditions:

   • belongs to the RFC 1918 private address range: 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16;
   • is at least /29, as three addresses will be occupied by Servercore network equipment;
   • it does not overlap with other subnets added to this router: the IP addresses of each subnet on the router must not match the IP addresses of other subnets on it;
   • if a Managed Kubernetes cluster on cloud servers is to be connected to the global router network, the subnet must not overlap with the 10.10.0.0/16, 10.96.0.0/12, 10.250.0.0/16 and 10.251.0.0/24. If a cluster on dedicated servers is connected to the network, it must not overlap with the 10.10.0.0/16, 10.222.0.0/16, 10.250.0.0/16, 10.251.0.0/24 and 172.250.0.0/14. These subnets are used for Managed Kubernetes internal addressing, and their use may cause conflicts in the global router network.

3. In the Control panel, on the top menu, click Products and select Cloud Servers.

4. Go to Network → tab Private networks.

5. From the network menu, select Connect to Global Router.

6. Select a global router.

7. For each subnet in the network, enter the IP address to be assigned to the router or leave the first available address from the subnet, which is assigned by default. Do not assign this address to your devices to avoid disrupting network operation. The last two available subnet addresses will be reserved as service addresses.

8. Click Connect. Do not close the window until a message appears confirming the network has been connected. After that, in the control panel:

   • the network will appear in the section Servercore Global Router on the router page to which you connected it;
   • in the section Cloud Servers → Network → on the tab Private networks, the network will have the tag Global Router.

3. Create a connection subnet to link S3 to the Global Router

1. Create a ticket. In the ticket, specify:

   • Global Router ID; you can find it in the Control Panel: in the top menu, click Products → Servercore Global Router → router page → copy the ID under the router name;
   • the desired CIDR for a subnet of at least /28, which will be used as the connection subnet from the Global Router to S3. The subnet must belong to the private address range per RFC 1918: 10.0.0.0/8, 172.16.0.0/12`` or 192.168.0.0/16. The subnet must not overlap with other subnets added to this router—subnets on the same router must not contain duplicate IP addresses;
   • endpoint — a private IP address with a /32 mask to which traffic will be sent to S3. This IP address must not be part of the selected connection subnet.

2. Wait for a response from Servercore support confirming that connectivity from S3 to the Global Router has been set up. The created connection network will not be displayed in the Global Router in the Control Panel. If you need to change connectivity settings on the S3 side, create a ticket.

4. Add static routes to S3

On each server that you connect to S3, you need to configure a static route to the peering subnet via the global router.

If you are using the Global Router as the default gateway on your servers, you do not need to add routes.

If not, add the static route on the servers you need to connect to S3:

• for the destination subnet, specify the CIDR of the connection subnet you provided in the ticket in step 3;
• for the gateway, specify the address from the subnet that the corresponding server is added to and that is used as a Global Router gateway.

Dedicated server, VMware-based cloud

Ubuntu

1. Connect to the server.

2. Open the network configuration file:

   vi /etc/netplan/01-netcfg.yaml

3. At the end of the data block for the required network interface, add the route:

   routes:
     - to: <ip_address>/<mask>
       via: <gateway>

   Specify:

   • <ip_address>/<mask> — the subnet to which you need to add a route, specifying the mask, for example 192.168.0.0/28;
   • <gateway> — the gateway for the current server's subnet, which is specified on the global router.

4. If you need to define multiple routes, add them sequentially in the same block, for example:

   routes:
   - to: 192.168.0.0/28
       via: 172.16.0.1
   - to: 192.168.1.0/28
       via: 172.16.0.1

5. Save the file.

6. Check the settings:

   sudo netplan try

7. Apply the changes:

   netplan apply

Debian

1. Connect to the server.

2. Open the network configuration file:

   vi  /etc/network/interfaces

3. At the end of the data block for the corresponding network interface, add the required route:

   up route add -net <ip_address> netmask <mask> gw <gateway>
   down route del -net <ip_address> netmask <mask> gw <gateway>

   Specify:

   • <ip_address> — the subnet to which you need to add a route, for example 192.168.0.0;
   • <mask> — the subnet mask to which you need to add a route, for example 255.255.255.0;
   • <gateway> — the gateway for the current server's subnet, which is specified on the global router.

4. If you need to define multiple routes, add them sequentially in the same block.

5. Save the file.

6. Restart the network:

   sudo /etc/init.d/networking restart

CentOS

1. Connect to the server.

2. Create and fill out the file for configuring static routes:

   echo "<ip_address>/<mask> via <gateway>" >> /etc/sysconfig/network-scripts/route-<eth_name>

   Specify:

   • <ip_address>/<mask> — the subnet to which you need to add a route, specifying the mask, for example 192.168.1.0/28;
   • <gateway> — the gateway for the current server's subnet, which is specified on the global router;
   • <eth_name> — the name of the corresponding local network interface.

   If you need to add multiple routes, specify them in one command. List each route on a new line, for example:

   echo "192.168.0.0/28 via 172.16.0.1
   192.168.1.0/28 via 172.16.0.1" >> /etc/sysconfig/network-scripts/route-eno2

3. Restart the network:

   systemctl restart network

Windows

1. Connect to the server via RDP or via KVM console.

2. Add the required routes one by one:

   route -p ADD <ip_address> MASK <mask> <gateway> METRIC <x>

   Specify:

   • <ip_address> — the subnet to which you need to add a route, for example 192.168.0.0;
   • <mask> — the subnet mask to which you need to add a route, for example 255.255.255.0;
   • <gateway> — the gateway for the current server's subnet, which is specified on the global router;
   • <x> — a parameter determining the priority of the specified gateway, 1 being the highest priority.

Cloud platform

To add static routes for a cloud server, Managed Database cluster, or Managed Kubernetes cluster, you must configure static routes on the private subnet where the server or cluster resides.

5. Configure access to the private S3 endpoint on servers in the other product

By default, S3 is accessed via a public domain. If a request is sent to a private IP address, the response will include a certificate mismatch error.

To avoid this error, you must map the private IP address you specified as the endpoint in step 3 to the S3 API domain in the required pool (ru-3, ru-7, or uz-2).

The configuration depends on whether your infrastructure has its own DNS recursor.

You have your own DNS recursor

Add A records on the recursor:

storage.selcloud.ru. IN A <endpoint_ip_address>
<s3_domain>. IN A <endpoint_ip_address>

Specify:

• <endpoint_ip_address> — the private IP address of the endpoint you specified when creating the connection subnet in step 3;
• <s3_domain> — the S3 API domain in the required pool (ru-3, ru-7, or uz-2). If you are configuring connectivity for S3 in multiple pools, specify each in a separate record.

You do not have a DNS recursor

Perform the settings on each server or in each Managed Kubernetes cluster that you need to connect to S3.

Dedicated or cloud server

On the server, add a record to the /etc/hosts/ file:

<endpoint_ip_address> storage.selcloud.ru. <s3_domain>

Specify:

• <endpoint_ip_address> — the private IP address of the endpoint you specified when creating the connection subnet in step 3;
• <s3_domain> — S3 API domain in the required pool (ru-3, ru-7, or uz-2). If you are configuring connectivity for S3 in multiple pools, specify their domains separated by a space.

Managed Kubernetes cluster

Add a zone in the cluster's CoreDNS configuration using a ConfigMap:

1. Create a manifest for the ConfigMap. Specify the name coredns-custom and the namespace kube-system. The file name created through the ConfigMap must end with the .custom suffix. Example manifest:

   apiVersion: v1
   kind: ConfigMap
   metadata:
       name: coredns-custom
       namespace: kube-system
   data:
       s3-private-proxy.custom: |
           storage.selcloud.ru {
               hosts {
                   <endpoint_ip_address> storage.selcloud.ru
                   <endpoint_ip_address> <s3_domain>
                   fallthrough
               }
               cache 60
               forward . 188.93.17.19 188.93.16.19
               log
           }

   Specify:

   • <endpoint_ip_address> — the private IP address of the endpoint you specified when creating the connection subnet in step 3;
   • <s3_domain> — the S3 API domain in the required pool (ru-3, ru-7, or uz-2). If you are configuring connectivity for S3 in multiple pools, add a separate line for each.

2. Apply the configuration to the cluster:

   kubectl apply -f coredns-s3-pp.yaml

3. Restart the CoreDNS pods:

   kubectl -n kube-system delete pods -l k8s-app=kube-dns