Networking and Cloud Servers – Introduction and First Line of Defense

Being able to create a Cloud Server on the fly is a great proposition. A Cloud Server is defined by its memory, storage and burstable CPU. It is also defined by its network properties, which can allow it to become part of the Internet, or not.

To start with the basics, each Cloud Server comes bundled with two Ethernet interfaces:

•    A Public one (eth0 on a linux server) that is reachable from the Internet and is allocated a unique public IP address, allowing to easily name the server using DNS – This can easily be done using our DNS tool (See our other post on why DNS matters – )
•    A Private one (eth1 on a linux server) that is not reachable from the Internet and is allocated a unique private IP address (part of RFC 1918)

Before reviewing the uses and best practices surrounding these two interfaces, let’s look at the basic security that we have created for these interfaces. From a networking point of view, the first security line of defense is identity protection, which is based on two tenets:

•    Nobody should see traffic addressed to me.  This is Anti-Snooping – What does that mean in practice? If one configures one of their Cloud server interfaces in promiscuous mode, hoping to sniff someone else’s traffic, they will be unable to do so as the only traffic allowed to reach their interface is traffic specifically sent to it (at both the MAC and IP layers)
•    Nobody should be able to impersonate me. This is Anti-Spoofing – What does that mean in practice? If one steals someone else’s address (or makes a configuration mistake), then all outgoing traffic will be dropped.

Of course, the above is only a first line of defense; one should always use layer 3 inspection to further protect any server. We have good info and tips in our knowledge base at

Rack Blogger is our catchall blog byline, subbed in when a Racker author moves on, or used when we publish a guest post. You can email Rack Blogger at


  1. One thing I really wish RackSpace Cloud would do more of in these posts is talk about the other camp (Windows), especially with RackSpace Cloud Servers for Windows being officially launched to beta yesterday and since approximately 50% of RackSpace’s clients run on Windows and .NET.

    • David,

      the same concepts also apply to the Windows world – The interface names are then private and public

      Hope this helps


  2. It is required for Rackspace to provide more information on the security of the private interface. Is it private to all customers within Rackspace Cloud or is it truly private within the account?

    I wish it were the latter. Because otherwise it is difficult at best to build up a secure multi-server environment on the Rack cloud, as far as for example securing database access is concerned.

    • Claus,

      At this point in time, the private interface is “private to all customers within Rackspace Cloud” – Therefore, adding a layer 3 firewall is highly recommended so as to only allow traffic to and from the other Cloud servers in your account – I will be posting more information within the next week or so


    • Hi Terri – Thank you for submitting your concern. Being open and transparent with our customers is part of our philosophy so I apologize if you feel we’ve fallen short of that. I do see you have a ticket open with us and we will address your concerns directly with you.
      Thank you,

  3. @Angry – That is quite a misinformed and disingenuous statement. CloudSites, one of their three cloud offerings, has had a few recent setbacks, though they seem to be making progress. I haven’t heard of any issues with CloudServers and CloudFiles as of late. I have been a very happy camper with Rackspace.


Please enter your comment!
Please enter your name here