Narbulut ECS Network Management Guide

Table of Contents
1. Prerequisites
2. Overview and Network Architecture
3. VPC and Subnet Management
4. Elastic IP Management
5. Port Open / Close (ACL Rules)
6. Port Forwarding (Destination NAT)
7. VPC Firewall and Distributed Firewall
8. Static Routes and DNS Settings
9. Network Topology
10. NGAF — Web Console, SOC and Policies
11. NGAF — NAT, UTM and Monitoring
12. Best Practices

1. Prerequisites

Before starting network management operations, make sure the following requirements are met:

  • A Tenant or Co-Administrator account with access to the ECS platform
  • At least one VPC and Subnet configured
  • Elastic IP (EIP) assigned
  • NGAF device active and running
  • Sufficient resource quota

Figure 1 — Resource Quota page

Resource | Description | Check
EIP (IPv4) | Elastic IP for external access | Public Resource
Bandwidth | Bandwidth limit | Public Resource
CPU / Memory | For VMs and NGAF | Resource Pool
NGAF | Firewall device quota | Resource Pool
SSL VPN Users | VPN user limit | Resource Pool

Tip: If resource quota is insufficient, check the current status from System > Resource Quota and request an increase from the support team if needed.

2. Overview and Network Architecture

The network infrastructure on the ECS platform consists of multiple integrated components. This guide covers the configuration and management of all network components.

Figure 2 — Network Architecture Overview

Component | Description | Access
VPC | Isolated virtual network environment | Network Deployment > VPC
Subnet | Sub-networks within a VPC | VPC > Subnet
Elastic IP | Static IP for external access | IP and Bandwidth
ACL | Port open/close rules | VPC > ACL
Destination NAT | Port forwarding | VPC > Destination NAT
VPC Firewall | VPC-level firewall | Security > VPC Firewall
Distributed Firewall | Inter-VM traffic control | Security > Distributed Firewall
NGAF | Advanced firewall (UTM) | Security > NGAF
Static Route | Custom route definitions | VPC > Static Route
Internal DNS | Internal DNS records | VPC > Internal DNS

Layered Security Model

Layer | Description
VPC Firewall / ACL | Controls traffic between the external network and the VPC
Distributed Firewall | Controls inter-VM traffic within the VPC
NGAF | Advanced packet inspection, IPS/IDS, NAT, UTM, and VPN
Destination NAT | Forwards incoming external traffic to internal resources

3. VPC and Subnet Management

A VPC (Virtual Private Cloud) provides an isolated network environment. Each VPC has its own subnets, routes, and security rules.

Access: Network Deployment > VPC

Figure 3 — VPC List

When you select a VPC, you can view and manage its subnets on the VPC detail page.

Figure 4 — Subnet List

Field | Description
VPC Name | Virtual network environment identifier
CIDR | VPC address range (e.g., 10.0.0.0/16)
Subnet Name | Sub-network identifier
Subnet CIDR | Sub-network address range (e.g., 10.0.1.0/24)
Gateway | Subnet default gateway
VLAN ID | VLAN identifier

Note: The CIDR range cannot be changed after VPC creation. Carefully plan your network address structure during the planning phase.

4. Elastic IP Management

Elastic IPs (EIPs) are static IP addresses required for VMs and services to access the external network.

Access: IP and Bandwidth

Figure 5 — Elastic IP List

Field | Description
EIP Address | Assigned public IPv4 address
Bandwidth | Bandwidth limit assigned to the EIP
Bound Resource | VM or service the EIP is bound to
Status | Bound or Unbound

Tip: Unused EIPs consume your resource quota. Release unnecessary EIPs to use your quota efficiently.

5. Port Open / Close (ACL Rules)

ACL (Access Control List) rules provide port-level access control at the VPC level. By default, all ports are closed; only explicitly allowed ports are opened for access.

Access: VPC > ACL

Security Baseline — Ports Recommended to Keep Closed by Default

Port | Protocol | Description
22 | TCP (SSH) | Brute force attack risk
445 | TCP (SMB) | Ransomware risk
1433 | TCP (SQL) | Database attack risk

Figure 6 — ACL Rule List

Figure 7 — ACL Rule Creation

Field | Description
Rule Name | Identifier name
Direction | Inbound or Outbound
Protocol | TCP, UDP, ICMP, or all
Source / Destination IP | IP address or CIDR block
Port Range | Single port or range (e.g., 80-443)
Action | Allow or Deny

Warning: ACL rules are ordered. Place more specific rules first and general rules at the end.
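
The ordering rule above, as an added example (not Narbulut's code and not a platform export format): a first-match evaluator over inbound rules modeled on the ACL form fields, showing how a general rule placed first overrides a later specific deny and how to report such shadowed rules. First-match evaluation, the rule names, and the addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclRule:                # fields mirror the ACL rule form in this guide
    name: str
    protocol: str             # "TCP", "UDP", "ICMP" or "ALL"
    source: str               # IP address or CIDR block
    ports: tuple              # (low, high), inclusive
    action: str               # "Allow" or "Deny"

BASELINE_PORTS = (22, 445, 1433)   # ports the guide recommends keeping closed

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def evaluate(rules, protocol, src_ip, port):
    """Return (action, rule name) of the first matching rule; default is Deny."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if (r.protocol in ("ALL", protocol) and addr in net(r.source)
                and r.ports[0] <= port <= r.ports[1]):
            return r.action, r.name
    return "Deny", "default"

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (a.protocol in ("ALL", b.protocol)
            and net(b.source).subnet_of(net(a.source))
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def shadowed(rules):
    """(later, earlier) pairs where the later rule can never take effect."""
    return [(later.name, earlier.name)
            for i, later in enumerate(rules)
            for earlier in rules[:i] if covers(earlier, later)]

def open_baseline_ports(rules, src_ip):
    """Baseline ports that src_ip can reach over TCP under this rule order."""
    return [p for p in BASELINE_PORTS
            if evaluate(rules, "TCP", src_ip, p)[0] == "Allow"]

# Constructed sample: the general office rule sits above the specific SMB deny.
RULES = [
    AclRule("office-any", "ALL", "198.51.100.0/24", (1, 65535), "Allow"),
    AclRule("office-no-smb", "TCP", "198.51.100.0/24", (445, 445), "Deny"),
    AclRule("web-https", "TCP", "0.0.0.0/0", (443, 443), "Allow"),
]
FIXED = [RULES[1], RULES[0], RULES[2]]   # specific rule moved to the top

if __name__ == "__main__":
    for label, rules in (("as entered", RULES), ("reordered", FIXED)):
        print(label, evaluate(rules, "TCP", "198.51.100.7", 445), shadowed(rules))
```

Running the same check against a documented copy of the rule list before each change also surfaces baseline ports (22, 445, 1433) that a broad Allow rule has opened for a given source.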

6. Port Forwarding (Destination NAT)

Destination NAT is used to forward incoming external traffic to a specific internal IP and port. For example, you can forward external port 8080 to port 80 on an internal web server.

Access: VPC > Destination NAT

Figure 8 — Destination NAT Rules

Field | Description
Rule Name | DNAT rule identifier
EIP | External IP address (Elastic IP)
External Port | Port to be accessed externally
Internal IP | Internal VM IP address to forward to
Internal Port | Target port on the internal VM
Protocol | TCP or UDP

Note: When creating a DNAT rule, make sure the corresponding ACL rule is also defined. DNAT will not work without an ACL rule.

7. VPC Firewall and Distributed Firewall

VPC Firewall

The VPC Firewall is a security layer that controls traffic between the external network and the VPC.

Access: Security > VPC Firewall

Figure 9 — VPC Firewall Rules

Field | Description
Rule Name | Firewall rule identifier
Source | Source IP or network group
Destination | Destination IP or network group
Service / Port | Allowed or blocked service/port
Action | Allow / Deny / Reject
Logging | Whether the rule is logged

Distributed Firewall

The Distributed Firewall controls inter-VM (east-west) traffic within a VPC. It is ideal for micro-segmentation.

Access: Security > Distributed Firewall

Figure 10 — Distributed Firewall Rules

Field | Description
Rule Name | Micro-segmentation rule identifier
Source VM/Group | Source virtual machine or VM group
Destination VM/Group | Destination virtual machine or VM group
Service / Port | Allowed or blocked service/port
Action | Allow / Deny / Reject

Tip: Distributed Firewall rules are applied at the VM level and are independent of the VPC Firewall. Configure both layers together for comprehensive security.

8. Static Routes and DNS Settings

Static Route Management

Static routes are used to direct specific network traffic to a custom next-hop address.

Access: VPC > Static Route

Figure 11 — Static Route List

Field | Description
Destination Network | Target CIDR block to route
Next Hop | IP address to forward traffic to
Description | Route description text

DNS Settings

Internal DNS allows you to create internal DNS records for VMs within a VPC.

Access: VPC > Internal DNS

Figure 12 — DNS Settings

Field | Description
Domain Name | Internal DNS record domain name
IP Address | IP address the DNS record points to
TTL | DNS record cache duration

Tip: Internal DNS enables VMs within the VPC to resolve each other by name. When IP addresses change, you only need to update the DNS record.

9. Network Topology

The Network Topology view provides a visual map of VPCs, subnets, VMs, and network components. Use this view to quickly review your network structure and verify connection statuses.

Figure 13 — Network Topology View

Tip: The topology view is useful for visually verifying connections between components when diagnosing network issues.

10. NGAF — Web Console, SOC and Policies

NGAF (Next-Generation Application Firewall) is an integrated security appliance that provides advanced firewall features.

Access: Security > NGAF

10.1 Web Console Access

Provides direct access to the NGAF device management interface. All NGAF configurations are performed through this console.

Figure 14 — NGAF Web Console

10.2 SOC Dashboard

The Security Operations Center (SOC) dashboard allows you to monitor the network security status in real time. Threat statistics, traffic analysis, and security events are summarized on this dashboard.

Figure 15 — NGAF SOC Dashboard

10.3 Policy and Access Control

You can define application-based access policies on the NGAF. Policies support filtering based on source, destination, application, and time.

Figure 16 — NGAF Policy and Access Control

11. NGAF — NAT, UTM and Monitoring

11.1 NAT / Port Forwarding

You can define advanced NAT rules through the NGAF. NGAF NAT rules operate independently from VPC-level Destination NAT and provide more granular control.

Figure 17 — NGAF NAT Rules

11.2 UTM Features

The Unified Threat Management (UTM) module enables you to manage advanced security features such as IPS/IDS, anti-virus, web filtering, application control, and anti-spam from a single point.

Figure 18 — NGAF UTM Features

UTM Module | Description
IPS/IDS | Intrusion detection and prevention system
Anti-Virus | Malware scanning in network traffic
Web Filtering | URL and category-based web access control
Application Control | Application-based traffic management
Anti-Spam | Spam email filtering

11.3 Monitoring and Logs

NGAF records all network events and security logs. You can review past events, perform threat analysis, and generate reports from the log records.

Figure 19 — NGAF Monitoring and Log Records

Warning: Review NGAF logs regularly so that abnormal traffic patterns are detected early and security breaches can be prevented.

12. Best Practices

  • Network Segmentation: Use separate VPCs and subnets for different workloads to ensure isolation.
  • Least Privilege Principle: Open only the required ports and IP ranges in ACL and firewall rules.
  • Layered Security: Use VPC Firewall, Distributed Firewall, and NGAF together for defense in depth.
  • Regular Monitoring: Check the NGAF SOC dashboard and logs regularly.
  • Redundant Configuration: Define multiple EIPs and DNAT rules for critical services.
  • Documentation: Document all network rules and changes. Always fill in rule description fields.
  • Periodic Review: Regularly clean up unused ACL rules, EIPs, and firewall policies.
  • DNS Usage: Prefer Internal DNS records over IP addresses for inter-VM communication.

Technical support: destek@narbulut.com  |  www.narbulut.com
