FAQ

Last change on 2024-12-11 • Created on 2020-07-02 • ID: CL-238AF

What are Hetzner Cloud Networks?

Networks provide private layer 3 links between Hetzner cloud servers using dedicated network interfaces. You can use them to conveniently construct multi-tier architectures spanning multiple locations.

Can Networks span multiple locations?

Yes, you can connect instances from our locations in Falkenstein, Nuremberg and Helsinki to the same Network. Please note, however, that all locations within a Network have to be from the same network zone as the subnet. All subnets within a Network also have to be from the same network zone. vSwitch coupling is only possible with subnets in the eu-central network zone.

Network zone    Locations
ap-southeast    Singapore (sin)
eu-central      Falkenstein (fsn1), Helsinki (hel1), Nuremberg (nbg1)
us-east         Ashburn, VA (ash)
us-west         Hillsboro, OR (hil)

Will you charge for this feature? How about traffic?

The Networks feature is free. The traffic on the private network interfaces is free; we will not charge you for it.

How are IP addresses managed in Networks?

You can use the Cloud Console to manage the IP addresses in Networks. Whenever you attach a server to a Network, our system will automatically assign an IPv4 address within your private Networks to it. Or you can choose a specific IP address within your private Network if you prefer.

Since Networks are a layer 3 feature, you can only use the IP addresses allocated by the backend. Networks only support IPv4.

Is it possible to manually set IPs in Networks for certain servers?

Yes, that is possible. First select your Project, then Networks in the left-hand menu. Now select your Network and click on Subnets in the upper menu.

If you have already added the servers, you need to remove them first and add them again in order to manually set an IP.

Now select "Attach Resource" in the right grid, which will show you a pop-up on the right-hand side. At the bottom of this pop-up, you can find a small checkbox to configure IPs for the selected servers manually.

Which IP addresses can I use?

You can create Networks for all RFC 1918 private IP ranges which are:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

How are IP addresses configured on my servers?

If you recently created your server using one of our standard images, then we will automatically configure the main IP for your private network interface using DHCP.

You can disable the auto-configuration by uninstalling our auto-configuration package. In this case, you will need to manually configure the network interfaces to use them.

We have prepared an article with all the information you need about the configuration and the auto-configuration package.

Can one server have multiple IP addresses in a Network?

Yes. In addition to the main IP in the Network, you can also configure up to five alias IP addresses for every server. You will have to configure these IP addresses manually; the DHCP cannot provide them.

Can I attach a server to multiple Networks?

You can attach your server to up to three Networks at the same time.

For technical reasons, it is not possible to increase this limit.

Is traffic inside Hetzner Cloud Networks encrypted?

Traffic between cloud servers inside a Network is private and isolated, but not automatically encrypted. We recommend you use TLS or similar protocols to encrypt sensitive traffic.

What are Subnets?

Subnets are a part of the Networks feature. When you create a Network, you need to define its IP range. Within this IP range, you can create one or more subnets that each have its own IP space within the Network IP range. IPs for your servers will always be allocated from your subnet IP space.

Example: You create a Network 10.0.0.0/8. Within the Network you create a subnet 10.0.0.0/24. When you attach a server to your Network, it will get an IP from the 10.0.0.0/24 subnet.

Right now, the subnets feature is not very useful. However, this will change in the future when we add more features.

When you create a Network via Cloud Console, we will pick sane defaults and automatically create a suitable subnet for it. So when in doubt, please use the defaults.

What are Routes?

Routes is an advanced feature within Networks. With it, you can create a route that is automatically applied to private traffic. You can use routes to make sure that all packets for a given destination IP prefix will be sent to the address specified in its gateway.

What is special about route destinations that are not part of my network IP range?

If you choose a destination for your routes that is within the IP range of your Network, they will automatically work as expected.

If, however, you set your destination to be outside of the network IP range, you will have to ensure that traffic for the destination gets sent to your private network interface. To do that, you need to manually add the route in the operating system of each of your servers.

Why do packets with source IPs outside of my Network prefix get dropped?

The gateways behind a Network implement a concept called "strict unicast reverse path forwarding" (strict uRPF). This means that the gateway will check the source IP of every packet against the routing table of the Network. If the best route for this source IP does not point back to the server that sent the packet, the gateway will not forward it.

If one of your servers acts as a router between a Cloud Network and other networks (like a VPN), it may forward packets into the Network that have a source IP that is not within the IP prefix of the Network. In this case you'll need to add a route for the prefix containing these other source IPs, that points back to the server where these packets are coming from. Alternatively, you could use NAT to masquerade the source IP of the forwarded packets.

Example:

  • Gateway: 10.0.0.1
  • Cloud Server A: 172.16.0.1
  • Cloud Server B: 10.0.0.2
  • Cloud Server C: 10.0.0.3

The example above assumes that cloud server A and cloud server B are connected via a VPN. If cloud server A sends a packet to cloud server C, the packet would be routed like this:

Server A → Server B (router) → Gateway → Server C

If cloud server B, which acts as router, does not adapt the source IP, the source IP will remain the IP address of cloud server A.

In this example, the gateway would see that the packet was sent by the router, cloud server B. However, the source IP does not belong to cloud server B. If a packet had the target IP 172.16.0.1, the gateway would not forward it to cloud server B. For this reason, server B cannot send packets from this IP; if it did, the gateway would drop the packet.

To prevent this from happening, cloud server B could masquerade the source IP before it forwards the packet to the gateway, for example. Another option would be to add a route for 172.16.0.0/16 that points to cloud server B. This route will allow cloud server B to send packets with that source IP.
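The check described above can be modelled in a few lines. This is an added example, not Hetzner's implementation: the server labels and the table layout are assumptions, and only the addresses and the 172.16.0.0/16 route come from the example in this answer.

```python
import ipaddress

# Constructed model of the FAQ example; the server names are hypothetical labels.
ATTACHED = {"10.0.0.2": "server-b", "10.0.0.3": "server-c"}


def build_table(routes=()):
    """One /32 per attached server plus user-defined (prefix, gateway_ip) routes."""
    table = [(ipaddress.ip_network(ip), name) for ip, name in ATTACHED.items()]
    for prefix, gateway_ip in routes:
        table.append((ipaddress.ip_network(prefix), ATTACHED[gateway_ip]))
    return table


def best_route(table, address):
    """Longest-prefix match; returns the server the route points to, or None."""
    addr = ipaddress.ip_address(address)
    matches = [(net.prefixlen, hop) for net, hop in table if addr in net]
    return max(matches)[1] if matches else None


def strict_urpf_accepts(table, sender, src_ip):
    """Strict uRPF: forward only if the best route for src_ip points back at sender."""
    return best_route(table, src_ip) == sender


def scenario():
    """Server B forwards a packet that server A (172.16.0.1) sent over the VPN."""
    plain = build_table()
    routed = build_table([("172.16.0.0/16", "10.0.0.2")])
    return {
        # No route for A's prefix: the gateway drops the packet.
        "no_route": strict_urpf_accepts(plain, "server-b", "172.16.0.1"),
        # Route 172.16.0.0/16 -> server B: B may now send from that prefix.
        "with_route": strict_urpf_accepts(routed, "server-b", "172.16.0.1"),
        # B masquerades, so the packet carries B's own private IP.
        "masqueraded": strict_urpf_accepts(plain, "server-b", "10.0.0.2"),
        # The route does not let any other server use that source prefix.
        "same_source_from_c": strict_urpf_accepts(routed, "server-c", "172.16.0.1"),
    }
```

The last case shows the isolation property of strict uRPF: the route only permits the prefix as a source for the server it points to.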

How do I set up my own router?

As mentioned in the question at the top "What are Hetzner Cloud Networks?", our Networks provide layer 3 links (OSI model) between servers. The servers are not directly connected with each other. Instead, they are connected via a gateway. The connection between the gateway and the servers is established via software. Therefore, none of the machines are physically connected with each other.

Example subnet 10.0.0.0/24:

  • Subnet Gateway: 10.0.0.1
  • Cloud Server A: 10.0.0.2
  • Cloud Server B: 10.0.0.3

IP address of the subnet gateway

The gateway's IP address is always the first IP address of the subnet's IP range. This is why it is not possible to assign the first IP address of a subnet's IP range to a server, and why the first IP address is always marked as "IP address is reserved".

All traffic always has to be routed via the subnet gateway. This also applies if you set up one of your own servers to route traffic.

For more instructions on how to set up a server as a router, you can check out one of these tutorials:

  • How to set up NAT gateway for private Cloud Networks
  • How to route cloud server over private network using pfSense and Hetzner Cloud Networks

Setting up a router OS on one of the servers:

If you want to install a Router OS on one of your own cloud servers, please note:

  • All traffic has to be routed via the subnet gateway.
  • You should use DHCP so that the IPs are assigned automatically.
    The routes should then automatically be correct.

In addition to the server with the router OS, you also have to set up your private Network and the client. There are two ways to add the necessary route to the client:

  • Execute the ip route add command (temporary)
    With this option, the new route will no longer be available after the next reboot.
  • Edit the network configuration file (persistent)
    Hetzner Networks use the Hetzner package hc-utils for auto-configuration. This package modifies the network configuration file after every reboot, so routes that you've added yourself will no longer be available. To set up customized network configurations that survive a reboot, you will have to uninstall the hc-utils package (see Hetzner Cloud Networks Configuration).

Are any IP addresses reserved?

The following IP addresses cannot be assigned to your server:

  • The first IP address of your network IP range. For example, in 10.0.0.0/8, you cannot use 10.0.0.1.
  • The network and broadcast IP addresses of any subnet. For example, in 10.0.0.0/24, you cannot use 10.0.0.0 as well as 10.0.0.255.
  • The special private IP address 172.31.1.1. This IP address is being used as a default gateway of your server's public network interface.
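The reservation rules above, together with the RFC 1918 ranges and the subnet gateway rule from earlier answers, can be checked before an address is requested, for instance in provisioning scripts. This is an added example, not Hetzner code; the function name and the wording of the reasons are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_IF_GATEWAY = ipaddress.ip_address("172.31.1.1")


def check_private_ip(network, subnet, address):
    """Return the reasons `address` cannot be assigned (empty list = assignable).

    Hypothetical helper; Networks are IPv4-only, so IPv4 input is assumed.
    """
    net = ipaddress.ip_network(network)
    sub = ipaddress.ip_network(subnet)
    ip = ipaddress.ip_address(address)
    problems = []
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append("network range is not inside an RFC 1918 range")
    if not sub.subnet_of(net):
        problems.append("subnet is outside the network range")
    if ip not in sub:
        problems.append("address is outside the subnet")
    if ip == net.network_address + 1:
        problems.append("first IP address of the network range")
    if ip == sub.network_address + 1:
        problems.append("subnet gateway (first IP address of the subnet)")
    if ip in (sub.network_address, sub.broadcast_address):
        problems.append("network or broadcast address of the subnet")
    if ip == PUBLIC_IF_GATEWAY:
        problems.append("172.31.1.1 is the public interface's default gateway")
    return problems
```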

Are there any limits on how Networks can be used?

  • You can attach up to 100 servers to a Network.
  • Every server can have up to 5 alias IPs in addition to its private main IP.
  • You can create up to 50 subnets.
  • You can create up to 100 routes.

Can I include my Hetzner dedicated servers in my Hetzner Cloud Networks?

Yes, you can connect your Robot vSwitch (dedicated root servers) with your Hetzner Cloud Network. Create a new subnet in your Cloud Network and select the "Enable dedicated server vSwitch connection" checkbox.

You can find a more detailed tutorial here.

How many vSwitches (Robot) can I connect to my Cloud Network?

You can connect each vSwitch to only one Cloud Network and you can connect each Cloud Network to only one vSwitch.

Is it possible to connect a dedicated root server vSwitch that has assigned public IP addresses?

Unfortunately, we currently don't support connecting a vSwitch with public IP addresses assigned on Robot. We will try to support this in the future but can't promise a date yet.

How do I use Networks? Do you have any guides/tutorials?

Yes, we do! These are very helpful for getting started.

If you would like to write a tutorial about our Networks feature, please reach out to our Community Manager by writing an issue.

Which information do I have to include when I report issues with my private Network?

When reporting an issue with your private Network, please attach the following troubleshooting information to help us diagnose the problem more effectively.

  • The output of ip addr show and ip route show on the involved servers
  • An mtr between the affected servers that shows the issue you want to report (see these instructions)

If a vSwitch is coupled to your private Network and the issue involves a dedicated server, please also add this information:

  • The output of ip neigh show on the dedicated server