Concepts

STACKIT Core Networking provides you with the fundamental building blocks to create secure, isolated, and flexible network infrastructures in the cloud. Understanding these core concepts helps you design networks that meet your security, performance, and connectivity requirements.

Core Concepts

Virtual Networks and Network Isolation

At the heart of Core Networking is the concept of Virtual Networks—software-defined networks that provide complete isolation between different projects and customers. Each Virtual Network operates independently with its own IP address space, routing tables, and security policies.

When you create a Virtual Network, you define an IP address range (CIDR block) that determines the available addresses for your resources. All resources within the same Virtual Network can communicate with each other by default, while traffic between different Virtual Networks is blocked unless explicitly configured.

This isolation ensures that:

Your network traffic remains private and secure
You have complete control over which resources can communicate
Compliance and security requirements are easier to meet

Security Groups: Network-Level Access Control

Security Groups act as virtual firewalls that control traffic at the network interface level. They define rules for both inbound (ingress) and outbound (egress) traffic based on IP addresses, ports, and protocols.

Key characteristics of Security Groups:

Stateful operation – When you allow incoming traffic, the response is automatically allowed, regardless of outbound rules
Default deny for ingress – All incoming traffic is blocked unless explicitly permitted
Default allow for egress – All outgoing traffic is permitted unless explicitly blocked
Rule-based filtering – Define precise rules based on source/destination IP, port ranges, and protocols
Reusable across resources – Apply the same Security Group to multiple network interfaces

Security Groups provide defense-in-depth by operating independently of any application-level security measures. They ensure that even if a resource is compromised, lateral movement and unauthorized access remain restricted.

Public Internet Connectivity

Core Networking offers flexible options for internet connectivity through Public IP Addresses:

Floating IP Addresses

Floating IPs are publicly routed IPv4 addresses that you can attach to specific virtual machines. They enable:

Inbound connections from the internet to your resources
Outbound connections with a consistent public IP address
Network Address Translation (NAT) that maps the public IP to your VM’s private IP
Flexibility to move the IP between different VMs as needed

Important: The Floating IP is not visible within the VM’s operating system—it exists at the network layer through NAT.

Router IP Addresses

Router IPs provide a shared outbound internet connection for all resources in a network. When you assign a Floating IP to any VM in a project, all other VMs automatically gain outbound internet access through the router’s IP using Source NAT (SNAT).

Router IPs are ideal for:

Resources that need outbound internet access but don’t require inbound connections
Cost optimization—one Floating IP enables internet access for multiple resources
Internal services that consume external APIs or updates

Network Interfaces (NICs)

Network Interfaces represent the virtual network cards that connect your compute resources to Virtual Networks. Each NIC has:

A dedicated IPv4 address from the parent network’s address range
Security settings including NIC Security and Security Groups
Allowed address lists for flexible traffic patterns
MAC address filtering to prevent IP spoofing

You can attach up to 5 NICs to a single server, enabling:

Multi-homed configurations with connections to multiple networks
Network segmentation for different traffic types (management, data, backup)
High availability setups with redundant network paths
Performance optimization by separating workload traffic

STACKIT Network Area (SNA): Inter-Project Connectivity

STACKIT Network Area extends networking beyond a single project by connecting multiple projects within your organization at the network level. Instead of isolated projects that can only communicate via the public internet, SNA creates a private transfer network that links project routers together.

Benefits of SNA:

Simplified microservices architectures across projects
Hybrid cloud enablement by providing a central connection point for on-premises networks
Enhanced security by avoiding public internet transit for inter-project communication
Automatic routing with no manual route table management required
Network-level isolation still maintained through Security Groups

SNA is particularly valuable for:

Organizations with multiple teams managing separate projects
Distributed applications that span project boundaries
Hybrid cloud scenarios requiring consistent connectivity

DNS Resolution

The DNS Resolver service provides fast and reliable domain name resolution for your cloud workloads. As a recursive resolver, it handles the entire DNS lookup process on your behalf:

Cache checking for previously resolved names (fast path)
Recursive queries through root servers, TLD servers, and authoritative name servers
Result caching to accelerate future lookups
Time-to-Live (TTL) management to ensure data freshness

The DNS Resolver operates exclusively within the STACKIT Cloud and provides consistent, low-latency resolution for both internal and external domain names.

Network Address Management

Proper IP address planning is critical for scalable and maintainable networks. Core Networking provides:

Flexible CIDR block sizing to match your requirements
Reserved addresses for system purposes (typically 2-3 per network)
Static IP assignment within network ranges
IP address portability within the same network
Overlapping address support through network isolation

Best practices for address management:

Plan for growth by choosing appropriately sized CIDR blocks
Use consistent addressing schemes across projects
Document network allocations to prevent conflicts
Consider future SNA requirements when selecting address ranges

Use Cases

Core Networking’s flexible architecture supports a wide range of deployment scenarios:

Multi-Tier Application Architectures

Build secure, scalable applications by separating components into different network tiers:

Public tier – Web servers with Floating IPs for internet access
Application tier – Business logic servers in a private network
Database tier – Data stores with the most restrictive access controls

Security Groups ensure that each tier only accepts connections from authorized sources, while Virtual Networks provide the underlying isolation.

Hybrid Cloud Connectivity

Connect your STACKIT projects to on-premises data centers using SNA as a central hub:

Establish VPN or MPLS connections to the SNA
Configure routing to make on-premises networks accessible
Apply consistent security policies across cloud and on-premises resources
Enable seamless workload migration between environments

Development, Testing, and Production Environments

Create isolated networks for different environments within your organization:

Separate projects for dev, test, staging, and production
Consistent networking with reproducible configurations
Controlled promotion of changes between environments
Cost optimization by sizing networks appropriately for each environment

Microservices and Container Platforms

Support modern, distributed architectures:

Service isolation with Virtual Networks and Security Groups
Container networking integration with Kubernetes Engine (SKE)
Service mesh compatibility for advanced traffic management
Multi-project deployments connected via SNA

Secure Bastion Host Patterns

Implement secure administrative access to your resources:

Deploy bastion hosts in a dedicated management network
Configure Security Groups to restrict SSH/RDP access
Use Floating IPs only on bastion hosts, keeping workload VMs private
Audit and log all administrative connections

High-Availability and Disaster Recovery

Design resilient architectures that withstand failures:

Distribute resources across availability zones
Configure multiple NICs for redundant network paths
Use SNA to connect primary and disaster recovery sites
Implement health checks and automatic failover mechanisms

Multi-Region Deployments

While SNA currently operates within regions, you can architect multi-region solutions:

Deploy applications in multiple STACKIT regions
Use public IPs for cross-region communication (private connectivity planned)
Implement global load balancing for optimal user experience
Design for region-level failures with independent network infrastructure

Security and Compliance Considerations

Core Networking provides multiple layers of security:

Network isolation prevents unauthorized access by default
Security Groups implement least-privilege access controls
NIC Security prevents IP and MAC spoofing attacks
Private addressing keeps internal resources off the public internet
Audit logging tracks network changes and access patterns

These features help meet compliance requirements for:

Data protection regulations (GDPR, etc.)
Industry standards (PCI-DSS, HIPAA, etc.)
Internal security policies and best practices

Performance Optimization

Maximize network performance with:

Low-latency connections within the same region
DNS caching for faster name resolution
Multiple NICs for traffic separation and bandwidth optimization
Security Group rule optimization to minimize processing overhead
Appropriate network sizing to avoid address exhaustion

Next Steps

Now that you understand Core Networking concepts, explore:

Core Networking Architecture to see how components work together
Virtual Network basics for detailed network configuration
Public IP Address concepts to enable internet connectivity
STACKIT Network Area basics for multi-project networking