---
title: "Securing your OVHcloud infrastructure with Stormshield Network Security"
description: "Find out how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud"
url: https://docs.ovhcloud.com/en/guides/public-cloud/network-services/stormshield-vrack
lang: en
lastUpdated: 2025-05-29
---
# Securing your OVHcloud infrastructure with Stormshield Network Security
## Objective
In today's rapidly evolving digital landscape, securing cloud infrastructures has become a top priority for organizations of all sizes. As businesses increasingly rely on cloud solutions for their operations, ensuring the protection of sensitive data and maintaining network integrity are critical tasks. Stormshield SNS EVA (Stormshield Elastic Virtual Appliance) is a comprehensive security solution designed to protect cloud environments from a wide range of threats.
This guide provides step-by-step instructions for deploying and configuring SNS EVA on the OVHcloud Public Cloud with vRack and public IP routing, covering key features such as network firewalls, IPSec VPNs, and SSL/TLS VPNs. By following this guide, you will enhance the security of your OVHcloud Public Cloud infrastructure and ensure safe and secure operations.
**This guide explains how to secure your OVHcloud infrastructure with Stormshield Network Security deployed on Public Cloud.**
:::warning
This guide will show you how to use one or more OVHcloud solutions with external tools, and will describe the actions to be carried out in a specific context. You may need to adapt the instructions according to your situation.
If you encounter any difficulties performing these actions, please contact a [specialist service provider](https://partner.ovhcloud.com/en-gb/directory/) and/or discuss the issue with our community. You can find more information in the [Go further](#gofurther) section of this guide.
:::
## Requirements
- A [Public Cloud project](/en/guides/public-cloud/cross-functional/create-a-public-cloud-project.md) in your OVHcloud account
- An [OpenStack user](/en/guides/public-cloud/cross-functional/create-and-delete-a-user.md) (optional)
- Basic networking knowledge
- A Stormshield account on the [Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm)
- Ensure that the vRack is enabled and configured to allow secure communication between the components of the infrastructure.
- An [Additional IP block](https://www.ovhcloud.com/en-gb/network/additional-ip/) (/29) for ensuring network failover and high availability setup.
- Stormshield Elastic Virtual Appliance licence BYOL (**B**ring **Y**our **O**wn **L**icence), obtained through [third-party partners or resellers](https://www.stormshield.com/partner/partner-finder/), as you will need to provide it during the installation and configuration process.
***
### OVHcloud Control Panel Access
- **Direct link:** Public Cloud Projects
- **Navigation path:** Public Cloud > Select your project
***
## Instructions
In addition to the installation and configuration of Stormshield Network Security, this tutorial offers different use cases based on your needs:
- [Install and configure Stormshield Network Security on your Public Cloud environment](#step1)
- [Use case 1: configure Stormshield Network Security to be used as a gateway](#step2)
- [Use case 2: configure a NAT to access a private HTTP service from outside](#step3)
- [Use case 3: IPsec tunnel (site-to-site)](#step4)
- [Use case 4: SSL/TLS VPN (client-to-site)](#step5)
### Install and configure Stormshield Network Security on your Public Cloud environment [](#)
:::info
In this tutorial, the installation and configuration of Stormshield SNS EVA is done primarily via the command line. Open a terminal to execute the instructions.
Please note that all sections related to « High Availability » or « stormshield-2 » are optional as well as using vRack network with Additional IP. They are included to demonstrate how to set up the system with two instances in an active/passive mode for high availability. In a minimal version, it can also work with just one instance if that is sufficient for your needs.
:::
:::info
In this scenario, we will use a two virtual machines setup for the security appliance to achieve High Availability (HA), and an additional VM for management. This setup ensures failover protection and continuous service availability. For more examples and detailed guidance on scalability options, please refer to the [Stormshield documentation](https://documentation.stormshield.eu/HOME/Content/Website_Topics/Root-HomePage-EN.htm).
:::
#### Configure your vRack
In this step, we are configuring the vRack, a private virtual network provided by OVHcloud. The vRack allows you to interconnect multiple instances or servers within a Public Cloud environment, ensuring network isolation while maintaining secure communication. By adding your Public Cloud project and your Additional IP block to the same vRack, you can enable your SNS EVA instances to communicate securely, while keeping full control over IP address management. Private vRack network also allows you to secure Baremetal Cloud servers or Private Cloud VMs with security appliances deployed on top of Public Cloud.
**Add your Public Cloud project and your Additional IP block to the same vRack.**
For example purposes in this guide, the IP block is `147.135.161.152/29`
.
We use the first usable IP `147.135.161.153`
for the first SNS EVA instance and temporarily use the second usable IP `147.135.161.154`
for the second SNS EVA instance.
The gateway address is `147.135.161.158`
.
Please refer to the guide [Configuring an IP block in a vRack](/en/guides/bare-metal-cloud/dedicated-servers/configuring-an-ip-block-in-a-vrack.md) for more information.
Below is the architecture that we are going to set up.
#### Configure OpenStack networking
Create the private network for the SNS EVA external interfaces:
```bash
openstack network create --provider-network-type vrack --provider-segment 0 --disable-port-security stormshield-ext
```
```bash
openstack subnet create --network stormshield-ext --subnet-range 192.168.1.0/29 --dhcp stormshield-ext
```
Create the private network for the SNS EVA internal interfaces:
```bash
openstack network create --provider-network-type vrack --provider-segment 200 --disable-port-security stormshield-vlan200
```
```bash
openstack subnet create --network stormshield-vlan200 --subnet-range 10.200.0.0/16 --dhcp --dns-nameserver stormshield-vlan200
```
Create the private network for the SNS EVA HA (**H**igh **A**vailability) interfaces:
```bash
openstack network create --provider-network-type vrack --provider-segment 199 --disable-port-security stormshield-ha
```
```bash
openstack subnet create --network stormshield-ha --subnet-range 192.168.2.0/29 --dhcp --gateway none stormshield-ha
```
#### Deploy the SNS EVA instances
Go to the `download` section of the [official Stormshield website](https://documentation.stormshield.eu/SNS/v4/en/Content/PAYG_Deployment_Guide/Downloading_installation_file.htm). Log in to your Stormshield account and follow the instructions to download the Stormshield OpenStack image.
Go to the folder where you have downloaded your SNS EVA Openstack image and upload the image (in this tutorial, we use the image `utm-SNS-EVA-4.8.3-openstack.qcow2`):
```bash
openstack image create --disk-format raw --container-format bare --file ./utm-SNS-EVA-4.8.3-openstack.qcow2 stormshield-SNS-EVA-4.8.3
```
Create the SNS EVA instances (in this example, we called them `stormshield-1` and `stormshield-2`):
```bash
openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.8.3 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-1
```
```bash
openstack server create --flavor b3-32 --image stormshield-SNS-EVA-4.8.3 --network stormshield-ext --network stormshield-vlan200 --network stormshield-ha stormshield-2
```
:::info
For performance reasons we suggest using listed VM flavors for given SNS EVA licence types:
- EVA1: B3-8 / B3-16
- EVA2: B3-16 / B3-32
- EVA3: B3-32 / B3-64
- EVA4: B3-64 / B3-128
- EVAU: B3-128 / B3-256
:::
#### Configure the SNS EVA instances
In the `Public Cloud
` section, select your project. In the left menu, click on `Instances
` under the **Compute**
tab, then find your two SNS EVA instances.
Access the VNC console for both SNS EVA instances and configure the keyboard layout and the password.
Configure the default gateway on the first SNS EVA with our IP block gateway:
```console
vi /usr/Firewall/ConfigFiles/object
[Host]
Firewall_out_router=147.135.161.158,resolve=static
...
```
Configure the external network interface on the first SNS EVA instance with the first usable IP address of our IP block and the internal network interface with the `10.200.0.1` IP address:
```console
vi /usr/Firewall/ConfigFiles/network
...
[ethernet0]
...
Address=147.135.161.153
Mask=255.255.255.248
[ethernet1]
...
Address=10.200.0.1
Mask=255.255.0.0
...
```
Apply the new network configuration:
```bash
ennetwork
```
Do the same configuration for the second SNS EVA instance but with the second IP address `147.135.161.154` of our IP block for the external interface instead of `147.135.161.153`.
Add a different licence on both SNS EVA instances by following the [official documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Installation_and_first_time_configuration/Firewall_license_installation.htm).
Create a firewall rule similar to this on both SNS EVA intances in the web GUI:
On the first SNS EVA instance, create a group of firewalls (`Configuration` > `System` > `High Availability`). For the IP address, check which IP was assigned to the HA interface by the OpenStack DHCP.
When the configuration of the HA is finished on the first SNS EVA, join the group of firewalls on the second one:
The second SNS EVA external interface will now use the same IP address as the first SNS EVA. Therefore the `147.135.161.154` IP address can be used for something else now.
If everything is configured properly, after the reboot of the second SNS EVA, you should see something similar to this in the Health Indicators of the HA Link:
#### Configure and secure the SNS EVA management
**Step 1**
Get your public IP:
```console
curl ipinfo.io/ip
```
**Step 2**
Create a host object for your public IP:
**Step 3**
Restrict access to the GUI to your public IP and enable SSH:
**Step 4**
Restrict SSH access to your public IP:
#### Re-synchronize the HA configuration
The synchronization between the two SNS EVA instances is crucial to ensure that both firewalls are always up to date with the same configuration. This can be done through the SSH command line or directly via the graphical user interface (GUI).
:::info
For this example, we use the SSH command line solution. If you prefer to use the GUI for synchronization, refer to the « High Availability screen » section in the [Stormshield SNS EVA documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/High_Availability/High_availability_screen.htm) for detailed steps.
:::
At this point, the two SNS EVA instances should not be in sync anymore as we configured a large number of parameters on the first instance that the second is not aware of.
Log in to the active SNS EVA instance using SSH:
```bash
ssh admin@
```
Synchronize the two SNS EVA:
```bash
hasync
```
You need to do this each time you update the configuration.
### Use cases configuration
After deploying SNS Elastic Virtual Appliance firewall, it can be used in multiple advanced security scenarios such as IPsec VPN, SSL/TLS VPN, network gateways (IN or OUT) as described below.
Thanks to the vRack private network, listed VLANs can also be used outside the Public Cloud environment: across Bare Metal or Private Cloud products.
#### Use case 1: Configure Stormshield Network Security to be used as a gateway [](#)
In this example, the virtual firewall will act as a secure gateway for private instances (or any other server) within the VLAN200 of the given vRack network. Such traffic can be a subject for URL filtering on the firewall.
- Create a network object for the VLAN200 by following this [part of the official Stormshield documentation](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm).
- [Create a new filter rule](https://documentation.stormshield.com/SNS/v4/en/Content/HowTo_-_IPSec_VPN_-_Authentication_by_certificate/Setup-Main-Site-30-Creating-Filtering-policy.htm) similar to this one to allow the traffic coming from VLAN200 to go out:
- [Create a NAT rule](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/Filtering_and_NAT/NAT_tab.htm) similar to this one:
Synchronize the two HA SNS EVA instances:
```bash
ssh admin@
hasync
```
##### Verify if an instance can reach the Internet from VLAN200
[Import your SSH public key](https://docs.openstack.org/python-openstackclient/pike/cli/command-objects/keypair.html):
```bash
openstack keypair create --public-key ~/.ssh/id_rsa.pub
```
Create an instance on VLAN200:
```bash
openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network stormshield-vlan200 --key-name ubuntu-webserver
```
Log-in via SSH to the SNS EVA instance:
```bash
ssh -A admin@
```
From the SNS EVA instance, log-in via SSH to the Ubuntu webserver. Check which IP was assigned to your Ubuntu webserver instance by the OpenStack DHCP:
```bash
ssh ubuntu@
```
Test if you can reach a public website:
```bash
curl -I https://www.ovh.com/manager/
HTTP/2 200
```
#### Use case 2: Configure a NAT to access a private HTTP service from the outside [](#)
In this example, the Internet should be able to reach the private web server installed in VLAN200. The aim of this configuration is to protect the web server with a network firewall.
**Step 1**
Install Nginx on the ubuntu-webserver instance:
```bash
sudo apt-get update
sudo apt-get install -y nginx
```
**Step 2**
Create a host object for the ubuntu-webserver:
**Step 3**
Create a NAT rule like this one:
**Step 4**
Create a filter rule like this one:
Test to access the website from outside:
```bash
curl -I http://
HTTP/1.1 200 OK
```
Synchronize the two HA SNS EVA instances:
```bash
ssh admin@
hasync
```
#### Use case 3: IPsec tunnel (site-to-site) [](#)
In this example, IPsec tunnel is configured to interconnect two different PCI regions: SBG7 (network VLAN200) and GRA11 (network VLAN201), but any of these sites could be a remote site such as an office or datacentre.
Re-do all the steps in another region using the VLAN 201 instead of the VLAN 200 and different IP ranges for the stormshield-ext and stormshield-ha subnet.
##### **Configure the first site**
- [Add a host object](https://documentation.stormshield.eu/SNS/v4/en/Content/Stormshield_Network_SSO_Agent_Linux/Configure_Firewall_Objects.htm) for the remote SNS EVA and add a network object for the VLAN201 remote private network.
- [Create a standard site-to-site tunnel](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/IPSec_VPN/Encryption_policy-Tunnels_tab-Site_to_Site-Creating.htm).
**Step 1**
Add the local and the remote private network:
**Step 2**
Create the remote gateway:
**Step 3**
Choose a pre-shared key:
**Step 4**
Create and activate the tunnel:
**Step 5**
Add a filter rule like this one to allow traffic through the tunnel:
Synchronize the two HA SNS EVA instances:
```bash
ssh admin@
hasync
```
##### **Configure the second site**
Do exactly the same as for the first site, but use VLAN200 for the remote private network and the appropriate IP address for the OVH\_REMOTE\_FW.
##### **Test the IPsec VPN tunnel**
From the first site private webserver instance:
```console
ssh -A admin@
ssh ubuntu@
ping
PING () 56(84) bytes of data.
64 bytes from : icmp_seq=1 ttl=64 time=15.2 ms
64 bytes from : icmp_seq=2 ttl=64 time=14.0 ms
```
From the second site private webserver instance:
```console
ssh -A admin@
ssh ubuntu@
ping
PING () 56(84) bytes of data.
64 bytes from : icmp_seq=2 ttl=64 time=16.9 ms
64 bytes from : icmp_seq=3 ttl=64 time=16.4 ms
```
#### Use case 4: SSL/TLS VPN (client-to-site) [](#)
In this example, a remote OpenVPN client will connect to the private network inside VLAN200.
##### **Configuring the LDAP directory**
- [Create an internal LDAP directory](https://documentation.stormshield.eu/SNS/v4/en/Content/User_Configuration_Manual_SNS_v4/Directory_configuration/Creating_an_internal_LDAP.htm) to manage the VPN users.
In a production scenario, this LDAP/AD should be remote and not local.
- Create the user directory:
- Add a user to our local directory:
- Choose a password for the new user:
##### **Configuring VPN network objects**
Create two network objects for the SSL VPN client.
UDP client network:
TCP client network:
##### **SSL VPN server configuration**
Configure the SSL VPN server:
##### **Managing user permissions**
Add permission to your user to use the SSL VPN server (`Configuration` > `Users` > `Access privileges` > `Detailed Access` > `Add`)
Search your user:
Allow SSL VPN:
##### **Configuring filter rules**
Add a filter rule like this one to let VPN client access the VLAN200:
##### **Synchronization of SNS EVA instances**
Synchronize the two HA SNS EVA instances:
```bash
ssh admin@
hasync
```
##### **Test the SSL/TLS VPN**
:::info
To test SSL/TLS connectivity, you can use any device with OpenVPN installed. This example includes testing an OpenVPN client on top of an OpenStack instance in another region.
In this example, we use the OpenVPN client, but you can also use the [Stormshield packaged version](https://vpn.stormshield.eu/).
:::
Download the VPN configuration file (`Configuration` > `VPN` > `SSL VPN` > `Advanced configuration` > `Export the configuration file`).
Create a public OpenVPN client instance in the region of your choice:
```bash
openstack server create --flavor b2-7 --image "Ubuntu 22.04" --network Ext-Net --key-name sguyenne ubuntu-vpn-client
```
Check the IP assigned to the instance and copy the configuration file to it:
```bash
scp ~/Download/openvpn_mobile_client.ovpn ubuntu@:~
```
Connect to the instance:
```bash
ssh ubuntu@
```
Install the OpenVPN client:
```bash
sudo apt-get update
sudo apt-get install -y openvpn
```
Connect to the VPN:
```bash
sudo openvpn --config openvpn_mobile_client.ovpn
Enter Auth Username: address@stormshield.ovh
🔐 Enter Auth Password: ******************
```
Test to ping the webserver private instance:
```console
ssh ubuntu@
ping
PING () 56(84) bytes of data.
64 bytes from : icmp_seq=1 ttl=64 time=14.1 ms
64 bytes from : icmp_seq=2 ttl=64 time=13.1 ms
```
## Go further [](#)
If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](https://www.ovhcloud.com/en-gb/professional-services/) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project.
Join our [community of users](https://community.ovhcloud.com/).