Skip to content Skip to site navigation

Networking in the Cloud

Policies and Best Practices

Policies:

We will not extend Stanford’s public IP space into the cloud. The historic and Redwood City campus spaces will stay as they are.

VPCs/VNets that require on-premises connectivity via Cloud Gateway or Site-to-Site (S2S) VPN will be required to use an assigned private IP space dedicated for that Cloud Service Provider (CSP) environment. If it’s an existing VPC/VNet, then all nodes that require connectivity to the campus must have their private IP address renumbered.

Any servers on campus that need to receive connections from off-campus will require public IPs.

Best Practices:

  • Don’t use VPN when you can use native encryption and strong authentication. VPN should be used only when the native application transport is not secure OR when there isn’t any other way to connect.
  • Register NetDB nodes for the hosts residing in the cloud.
  • Do not use VPN when you can use native encryption and strong authentication. VPN should be used only when the native application transport is not secure OR when there isn’t any other way to connect.
  • Do use VPN when you need connectivity between cloud and on-premises resources residing in the private IP space.
  • Do not set up an application in such a way that it must be single-path. Network connectivity should not be designed to be a single path. Design an application to have as much resiliency as possible.
  • Do not build any dependencies to an on-campus service for any cloud apps.
  • Applications should use DNS resolution names when possible.

Diverse High Bandwidth Connectivity to the Cloud

Stanford University maintains a high bandwidth, direct connection with a commercial Internet provider and multiple high bandwidth, direct connections with the California Research and Education Network (CalREN) to provide diverse routing for cloud service providers. Our providers have established high bandwidth connectivity to cloud service providers as well as to other Internet Service Providers that generally have established high bandwidth connectivity to cloud service providers within their Internet region.

See Network Information for IT Providers for additional information.

Cloud Gateway

The Cloud Gateway service provides a private Stanford IP address to UIT-supported cloud providers, thereby extending the Stanford network to the cloud. Currently, the service is available for clients of Cloud Account Management Services Amazon Web Services, with plans to extend the service to both Google Cloud Platform and Azure.

See Cloud Gateway service page for additional information.

Site-to-Site VPN

Bidirectional connectivity is provided through encrypted tunnels between Stanford University’s Enterprise Public VPN service and Cloud Service Provider (CSPs) VPN gateways or Cloud Gateway. Traffic through the tunnel is allowed between hosts at Stanford University and hosts at remote locations that are configured with globally unique, non-Stanford University public Internet addresses or Stanford University assigned RFC 1918 addresses not already in use on campus.

Site to site VPN connectivity is provisioned on a per request basis.

See EVPN (Enterprise VPN) for additional information.

Domain Name Services (DNS)

DNS is the network service that maps Internet domain names to numerical Internet addresses. For example, a machine looking for name.stanford.edu would request name.stanford.edu’s Internet address from a DNS server. The DNS server would return the Internet address associated with the domain name.

DNS queries will return Internet addresses in random order when a DNS registration has multiple addresses assigned.

DNS registrations can have associated alias names. For example, name.stanford.edu can have an alias of myname.stanford.edu where DNS queries for myname.stanford.edu will return name.stanford.edu’s Internet address. As another example, Stanford University’s domain registry can contain a record for service.cloudprovider.com that has an alias of myname.stanford.edu. DNS queries for myname.stanford.edu would return service.cloudprovider.com’s Internet address. Simple reverse DNS queries for addresses associated with an alias will return the registered DNS name, not the alias name.

DNS registrations can have associated alias names. For example, name.stanford.edu can have an alias of myname.stanford.edu where DNS queries for myname.stanford.edu will return name.stanford.edu’s Internet address. As another example, Stanford University’s domain registry can contain a record for service.cloudprovider.com that has an alias of myname.stanford.edu. DNS queries for myname.stanford.edu would return service.cloudprovider.com’s Internet address. Simple reverse DNS queries for addresses associated with an alias will return the registered DNS name, not the alias name.

Stanford University DNS registration is managed with the NetDB application and is generated every 30 minutes, including the delegations.

See NetDB for additional information.

Internet Subdomain Delegation

By default, all requests for domain names ending with .stanford.edu and .stanford.org will be resolved by Stanford University’s domain name servers.

Domain names can be registered in DNS to be resolved by third party domain name servers. For example school.stanford.edu can be set to be resolved by nameserver.thirdpartydns.com. Once set, the domain name school.stanford.edu and all domain names ending with .school.stanford.edu will be resolved by nameserver.thirdpartydns.com and registration of domain names for that subdomain would be managed by the registration service provided by the third party.

Last modified January 19, 2022