
Cloud Network Use Cases

Stanford.EDU domain name, service provider manages DNS

For a cloud-provisioned service when a <host>.Stanford.EDU domain name is desired but the service provider manages DNS for its applications:

  • Open a Network Device Database (NetDB) request to register the <host>.stanford.edu name.
  • Services may be registered using either IP addresses or domain names.
  • For web-based services, the service provider must configure systems to accept <host>.Stanford.EDU URLs.

Stanford.EDU domain name, third party manages DNS

For cloud-provisioned services when a <subdomain>.Stanford.EDU domain name is desired and a third party will manage DNS registration for the entire <subdomain>.Stanford.EDU domain:

Non-Stanford domain name purchased from a third party Internet registry

For a non-Stanford domain name that is purchased from a third party Internet registry:

  • Use the registration service provided by the third party Internet registry where the domain was purchased to register hosts and delegate subdomains.
  • See Internet Domain Name Registration Guidelines for additional information.

Cloud service where site-to-site encryption or VPN is required

For a cloud service when ISO or the cloud service provider requires site-to-site encryption or a virtual private network (VPN) between Stanford University and the service:

  • Open a Network Firewall General Request to request site-to-site VPN services.
  • Through a VPN tunnel, systems at Stanford University can only communicate with systems using globally unique public Internet addresses or Stanford University allocated private Internet addresses. Stanford University will not allocate public Internet addresses for use by cloud services.

Cloud service using private Internet addresses

For cloud services using private Internet addresses:

  • Systems at Stanford University can communicate with Stanford University allocated private Internet addresses through the VPN service.
  • Open a Network Firewall General Request to request site-to-site VPN services.
  • Systems at Stanford University cannot communicate with third party allocated private Internet addresses (even through a VPN tunnel). Third party provisioned services must be configured to use either globally unique public Internet addresses or Stanford University allocated private Internet addresses through the VPN service.
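
The addressing rule stated in this section and in the site-to-site VPN section above can be checked against a provider's address plan before the VPN request is opened. The Python below is an added example, not a Stanford tool: the function names are hypothetical, the allocated range 10.200.0.0/24 is a constructed placeholder, and treating IPv6 unique local addresses as private is an assumption.

```python
import ipaddress

# Private address space: RFC 1918, plus IPv6 unique local (an assumption;
# the page speaks only of "private Internet addresses").
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Assumption: constructed placeholder for the private range Stanford
# University allocated to this service; the page does not list any.
STANFORD_ALLOCATED = [ipaddress.ip_network("10.200.0.0/24")]


def _within(net, ranges):
    """True if net lies entirely inside one of the ranges."""
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def _overlaps(net, ranges):
    """True if net shares at least one address with any of the ranges."""
    return any(net.version == r.version and net.overlaps(r) for r in ranges)


def classify(cidr, allocated=STANFORD_ALLOCATED):
    """Classify a cloud-side address or CIDR block for VPN reachability."""
    net = ipaddress.ip_network(cidr, strict=False)
    if _within(net, allocated):
        return "stanford-private"     # reachable through the VPN service
    if _overlaps(net, PRIVATE):
        # Includes blocks that only partly fall in private space, or that
        # extend beyond the Stanford allocation.
        return "third-party-private"  # not reachable, even through a tunnel
    return "public"                   # no private overlap; other special ranges not checked


def blockers(cidrs, allocated=STANFORD_ALLOCATED):
    """Return the blocks that must be renumbered before the VPN is requested."""
    return [c for c in cidrs if classify(c, allocated) == "third-party-private"]


# Constructed sample address plan for a cloud service.
SAMPLE_PLAN = ["10.200.0.17", "172.31.5.0/24", "203.0.113.0/24",
               "10.200.0.0/16", "fd12:3456::/48"]

if __name__ == "__main__":
    for block in SAMPLE_PLAN:
        print(f"{block:18} {classify(block)}")
```

Any block returned by `blockers` has to be moved to public or Stanford-allocated private addressing, since the tunnel will not carry it.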

Cloud services using public Internet addresses

For cloud services using public Internet addresses with connections initiated by Stanford University systems:

  • For systems located at Stanford University using private Internet addresses:
    • Validate that the network is configured to translate the private addresses by entering the private address in the Network Address Translation (NAT) tool.
    • If the network is not configured to translate the private address:
      • Open a Firewall Service Request to request that NAT be enabled.
      • Note in the request if the cloud service requires address ranges specific to the service (Firewall NAT) or address ranges that can include anyone at Stanford University (CGNAT).
    • Validate the existence of firewall policies to allow connections by using the Host to Host firewall policy tool.
      • If the cloud service uses non-static Internet addresses, look for the FQDN or “any” in the destination address fields in the outbound policies displayed.
    • If there is no firewall policy allowing the connections:
      • If the cloud service uses non-static public Internet addresses:
        • Validate the existence of the fully qualified domain name (FQDN) object on the firewalls by searching for it using the FQDN object search tool.
        • If the FQDN object is not found, open a Firewall Service Request to create the FQDN object.
      • Open a Firewall Service Request to request the creation of the policy:
        • If the cloud service uses static public Internet addresses: Use the service’s Internet addresses in the destination address fields.
        • If the cloud service uses non-static public Internet addresses: Select the service’s FQDN from the destination address predefined address pull-down in the create policy dialog.
      • Some Stanford University departments with restrictive outbound firewall policies use departmentally administered proxy servers to provide connectivity to external services. Check with departmental resources if this is the case.

Cloud services using public Internet addresses to reach private Stanford Internet addresses

For cloud services using public Internet addresses with connections initiated by the service to systems at Stanford University using private Internet addresses:

  • Systems at Stanford University using private Internet addresses must be reconfigured to use Stanford University public Internet addresses (even when connections are through a VPN tunnel).
  • If the cloud service can be configured using IPv6 addresses, it may be advantageous to configure the systems at Stanford University to use IPv6 addresses in addition to the existing IPv4 private addresses rather than reconfiguring the systems’ IPv4 addresses. 
  • IPv4/IPv6 Internet address provisioning for Stanford University networks is requested by opening a Firewall Service Request.

Cloud services using public Internet addresses to reach public Internet addresses behind a Stanford firewall

For cloud services using public Internet addresses with connections initiated by the service to systems at Stanford University using public Internet addresses behind a Stanford University network firewall:

  • If the cloud service is configured to use non-static public Internet addresses:
    • Validate the existence of the fully qualified domain name (FQDN) object on the firewalls by searching for it using the FQDN object search tool.
    • If the FQDN object is not found, open a Firewall Service Request to create the FQDN object.
  • Validate the existence of firewall policies to allow connections by using the Host to Host firewall policy tool. If the cloud service uses non-static Internet addresses, look for the FQDN in the source address fields.
  • If there is no firewall policy to allow the connections, open a Firewall Service Request to create a policy:
    • If the cloud service uses static public Internet addresses:
      • Use the service’s Internet addresses in the source address fields.
    • If the cloud service uses non-static public Internet addresses:
      • Select the service’s FQDN from the source address predefined address pull-down in the create policy dialog.

Last modified September 6, 2018