Network requirements
Learn the address, domain name service, and network mechanism requirements for the hybrid cloud architecture.
Concepts
- CIDR
Classless Inter-Domain Routing is a notation to represent an IPv4 address range, for example: 10.0.0.0/8. The bitmask, the number after the slash, represents the number of fixed bits in the IP address range. Higher bitmask values indicate a lower number of addresses in the range.
- Private IP ranges
IP ranges used for cloud networks and on-premise networks.
  - 10.0.0.0-10.255.255.255
  - 172.16.0.0-172.31.255.255
  - 192.168.0.0-192.168.255.255
- Overlapping and non-overlapping networks
  - Overlapping
    - 10.0.0.0/8 and 10.0.0.0/16
  - Not overlapping
    - 10.0.0.0/16 and 10.1.0.0/16
    - 10.0.0.0/8 and 172.16.0.0/16
    - 10.0.0.0/16 and 192.168.0.0/16
    - 192.0.2.128/28 and 192.0.2.144/28
- DNS (Domain Name System)
A hierarchical, distributed naming system used to translate human-readable domain names into IP addresses. DNS enables resources in cloud and on-premise networks to communicate using stable, memorable names instead of numerical IP addresses. DNS resolution can occur through public resolvers, private/internal DNS servers, or a hybrid approach where conditional forwarding rules direct specific domains to their correct authoritative resolver. Consistent DNS configuration across cloud and on-premise networks is essential to ensure service discovery, Kerberos authentication, and cross-environment workload communication.
- Direct Connect / Dedicated Interconnect + Site-to-Site VPN
Mechanisms used to establish secure, private connectivity between on-premise data centers and cloud networks. A Direct Connect (or equivalent dedicated interconnect service) provides a high-bandwidth, low-latency physical link that bypasses the public internet. A Site-to-Site VPN creates an encrypted IPsec tunnel over the internet to connect the on-premise network to the cloud virtual network. These two connectivity options are often used together, with the VPN serving as a failover path when the dedicated link becomes unavailable. When configuring hybrid connectivity, all participating networks must use non-overlapping CIDR ranges, and routing must be set up so on-premise subnets and cloud subnets can reach each other consistently.
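The CIDR overlap rule above, and the no-overlapping-CIDRs requirement in the next section, can be checked mechanically before any peering is configured. The following is an added example, not part of this documentation: it uses Python's standard ipaddress module to test the page's own example pairs, to confirm that each planned network falls inside one of the private ranges listed above, and to flag any pair of networks in a hybrid plan that overlaps. The network names in the sample plan are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# The three private ranges listed on the page, written as CIDR blocks.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0-10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0-172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0-192.168.255.255
]


def address_count(cidr):
    """Number of addresses in a CIDR block: a higher bitmask means fewer addresses."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def cidrs_overlap(a, b):
    """True if the two CIDR blocks share at least one address."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False)
    )


def is_private(cidr):
    """True if the block lies entirely inside one of the private ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(rng) for rng in PRIVATE_RANGES)


def check_hybrid_plan(networks):
    """Validate a plan given as {name: cidr}.

    Returns a list of findings; an empty list means every network is private
    and no two networks overlap, which is what peering without NAT requires.
    """
    findings = []
    for name, cidr in networks.items():
        if not is_private(cidr):
            findings.append(f"{name} {cidr} is not inside a private IP range")
    for (n1, c1), (n2, c2) in combinations(networks.items(), 2):
        if cidrs_overlap(c1, c2):
            findings.append(f"{n1} {c1} overlaps {n2} {c2}")
    return findings


if __name__ == "__main__":
    # Constructed sample plan: an on-premise data center and one cloud VPC.
    plan = {"on-prem-dc": "10.0.0.0/16", "cloud-vpc": "10.1.0.0/16"}
    print(check_hybrid_plan(plan) or "plan passes: private and non-overlapping")
```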
Requirements
- The on-premise network and the public cloud network must be peered.
- No overlapping CIDRs between the on-premise network and the public cloud network.
- Fully connected routing between the on-premise network and the public cloud network, with bidirectional reachability on the required ports.
- A high-bandwidth, low-latency connection between the public cloud network and the on-premise network, to transfer the data required for cloud bursting.
- No network address translation between the on-premise network and the public cloud network.
- Firewalls are permitted and supported, but they must allow the communication channels detailed in Security policies and firewall rules.
- Egress connectivity must be enabled on both the on-premise data lake and on the public cloud FreeIPA instance.
- For outbound destinations regarding the on-premise network, please refer to our documentation:
- If AWS is the provider, refer to AWS outbound network access destinations
- If Google Cloud is the provider, refer to GCP outbound network access destinations
- If Microsoft Azure is the provider, refer to Azure outbound network access destinations
- For outbound destinations regarding the public cloud network, please refer to Outbound network access destinations for Cluster Connectivity Manager v2 in our documentation.
