Intro to Metal Gateway

Introduction to Equinix Metal Gateway

Equinix Metal Gateway provides a Layer 3 router to connect your Equinix Metal Layer 2 VLAN to other networks, whether the Equinix Metal network, the Internet, or other remote locations.

In this guide, you will learn about the differences between Layer 2 and Layer 3 connectivity, the advantages and disadvantages of each, and see how to set up a Metal Gateway to bridge the gap between the two types of networks.

Networking Modes

Let's start by reviewing the networking options for your Equinix Metal servers.

You have two primary options:

  • Layer 3, the Equinix Metal default, which allows connectivity with other networks and the Internet
  • Layer 2, or VLAN, which provides security, but is completely isolated

Layer 3

With Layer 3, each server you deploy receives a private IPv4 address from Equinix, as well as an optional public IPv4 address. All connectivity is over Layer 3. The only Layer 2 connectivity is between your server and the upstream router. They share a very small subnet with only two hosts.

Layer 3 Networking

For example, let's deploy a host with default networking. This is a single host running Ubuntu on a t3.small.x86 machine, as shown here:

Single Server Default Networking

If you log in to the host, you can see that the primary network interface, called bond0, has the following addresses, and the following routing table:

root@t3-small-x86-01:~# ip address show bond0
5: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b4:96:91:88:f6:b0 brd ff:ff:ff:ff:ff:ff
    inet 147.75.55.65/31 brd 255.255.255.255 scope global bond0
       valid_lft forever preferred_lft forever
    inet 10.1.108.129/31 brd 255.255.255.255 scope global bond0:0
       valid_lft forever preferred_lft forever
    inet6 2604:1380:a0:9600::1/127 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::b696:91ff:fe88:f6b0/64 scope link
       valid_lft forever preferred_lft forever

root@t3-small-x86-01:~# ip r
default via 147.75.55.64 dev bond0 onlink
10.0.0.0/8 via 10.1.108.128 dev bond0
10.1.108.128/31 dev bond0 proto kernel scope link src 10.1.108.129
147.75.55.64/31 dev bond0 proto kernel scope link src 147.75.55.65

The private IP address is 10.1.108.129/31, which means that it's on a /31 network with just 2 addresses. Similarly, the public IP address is 147.75.55.65/31, also on a /31 network with just 2 addresses.

The routing table shows that the default route is 147.75.55.64, and the last entry, the route to that IP, is given as 147.75.55.64/31.

In default Layer 3 networking, each server shares a subnet with just itself and its upstream router. With its private addressing, it can connect to any other Equinix Metal servers in the same project, over Layer 3, via the Equinix Metal network. Each server, if provided a public IP address, also can connect to the broader Internet using its public address.

Layer 2

In Layer 2 mode, your server receives no IP addresses, public or private, from Equinix Metal. It is placed on a VLAN shared with any other servers attached to that VLAN, if they're from the same project in the same metro.

Layer 2 Networking

Instead of creating a single host, this time we will create a VLAN first, deploy a single server, and then switch that server to Layer 2.

VLAN

Server Layer 2

VLANs give you complete control over IP addressing, and you can place all of the servers you want on a single Layer 2 VLAN. However, VLANs are fully and completely isolated. You are unable to connect them to the outside world, whether that is other VLANs at Equinix Metal, servers on default networking, outside services, VPCs at cloud providers, Equinix colocation ports, or even the broader Internet.

Most of the time, a completely isolated network isn't useful. There are several methods to connect your VLAN to the outside world, which we'll discuss next.

Connecting VLANs to the world

One option for connecting VLANs to the world is to create "router servers." Set up one or more of the servers on your VLAN in "hybrid mode," connected both to the VLAN and to Equinix Metal networking, and route your traffic via those devices. This works, but requires you to dedicate devices to routing, deploy the correct software on them, manage them, and possibly set up secure communications channels over the Internet.

A second option is to connect your VLAN directly to an Equinix Fabric Virtual Connection (VC).

VLAN to VC

Fabric VCs are direct, point-to-point, Layer 2 connections. Since your VLAN is Layer 2, and the VC is Layer 2, they can be connected directly. However, this method has limitations. First, you need to ensure that IP addresses and Ethernet addresses within the VLAN and the VC do not conflict. Second, you have no ability to work with servers on other networks or the Internet, which depend on routing at Layer 3.

Enter Metal Gateway.

Metal Gateway is a fully managed router connecting your VLAN and the external world.

When you have a VLAN, you create a Metal Gateway, and attach it to the VLAN. Equinix Metal then gives you an IP address range, public or private. You assign IP addresses in that range to servers connected to the VLAN. They can then route traffic via the Metal Gateway's assigned IP, the first one in the range, to connect to "elsewhere."

Gateway Basic
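
Before assigning addresses from a gateway range to servers on the VLAN, it helps to check the plan for mistakes that silently break routing. The following is an added example, not Equinix code: the function names, the sample range 192.0.2.0/28 and the server names are constructed, and it assumes "the first one in the range" means the first usable address.

```python
import ipaddress

def gateway_ip(cidr):
    """Return the gateway address: the first one in the range, per the guide."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    # Assumption: "first" means first usable. A /31 has no network or
    # broadcast address, so its lower address is already usable.
    return net.network_address if net.prefixlen >= 31 else net.network_address + 1

def audit_assignments(cidr, assignments):
    """Check a {server: address} plan for one VLAN; return a list of findings."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    gw = gateway_ip(cidr)
    reserved = set() if net.prefixlen >= 31 else {net.network_address, net.broadcast_address}
    findings, seen = [], {}
    for server, text in sorted(assignments.items()):
        addr = ipaddress.IPv4Address(text)
        if addr not in net:
            findings.append(f"{server}: {addr} is outside the gateway range {net}")
        elif addr == gw:
            findings.append(f"{server}: {addr} is the gateway's own address")
        elif addr in reserved:
            findings.append(f"{server}: {addr} is the network or broadcast address")
        elif addr in seen:
            findings.append(f"{server}: {addr} is already assigned to {seen[addr]}")
        else:
            seen[addr] = server
    return findings

# Constructed sample: a documentation range and made-up server names.
SAMPLE_RANGE = "192.0.2.0/28"
SAMPLE_PLAN = {
    "cache-01": "198.51.100.7",  # wrong range
    "db-01": "192.0.2.2",
    "db-02": "192.0.2.15",       # broadcast address of the /28
    "web-01": "192.0.2.2",       # duplicate of db-01
    "web-02": "192.0.2.1",       # gateway address
}

if __name__ == "__main__":
    print("gateway:", gateway_ip(SAMPLE_RANGE))
    for finding in audit_assignments(SAMPLE_RANGE, SAMPLE_PLAN):
        print("FINDING", finding)
```

The /31 branch gives the same result as the router addresses in the routing table shown earlier, where the server holds the upper address of each /31 and the router the lower one.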

The category of "elsewhere" includes a variety of destinations, depending on your needs.

Internet

When you create a Metal Gateway, if you request a public IP range, and assign addresses from that range to servers on the VLAN, those servers will be able to communicate with the Internet via the Gateway.

Gateway to Internet

Metal Servers

When you create a Metal Gateway, if you request a private IP range, and assign addresses from that range to servers on the VLAN, those servers will be able to communicate with other servers in the same project via their private IPs.

Gateway to Servers

Other VLANs

When you create a Metal Gateway, if you request a private IP range, and assign addresses from that range to servers on the VLAN, those servers will be able to communicate with other servers in the same project in other VLANs that also have a Metal Gateway with a private IP range, and have assigned addresses from their Gateway's range to servers in the remote VLAN.

Gateway to VLANs

Fabric

With a Metal Gateway, the Equinix Fabric is open to you. Unlike with directly connecting a VC to your VLAN, with Metal Gateway, you connect via routing at Layer 3, and can route to anywhere your connections lead.

You can connect an Equinix Fabric Virtual Connection to your Metal Gateway, enabling it to connect to everywhere that Fabric connects, including cloud providers like AWS or Azure, Equinix colocation ports, SaaS providers or other Equinix metros around the world.

However, while Metal Gateway provides the connection point between your VLAN and a Fabric VC, it lacks two necessary paired capabilities.

First, it does not publish routes. Your VLAN may have, for example, the IP range 10.10.0.0/16, but nothing will send traffic to that range over Fabric VCs if nothing announces over the connection, "Hey, I have 10.10.0.0/16 and am ready to serve it; send all that traffic to me."

Second, it does not listen to published routes. If your Fabric VC connects to a VLAN in Equinix colocation or a VPC in a cloud provider with the IP range 192.168.0.0/24, and even announces that range, but nothing listens for those announcements, your Gateway will have no way to know to send traffic for that range to the particular remote VPC or port.

These capabilities are provided by Virtual Routing and Forwarding (VRF). When combined with VRF, your Metal Gateway is able to provide a full Layer 3 connection to the rest of the world, while also handling routes.
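
Why publishing and listening are needed as a pair can be shown with a small model of the two ends of a Fabric VC. This is an added, simplified example and not Equinix code: the Router class and scenario function are hypothetical, default routes are not modelled, and the prefixes are the ones used in the paragraphs above.

```python
import ipaddress

class Router:
    """Toy Layer 3 router: connected prefixes plus routes learned from a peer."""
    def __init__(self, name, connected, publishes, listens):
        self.name = name
        self.connected = [ipaddress.ip_network(p) for p in connected]
        self.publishes, self.listens = publishes, listens
        self.learned = {}  # prefix -> name of the peer that announced it

    def announce_to(self, peer):
        # A prefix crosses the VC only if this side publishes AND the peer listens.
        if self.publishes and peer.listens:
            for prefix in self.connected:
                peer.learned[prefix] = self.name

    def next_hop(self, dst):
        """Longest-prefix match; None means there is no route for dst."""
        addr = ipaddress.ip_address(dst)
        matches = [(p, "connected") for p in self.connected if addr in p]
        matches += [(p, via) for p, via in self.learned.items() if addr in p]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

def scenario(gateway_publishes, gateway_listens):
    """Return True if a VLAN host and a remote host can exchange traffic."""
    gateway = Router("gateway", ["10.10.0.0/16"], gateway_publishes, gateway_listens)
    # The remote end (colocation port or cloud VPC) both announces and listens.
    remote = Router("remote", ["192.168.0.0/24"], True, True)
    gateway.announce_to(remote)
    remote.announce_to(gateway)
    forward = gateway.next_hop("192.168.0.5") == "remote"   # VLAN -> remote
    back = remote.next_hop("10.10.3.7") == "gateway"        # remote -> VLAN
    return forward and back

if __name__ == "__main__":
    for publishes, listens in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"publishes={publishes} listens={listens} -> {scenario(publishes, listens)}")
```

Only the last case, where the gateway side both publishes and listens, yields a working path in both directions.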

In our next guide, Intro to VRF, we will introduce you to VRF, that component which handles routing and forwarding.

Summary

With default Layer 3 networking, you have full access to other servers on private IP ranges in your project, as well as optionally the entire Internet.

With VLANs, that is, Layer 2 networking, servers on your VLAN are isolated from the rest of Equinix Metal and the external world.

Metal Gateway provides a managed router, enabling you to connect VLANs to the rest of the world via Layer 3: the Internet, other Equinix Metal devices, other Equinix Metal VLANs and all the connections available from Equinix Fabric.

See the next article, Intro to VRF, to see how VRF completes Gateway routing.

Last updated

13 September, 2024
