Every Snap Labs environment will have at least one Subnet (apart form the AdminBox subnet) which lab Systems can be launched into. You can also add new subnets, modify the security rules for existing subnets, and delete existing subnets.
This provides a ton of flexibility when it comes to the networking setup of your lab environments.
Existing Template Networking
Be careful when modifying the networking rules for existing lab templates! Systems and software may be configured which rely on the current networking rules. These may break if changes are applied.
Subnet information can be found for each lab under the Settings page within the Subnets tab. At a glance you can see your lab subnets, their network ranges, and how many network interfaces reside in each.
To add a Subnet to your lab, select the + Subnets button. Provide a Name, Description, and Network Range for the subnet. The Network Range provided must be valid CIDR format, reside within your lab's overall network range, and not conflict with any existing subnets.
You can modify the security rules of the subnet before or after it's created.
Security Rules control what network traffic can flow into, and out of, the subnet. These security rules are specific to Snap Labs/AWS and don't necessarily align with standard firewall or Network ACL behavior. For more details on Security rule specifics, red the AWS User Guide on the topic.
VPN Client IP vs AdminBox IP
- AdminBox Interfaces vs. VPN Client IPs: There are two IP addresses associated with VPN connections. VPN Client IPs (e.g. 10.9.253.0/24 and 10.9.254.0/24) and AdminBox Interfaces (e.g. 10.10.255.244 and 10.10.0.4). These IPs may vary depending on the lab network range.
- Security Group Evaluation: For security group evaluation, AWS uses the AdminBox Interface for traffic within the same subnet (e.g. 10.10.0.X -> 10.10.0.X). For traffic between subnets, AWS uses the VPN Client IPs (e.g. 10.10.0.X -> 10.10.255.X).
These are important distinctions for creating inbound and outbound security rules that behave as you expect, so please bear them in mind while you design your lab!
To create or modify a rule, you'll need to select the following:
- Port Range
- Source/Destination CIDR
- Description (Optional)
Below is a sample set of inbound and outbound security rules.
To delete a subnet, it must not contain any Network Interfaces. Before deleting a subnet, first delete any secondary network interfaces associated with it, or delete the system itself for primary interfaces.
Once you've removed any associated interfaces you can delete the subnet by selecting the delete icon.
Updated about 1 year ago