Using Layer 4 Network on VergeCloud
Introduction
The VergeCloud Layer 4 Proxy enhances security and performance for applications using TCP or UDP protocols. It is ideal for non-HTTP traffic such as email, FTP, SSH, VoIP, or gaming. By proxying connections through VergeCloud’s edge, your origin server IP is hidden—protecting it from DDoS attacks and unauthorized access.
VergeCloud provides either a dedicated IP from its own range or allows you to bring your own IP for use within VergeCloud's Anycast network. This ensures consistent global performance and robust protection for your applications.
Before You Begin
- VergeCloud must be your active DNS provider. If an NS Change warning appears, update your domain’s name servers.
- Incomplete configurations will be flagged and must be resolved before activation.
Each application must:
- Use a unique subdomain (not used by any DNS record or load balancer, since an A record will be created).
- Use a unique combination of port and IP.
Step 1: Application Settings
Subdomain
Enter a unique subdomain where the proxy will be active. This subdomain must not be used elsewhere in DNS or in load balancers.
Protocol
Select TCP or UDP. This choice cannot be changed later.
IP Selection
Choose from the list of available IPs assigned to your account. If you want to use the same port for multiple applications, you must assign different IPs to each application. To do this, purchase additional IPs. Otherwise, you can reuse the same IP with different ports.
Port
Choose a port number. It must be unique per IP address.
Proxy Protocol Support
Enable this if you want to forward the client's original IP to your backend server.
Proxy Protocol v1 (Plain Text)
PROXY TCP4 203.0.113.45 192.0.2.10 56324 22\r\n
- PROXY: Identifier
- TCP4/TCP6: Protocol and IP version (TCP over IPv4 or IPv6)
- 203.0.113.45: Client IP
- 192.0.2.10: Server IP
- 56324: Client Port
- 22: Server Port
Proxy Protocol v2 (Binary Format)
+----------------+------------------+---------------------+
| Magic (12B)    | Version & Cmd    | Protocol & Family   |
+----------------+------------------+---------------------+
| Length (2B)    | Address Info...                        |
+----------------+----------------------------------------+
| TLVs (optional)                                         |
+---------------------------------------------------------+
- Magic: 12-byte fixed prefix
- Version & Cmd: e.g., 0x21 for PROXY command
- Protocol: e.g., 0x11 for TCP over IPv4
- Address Info: Binary source/destination IPs and ports
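An added example, not VergeCloud's code or that of any server listed here: a backend-side parser for the v1 and v2 headers described above, which accepts a header only when the connecting peer is inside an allowlisted edge range. The name `parse_proxy_header` and the range `198.51.100.0/24` are assumptions, and v2 handling is narrowed to the PROXY command over IPv4 or IPv6.

```python
import ipaddress
import socket
import struct

V2_MAGIC = b"\r\n\r\n\x00\r\nQUIT\n"  # the 12-byte v2 prefix
# Assumption: placeholder range; substitute the edge ranges VergeCloud gives you.
TRUSTED_EDGE = [ipaddress.ip_network("198.51.100.0/24")]


def parse_proxy_header(data: bytes, peer_ip: str):
    """Return (client_ip, client_port, header_len); raise ValueError otherwise."""
    if not any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_EDGE):
        raise ValueError("PROXY header from a peer outside the edge ranges")
    if data.startswith(V2_MAGIC):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        end = 16 + length
        if ver_cmd != 0x21 or len(data) < end:
            raise ValueError("not a complete v2 PROXY command")
        family = fam_proto >> 4  # high nibble: 1 = IPv4, 2 = IPv6
        if family == 1 and length >= 12:
            src = socket.inet_ntop(socket.AF_INET, data[16:20])
            sport = struct.unpack("!H", data[24:26])[0]
        elif family == 2 and length >= 36:
            src = socket.inet_ntop(socket.AF_INET6, data[16:32])
            sport = struct.unpack("!H", data[48:50])[0]
        else:
            raise ValueError("unsupported v2 address family")
        return src, sport, end  # TLVs, if any, sit before `end` and are skipped
    if data.startswith(b"PROXY "):
        eol = data.find(b"\r\n", 0, 107)  # a v1 line is at most 107 bytes
        if eol == -1:
            raise ValueError("unterminated v1 header")
        parts = data[:eol].decode("ascii").split(" ")
        if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
            raise ValueError("malformed v1 header")
        src, sport = str(ipaddress.ip_address(parts[2])), int(parts[4])
        if not 0 < sport <= 65535:
            raise ValueError("client port out of range")
        return src, sport, eol + 2
    raise ValueError("no PROXY header on a proxied listener")


# Constructed samples: the page's v1 line, and the same addresses encoded as v2.
SAMPLE_V1 = b"PROXY TCP4 203.0.113.45 192.0.2.10 56324 22\r\nSSH-2.0-client\r\n"
SAMPLE_V2 = (V2_MAGIC + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + socket.inet_aton("203.0.113.45") + socket.inet_aton("192.0.2.10")
             + struct.pack("!HH", 56324, 22) + b"SSH-2.0-client\r\n")
```

The header travels in-band, so an origin that accepts it from any peer lets that peer choose the client IP written to its logs; that is why the peer check runs before any parsing. Call it as `parse_proxy_header(SAMPLE_V1, "198.51.100.7")` and hand the bytes after `header_len` to the application.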
Supported Webservers:
- Nginx: v1
- HAProxy: v1 & v2
- Envoy: v1 & v2
- Traefik: v1 & v2
- Apache (with mod_proxy_protocol): v1
Step 2: Load Balancing Settings
Add your origin IP addresses and choose how to distribute traffic.
Methods:
- Round Robin: Equal distribution.
- Weighted Round Robin: Adjust traffic share based on weight.
- Source: Uses client IP hashing to route to the same server.
- Least Connection: Chooses server with the fewest connections.
Weight Field Behavior:
- Weighted Round Robin: Direct ratio of traffic.
- Source / Least Connection: Weight influences routing/stickiness.
Example:
192.0.2.10 (weight: 5)
192.0.2.11 (weight: 1)
Server at 192.0.2.10 receives 5x more traffic.
Step 3: Monitoring Settings
Configure VergeCloud to automatically check server health.
- Repetition Interval: Time between checks (e.g., 15s).
- Number of Tolerable Errors: Failures allowed before disabling a server.
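An added illustration of how the Step 2 methods and the Step 3 error threshold interact, using the page's weights of 5 and 1; it is not VergeCloud's implementation. The class `OriginPool`, the smooth weighted round-robin variant, the SHA-256 source hash and the choice to count failures consecutively are all assumptions.

```python
import hashlib


class OriginPool:
    """Weighted origins plus a tolerable-error health threshold."""

    def __init__(self, weights, tolerable_errors):
        self.weights = dict(weights)  # origin IP -> weight
        self.credit = dict.fromkeys(self.weights, 0)
        self.errors = dict.fromkeys(self.weights, 0)
        self.tolerable_errors = tolerable_errors

    def report(self, origin, ok):
        # Assumption: failures are counted consecutively; one success resets.
        self.errors[origin] = 0 if ok else self.errors[origin] + 1

    def healthy(self):
        return [o for o in self.weights
                if self.errors[o] <= self.tolerable_errors]

    def weighted_round_robin(self):
        # Smooth weighted round robin: each origin earns its weight per pick,
        # and the chosen origin pays back the total weight of the healthy set.
        up = self.healthy()
        if not up:
            raise RuntimeError("no healthy origin")
        for o in up:
            self.credit[o] += self.weights[o]
        pick = max(up, key=self.credit.get)
        self.credit[pick] -= sum(self.weights[o] for o in up)
        return pick

    def source(self, client_ip):
        # Hash the client IP so one client keeps landing on the same origin
        # for as long as the healthy set does not change.
        up = sorted(self.healthy())
        if not up:
            raise RuntimeError("no healthy origin")
        digest = hashlib.sha256(client_ip.encode()).digest()
        return up[int.from_bytes(digest[:8], "big") % len(up)]


def demo():
    # Constructed scenario: the page's weights (5 and 1), 2 tolerable errors.
    pool = OriginPool({"192.0.2.10": 5, "192.0.2.11": 1}, tolerable_errors=2)
    before = [pool.weighted_round_robin() for _ in range(6)]
    for _ in range(3):  # the third failure exceeds the threshold
        pool.report("192.0.2.10", ok=False)
    after = [pool.weighted_round_robin() for _ in range(6)]
    return before.count("192.0.2.10"), set(after), pool.source("203.0.113.45")
```

`demo()` shows the 5:1 split while both origins pass checks, then all traffic, including source-hashed clients, moving to 192.0.2.11 once 192.0.2.10 exceeds the tolerable errors.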
Step 4: Firewall Settings
Define which IPs or countries are allowed or blocked.
- Block bad traffic at the edge.
- Prevent port scans and DDoS attacks (e.g., SYN flood).
- Allow only VergeCloud IP ranges for backend protection.
Step 5: Finalize and Submit
Once all settings are complete, contact VergeCloud Support or open a ticket to activate your Layer 4 proxy.
API Example
curl -X POST https://api.vergecloud.com/v1/layer4proxy \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "MyApplication",
    "subdomain": "example.myapp.com",
    "protocol": "TCP",
    "port": 12345,
    "proxy_protocol": "v1"
  }'
Testing and Validation
- curl: Test TCP response
- dig: Confirm DNS resolution to VergeCloud IP
- Browser: For TCP-based services, verify access via subdomain
Real Usage Scenarios
Gaming Platforms
Common Issues:
- Online game servers suffer from high latency, packet loss, and lag due to geographically distant users.
- Frequent DDoS attacks target backend IPs, causing downtime and degraded user experience.
- Traditional routing lacks session stickiness, breaking player continuity.
How VergeCloud Helps:
- Proxies all traffic through Anycast nodes, reducing round-trip time and improving real-time responsiveness.
- Conceals origin IP and absorbs attack traffic at the edge, preventing backend disruption.
- Source IP-based load balancing keeps players consistently routed to the same game node.
VoIP Services
Common Issues:
- Voice call quality deteriorates due to jitter, packet loss, or routing changes.
- Sudden connection drops when a backend node becomes unstable or fails.
- Limited ability to enforce traffic rules or mitigate regional abuse.
How VergeCloud Helps:
- Distributes UDP traffic intelligently across stable, low-latency nodes near the caller.
- Monitors server health and dynamically removes failing endpoints to preserve call stability.
- Applies country-based firewall rules and IP filters to restrict abusive traffic sources.
Email Servers (SMTP/IMAP)
Common Issues:
- Mail servers exposed to the public internet are frequent targets for spam relays and brute-force logins.
- Inbound connections from untrusted networks increase the risk of getting blacklisted.
- Performance bottlenecks occur when traffic spikes during mailing campaigns.
How VergeCloud Helps:
- Relays incoming traffic through secure edge IPs, hiding the actual mail server address.
- Filters known bad IPs or regions and applies rate controls to reduce abuse.
- Distributes incoming load with health-aware balancing to prevent overload.
SSH / SFTP Access
Common Issues:
- Public ports for remote access (22) attract constant brute-force and scan traffic.
- Access logs lack real IPs when traffic is routed through other proxies or networks.
- Restricting access to trusted regions/IPs is complex in unmanaged environments.
How VergeCloud Helps:
- Applies firewall rules to only allow access from specific IPs or countries.
- Supports Proxy Protocol (v1/v2), passing the original client IP to SSH logs and services.
- Edge-based SYN protection blocks invalid or abusive TCP attempts before reaching the origin.