Skip to content

Helmholtz Backbone Network

The networks of the individual Helmholtz centers are being interconnected on the basis of a high bandwidth network with mutual trust and increased overall security.

The backbone is an overlay of the DFN X-WiN, using the existing connections Helmholtz centres have via DFN. It is a virtual local area network, or VLAN, that is orchestrated by DFN in its so-called “Helmoltz VRF”, specific to HIFIS, with no link to the internet.

The following map shows the DFN glass fiber network and the current centres connected to the Helmholtz Backbone. Map of the Helmholtz centres connected to X-Win and the additional backbone network
Background map of Helmholtz centres taken from

Why do we need the backbone?

  1. Availability of resources: lower latency between centres.
  2. Protection of existing resources, for example shielding a sensitive resource in a Helmholtz centre from public HTTP requests.
  3. Simplified access, for example by-passing firewalls for connections between Helmholtz centres.

What are the use cases?

Two use cases are being developed in the frame of the Helmholtz Backbone:

  • Use case 1: Direct connection between private IP addresses of two different Helmholtz centres.

    This is typically a use case when a scientist is working in a satellite station of his institution in another centre and wants to access his home institution’s servers. This use case is currently being implemented to connect HZDR equipment at XFEL (via DESY) to the HZDR networks which are not normally accessible outside of HZDR’s local network.

  • Use case 2: Data transfers using WebFTS over the backbone.

    This use case is currently being investigated for sharing data between centres when the data itself should not be transferred through the internet. Like this, the transfers are conducted over a route that provides even higher security in addition to using a standard HTTPS connection. For more details on the transfer service provided by HIFIS, please visit this page.

Technical preparations

Centres with pre-existing BGP peering with DFN

Each centre has to configure its routing to the Backbone, and may decide to use dedicated hardware or not. Especially, if a trust relationship between the HIFIS partners can be established, the firewall/IPS system between LAN and router via the “DFN Helmholtz VRF” could be omitted to allow faster data transfers, because the traffic has not to be deeply inspected. This is illustrated in the picture below for Helmholtz centre A.


Centres without existing BGP peering with DFN

Some centres don’t have an existing BGP peering with DFN. In this case, it is also possible to set a routing encapsulation or “GRE tunnel” from the Helmholtz institute to (e.g.) DESY and within this GRE tunnel configure a BGP peering. This is for example the case for UFZ which is currently connected to the Backbone via DESY.

Drafts of policies (restricted to HIFIS)



Upcoming: Proof of concept and testing for possible hardware and software issues.

Connected Helmholtz Centres (restricted to HIFIS)

Back to top