4 Configuring Access to the Instances
Access to an instance is mainly influenced by the following parameters:
- Security Groups and Rules
In SUSE OpenStack Cloud, security groups are used to define which incoming network traffic should be forwarded to instances. Security groups hold a set of firewall policies (security group rules).
For instructions on how to configure security groups and security group rules, see Configure access and security for instances.
- Key Pairs
Key Pairs are SSH credentials that are injected into images when they are launched. For this to work, the image must contain the cloud-init package. It is recommended to create at least one key pair per project. If you have already generated a key pair with an external tool, you can import it into OpenStack. The key pair can be used for multiple instances belonging to that project.
For details on how to create or import key pairs, see Configure access and security for instances.
- IP Addresses
Each instance can have two types of IP addresses: private (fixed) IP addresses and public (floating) ones. Private IP addresses are used for communication between instances, and public ones are used for communication with the outside world. When an instance is launched, it is automatically assigned private IP addresses in the networks to which it is assigned. The private IP stays the same until the instance is explicitly terminated. (Rebooting the instance does not have an effect on the private IP addresses.)
A floating IP is an IP address that can be dynamically added to a virtual instance. In OpenStack Networking, cloud administrators can configure pools of floating IP addresses. These pools are represented as external networks. Floating IPs are allocated from a subnet that is associated with the external network. You can allocate a certain number of floating IPs to a project—the maximum number of floating IP addresses per project is defined by the quota. From this set, you can then add a floating IP address to an instance of the project.
For information on how to assign floating IP addresses to instances, see Configure access and security for instances.
4.1 Security Group Rules
You can adjust rules of the default security group and rules of any other security group that has been created. When the rules for a group are modified, the new rules are automatically applied to all running instances belonging to that security group.
Adjust the rules in a security group to allow access to instances via different ports and protocols. This is necessary to be able to access instances via SSH, to ping them, or to allow UDP traffic (for example, for a DNS server running on an instance).
Rules in security groups are specified by the following parameters:
- IP Protocol
Protocol to which the rule will apply. Choose between TCP (for SSH), ICMP (for pings), and UDP.
- Port/Port Range
For TCP or UDP, define a single port or a port range to open on the virtual machine. ICMP does not support ports. In that case, enter values that define the codes and types of ICMP traffic to be allowed.
- Source of traffic (in the SUSE OpenStack Cloud Dashboard)
Decide whether to allow traffic to instances only from IP addresses inside the cloud (from other group members) or from all IP addresses. Specify either an IP address block (in CIDR notation) or a security group as source. Using a security group as source will allow any instance in that security group to access any other instance.
If no further security groups have been created, all instances are automatically assigned to the default security group (unless specified otherwise). Unless you change the rules for the default group, those instances cannot be accessed from any IP address outside the cloud.
For quicker configuration, the Dashboard provides templates for often-used rules, including rules for well-known protocols on top of TCP (such as HTTP or SSH), or rules to allow all ICMP traffic (for pings).
1. Log in to the SUSE OpenStack Cloud Dashboard and select a project from the drop-down box in the top-level row.
2. Navigate to the security groups view. For the security group you want to modify, click the button that manages its rules. This opens a screen that shows the existing rules for the group and lets you add or delete rules.
3. Click the button for adding a rule to open a new dialog. From the rule drop-down box, you can select templates for often-used rules, including rules for well-known protocols on top of TCP (such as HTTP or SSH), or rules to allow all ICMP traffic (for pings). The following steps focus on the most commonly used rules only.
4. To enable SSH access to the instances:
   - Set the rule type to SSH.
   - Decide whether to allow traffic to instances only from IP addresses inside the cloud (from other group members) or from all IP addresses.
   - To enable access from all IP addresses (specified as an IP subnet in CIDR notation, 0.0.0.0/0), leave the remote source fields unchanged. Alternatively, allow only IP addresses from other security groups to access the specified port. In that case, set the remote source to Security Group and select the desired security group and address type (IPv4 or IPv6).
5. To enable pinging the instances:
   - Set the rule type to ALL ICMP.
   - Decide whether to allow traffic to instances only from IP addresses inside the cloud (from other group members) or from all IP addresses.
   - To enable access from all IP addresses (specified as an IP subnet in CIDR notation, 0.0.0.0/0), leave the remote source fields unchanged. Alternatively, allow only IP addresses from other security groups to send ICMP traffic. In that case, set the remote source to Security Group and select the desired security group and address type (IPv4 or IPv6).
6. To enable access via a UDP port (for example, for syslog):
   - Set the rule type to Custom UDP.
   - Leave the other preset values untouched. In the port text box, enter the port number to open.
   - Decide whether to allow traffic to instances only from IP addresses inside the cloud (from other group members) or from all IP addresses.
   - To enable access from all IP addresses (specified as an IP subnet in CIDR notation, 0.0.0.0/0), leave the remote source fields unchanged. Alternatively, allow only IP addresses from other security groups to access the specified port. In that case, set the remote source to Security Group and select the desired security group and address type (IPv4 or IPv6).
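The rule semantics described in this section (a rule matches on protocol, port range and address type, with the remote source given either as a CIDR block or as a security group, and an instance in the unmodified default group stays unreachable from outside the cloud) can be checked against a small model. The following Python block is an added example and is not code from the SUSE documentation or from OpenStack. It models ingress evaluation for the three rules created in the procedure above and renders the equivalent openstack CLI commands; the flags --ingress, --ethertype, --protocol, --dst-port, --remote-ip and --remote-group are those of python-openstackclient and are assumed here rather than taken from this page. The group names, the addresses, the intra-group rule of the default group and the choice of UDP port 514 (the standard syslog port, which the page does not name) are constructed sample data.

```python
"""Simplified model of OpenStack security group ingress evaluation.

Added example, not code from the SUSE documentation or from OpenStack.
Group names, addresses and rules below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    """One ingress rule: protocol, optional port range, and one remote source."""
    protocol: str                        # "tcp", "udp", "icmp" or "any"
    port_min: Optional[int] = None       # None for ICMP / any-port rules
    port_max: Optional[int] = None
    remote_cidr: Optional[str] = None    # source given as an IP block, e.g. "0.0.0.0/0"
    remote_group: Optional[str] = None   # source given as a security group name
    ethertype: str = "IPv4"

    def matches(self, proto: str, dport: Optional[int], src_ip: str,
                src_groups: Iterable[str]) -> bool:
        """True if a packet (proto, dport) from src_ip, sent by an instance that
        is a member of src_groups, is permitted by this rule."""
        if self.protocol != "any" and self.protocol != proto:
            return False
        addr = ipaddress.ip_address(src_ip)
        # Each rule applies to one address family only (IPv4 or IPv6).
        if self.ethertype != f"IPv{addr.version}":
            return False
        # Ports are only meaningful for TCP/UDP; ICMP rules carry none.
        if self.protocol in ("tcp", "udp") and self.port_min is not None:
            if dport is None or not (self.port_min <= dport <= self.port_max):
                return False
        if self.remote_cidr is not None:
            return addr in ipaddress.ip_network(self.remote_cidr, strict=False)
        if self.remote_group is not None:
            # Remote group as source: any member of that group may reach the port.
            return self.remote_group in set(src_groups)
        return True


def ingress_allowed(groups: dict[str, list[Rule]], instance_groups: Iterable[str],
                    proto: str, dport: Optional[int], src_ip: str,
                    src_groups: Iterable[str] = ()) -> bool:
    """Security groups are allow-lists: ingress is permitted if any rule of any
    group the instance belongs to matches; everything else is dropped."""
    src_groups = tuple(src_groups)
    return any(rule.matches(proto, dport, src_ip, src_groups)
               for name in instance_groups for rule in groups[name])


def to_cli(group: str, rule: Rule) -> str:
    """Render the equivalent 'openstack security group rule create' command
    (flag names as in python-openstackclient; assumed, not taken from the page)."""
    parts = ["openstack security group rule create", "--ingress",
             f"--ethertype {rule.ethertype}", f"--protocol {rule.protocol}"]
    if rule.port_min is not None:
        rng = (str(rule.port_min) if rule.port_min == rule.port_max
               else f"{rule.port_min}:{rule.port_max}")
        parts.append(f"--dst-port {rng}")
    if rule.remote_cidr is not None:
        parts.append(f"--remote-ip {rule.remote_cidr}")
    if rule.remote_group is not None:
        parts.append(f"--remote-group {rule.remote_group}")
    parts.append(group)
    return " ".join(parts)


# The three rules from the procedure, attached to a constructed group "web".
SSH_RULE = Rule("tcp", 22, 22, remote_cidr="0.0.0.0/0")       # template "SSH", open to all
ICMP_RULE = Rule("icmp", remote_cidr="0.0.0.0/0")              # template "ALL ICMP"
SYSLOG_RULE = Rule("udp", 514, 514, remote_group="web")        # "Custom UDP", group members only

GROUPS: dict[str, list[Rule]] = {
    # Constructed to mirror Neutron's default group: members may reach each
    # other, nothing from outside the cloud is admitted.
    "default": [Rule("any", remote_group="default"),
                Rule("any", remote_group="default", ethertype="IPv6")],
    "web": [SSH_RULE, ICMP_RULE, SYSLOG_RULE],
}

OUTSIDE = "203.0.113.5"   # constructed: a host outside the cloud
PEER = "10.0.0.9"         # constructed: another instance's private (fixed) IP


if __name__ == "__main__":
    print("default group, SSH from outside:", ingress_allowed(GROUPS, ["default"], "tcp", 22, OUTSIDE))
    print("web group, SSH from outside:    ", ingress_allowed(GROUPS, ["web"], "tcp", 22, OUTSIDE))
    print("web group, syslog from outside: ", ingress_allowed(GROUPS, ["web"], "udp", 514, OUTSIDE))
    print("web group, syslog from a peer:  ", ingress_allowed(GROUPS, ["web"], "udp", 514, PEER, ["web"]))
    for rule in GROUPS["web"]:
        print(to_cli("web", rule))
```

The model makes the two points of this section explicit: an instance left in the unmodified default group accepts nothing from outside the cloud, and a rule whose source is a security group admits any member of that group regardless of its address, so choosing a group rather than 0.0.0.0/0 as the source is what keeps a syslog or management port off the public side.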