Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / Documentation / Supplement to Administrator Guide and User Guide / Configuring Access to the Instances
Applies to SUSE OpenStack Cloud 9

4 Configuring Access to the Instances

Access to an instance is mainly influenced by the following parameters:

Security Groups and Rules

In SUSE OpenStack Cloud, security groups are used to define which incoming network traffic should be forwarded to instances. Security groups hold a set of firewall policies (security group rules).

For instructions on how to configure security groups and security group rules, see Configure access and security for instances.

Key Pairs

Key Pairs are SSH credentials that are injected into images when they are launched. For this to work, the image must contain the cloud-init package.

It is recommended to create at least one key pair per project. If you already have generated a key pair with an external tool, you can import it into OpenStack. The key pair can be used for multiple instances belonging to that project.

For details on how to create or import keypairs, see Configure access and security for instances.

IP Addresses

Each instance can have two types of IP addresses: private (fixed) IP addresses and public (floating) ones. Private IP addresses are used for communication between instances, and public ones are used for communication with the outside world. When an instance is launched, it is automatically assigned private IP addresses in the networks to which it is assigned. The private IP stays the same until the instance is explicitly terminated. (Rebooting the instance does not have an effect on the private IP addresses.)

A floating IP is an IP address that can be dynamically added to a virtual instance. In OpenStack Networking, cloud administrators can configure pools of floating IP addresses. These pools are represented as external networks. Floating IPs are allocated from a subnet that is associated with the external network. You can allocate a certain number of floating IPs to a project—the maximum number of floating IP addresses per project is defined by the quota. From this set, you can then add a floating IP address to an instance of the project.

For information on how to assign floating IP addresses to instances, see Configure access and security for instances.

4.1 Security Group Rules

You can adjust rules of the default security group and rules of any other security group that has been created. When the rules for a group are modified, the new rules are automatically applied to all running instances belonging to that security group.

Adjust the rules in a security group to allow access to instances via different ports and protocols. This is necessary to be able to access instances via SSH, to ping them, or to allow UDP traffic (for example, for a DNS server running on an instance).

Rules in security groups are specified by the following parameters:

IP Protocol

Protocol to which the rule will apply. Choose between TCP (for SSH), ICMP (for pings), and UDP.

Port/Port Range

For TCP or UDP, define a single port or a port range to open on the virtual machine. ICMP does not support ports. In that case, enter values that define the codes and types of ICMP traffic to be allowed.

Source of traffic (Remote in the SUSE OpenStack Cloud Dashboard)

Decide whether to allow traffic to instances only from IP addresses inside the cloud (from other group members) or from all IP addresses. Specify either an IP address block (in CIDR notation) or a security group as source. Using a security group as source will allow any instance in that security group to access any other instance.

If no further security groups have been created, any instances are automatically assigned to the default security group (if not specified otherwise). Unless you change the rules for the default group, those instances cannot be accessed from any IP addresses outside the cloud.

Procedure 4.1: Configuring Security Group Rules

For quicker configuration, the Dashboard provides templates for often-used rules that, including rules for well-known protocols on top of TCP (such as HTTP or SSH), or rules to allow all ICMP traffic (for pings).

  1. Log in to SUSE OpenStack Cloud Dashboard and select a project from the drop-down box at the top-level row.

  2. Click Project › Compute › Access & Security. The view shows the following tabs: Security Groups, Key Pairs, Floating IPs, and API Access.

  3. On the Security Group tab, click Manage Rules for the security group you want to modify. This opens the Security Group Rules screen that shows the existing rules for the group and lets you add or delete rules.

  4. Click Add Rule to open a new dialog.

    From the Rule drop-down box, you can select templates for often-used rules, including rules for well-known protocols on top of TCP (such as HTTP or SSH), or rules to allow all ICMP traffic (for pings). In the following steps, we will focus on the most commonly-used rules only:

  5. To enable SSH access to the instances:

    1. Set Rule to SSH.

    2. Decide whether to allow traffic to instances only from IP addresses inside the cloud (from other group members) or from all IP addresses.

      • To enable access from all IP addresses (specified as IP subnet in CIDR notation as 0.0.0.0/0), leave the Remote and CIDR fields unchanged.

      • Alternatively, allow only IP addresses from other security groups to access the specified port. In that case, set Remote to Security Group. Select the desired Security Group and Ether Type (IPv4 or IPv6).

  6. To enable pinging the instances:

    1. Set Rule to ALL ICMP.

    2. Decide whether to allow traffic to instances only from IP addresses inside the cloud (from other group members) or from all IP addresses.

      • To enable access from all IP addresses (specified as IP subnet in CIDR notation as 0.0.0.0/0), leave the Remote and CIDR fields unchanged.

      • Alternatively, allow only IP addresses from other security groups to access the specified port. In that case, set Remote to Security Group. Select the desired Security Group and Ether Type (IPv4 or IPv6).

  7. To enable access via a UDP port (for example, for syslog):

    1. Set Rule to Custom UDP.

    2. Leave the Direction and Open Port values untouched.

    3. In the Port text box, enter the value 514.

    4. Decide whether to allow traffic to instances only from IP addresses inside the cloud (from other group members) or from all IP addresses.

      • To enable access from all IP addresses (specified as IP subnet in CIDR notation as 0.0.0.0/0), leave the Remote and CIDR fields unchanged.

      • Alternatively, allow only IP addresses from other security groups to access the specified port. In that case, set Remote to Security Group. Select the desired Security Group and Ether Type (IPv4 or IPv6).