Network
Concepts
Virtual Router
A router is a logical component that forwards packets between networks. It also provides Layer 3 routing and NAT, which is what gives servers on project networks access to external networks.
Internal Network
Internal networks are networks in which all instances attached to the network can talk to each other and reach the Internet through a router, while hosts on the Internet cannot initiate a connection to those instances unless a floating IP is assigned. Internal networks are the right place for services you want to keep private: by default they are unreachable from the Internet, which removes the most exposed part of the attack surface.
Floating IP Overview
OpenStack floating IP addresses are publicly routable IPs that users can allocate to their instances, making them accessible from the outside world.
Floating IP and Network Policy
Each project is assigned a quota of floating IPs, along with a single SNAT router and an internal network connected to it. By default, this router provides Internet connectivity to the internal network using Source NAT (SNAT).
If needed, you can create additional internal networks and connect them to the router. For instructions on creating internal networks and adding them to the project router, refer to Subsection 7.3.
Default Port Access Policy
The following ports are open by default for outgoing and incoming internet access:
Outgoing (Source NAT Policy):
- 80 (HTTP)
- 443 (HTTPS)
- 53 (DNS) to BSC DNS servers: 84.88.52.35, 84.88.52.36
- 123 (NTP) to BSC NTP server: 84.88.52.36
- 22 (SSH) to dtransfer, interactive nodes, and HPC logins
Incoming (Floating IP Policy):
- 80 (HTTP)
- 443 (HTTPS)
- 22 (SSH)
- 8000-8100
Requesting Additional Port Access
If you need to open additional ports for outgoing or incoming connections, please contact datamanagement@bsc.es with the following information:
Source:
- Specify one of the following:
- IP / IP Range
- BSC Network
- VPN
Destination:
- IP / IP Range (e.g., 10.10.10.100)
Protocol:
- Specify the protocol (e.g., TCP)
Port(s):
- Indicate the port(s) to be opened (e.g., 27107)
These policies ensure secure and managed access to your instances, while also providing flexibility for additional configurations as needed.
Internal Network creation
$ openstack network create --internal --project <project> --project-domain <project-domain> <name>
Subnetwork creation
The subnetwork must use a private address range (RFC 1918 space such as 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16) and should use 84.88.52.35 and 84.88.52.36 as its DNS servers.
The subnet range is given in CIDR notation, for example 192.168.0.0/24.
$ openstack network list
$ openstack subnet create --project <project> --project-domain <project-domain> --subnet-range <subnet-range> \
    --network <network> --dns-nameserver 84.88.52.35 --dns-nameserver 84.88.52.36 <name>
Add a Subnetwork to a Router
$ openstack router list
$ openstack subnet list
$ openstack router add subnet <router> <subnet>
Security Group Creation
The default security group allows all egress traffic but no ingress traffic. To reach a VM from the Internet (through a floating IP) or from other private networks, you must therefore either edit the default security group or create a new security group with ingress rules for the services you expose, such as SSH or HTTPS.
$ openstack security group create <security-group>
New security groups also allow all egress traffic by default, so normally only ingress rules need to be added. Scope --remote-ip as narrowly as you can: 0.0.0.0/0 admits every source that the floating IP policy lets through, so prefer a specific IP range (for example the BSC network or the VPN) for administrative ports such as SSH.
$ openstack security group rule create --ingress --proto tcp --remote-ip 0.0.0.0/0 --dst-port <port> <security-group>
Example:
$ openstack security group create ingress_tcp_22-egress_any
$ openstack security group rule create --ingress --proto tcp --remote-ip 0.0.0.0/0 --dst-port 22 ingress_tcp_22-egress_any
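The procedure above (network, subnet, router attachment, security group rule) is easy to get subtly wrong: a subnet range with host bits set, a public range, or an ingress rule for a port that the floating IP policy does not admit, which then silently has no effect from the Internet. The following pre-flight checker is an added example written for this page; it is not part of the original documentation or of the OpenStack CLI. It validates the inputs with the standard library and prints the `openstack` commands in the order the page gives them, so nothing is created until the inputs are known to be sane. The project, network and router names in the `__main__` block are constructed sample values, and the rule that a security group only adds a second filter behind the floating IP policy is this example's reading of the port-policy section above.

```python
"""Pre-flight checks for the internal network / security group procedure.

Added example for this page, not BSC or OpenStack project code. It checks
the inputs and emits the `openstack` CLI commands in order instead of
running them, so mistakes are caught before anything is created.
"""
import ipaddress
import shlex

# Values taken from the page: BSC DNS servers and the default incoming
# (floating IP) TCP policy, expressed as (first_port, last_port) ranges.
BSC_DNS = ("84.88.52.35", "84.88.52.36")
FLOATING_IP_INGRESS_TCP = ((22, 22), (80, 80), (443, 443), (8000, 8100))

# RFC 1918 address space; a subnet range must lie inside one of these.
PRIVATE_RANGES = tuple(
    ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def validate_subnet_range(cidr):
    """Return the IPv4Network for `cidr`, or raise ValueError if it is not a
    clean private range (host bits set, public space, or too small to use)."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects e.g. 192.168.0.1/24
    if net.version != 4:
        raise ValueError(f"{cidr}: only IPv4 subnets are handled here")
    if not any(net.subnet_of(private) for private in PRIVATE_RANGES):
        raise ValueError(f"{cidr}: subnet range must be an RFC 1918 private range")
    if net.prefixlen > 29:
        raise ValueError(f"{cidr}: too small; gateway, DHCP and at least one VM need addresses")
    return net


def port_open_on_floating_ip(port):
    """True if the default floating IP policy admits TCP `port` from the Internet."""
    return any(first <= port <= last for first, last in FLOATING_IP_INGRESS_TCP)


def plan_network(project, domain, network, subnet, cidr, router):
    """Return the openstack CLI commands, in order, that create an internal
    network with a private subnet and attach that subnet to the project router."""
    net = validate_subnet_range(cidr)
    dns_flags = " ".join(f"--dns-nameserver {ip}" for ip in BSC_DNS)
    q = shlex.quote
    return [
        f"openstack network create --internal --project {q(project)} "
        f"--project-domain {q(domain)} {q(network)}",
        f"openstack subnet create --project {q(project)} --project-domain {q(domain)} "
        f"--subnet-range {net} --network {q(network)} {dns_flags} {q(subnet)}",
        f"openstack router add subnet {q(router)} {q(subnet)}",
    ]


def plan_ingress_rule(security_group, port, remote_ip="0.0.0.0/0"):
    """Return (command, warning). The warning is set when the rule cannot do
    what the operator intends: the floating IP policy is applied upstream of
    the security group (assumption drawn from the port-policy section), so a
    port the policy blocks stays closed from the Internet even if the group
    allows it. Rules scoped to private sources are not affected by it."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    source = ipaddress.ip_network(remote_ip, strict=False)
    cmd = (
        f"openstack security group rule create --ingress --proto tcp "
        f"--remote-ip {source} --dst-port {port} {shlex.quote(security_group)}"
    )
    source_is_private = source.version == 4 and any(
        source.subnet_of(private) for private in PRIVATE_RANGES
    )
    warning = None
    if not port_open_on_floating_ip(port) and not source_is_private:
        warning = (
            f"port {port} is not in the default floating IP policy; request it "
            "from datamanagement@bsc.es, otherwise this rule has no effect from the Internet"
        )
    return cmd, warning


if __name__ == "__main__":
    # Constructed sample values, not real BSC project names.
    for line in plan_network("myproj", "Default", "app-net", "app-subnet",
                             "192.168.0.0/24", "myproj-router"):
        print(line)
    for port in (22, 27017):
        cmd, warn = plan_ingress_rule("ingress_tcp_22-egress_any", port)
        print(cmd)
        if warn:
            print("WARNING:", warn)
```

Run it once with your own values, copy the printed commands into the shell, and treat any WARNING as a sign that you need to request the port from datamanagement@bsc.es before the security group rule will matter.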