Network

Concepts

Virtual Router

A router is a logical component that forwards data packets between networks. It also provides Layer 3 forwarding and NAT to give servers on project networks access to external networks.

Internal Network

Internal networks are networks in which all the instances connected to them can talk to each other and reach the rest of the Internet through a router, while the rest of the Internet cannot initiate a connection to those instances unless they have a floating IP. Internal networks are ideal for running services you wish to keep secure: by default these services are unreachable from the Internet and are therefore much harder to compromise.

Floating IP

OpenStack floating IP addresses are simply publicly routable IPs. Users can allocate them to their instances, making those instances reachable from the outside world.

Policy

Each project is delivered with a quota of floating IPs, one SNAT router and an internal network connected to it. Each project is deployed with only one router, which provides Internet access for the internal network through SNAT.

However, you can create more internal networks and add them to the router if required. Subsection 7.3 describes how to create internal networks and attach them to the project router.

Source NAT policy

By default, the following outgoing ports to the Internet are open:

  • 80
  • 443
  • 53 to BSC DNS: 84.88.52.35, 84.88.52.36
  • 123 to BSC NTP: 84.88.52.36
  • 22 to dtransfer, interactive nodes and HPC logins via SSH

Floating IP policy

The default open outgoing ports to the Internet are the same as those defined in the Source NAT policy.

By default, the following incoming ports from the Internet are open:

  • 80
  • 443
  • 22
  • 8000 to 8100

Internal Network creation

$ openstack network create --internal --project <project> --project-domain <project-domain> <name>

Subnetwork creation

The subnetwork should be a private network range and should use 84.88.52.35 and 84.88.52.36 as DNS servers.

The subnet range should be in CIDR format, for example 192.168.0.0/24.

$ openstack network list
$ openstack subnet create --project <project> --project-domain <project-domain> --subnet-range <subnet-range> \
    --network <network> --dns-nameserver 84.88.52.35 --dns-nameserver 84.88.52.36 <name>

Add a Subnetwork to a Router

$ openstack router list
$ openstack subnet list
$ openstack router add subnet <router> <subnet>

Security Group Creation

By default, the default security group allows all egress traffic but no ingress traffic. To allow access to a VM from the Internet or from other private networks, you therefore need to edit the default security group or create new security groups with ingress rules for the services you expose (SSH, HTTPS, etc.).

$ openstack security group create <security-group>

By default, all egress traffic is allowed in new security groups, so only ingress rules need to be added to allow inbound traffic.

$ openstack security group rule create --ingress --proto tcp --remote-ip 0.0.0.0/0 --dst-port <port> <security-group>

Example:

$ openstack security group create ingress_tcp_22-egress_any
$ openstack security group rule create --ingress --proto tcp --remote-ip 0.0.0.0/0 --dst-port 22 ingress_tcp_22-egress_any
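The following POSIX shell helper is an added example, not part of the BSC documentation or of the openstack client. It checks the inputs of the procedure above before any command is run: it rejects subnet ranges outside the RFC 1918 private space, reports whether an ingress port you are about to open is actually reachable through a floating IP under the default policy listed on this page, and prints the network, subnet and router commands with the BSC DNS servers filled in. The project, domain, network and router names passed to it are placeholders.

```shell
# Added helper (not from the BSC docs or the openstack CLI): validates the
# inputs of the network/subnet procedure using the DNS servers and the
# floating-IP ingress policy stated on this page.
DNS_SERVERS="84.88.52.35 84.88.52.36"   # from the "Subnetwork creation" section

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    old_ifs="$IFS"; IFS=.; set -- $1; IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Return 0 if $1 is a CIDR inside an RFC 1918 private range, as the page
# requires for project subnets; anything else (including public ranges) is 1.
is_private_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; prefix="${1##*/}"
    is_ipv4 "$ip" || return 1
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 30 ] || return 1          # leave room for router and hosts
    case "$ip" in
        10.*)                                   [ "$prefix" -ge 8 ] ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  [ "$prefix" -ge 12 ] ;;
        192.168.*)                              [ "$prefix" -ge 16 ] ;;
        *)                                      return 1 ;;
    esac
}

# Return 0 if inbound TCP port $1 is open under the default floating-IP policy
# (22, 80, 443, 8000-8100); a rule on any other port is unreachable from outside.
port_allowed_inbound() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -eq 22 ] || [ "$1" -eq 80 ] || [ "$1" -eq 443 ] && return 0
    [ "$1" -ge 8000 ] && [ "$1" -le 8100 ]
}

# Print the network, subnet and router-attach commands from the page for the
# given project, domain, network, CIDR and router, refusing a non-private range.
build_subnet_commands() {
    is_private_cidr "$4" || { echo "refusing non-private subnet range: $4" >&2; return 1; }
    dns=""; for d in $DNS_SERVERS; do dns="$dns --dns-nameserver $d"; done
    printf 'openstack network create --internal --project %s --project-domain %s %s\n' "$1" "$2" "$3"
    printf 'openstack subnet create --project %s --project-domain %s --subnet-range %s --network %s%s %s-subnet\n' \
        "$1" "$2" "$4" "$3" "$dns" "$3"
    printf 'openstack router add subnet %s %s-subnet\n' "$5" "$3"
}
```

Run `build_subnet_commands <project> <project-domain> <network> 192.168.0.0/24 <router>` to see the exact commands before executing them, and `port_allowed_inbound <port>` before creating an ingress rule.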