The HPC Cloud supports virtual network resources such as routers, floating ips, and security groups, which, together with the physical and virtual networks themselves form the communication infrastructure needed by compute instances.
Networking topics can become quite complex, but many use cases are already covered by local networks combined with the appropriate security group rules. Thus, you may want to skip directly to those sections.
Private Networks and Routers
Private networking is available to meet more complex requirements, as well conserve IP addresses on the shared networks. The following steps correspond to a typical use case, but by no means cover all the possibilities.
Create a new network and associated subnet via on Project / Network / Networks, specifying 192.168.0.0/24 as the network address and 126.96.36.199, 188.8.131.52 (one per line) as the DNS name servers.
Create a new router via on Project / Network / Routers, choosing either cloud-local-float or cloud-public (if available) as the external network.
Select the router, switch to the “Interfaces” tab, and click to add a port in the newly-created subnet.
openstack network create NETWORK
openstack subnet create SUBNET --network NETWORK --subnet-range 192.168.0.0/24 --dns-nameserver 184.108.40.206 --dns-nameserver 220.127.116.11
openstack router create ROUTER
openstack router set ROUTER --external-gateway cloud-local-float
openstack router add subnet ROUTER SUBNET
You can now launch instances on the private network, but there is no way to reach the network from outside, and therefore no way to login! 3 To get around this limitation, attach a floating ip to at least one of the servers in the private network.
Floating ips give a server an alternate ip address without reconfiguring the server itself. This works because the software-defined networking layer implements a one-to-one translation between the fixed address that the operating system “sees” and the floating address. Note that the fixed address will continue to be usable inside the local (or private) subnet, while all other hosts must use the floating ip. 4
Reserve a floating ip via on Project / Network / Floating IPs, selecting either cloud-local-float or cloud-public (if available) as the pool.
Select the floating ip, click , and then choose the primary port of the target instance.
- The floating ip’s pool must match the router gateway to successfully associate with a server:
For servers on local networks, only floating ips from cloud-public can be used.
For servers on private networks, it depends on which external network was chosen for the private router – see step 2 above.
openstack floating ip create cloud-local-float
openstack server add floating ip SERVER 10.186.7.XX
The HPC Cloud provides a flexible per-instance, network-based access control mechanism in the form of security groups. The default security group allows connections between instances in the same project (and network), plus SSH from internal MPCDF networks and ping from anywhere. The recommended way to “open” additional ports is as follows:
Create a new group via on Project / Network / Security Groups.
Select the group, choose , followed by , and then add one or more rules, e.g.:
Rule: Custom TCP Rule
Select the desired instance on Project / Compute / Instances, choose , and then add the newly created security group. In most cases you should keep, rather than replace, the default security group, unless your new security group includes rules for all necessary ingress and egress traffic.
openstack security group create SECGROUP
openstack security group rule create SECGROUP --protocol tcp --dst-port 80
openstack server add security group SERVER SECGROUP
One thing to keep in mind is that what traffic unlimately reaches the server is determined by the properties of the network and the security group rules. For example, since cloud-local networks are not globally routed, opening a port to all sources only affects traffic from other MPCDF networks. Adding a public floating ip, however, changes the situation dramatically. Thus, it is good practice to choose the CIDR carefully, rather than relying exclusively on the network topology for security.
Certain applications do not support floating ips, since the operating system detects only the fixed address. On request, it is technically possible to place an instance directly on the public network.
Internet access is provided via a NAT gateway. The external address of the gateway (currently 18.104.22.168) may change and should not be used for access control.
Unlike many routers used for home internet service, the software-defined routers in the HPC Cloud do not support port forwarding, i.e. directing incoming traffic on a particular port to particular local “behind” the router.
One might wonder if local peers can communicate with the floating ip as well. For private networks the answer is yes; for local networks the answer is no.