Four configurations are possible:
- Type 1: the provided network is private and not routed; external access uses floating IPs
- Type 2: the provided network is private, routed to CC-IN2P3, with SNAT access to the internet
- Type 3: the network is public
Upon creation, each project is assigned a network of one of these types, according to the needs of its use case (HA-oriented service, computing, R&D …).
Determine the configured network mode
Your OpenStack project was assigned a dedicated network upon creation. If you do not know which network mode it is set to, start a VM and determine the IP address that was automatically assigned to it (command openstack server show).
- if the IP belongs to a private subnet (172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16), the network is type 1 or 2
- if the IP can be pinged from another CC-IN2P3 server (the interactive pool, for example), the network is type 2
- if the IP cannot be pinged, the network is type 1 (not routed, with floating IPs)
- if the IP is public, the network is type 4 (public)
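The decision list above as a small shell script, added here as an example (it is not part of the CC-IN2P3 documentation). It assumes the openstack CLI is configured, that the script runs on a CC-IN2P3 host such as an interactive server so that the ping result is meaningful, and that the instance has a dotted-quad IPv4 address; the function names and the yes/no flag are my own.

```shell
#!/bin/sh
# Classify the network type of an OpenStack instance from the IP it was
# assigned, following the private-subnet and ping tests described above.

# is_private IP -> succeeds if IP is in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16
is_private() {
    o1=${1%%.*}; rest=${1#*.}; o2=${rest%%.*}
    if [ "$o1" = 10 ]; then return 0; fi
    if [ "$o1" = 192 ] && [ "$o2" = 168 ]; then return 0; fi
    if [ "$o1" = 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then return 0; fi
    return 1
}

# classify_net IP PINGABLE -> prints 1, 2 or 4 as in the list above.
# PINGABLE is "yes" or "no": whether another CC-IN2P3 server can ping IP.
classify_net() {
    if is_private "$1"; then
        if [ "$2" = yes ]; then echo 2; else echo 1; fi
    else
        echo 4
    fi
}

# probe_server SERVER -> reads the first IPv4 address of SERVER from
# "openstack server show", runs the ping test from this host, and prints
# the resulting network type.  Hypothetical driver, not a CC-IN2P3 tool.
probe_server() {
    addr=$(openstack server show -f value -c addresses "$1" |
           grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1)
    if [ -z "$addr" ]; then
        echo "no IPv4 address found for $1" >&2
        return 1
    fi
    # -W 2: Linux ping timeout in seconds; a blocked ICMP reply means "no"
    if ping -c 1 -W 2 "$addr" >/dev/null 2>&1; then reach=yes; else reach=no; fi
    printf '%s %s -> network type %s\n' "$1" "$addr" "$(classify_net "$addr" "$reach")"
}

if [ $# -eq 1 ]; then probe_server "$1"; fi
```

Run it as `sh classify.sh <server-name-or-id>` from an interactive server; a "no" ping result only identifies type 1 when the test is made from inside CC-IN2P3, since type 2 networks are not routed further out either.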
Type 1: private network, not routed, with floating IPs (R&D or HA)
Once an instance is started, it is assigned a non-routed private IPv4 address. It may communicate with the other instantiated VMs but not with the outside. To obtain a routable public IP, you need to associate a floating IP with it, which implements a NAT rule.
Public IPs are not filtered on egress, which means that an instance can connect to any service hosted outside CC-IN2P3. They are filtered on ingress, however: port 22 is the only open port, and only from the interactive servers.
Type 2: private network, locally routed (R&D, computing)
Each VM boots with a private IP chosen by OpenStack in the network defined by CC-IN2P3 for the project concerned. All VMs of the project may communicate with each other without any restriction. By default, VMs use a CC-IN2P3 gateway and may also communicate with all CC-IN2P3 subnets, provided the network ACLs allow it (they are defined by our Telecom team; please submit your request to user support). VMs access the internet through a SNAT gateway by default.
Type 4: public network (HA service)
Each VM boots with a public IP chosen by OpenStack in the network defined by CC-IN2P3 for the project concerned. VMs may communicate with all CC-IN2P3 subnets and with the internet, provided the network ACLs allow it (they are defined by our Telecom team; please submit your request to user support). Known limitations:
- only IN2P3 subnets are usable on the cloud infrastructure
- reverse DNS records necessarily point to an in2p3.fr subdomain
There are two firewall levels:
- the first level is managed on the CC-IN2P3 core network. ACLs are added on request (to user support), insofar as the request is compatible with the computing centre's security policy. ACL settings also depend on what was agreed with CC-IN2P3 when the project was created.
- the second level is implemented in the cloud via the security groups (secgroups) mechanism. Cloud users have the rights to define the rules in place at this level.