Network access
Four cases are possible:
Type 1: the provided network is private and not routed; external access uses floating IPs
Type 2: the provided network is private, routed to CC-IN2P3, and given SNAT access to the internet
Type 3: the network is public
Upon creation, each project is assigned a network of one of these types, according to the needs of its use case (HA-oriented service, R&D, …).
Determine configured network mode
Your OpenStack project was assigned a dedicated network when it was created. If you do not know which network mode is set, start a VM and look up the IP address that was automatically assigned to it (command openstack server show).
If the IP belongs to a private subnet (172.16.0.0/12, 10.0.0.0/8 or 192.168.0.0/16), the network may be type 1 or 2:
  if the IP can be pinged from another CC-IN2P3 server (the interactive pool, for example), the network is type 2;
  if the IP cannot be pinged, the network is type 1 (not routed, floating IPs).
If the IP is public, the network is type 3 (public).
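The check above, as an added example that is not part of the original documentation: it pulls the IPv4 literals out of the addresses field printed by openstack server show (whose exact layout varies between client versions, so the parser is deliberately format-agnostic), tests them against the three private ranges named above, and, when a reachability callback is supplied (a one-packet ping run from a CC-IN2P3 host), decides between type 1 and type 2. The sample addresses value is constructed.

```python
import ipaddress
import re
import subprocess
from typing import Callable, Optional

# The three private ranges named in the text; anything else is treated as public.
PRIVATE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16")
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ipv4(addresses_field: str) -> list[str]:
    """Return the IPv4 literals found in an 'addresses' value such as
    "proj-net=172.20.4.17" (assumed layout; any text containing IPs works)."""
    found = []
    for cand in IPV4_RE.findall(addresses_field):
        try:
            ipaddress.IPv4Address(cand)  # rejects regex hits like 999.1.1.1
        except ValueError:
            continue
        found.append(cand)
    return found


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 address expected (IPv6 is configured manually)")
    return any(addr in net for net in PRIVATE_RANGES)


def ping_reachable(ip: str) -> bool:
    """One ICMP echo with a 2 s timeout; only meaningful from a CC-IN2P3 host."""
    r = subprocess.run(["ping", "-c", "1", "-W", "2", ip],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def network_type(ip: str, reachable: Optional[Callable[[str], bool]] = None) -> str:
    """Map an instance IP to the network type described in the text."""
    if not is_private(ip):
        return "type 3 (public)"
    if reachable is None:
        return "type 1 or 2 (private; ping it from a CC-IN2P3 host to decide)"
    return "type 2 (routed)" if reachable(ip) else "type 1 (not routed, floating IPs)"


if __name__ == "__main__":
    sample = "proj-net=172.20.4.17"  # constructed; real value from `openstack server show`
    for ip in extract_ipv4(sample):
        print(ip, "->", network_type(ip, ping_reachable))
```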
Important
Private network, not routed with floating IPs
Once an instance is started, it is assigned a non-routable private IPv4 address. It may communicate with the other instantiated VMs but not with the outside. To obtain a routable public IP, you need to associate a floating IP, which implements a NAT rule.
Public IPs are not filtered on egress, which means that it is possible to connect from an instance to any service hosted outside CC-IN2P3. However, these IPs are filtered on ingress: port 22 is the only open port, and only from the interactive servers.
Important
Private network, locally routed
Each VM boots with a private IP chosen by OpenStack in the network defined by CC-IN2P3 for the project concerned. All VMs of the project may communicate with each other without any restriction.
VMs use a CC-IN2P3 gateway by default and may also communicate with all CC-IN2P3 subnets provided the network ACLs allow it (defined by our Telecom team; please submit your request to user support). VMs reach the internet through a SNAT gateway by default.
Important
Public network
Each VM boots with a public IP chosen by OpenStack in the network defined by CC-IN2P3 for the project concerned. VMs may communicate with all CC-IN2P3 subnets and the internet provided the network ACLs allow it (defined by our Telecom team; please submit your request to user support). Known limitations:
only IN2P3 subnets are operative on the cloud infrastructure,
reverse DNS records necessarily point to an in2p3.fr subdomain.
IPv6
It is possible to obtain IPv6 addresses on the cloud, but for now this requires manual configuration.
Network ACLs
There are two firewall levels:
the first level is managed on the CC-IN2P3 core network. ACLs are added on demand (via user support) and to the extent that the request is compatible with the computing centre's security policy. ACL settings also depend on what was agreed with CC-IN2P3 at the time of project creation.
the second level is implemented in the cloud via the security group (secgroup) mechanism. Cloud users have the rights to define the rules in place at this level.