Network

First, we should explain some important concepts:

  • Virtual Router: A virtual router is a logical component that forwards data packets between networks. It also provides Layer 3 and NAT forwarding to give servers on project networks access to external networks.

  • Internal Network: Internal networks are a type of network in which all the instances connected to that network can talk to each other and reach the rest of the Internet through a router, but the rest of the Internet cannot initiate a connection to those instances without a floating IP. Internal networks are ideal for running services you wish to keep secure, as, by default, these services are unreachable from the Internet and thus are much harder to compromise.

  • Floating IP: OpenStack floating IP addresses are publicly routable IPs that users can allocate to their instances, making them accessible from the outside world.

  • Floating IP and Network Policy: Each project is assigned a quota of floating IPs, along with a single SNAT router and an internal network connected to it. By default, each project will be set up with one router, which provides internet connectivity to the internal network using Source NAT (SNAT).

Outgoing/Incoming Connections

The following ports are open by default in the BiFi Network for outgoing and incoming connections:

- 7 (ICMP) - For ping requests to the remote machine Colossus
- 22 (SSH) - For data transfer, interactive nodes, and HPC logins

Remember: Even if these ports are open in the BiFi Network, you must verify they are also open in your instance's security group for the traffic to succeed.

Internal network creation

openstack network create --internal --project <project> --project-domain <project-domain> <name>

Subnetwork creation

The subnetwork should use a private network range and should use 155.210.12.9 and 155.210.3.12 as DNS servers.

The subnet range should be in CIDR format, for example, 192.168.0.0/24

openstack network list
openstack subnet create --project <project> --project-domain <project-domain> --subnet-range <subnet-range> --network <network> --dns-nameserver 155.210.12.9 --dns-nameserver 155.210.3.12 <name>

Add subnet to router

To route the traffic, we must attach the router to the subnet we have created:

openstack router list
openstack subnet list
openstack router add subnet <router> <subnet>

Security Group Creation

By default, the default security group allows all egress traffic but no ingress traffic. Hence, to allow access to the VM from the Internet or from other private networks, you must edit the default security group or create new security groups with ingress rules (for SSH, HTTPS, etc.).

openstack security group create <security-group>

Example:

openstack security group rule create --protocol tcp --remote-ip 0.0.0.0/0 --dst-port 22 --ingress my-security-group
openstack security group rule create --protocol tcp --remote-ip 0.0.0.0/0 --dst-port 22 --egress my-security-group
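As an added example (not from the BiFi documentation), the following script chains the network, subnet, router and security-group steps above into one function, checks that the subnet range is an RFC 1918 private range before creating it, and limits the SSH ingress rule to an administrator CIDR rather than 0.0.0.0/0. The project, domain, network name and CIDR values are placeholders, and the script assumes the project already has the single SNAT router described earlier.

```shell
#!/bin/sh
# Added example, not from the BiFi documentation. Project, domain, network
# and CIDR values are placeholders; the project's router is assumed to exist.
set -eu

DNS1=155.210.12.9
DNS2=155.210.3.12

# Returns 0 if $1 is a valid CIDR inside an RFC 1918 block (10/8, 172.16/12,
# 192.168/16) with a prefix length between 8 and 30, else 1. Pure shell.
is_private_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; prefix=${1#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 8 ] && [ "$prefix" -le 30 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && [ "$prefix" -ge 12 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && [ "$prefix" -ge 16 ] && return 0
  return 1
}

# Runs the documented steps for one project: internal network, subnet with
# the BiFi DNS servers, router attachment, and an SSH security group whose
# ingress rule is limited to $5 (an admin CIDR) instead of 0.0.0.0/0.
setup_project_network() {
  project=$1 domain=$2 net=$3 range=$4 admin_cidr=$5
  is_private_cidr "$range" || { echo "refusing non-private subnet range: $range" >&2; return 1; }
  [ "$admin_cidr" != "0.0.0.0/0" ] || { echo "refusing world-open SSH rule" >&2; return 1; }
  openstack network create --internal --project "$project" --project-domain "$domain" "$net"
  openstack subnet create --project "$project" --project-domain "$domain" \
    --subnet-range "$range" --network "$net" \
    --dns-nameserver "$DNS1" --dns-nameserver "$DNS2" "${net}-subnet"
  # Use the project's single SNAT router described above.
  router=$(openstack router list --project "$project" -f value -c Name | head -n 1)
  [ -n "$router" ] || { echo "no router found in project $project" >&2; return 1; }
  openstack router add subnet "$router" "${net}-subnet"
  openstack security group create "${net}-ssh"
  openstack security group rule create --protocol tcp --remote-ip "$admin_cidr" \
    --dst-port 22 --ingress "${net}-ssh"
}

# Usage: sh setup-net.sh <project> <project-domain> <network-name> <cidr> <admin-cidr>
if [ "$#" -eq 5 ]; then
  setup_project_network "$@"
fi
```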