Networking and Security

Networking

When you create a new instance, you can connect it to one of two types of networks:

  1. Public Network (public): Red Cloud has a public network that connects instances directly to the Internet.
  2. Private Network: Connects one or more instances. A floating IP address can be dynamically assigned to an instance on a private network so that the instance can accept incoming connections from the Internet at that address.

Public Network

The public network is a pre-configured network in Red Cloud that offers direct connectivity to the Internet. The public network has the IP range of 128.84.40.0/22.

When you create an instance, specify the public network under the "Network" tab (Horizon) or with the --network option (CLI client). An IP address from the 128.84.40.0/22 range is automatically assigned to the instance for its entire lifecycle, and the instance is created on the public network at that address. You can restrict access to the instance using security groups.

Private Network and Floating IP

A private network connects one or more instances inside a VXLAN tunnel. Traffic on the network is visible only to instances on the same private network. To connect an instance to a private network:

  1. If the private network does not already exist, create a new private network.
  2. When creating a new instance, specify the private network under the "Network" tab (Horizon) or the --network option (CLI client).

By default a private network does not have connectivity to the public Internet.

Networking Operations

Create a Private Network

Delete a Network

Create a Router

Connect a Router to a Subnet

Delete a Router

Create a Floating IP Address

Delete a Floating IP Address

Assign a Floating IP Address to an Instance

Remove a Floating IP Address from an Instance

Security

Security Group

Security groups are firewalls that control inbound and outbound network traffic to your instances. A security group is a collection of rules, each of which allows traffic to come from (ingress) or go to (egress) a set of Internet Protocol (IP) addresses on a given set of ports. The permissions granted by these rules accumulate to form the net effect of the security group. Multiple security groups can be assigned to an instance, and the permissions from all of those groups accumulate as well.

Each Red Cloud project has a default security group that cannot be deleted. The default rules of this group allow all outbound traffic but block all inbound traffic. You will want to either modify the project's default security group or create additional security groups to permit the kinds of network communication that the default group does not enable.

When launching a new instance, the instance is assigned to at least one security group (the default security group if none is specified). Unless you modify the rules of your project's default security group or assign the instance to another security group, access to the new instance from outside the cloud is disabled by default!

Security Group Operations

Create a Security Group

Delete a Security Group

Before a security group can be deleted, it must not be in use by any instances.

List Security Groups

Add a Security Group Rule

Add a security group rule to explicitly allow access. Each rule can contain the following filters:

  • Direction: ingress or egress
  • Protocol: icmp, tcp, or udp
  • Port: destination port number or port range
  • Remote IP: specify remote IP address or CIDR. Enter 0.0.0.0/0 for the entire internet.
  • Remote Security Group: instead of a remote IP range, allow access from instances that are members of the specified security group

When creating rules for a security group, limit access as much as possible. For example, use the following IP ranges to limit access to the Cornell campus network or the CU VPN.

Cornell Campus Network IP Ranges

The Cornell campus network uses the following IP ranges:

  • 128.84.0.0/16
  • 128.253.0.0/16
  • 132.236.0.0/16
  • 192.35.82.0/24
  • 192.122.235.0/24
  • 192.122.236.0/24
  • 10.0.0.0/0

CU VPN IP Ranges

The CU VPN uses the following IP ranges:

  • 10.41.224.0/19 (General Pool)
  • 10.17.0.0/16 (Department VPN)
  • 10.18.0.0/16 (Department VPN)

Common Security Group Rule Sets

Set up security group rules to allow access to your instance only from the expected sources (IP addresses) and methods (port numbers) of access. Doing so minimizes the attack surface and keeps your instance as safe from remote attacks as possible. For example, the following script sets up a security group to accept ssh connections only from the Cornell campus network, including the CU VPN:

#!/bin/bash
# Security group that receives the rules, and the TCP port to open
sec_group_name=your_security_group_name
tcp_port=22

# One ingress rule per Cornell campus IP range (see the list above)
openstack security group rule create --protocol tcp --dst-port ${tcp_port} --remote-ip 128.84.0.0/16 ${sec_group_name}
openstack security group rule create --protocol tcp --dst-port ${tcp_port} --remote-ip 128.253.0.0/16 ${sec_group_name}
openstack security group rule create --protocol tcp --dst-port ${tcp_port} --remote-ip 132.236.0.0/16 ${sec_group_name}
openstack security group rule create --protocol tcp --dst-port ${tcp_port} --remote-ip 192.35.82.0/24 ${sec_group_name}
openstack security group rule create --protocol tcp --dst-port ${tcp_port} --remote-ip 192.122.235.0/24 ${sec_group_name}
openstack security group rule create --protocol tcp --dst-port ${tcp_port} --remote-ip 192.122.236.0/24 ${sec_group_name}
# Note: a /0 prefix length matches every IPv4 address, not only 10.x.x.x; verify this range is the one you intend
openstack security group rule create --protocol tcp --dst-port ${tcp_port} --remote-ip 10.0.0.0/0 ${sec_group_name}

With these rules, only users on the Cornell campus or off-campus users connected to the CU VPN will be able to ssh to your instance, and not some hacker from halfway around the world. You can adapt the script for other services by changing the value of tcp_port to the port number of the allowed service:

Service                                  Port Number
ssh                                      22
http                                     80
https                                    443
RDP (for accessing Windows instances)    3389
Globus transfer data channels            50000:51000

The following script sets up a security group to accept ssh connections only from the CU VPN:

#!/bin/bash
# Security group that receives the rules, and the TCP port to open
sec_group_name=your_security_group_name
tcp_port=22

# One ingress rule per CU VPN IP range (see the list above)
openstack security group rule create --protocol tcp --dst-port ${tcp_port} --remote-ip 10.41.224.0/19 ${sec_group_name}
openstack security group rule create --protocol tcp --dst-port ${tcp_port} --remote-ip 10.17.0.0/16 ${sec_group_name}
openstack security group rule create --protocol tcp --dst-port ${tcp_port} --remote-ip 10.18.0.0/16 ${sec_group_name}
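The two scripts above hard-code one command per range. As an added example (not part of the Red Cloud documentation), the following Python generates the same "openstack security group rule create" commands from the campus and VPN range lists, checks each remote range for an overly broad prefix before anything is created (a /0 admits every IPv4 address), and shows how accumulated rules decide whether a given source address is admitted. The group name, function names and the 203.0.113.5 sample address are assumptions chosen for the example.

```python
# Added example: generate and sanity-check security group rules for the
# Cornell campus / CU VPN range lists.  Standard library only.
from ipaddress import ip_address, ip_network

# Remote IP ranges exactly as listed on this page.
CAMPUS_RANGES = ["128.84.0.0/16", "128.253.0.0/16", "132.236.0.0/16",
                 "192.35.82.0/24", "192.122.235.0/24", "192.122.236.0/24",
                 "10.0.0.0/0"]
VPN_RANGES = ["10.41.224.0/19", "10.17.0.0/16", "10.18.0.0/16"]


def rule_commands(group, port, ranges, protocol="tcp"):
    """Return one ingress rule command per remote range (ingress is the CLI default)."""
    return [f"openstack security group rule create --protocol {protocol} "
            f"--dst-port {port} --remote-ip {cidr} {group}" for cidr in ranges]


def overly_broad(ranges, min_prefix=8):
    """Return (range, normalised) pairs whose prefix is shorter than min_prefix.

    ip_network(strict=False) clears the host bits, so "10.0.0.0/0" normalises
    to "0.0.0.0/0": a /0 rule admits the whole Internet, not just 10.x.x.x.
    """
    return [(cidr, str(ip_network(cidr, strict=False)))
            for cidr in ranges
            if ip_network(cidr, strict=False).prefixlen < min_prefix]


def admitted(source_ip, ranges):
    """True if any range matches: rule permissions accumulate, one match is enough."""
    addr = ip_address(source_ip)
    return any(addr in ip_network(cidr, strict=False) for cidr in ranges)


if __name__ == "__main__":
    # Assumed group name; 203.0.113.5 is a documentation address (constructed input)
    for cmd in rule_commands("your_security_group_name", 22, VPN_RANGES):
        print(cmd)
    print("overly broad campus ranges:", overly_broad(CAMPUS_RANGES))
    print("203.0.113.5 admitted by VPN list:", admitted("203.0.113.5", VPN_RANGES))
    print("203.0.113.5 admitted by campus list:", admitted("203.0.113.5", CAMPUS_RANGES))
```

Run the check before the rule commands; a non-empty result from overly_broad means the rule set would admit far more than the listed network.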

Delete a Security Group Rule
