Manage and assign security groups

by | Nov 6, 2019

After clicking on the first new instance in our OpenStack web interface and assigning an SSH public key with which to connect to this VM, the newly minted administrator is faced with the small problem that he/she cannot access the instance from the outside; we have the “default” security group to thank for this.

It contains these rules:

– Allow incoming connections with any protocol, on any port, but only from hosts on the internal network that also use the “default” security group (IPv4 and IPv6)
– Allow outgoing connections with any protocol, on any port and to anywhere (IPv4 and IPv6)

In this way, the protection of the new VM is ensured. Any connecting person from the outside can only really get through the access opening that has been provided and created for this purpose. There are two ways to create such an opening: A new security group can be created and provided with a rule, or a rule can be added to the default security group. The second has the disadvantage that the rule to be entered will be applied to all new instances with the default security group in the future, which will not always make sense on all VMs.

Create a new OpenStack security group

Click on: Network > Security groups > “+ create security group”.

A dialogue box appears in which, at will but obligatory, a name must be entered (and optionally a description can be entered). Here I call the new group “Example”, but any other name that follows its own grouping strategies, for example, will do. Then still Create Security Group.

Then the following appears in the list:

Add SSH reachability from external as a rule of a security group

Click on: Network > Security Groups > Manage Rules (on the security group that is to be edited).

In a new, still unprocessed security group, you will only find one rule each for leaving (IPv4 and IPv6). Continue with: “+ Add rule”. In the drop-down menu Rule, select the sub-item SSH and “Add”.

– If a security group (e.g. default) already assigned to the VM has been provided with this rule, the rule is applied immediately and the VM can be contacted via the CLI.

– If a rule has been created in a new security group that has not yet been assigned to the VM:

Assign a new security group to a VM

Navigate: Compute > Instances > Drop-down arrow (far right of the instance to be modified) > Edit security groups. Under “All security groups” you will find the new one, with the white-on-blue plus add the new security group to the “Instance security groups” and “Save”.

Create ICMP reachability from external as a rule

Network > Security Groups > Manage Rules (at the security group to be edited) > “+ Add Rule” > Rule = “All ICMP” > Add.

A rule for HTTP / HTTPS, for example, or the following also works in the same way

Rule example with more chicanery
External accessibility with TCP in port range 65530-65535 only from IP

Network > Security Groups > Manage Rules (at the security group to be edited) > “+ Add Rule” > Rule = “Custom TCP Rule > Open Port = Port Range >
“From-Port” = 65530 > “To-Port” = 65535 > CIDR = > “Add”

For those who find setting up and configuring new VMs too extensive or difficult, MyEngineer will be happy to create any desired setup.

The first project can be started in our NWS Cloud.

More about Cloud
Creating and Using S3 Object Storage

Creating and Using S3 Object Storage

In times of high availability and multiple web servers, the balancing act between central data storage, data security and fast access times must somehow be achieved. This is precisely why more and more users are now using technologies that entice them with buzzwords...

Corosync Cluster with Failover IP

Corosync Cluster with Failover IP

One of the first customer requirements you usually read is High availability. For a long time now, it has been more the norm that the project is still accessible without problems even in the event of partial failures and that "single points of failure" are avoided. A...

Scaling on Demand

Scaling on Demand

Depending on the type of production, it may be worthwhile for some server operators to automatically create virtual machines for a certain period of time and - after the work is done - to delete them again just as automatically; for example, if a computing job with...