Network Settings
Deprecated Networks and Concepts
For legacy reasons, the uni network still exists in every project and will be removed in the future along with support for floating IPs.
New VMs should neither use this network nor floating IPs, and older VMs should already consider migrating to the new network structure.
Network layout
We have three types of networks in OpenStack:
- Internal networks
- Internal networks with internet connectivity
- Public networks
Internal networks
Virtual machines in internal networks have IP addresses that are not routed outside of the university network. Thus, incoming and outgoing connections can only be made from/to IP addresses within the university network. For connections to hosts on the internet, for example for software updates, a proxy server must be configured.
Internal networks with internet connectivity
Virtual machines in this network category have public IPv6 addresses and private IPv4 addresses. SNAT on outgoing connections is performed at the outer limit of the university network. Without any additional firewall configuration, incoming connections are only possible from within the university network. Outgoing connections to the internet, however, are possible without further configuration.
Public networks
Virtual machines in public networks have public IP addresses. Incoming and outgoing connections are possible without further configuration. However, incoming connections from the internet need an exception in the university firewall, which can be requested via e-mail to noc@uni-muenster.de once there is a NIC entry for the virtual machine.
NIC Database Entry
Registering in the database of the NIC is currently needed for requesting certificates and having a DNS entry. We are currently automating this process, but for the time being you have to contact your IVV to create such a NIC database entry. The IVV is responsible for the network in which you are creating virtual machines. You may need to give the IVV access to the OpenStack project so that they can verify that you are indeed the owner of the respective IP addresses.
Security Groups
Security groups are firewall settings on port level. This means that OpenStack acts as an external firewall for your virtual machines, enforced not on the virtual routers but directly on the network port that is attached to the virtual machine. This allows for fine-grained firewall settings even in networks/subnets used by many projects. Security groups allow L4 rules on protocol, IP address and port combinations for incoming and outgoing connections. Instead of selecting IP addresses, you can also select foreign security groups, which refer to all virtual machines that have this foreign security group applied. For example, you can have “frontend” and “backend” security groups and only allow VMs with the “frontend” security group to access VMs in the “backend” security group.
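The frontend/backend pattern described above, written as an added Heat template (example only, not part of this documentation; it assumes the Heat orchestration service is available in the project, and the university CIDR and backend port are placeholders you supply yourself):

```yaml
heat_template_version: 2018-08-31

description: >
  Two security groups: "frontend" is reachable from the university network,
  "backend" accepts traffic only from VMs that carry the "frontend" group.

parameters:
  university_cidr:
    type: string
    description: CIDR of the university network (placeholder, supply your own)
  backend_port:
    type: number
    default: 5432
    description: TCP port of the backend service (constructed sample value)

resources:
  frontend_sg:
    type: OS::Neutron::SecurityGroup
    properties:
      name: frontend
      description: Frontend VMs, reachable from within the university network
      rules:
        # Only SSH and HTTPS, and only from the university range. No 0.0.0.0/0.
        # Listing only ingress rules keeps Neutron's default egress rules.
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: { get_param: university_cidr }
        - direction: ingress
          protocol: tcp
          port_range_min: 443
          port_range_max: 443
          remote_ip_prefix: { get_param: university_cidr }

  backend_sg:
    type: OS::Neutron::SecurityGroup
    properties:
      name: backend
      description: Backend VMs, reachable only from frontend VMs
      rules:
        # remote_group_id instead of an address: the rule follows whichever
        # VMs have the frontend group applied, so no IPs are hard-coded.
        - direction: ingress
          protocol: tcp
          port_range_min: { get_param: backend_port }
          port_range_max: { get_param: backend_port }
          remote_group_id: { get_resource: frontend_sg }
```

Attach `frontend` to the frontend VMs and `backend` to the backend VMs; a backend VM then refuses the backend port from every source that does not carry the `frontend` group, including other VMs in the same shared subnet.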
Virtual Networks
In some use cases, it is necessary to create a private network with an SNAT router in front.
Tenants cannot create their own networks, subnets or routers; if such a setup is desired, get in contact via the regular support channels.
Such a layout requires a virtual machine in the network, called a bastion host, with an additional floating IP, so that the other virtual machines in the network can be reached. In such cases, connect the primary interface of the virtual machine to one of the normal networks and a secondary interface to the private network.