In this document we talk about how to assign the right type of network and security access to a Virtual Machine.
Software Defined Networking and Security make it very simple to assign the right networking and security to a VM. As a user or administrator you need to know what use the VM is being put to, and based on that choose the appropriate networking and security.
You can control access to the VM in several ways:
a) Keep it completely private to your project
b) Allow the VM to reach the outside world (your intranet or internet)
c) Allow other applications or users to access the VM from outside of the project
d) Allow access on specific ports and using specific protocols only
This document explains things in increasing order of accessibility to a VM. In summary, if a VM is to be accessible via SSH from your intranet you have to add it to the SSH security group and also give it a floating IP. Doing one and not the other will result in the user not having SSH access to the VM.
Option 1: Default (VM Completely private):
- Each project is assigned a private network whose IP range can be any valid IP range.
- This IP range is completely private and internal to the ZeroStack cloud.
- When you create a VM you have to associate it with at least one network.
- By default the VM is associated with this default private network that is set up during project creation.
- VMs created like this are only reachable via the console (you can launch the console of the VM from UI).
- Each VM gets IPs from the subnet you assigned to the private network.
- These VMs can talk to other VMs in the same private network.
- These VMs have no ping, ssh, or HTTP access to any other VMs in the intranet or internet.
Option 2: VMs that can reach the intranet/internet but NOT the other way round:
- In the same project you can create an external network.
- External networks are created by assigning an IP address range that is internal to Collabnet or a range that is accessible from outside Collabnet (by Collabnet's customers).
- A valid gateway IP to get outside the private cloud must also be supplied.
- Create a router between the private network (that was created in option 1) and this external network.
- Once you do that, the VMs created earlier can reach out to the intranet and internet.
- You should now be able to ping google.com from the VM.
- You still cannot reach the VM from your intranet or outside the company.
Option 3: Making your VM reachable from intranet/internet:
- Once you have created an external network and tied it to your private network via a router you can assign a "floating IP" to the VMs.
- A floating IP is taken from the external network that was created in Option 2.
- The IP address is automatically assigned. We are adding a fix to allow manual assignment of floating IP to a VM.
- The VM now has two IP addresses: the private IP and the floating IP.
- You can now reach the VM from your intranet using the floating IP.
- Depending on what security groups have been associated with the VM you can ping or ssh to it.
Impact of Security Groups:
- A security group determines what ports and protocols are allowed access to/from a given VM.
- When a project is created you also get to choose from existing security groups or create new ones.
- For example, you could select the SSH security group (it has rules that allow outside access on port 22 and ICMP for ping).
- You could enable other ports and protocols as well.
- When you create a VM, these security groups show up in a drop-down list.
- You have to assign the right security group depending on the access you want.
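The three options and the security-group rule above combine into a simple reachability check. The following added example (not ZeroStack's code; all class names, the sample rules and the IP address are constructed for illustration) encodes those rules so that a VM's configuration can be audited for the half-configurations the summary warns about: a floating IP without an SSH rule, or an SSH rule without a floating IP and router.

```python
"""Audit a VM's network reachability using the private network / router /
floating IP / security group rules described above (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Rule:            # one security-group rule (hypothetical model)
    direction: str     # "ingress" or "egress"
    protocol: str      # "tcp", "udp" or "icmp"
    port_min: int = 0  # ignored for icmp
    port_max: int = 0


@dataclass
class VM:
    private_net: str                                  # network the VM is attached to
    routed_nets: Set[str] = field(default_factory=set)  # private nets with a router to an external net
    floating_ip: Optional[str] = None                 # None until Option 3 is applied
    rules: List[Rule] = field(default_factory=list)   # rules of the assigned security groups


def allows(rules, direction, protocol, port=None):
    """True if any rule matches direction and protocol (and port, for tcp/udp)."""
    for r in rules:
        if r.direction != direction or r.protocol != protocol:
            continue
        if protocol == "icmp" or (port is not None and r.port_min <= port <= r.port_max):
            return True
    return False


def access_level(vm):
    """Option number: 1 = console only, 2 = outbound only, 3 = reachable via floating IP."""
    if vm.private_net not in vm.routed_nets:
        return 1
    return 3 if vm.floating_ip else 2


def reachable_from_intranet(vm, protocol, port=None):
    """Inbound access needs BOTH a floating IP and an ingress rule; either alone is not enough."""
    return access_level(vm) == 3 and allows(vm.rules, "ingress", protocol, port)


def audit(vm):
    """Return findings for the half-configured SSH cases the summary warns about."""
    findings = []
    ssh_rule = allows(vm.rules, "ingress", "tcp", 22)
    if vm.floating_ip and not ssh_rule:
        findings.append("floating IP assigned but no ingress rule for tcp/22: SSH will fail")
    if ssh_rule and access_level(vm) != 3:
        findings.append("SSH group assigned but no floating IP or router: SSH will fail")
    return findings


# Constructed equivalent of the SSH security group: port 22 plus ICMP for ping.
SSH_GROUP = [Rule("ingress", "tcp", 22, 22), Rule("ingress", "icmp")]
```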
Given below are some videos that show how you would go about creating the right networking environment from the UI:
Video of how to create a private network during project creation. Also shows security group creation.