Chapter 9. Providing public access to an instance
New instances automatically receive a port with a fixed IP address on the network that the instance is assigned to. This IP address is private and is permanently associated with the instance until the instance is deleted. The fixed IP address is used for communication between instances.
You can connect a public instance directly to a shared external network where a public IP address is directly assigned to the instance. This is useful if you are working in a private cloud.
You can also provide public access to an instance through a project network that has a routed connection to an external provider network. This is the preferred method if you are working in a public cloud, or when public IP addresses are limited. To provide public access through the project network, the project network must be connected to a router with the gateway set to the external network. For external traffic to reach the instance, the cloud user must associate a floating IP address with the instance.
To provide access to and from an instance, whether it is connected to a shared external network or a routed provider network, you must use a security group with the required protocols, such as SSH, ICMP, or HTTP. You must also pass a key pair to the instance during creation, so that you can access the instance remotely.
9.1. Prerequisites
- The external network must have a subnet to provide the floating IP addresses.
- The project network must be connected to a router that has the external network configured as the gateway.
- A security group with the required protocols must be available for your project. For more information see Configuring security groups in Configuring Red Hat OpenStack Platform networking.
9.2. Securing instance access with security groups and key pairs
Security groups are sets of IP filter rules that control network and protocol access to and from instances, such as ICMP to allow you to ping an instance, and SSH to allow you to connect to an instance.
All projects have a default security group called default, which is used when you do not specify a security group for your instances. By default, the default security group allows all outgoing traffic and denies all incoming traffic from any source other than instances in the same security group. You can apply one or more security groups to an instance during instance creation. To apply a security group to a running instance, apply the security group to a port attached to the instance.
For more information on security groups, see Configuring security groups in Configuring Red Hat OpenStack Platform networking.
You cannot apply a role-based access control (RBAC)-shared security group directly to an instance during instance creation. To apply an RBAC-shared security group to an instance you must first create the port, apply the shared security group to that port, and then assign that port to the instance. See Adding a security group to a port.
Key pairs are SSH or x509 credentials that are injected into an instance when it is launched to enable remote access to the instance. You can create new key pairs in RHOSP, or import existing key pairs. Each user should have at least one key pair. The key pair can be used for multiple instances.
You cannot share key pairs between users in a project because each key pair belongs to the individual user that created or imported the key pair, rather than to the project.
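As an added example that is not part of the RHOSP documentation, the following Python script audits a security group for ingress rules that any host on the Internet can reach, working from the JSON that `openstack security group rule list <sec_group> -f json` prints. The column names are assumed from the openstackclient output, the sample rules are constructed, and only SSH, HTTP and ICMP (the protocols the chapter names) are treated as required.

```python
# Added example (not from the RHOSP documentation): audit the JSON printed by
# `openstack security group rule list <sec_group> -f json` for ingress rules
# that any host on the Internet can reach. Column names are assumed from the
# openstackclient output; the sample rules below are constructed.
import ipaddress
import json

ANY_SOURCE = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

def port_range(spec):
    """Turn '22:22' into (22, 22); an empty range means every port."""
    if not spec:
        return (1, 65535)
    lo, hi = spec.split(":")
    return (int(lo), int(hi))

def open_to_world(rule):
    """True when the remote is the whole IPv4 or IPv6 Internet. No prefix plus a
    remote group is the default group's same-group rule; no prefix and no group means any source."""
    prefix = rule.get("IP Range") or ""
    if not prefix:
        return rule.get("Remote Security Group") is None
    return ipaddress.ip_network(prefix, strict=False) in ANY_SOURCE

def audit_rules(rules, allowed):
    """Return (rule ID, reason) for world-reachable ingress rules not covered
    by `allowed`, a map of protocol -> set of ports, or "*" for any port."""
    findings = []
    for rule in rules:
        if rule.get("Direction") != "ingress" or not open_to_world(rule):
            continue
        proto = (rule.get("IP Protocol") or "any").lower()
        ok = allowed.get(proto)
        if proto == "any" or ok is None:
            findings.append((rule["ID"], f"{proto} open to any source"))
            continue
        lo, hi = port_range(rule.get("Port Range") or "")
        if ok != "*" and any(p not in ok for p in range(lo, hi + 1)):
            findings.append((rule["ID"], f"{proto} {lo}-{hi} open to any source"))
    return findings

# Constructed sample: SSH (r1), RDP open to the world (r2), a database port limited to one subnet (r3), the default group's same-group rule (r4), egress (r5).
SAMPLE_RULES = json.loads("""[
 {"ID": "r1", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0", "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": null},
 {"ID": "r2", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0", "Port Range": "3389:3389", "Direction": "ingress", "Remote Security Group": null},
 {"ID": "r3", "IP Protocol": "tcp", "IP Range": "10.0.0.0/24", "Port Range": "5432:5432", "Direction": "ingress", "Remote Security Group": null},
 {"ID": "r4", "IP Protocol": null, "IP Range": "", "Port Range": "", "Direction": "ingress", "Remote Security Group": "default"},
 {"ID": "r5", "IP Protocol": null, "IP Range": "0.0.0.0/0", "Port Range": "", "Direction": "egress", "Remote Security Group": null}
]""")
REQUIRED = {"tcp": {22, 80}, "icmp": "*"}  # the protocols the chapter names as typically required
```

Run `audit_rules(SAMPLE_RULES, REQUIRED)` to list only the RDP rule; feed it the real `-f json` output of your own group to review what you expose.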
9.2.1. Adding a security group to a port
The default security group is applied to instances that do not specify an alternative security group. You can apply an alternative security group to a port on a running instance.
Procedure
1. Determine the port on the instance that you want to apply the security group to:
   $ openstack port list --server myInstancewithSSH
2. Apply the security group to the port:
   $ openstack port set --security-group <sec_group> <port>
   Replace <sec_group> with the name or ID of the security group you want to apply to the port on your running instance. You can use the --security-group option more than once to apply multiple security groups, as required.
9.2.2. Removing a security group from a port
To remove a security group from a port, you must first remove all the security groups from the port, then re-add the security groups that you want to remain assigned to it.
Procedure
1. List all the security groups associated with the port and record the IDs of the security groups that you want to remain associated with the port:
   $ openstack port show <port>
2. Remove all the security groups associated with the port:
   $ openstack port set --no-security-group <port>
3. Re-apply the security groups to the port:
   $ openstack port set --security-group <sec_group> <port>
   Replace <sec_group> with the ID of the security group that you want to re-apply to the port on your running instance. You can use the --security-group option more than once to apply multiple security groups, as required.
9.2.3. Generating a new SSH key pair
You can create a new SSH key pair for use within your project.
Use an x509 certificate to create a key pair for a Windows instance.
Procedure
1. Create the key pair and save the private key in your local .ssh directory:
   $ openstack keypair create <keypair> > ~/.ssh/<keypair>.pem
   Replace <keypair> with the name of your new key pair.
2. Protect the private key:
   $ chmod 600 ~/.ssh/<keypair>.pem
9.2.4. Importing an existing SSH key pair
You can import an SSH key to your project that you created outside of the Red Hat OpenStack Platform (RHOSP) by providing the public key file when you create a new key pair.
Procedure
1. Create the key pair from the existing key file and save the private key in your local .ssh directory:
   - To import the key pair from an existing public key file, enter the following command:
     $ openstack keypair create --public-key ~/.ssh/<public_key>.pub \
       <keypair> > ~/.ssh/<keypair>.pem
     Replace <public_key> with the name of the public key file that you want to use to create the key pair.
     Replace <keypair> with the name of your new key pair.
   - To import the key pair from an existing private key file, enter the following command:
     $ openstack keypair create --private-key ~/.ssh/<private_key> \
       <keypair> > ~/.ssh/<keypair>.pem
     Replace <private_key> with the name of the private key file that you want to use to create the key pair.
     Replace <keypair> with the name of your new key pair.
2. Protect the private key:
   $ chmod 600 ~/.ssh/<keypair>.pem
9.2.5. Additional resources
- Configuring security groups in Configuring Red Hat OpenStack Platform networking.
- Project security management in Managing OpenStack Identity resources.
9.3. Assigning a floating IP address to an instance
You can assign a public floating IP address to an instance to enable communication with networks outside the cloud, including the Internet. The cloud administrator configures the available pool of floating IP addresses for an external network. You can allocate a floating IP address from this pool to your project, then associate the floating IP address with your instance.
Projects have a limited quota of floating IP addresses that can be used by instances in the project, 50 by default. Therefore, release IP addresses for reuse when you no longer need them.
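The quota caveat above is easy to check for. As an added example that is not part of the RHOSP documentation, this Python script reads the JSON that `openstack floating ip list -f json` prints and reports the addresses that are allocated to the project but associated with no port, together with the project's remaining headroom. The column names are assumed from the openstackclient output, the sample rows are constructed, and the quota defaults to the 50 the chapter cites (pass the value from `openstack quota show` if yours differs).

```python
# Added example (not from the RHOSP documentation): find floating IP addresses
# that are allocated to the project but associated with no port, so they use up
# quota without serving an instance. Input is the JSON printed by
# `openstack floating ip list -f json`; the column names are assumed from the
# openstackclient output and the sample rows below are constructed.
import json

DEFAULT_QUOTA = 50  # per-project floating IP quota the chapter cites as the default


def idle_floating_ips(fips):
    """Return the entries that have neither a Port nor a Fixed IP Address."""
    return [f for f in fips if not f.get("Port") and not f.get("Fixed IP Address")]


def quota_report(fips, quota=DEFAULT_QUOTA):
    """Summarise allocation against quota and list the idle addresses."""
    idle = idle_floating_ips(fips)
    return {
        "allocated": len(fips),
        "associated": len(fips) - len(idle),
        "idle": [f["Floating IP Address"] for f in idle],
        "remaining": quota - len(fips),
        # Release commands for the idle addresses, built as strings for review, not executed.
        "release_commands": [
            f"openstack floating ip delete {f['Floating IP Address']}" for f in idle
        ],
    }


# Constructed sample: two addresses in use by ports, one allocated but idle.
SAMPLE_FIPS = json.loads("""[
 {"ID": "a1", "Floating IP Address": "203.0.113.10", "Fixed IP Address": "192.168.1.12", "Port": "p-1", "Floating Network": "public", "Project": "demo"},
 {"ID": "a2", "Floating IP Address": "203.0.113.11", "Fixed IP Address": null, "Port": null, "Floating Network": "public", "Project": "demo"},
 {"ID": "a3", "Floating IP Address": "203.0.113.12", "Fixed IP Address": "192.168.1.20", "Port": "p-2", "Floating Network": "public", "Project": "demo"}
]""")

if __name__ == "__main__":
    print(json.dumps(quota_report(SAMPLE_FIPS), indent=2))
```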
Prerequisites
- The instance must be on an external network, or on a project network that is connected to a router that has the external network configured as the gateway.
- The external network that the instance will connect to must have a subnet to provide the floating IP addresses.
Procedure
1. Check the floating IP addresses that are allocated to the current project:
   $ openstack floating ip list
2. If there are no floating IP addresses available that you want to use, allocate a floating IP address to the current project from the external network allocation pool:
   $ openstack floating ip create <provider-network>
   Replace <provider-network> with the name or ID of the external network that you want to use to provide external access.
   Tip: By default, a floating IP address is randomly allocated from the pool of the external network. A cloud administrator can use the --floating-ip-address option to allocate a specific floating IP address from an external network.
3. Assign the floating IP address to an instance:
   $ openstack server add floating ip [--fixed-ip-address <ip_address>] \
     <instance> <floating_ip>
   - Replace <instance> with the name or ID of the instance that you want to provide public access to.
   - Replace <floating_ip> with the floating IP address that you want to assign to the instance.
   - Optional: Replace <ip_address> with the IP address of the interface that you want to attach the floating IP to. By default, this attaches the floating IP address to the first port.
4. Verify that the floating IP address has been assigned to the instance:
   $ openstack server show <instance>
Additional resources
- Creating floating IP pools in the Configuring Red Hat OpenStack Platform networking guide.
9.4. Disassociating a floating IP address from an instance
When the instance no longer needs public access, disassociate the floating IP address from the instance and return it to the allocation pool.
Procedure
1. Disassociate the floating IP address from the instance:
   $ openstack server remove floating ip <instance> <floating_ip>
   - Replace <instance> with the name or ID of the instance that you want to remove public access from.
   - Replace <floating_ip> with the floating IP address that is assigned to the instance.
2. Release the floating IP address back into the allocation pool:
   $ openstack floating ip delete <floating_ip>
3. Confirm the floating IP address is deleted and is no longer available for assignment:
   $ openstack floating ip list
9.5. Creating an instance with SSH access
You can provide SSH access to an instance by specifying a key pair when you create the instance. Key pairs are SSH or x509 credentials that are injected into an instance when it is launched. Each project should have at least one key pair. A key pair belongs to an individual user, not to a project.
You cannot associate a key pair with an instance after the instance has been created.
You can apply a security group directly to an instance during instance creation, or to a port on the running instance.
You cannot apply a role-based access control (RBAC)-shared security group directly to an instance during instance creation. To apply an RBAC-shared security group to an instance you must first create the port, apply the shared security group to that port, and then assign that port to the instance. See Adding a security group to a port.
Prerequisites
- A key pair is available that you can use to SSH into your instances. For more information, see Generating a new SSH key pair.
- The network that you plan to create your instance on must be an external network, or a project network connected to a router that has the external network configured as the gateway. For more information, see Adding a router in the Configuring Red Hat OpenStack Platform networking guide.
- The external network that the instance connects to must have a subnet to provide the floating IP addresses.
- The security group allows SSH access to instances. For more information, see Securing instance access with security groups and key pairs.
- The image that the instance is based on contains the cloud-init package to inject the SSH public key into the instance.
- A floating IP address is available to assign to your instance. For more information, see Assigning a floating IP address to an instance.
Procedure
1. Retrieve the name or ID of the flavor that has the hardware profile that your instance requires:
   $ openstack flavor list
   Note: Choose a flavor with sufficient size for the image to successfully boot, otherwise the instance will fail to launch.
2. Retrieve the name or ID of the image that has the software profile that your instance requires:
   $ openstack image list
   If the image you require is not available, you can download or create a new image. For information about creating or downloading cloud images, see Creating images.
3. Retrieve the name or ID of the network that you want to connect your instance to:
   $ openstack network list
4. Retrieve the name of the key pair that you want to use to access your instance remotely:
   $ openstack keypair list
5. Create your instance with SSH access:
   $ openstack server create --flavor <flavor> \
     --image <image> --network <network> \
     [--security-group <secgroup>] \
     --key-name <keypair> --wait myInstancewithSSH
   - Replace <flavor> with the name or ID of the flavor that you retrieved in step 1.
   - Replace <image> with the name or ID of the image that you retrieved in step 2.
   - Replace <network> with the name or ID of the network that you retrieved in step 3. You can use the --network option more than once to connect your instance to several networks, as required.
   - Optional: The default security group is applied to instances that do not specify an alternative security group. You can apply an alternative security group directly to the instance during instance creation, or to a port on the running instance. Use the --security-group option to specify an alternative security group when creating the instance. For information on adding a security group to a port on a running instance, see Adding a security group to a port.
   - Replace <keypair> with the name or ID of the key pair that you retrieved in step 4.
6. Assign a floating IP address to the instance:
   $ openstack server add floating ip myInstancewithSSH <floating_ip>
   Replace <floating_ip> with the floating IP address that you want to assign to the instance.
7. Use the automatically created cloud-user account to verify that you can log in to your instance by using SSH:
   $ ssh -i ~/.ssh/<keypair>.pem cloud-user@<floatingIP>
   [cloud-user@demo-server1 ~]$
9.6. Additional resources
- Creating a network in Configuring Red Hat OpenStack Platform networking.
- Adding a router in Configuring Red Hat OpenStack Platform networking.
- Configuring security groups in Configuring Red Hat OpenStack Platform networking.