Configuring Access and Security for Instances

Before you launch an instance, you should add security group rules to enable users to ping and use SSH to connect to the instance.

Security groups are sets of IP filter rules that define networking access and apply to all instances within a project. To apply a new rule, you either add rules to the default security group or add a new security group with rules.

Key pairs are SSH credentials that are injected into an instance when it is launched. To use key pair injection, the image that the instance is based on must contain the cloud-init package. Each project should have at least one key pair. For more information, see Adding a Key Pair.

If you generated a key pair using an external tool, you can import it into Metacloud. The key pair can be used for multiple instances that belong to a project. For more information, see Importing a Key Pair.

Note
A key pair belongs to an individual user, not to a project. To share a key pair across multiple users, each user needs to import that key pair.

Adding a Rule to the Default Security Group

This procedure enables SSH and ICMP (ping) access to instances. The rules apply to all instances within a given project and should be set for every project, unless there is a reason to prohibit SSH or ICMP access to the instances.

This procedure can be adjusted as necessary to add other security group rules to a project, if your cloud requires them.

Note
When adding a rule, you must specify the protocol used with the destination port or the source port.

To add an SSH rule to the default security group:

  1. Log in to the Dashboard.
  2. On the Project drop-down, click ACCESS & SECURITY.
  3. The Security Groups tab shows the security groups that are available for this project. Select the default security group and click Manage Rules in the Actions column.
  4. In the Security Group Rules panel, click Add Rule.
  5. In the Add Rule dialog box, enter the following values:
    • Rule: SSH
    • Remote: CIDR
    • CIDR: 0.0.0.0/0

    Note
    To accept requests from a particular range of IP addresses, specify the IP address block in the CIDR field.

  6. Click Add. Instances now have SSH port 22 available for requests from any IP address.

To add an ICMP rule to the default security group:

  1. Log in to the Dashboard.
  2. On the Project drop-down, click ACCESS & SECURITY.
  3. The Security Groups tab shows the security groups that are available for this project. Select the default security group and click Manage Rules in the Actions column.
  4. In the Security Group Rules panel, click Add Rule.
  5. In the Add Rule dialog box, enter the following values:
    • Rule: All ICMP
    • Direction: Ingress
    • Remote: CIDR
    • CIDR: 0.0.0.0/0
  6. Click Add. Instances now accept all incoming ICMP packets.
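
Added example (not part of the Metacloud documentation): the Python sketch below models the two rules created by the procedures above and shows how the CIDR value decides which source addresses a rule admits. The dictionary keys, the 203.0.113.0/24 block, and the assumption that rules only ever allow traffic are constructed for illustration.

```python
import ipaddress

# Constructed sample data: the two rules this page adds, using the Add Rule
# dialog's field names as dictionary keys (an assumption of this example).
PAGE_RULES = [
    {"rule": "SSH", "direction": "Ingress", "remote": "CIDR", "cidr": "0.0.0.0/0"},
    {"rule": "All ICMP", "direction": "Ingress", "remote": "CIDR", "cidr": "0.0.0.0/0"},
]
# Constructed alternative: SSH limited to one documentation address block.
RESTRICTED_RULES = [
    {"rule": "SSH", "direction": "Ingress", "remote": "CIDR", "cidr": "203.0.113.0/24"},
]


def ingress_networks(rules, rule_name=None):
    """Yield (rule name, parsed network) for each ingress CIDR rule."""
    for r in rules:
        if r["direction"].lower() != "ingress" or r["remote"] != "CIDR":
            continue
        if rule_name is not None and r["rule"] != rule_name:
            continue
        # strict=False accepts a block written with host bits set, e.g. 10.0.0.5/8
        yield r["rule"], ipaddress.ip_network(r["cidr"], strict=False)


def audit(rules):
    """Return (rule, cidr, address count) for every rule open to any source."""
    return [(name, str(net), net.num_addresses)
            for name, net in ingress_networks(rules) if net.prefixlen == 0]


def source_allowed(rules, rule_name, source_ip):
    """True if at least one matching rule admits source_ip (rules only allow)."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net
               for _, net in ingress_networks(rules, rule_name))


if __name__ == "__main__":
    for name, cidr, count in audit(PAGE_RULES):
        print(f"{name}: {cidr} admits {count} source addresses")
    for ip in ("198.51.100.7", "203.0.113.10"):
        print(ip, "-> SSH allowed:", source_allowed(RESTRICTED_RULES, "SSH", ip))
```
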

Adding a Key Pair

Create at least one key pair for each project.

  1. Log in to the Dashboard.
  2. On the Project drop-down, click ACCESS & SECURITY.
  3. Click the Key Pairs tab, which shows the key pairs that are available for this project.
  4. Click Create Key Pair.
  5. In the Create Key Pair dialog box, enter a name for your key pair, and click Create Key Pair.
  6. Respond to the prompt to download the key pair.

Importing a Key Pair

  1. Log in to the Dashboard.
  2. On the Project drop-down, click ACCESS & SECURITY.
  3. Click the Key Pairs tab, which shows the key pairs that are available for this project.
  4. Click Import Key Pair.
  5. In the Import Key Pair dialog box, enter the name of your key pair, copy the public key into the Public Key field, and then click Import Key Pair.
  6. Save the *.pem file locally.
  7. To change the permissions so that only you can read and write to the file, run the following command:

     $ chmod 0600 yourPrivateKey.pem

    Note
    If you are using the Dashboard from a Windows computer, use PuTTYgen to load the *.pem file, then convert and save it as *.ppk. For more information, see the WinSCP web page for PuTTYgen.

  8. To make the key pair known to SSH, run the ssh-add command.

     $ ssh-add yourPrivateKey.pem
    

    The Compute database registers the public key of the key pair. The Dashboard lists the key pair on the ACCESS & SECURITY tab.

Allocating a Floating IP Address to an Instance

When an instance is created in Metacloud, it is automatically assigned a fixed IP address in the network to which the instance is assigned. This IP address is permanently associated with the instance until the instance is terminated.

In addition to the fixed IP address, a floating IP address can be attached to an instance. Unlike fixed IP addresses, floating IP addresses can have their associations modified at any time, regardless of the state of the instances involved.

To associate an IP address with a specific instance:

  1. Log in to the Dashboard.
  2. On the Project drop-down, click INSTANCES.
  3. Select the instance and click the Associate Floating IP option in the Actions column.
  4. In the Manage Floating IP Associations dialog box, enter the following values:
    • IP Address—select an IP address from the list or allocate a new IP address by clicking the + button.

      Note
      You can also allocate and associate an IP address in PROJECT > ACCESS & SECURITY > Floating IPs.

    • Port to be Associated—select a port from the list. The list shows all the instances with their fixed IP addresses.

  5. Click Associate.

To disassociate an IP address from an instance, click Disassociate in the Actions column of the instance.

To release a floating IP address:

  1. On the Project drop-down, click ACCESS & SECURITY.
  2. On the Floating IPs tab, select the IP address and click the Release Floating IP option from the Actions column.