Networking
Please read the following rules:
- If you are using a PERSONAL project, you have to use either the 147-251-115-pers-proj-net or 78-128-250-pers-proj-net network to make your instance accessible from an external network (e.g. Internet). Use public-muni-147-251-115-PERSONAL or public-cesnet-78-128-250-PERSONAL for FIP allocation.
- If you are using a GROUP project, you may choose any of the -GROUP suffix networks for FIP allocation to make your instance accessible from an external network (e.g. Internet).
- Violation of network usage may lead to resource removal and reduction of the quotas assigned.
In MetaCentrum Cloud (MCC) we support both IPv4 and IPv6. IPv4 allocation policies are based on Floating IPs (FIP). This type of networking requires the user to first connect the virtual network containing a specific VM to the public network before allocating a FIP for that VM. Further information is available in section virtual networking. The IPv6 allocation policy is based on a common IPv6 public network, which can be directly attached to VMs.
If you decide to attach a second interface to your VM, you should verify that the interface is correctly set up. Older VM images have secondary interfaces down by default, and some images need further configuration to enable IPv6 SLAAC.
Don’t forget to set up security groups accordingly.
Networking in personal projects is currently limited to the common internal networks. You can start your machine in network 78-128-250-pers-proj-net or 147-251-115-pers-proj-net and allocate a floating IP address from pools public-cesnet-78-128-250-PERSONAL and public-muni-147-251-115-PERSONAL respectively. All VMs need to be connected to the same network. You cannot use virtual routers with personal projects. We encourage users to also use IPv6 addresses for long term use. Unassigned allocated addresses are released daily.
The situation is rather different for group projects. You cannot use the same approach as for personal projects. You should create a virtual network as described in section virtual networking instead and select one of the pools with the -GROUP suffix, namely:
- public-cesnet-78-128-251-GROUP
- public-cesnet-195-113-167-GROUP
- public-muni-147-251-21-GROUP
- public-muni-147-251-124-GROUP
- public-muni-147-251-255-GROUP
Addresses that are unassigned for longer than 3 months can be released.
If you use a MUNI account, you can use private-muni-10-16-116 and log into the network via MUNI VPN, or you can set up Proxy networking, which is described in section proxy networking.
We have prepared an IPv6 prefix public-muni-v6-432, which is available for both personal and group projects. The network is available as an attachable network for VMs. If your VM does not receive the allocated address, check section obtaining IPv6 address.
MetaCentrum Cloud offers software-defined networking as one of its services. Users can create their own networks and subnets, connect them with routers and set up tiered network topologies.
Prerequisites:
- Basic understanding of routing
- Basic understanding of TCP/IP
For details, refer to the official documentation.
For a group project, you need to create an internal network first; you may use the auto-allocated pool for subnet auto-creation.
Routers can also be used to route traffic between internal networks. This is an advanced topic not covered in this guide.
If you have no gateway on your router, you can assign a new one.
Floating IPs are used to assign public IP addresses to VMs.
The floating IP address must be from the same network pool which was selected as the router network gateway.
Public IPv6 addresses are assigned via SLAAC. After assigning an interface in OpenStack to your instance, verify the correct configuration of your VM. You can assign an interface either by connecting your VM directly to the network upon creation (make sure you set up DNS records if you decide to use only IPv6) or by assigning a secondary interface.
Don’t forget to update your Security Groups.
Security rules in OpenStack serve as a firewall. Security rules are applied directly on VM ports and therefore proper configuration is necessary. Ingress as well as egress rules can be configured using Horizon and the CLI. If you can’t connect via ssh or ping your instance, chances are it is because of security rules.
If you delete the default egress rules, your virtual machine will not be able to send outgoing communication. To fix this, add a new egress rule with any IP protocol and port range, and set Remote IP prefix to 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
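Added example, not part of the MetaCentrum documentation: a small Python model of how an allow-list security group decides on a packet, showing why SSH over IPv6 fails when only IPv4 rules exist and what deleting a default egress rule does. The rule dictionaries use Neutron's security group rule field names with constructed sample values; the function names are hypothetical, and rules that reference a remote security group are treated as non-matching.

```python
import ipaddress

# Constructed sample rules using Neutron's security-group-rule field names.
# State shown: SSH limited to one IPv4 prefix, no IPv6 ingress, IPv6 egress deleted.
RULES = [
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "198.51.100.0/24"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "icmp",
     "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "egress", "ethertype": "IPv4", "protocol": None,
     "remote_ip_prefix": "0.0.0.0/0"},
]
ANY = {"IPv4": "0.0.0.0/0", "IPv6": "::/0"}


def rule_allows(rule, direction, remote_ip, protocol, port=None):
    """True if this single rule permits the described packet."""
    ip = ipaddress.ip_address(remote_ip)
    if rule["direction"] != direction or rule["ethertype"] != f"IPv{ip.version}":
        return False
    if rule.get("remote_group_id"):  # group membership cannot be judged from an IP
        return False
    if rule.get("protocol") not in (None, protocol):  # None means any IP protocol
        return False
    prefix = rule.get("remote_ip_prefix")  # None means any address
    if prefix and ip not in ipaddress.ip_network(prefix):
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    return lo is None or port is None or lo <= port <= (hi or lo)


def allowed(rules, direction, remote_ip, protocol, port=None):
    """Security groups are allow-lists: with no matching rule the packet is dropped."""
    return any(rule_allows(r, direction, remote_ip, protocol, port) for r in rules)


def missing_egress(rules):
    """Ethertypes that no longer have an allow-all egress rule."""
    have = {r["ethertype"] for r in rules
            if r["direction"] == "egress" and r.get("protocol") is None
            and r.get("port_range_min") is None and not r.get("remote_group_id")
            and r.get("remote_ip_prefix") in (None, ANY[r["ethertype"]])}
    return [e for e in ANY if e not in have]


def egress_fix(ethertype):
    """Repair rule described in the text: any protocol and port, remote 0.0.0.0/0 or ::/0."""
    return {"direction": "egress", "ethertype": ethertype,
            "protocol": None, "remote_ip_prefix": ANY[ethertype]}
```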
Load balancers serve as a proxy between virtualised infrastructure and clients in the outside network. This is essential in OpenStack since it can be used in a scenario where the infrastructure dynamically starts new VMs and adds them into the load balancing pool in order to mitigate inaccessibility of services.
When modifying a load balancer, each operation puts the database into an immutable state. It is therefore recommended to use the --wait switch when creating, editing, or removing resources from load balancers.
We are currently observing inaccessibility of some load balancers on floating IP after creation. If this happens, please try to rebuild the load balancer before contacting support.
This status represents the overall state of the load balancer backend.
- ACTIVE: the load balancer backend is working as intended.
- PENDING: statuses starting with PENDING usually reflect modification of the load balancer, during which the database is in an immutable state and thus any additional operations will fail.
- ERROR: the provisioning has failed. This load balancer can’t be modified and usually is not working. Therefore we encourage our users to remove these load balancers. If this happens more often, please make sure to report this problem at cloud@metacentrum.cz.
- DELETED: entity has been deleted.
Operating status is managed by the health monitor service of the load balancer and reflects the availability of the endpoint service.
- ONLINE: all endpoint services are available.
- DEGRADED: some endpoint services are not available.
- ERROR: all endpoint services are unavailable.
- DRAINING: not accepting new connections.
- OFFLINE: entity is administratively disabled.
- NO_MONITOR: health monitor is not configured.
To create a load balancer, first prepare a pool of VMs with the operational service you wish to balance to. Next, create the load balancer in the same network and assign the pool as well as listeners on specific ports.
When deleting a load balancer, first unassign the floating IP address used by the load balancer.
Creation of new networking for a project can be divided into these steps:
- Create new network and subnet.
- Create router and assign interface.
- Assign external gateway.
- Assign FIPs to VMs.
In order to correctly migrate to a different external network, follow these steps:
- Release all Floating IPs.
- Clear router gateway.
- Assign router gateway into selected external network.
- Allocate and assign new FIPs from selected external network.
In your OpenStack instances, you can use private or public networks. If you use a private network and you need to access the internet for updates etc., you can check proxy issues, where proxy connection is explained.
Please verify correct configuration of security groups on your VM. More information is available in section security rules.
Some VM images have additional interfaces turned down by default. In this case, it is necessary to connect to the VM through the default interface and enable these interfaces. Known images with this flaw:
- centos-7-x86_64
- ubuntu-bionic-x86_64
Usually when you enable the interface, the VM should obtain an IPv4 address through DHCP and an IPv6 address through SLAAC. If you are able to receive an IPv4 address but not an IPv6 address, verify correct configuration of SLAAC on that VM interface. This flaw was spotted on image centos-8-x86_64.