Create a Security Group

Security Groups are used like a firewall in OpenStack. You can create a Security Group to open and/or close ports for both incoming traffic (Ingress) and outgoing traffic (Egress). OpenStack documentation requires that the operating system firewall be turned off for an image to work properly as an OpenStack instance. Because of this, the Security Group is the firewall protecting your instance, so it is important that you set it up properly. The following guide shows you how to create a CRC-recommended Security Group that allows incoming and outgoing traffic for the campus networks.

Adding the Security Group

To create a security group, navigate to the 'Security Groups' tab on the Access & Security page. It should look something like this:

[Image: 009 OS Security Group.png]

Click on 'Create Security Group' in the upper right-hand corner. This will prompt you with the following dialogue box:

[Image: 010 OS Security Group.png]

Enter a name and description for this Security Group, then click 'Create Security Group'. Now that you have created your security group, you need to edit its rules.

Editing the Rules

From the Access & Security page, click 'Manage Rules' on your new security group.

[Image: 011 OS Security Group.png]

By default, your new security group has only two egress rules, one for IPv4 and one for IPv6, which allow all outbound packets from the virtual machine. In general, it is better to delete these rules and create your own so that outgoing traffic is allowed only to the campus network. To create custom ingress and egress rules, click '+ Add Rule' in the upper right-hand corner. This will prompt you with the following dialogue box:

[Image: OpenStackAddRule1.png]

This dialogue box is dynamic and changes based upon the initial rule value you select. Most CRC users will want to allow both incoming and outgoing SSH and ping (ICMP) traffic for their instances, restricted to the campus network (or via VPN). To do this you will need to create Custom TCP and ICMP ingress/egress rules for the following network ranges:

172.16.0.0/12
10.0.0.0/8
66.254.224.0/19
129.74.0.0/16

Here is an example of a Custom TCP rule for SSH:

[Image: 019 OS TCP.png]

Here is an example of a Custom ICMP rule for ping:

[Image: 020 OS ICMP.png]

Here is what your Security Group would look like after setting up ingress/egress rules for SSH and ping:

[Image: 021 OS Rules.png]
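
The same procedure can be scripted with the OpenStack command-line client. The script below is an added example, not part of the original CRC guide: it creates the group, deletes the default egress rules, and adds the SSH and ping rules for the four campus ranges listed above. The group name crc-campus is a hypothetical placeholder, and --apply assumes the openstack client is installed and your credentials are loaded.

```shell
#!/bin/sh
# Added example, not from the CRC guide. "crc-campus" is a hypothetical name.
# --apply assumes the openstack CLI is installed and credentials are loaded.

# Campus ranges taken from the list on this page.
CAMPUS_CIDRS="172.16.0.0/12 10.0.0.0/8 66.254.224.0/19 129.74.0.0/16"

# Print one rule-create command per range x direction x protocol
# (4 x 2 x 2 = 16): TCP port 22 for SSH and ICMP for ping.
campus_rule_cmds() {
    group=$1
    case $group in
        ''|*[!A-Za-z0-9_-]*)
            echo "group name must be letters, digits, '_' or '-'" >&2
            return 2 ;;
    esac
    for cidr in $CAMPUS_CIDRS; do
        for dir in ingress egress; do
            base="openstack security group rule create --$dir --ethertype IPv4"
            echo "$base --protocol tcp --dst-port 22 --remote-ip $cidr $group"
            echo "$base --protocol icmp --remote-ip $cidr $group"
        done
    done
}

# Create the group, drop the default allow-all egress rules (IPv4 and IPv6),
# then add the campus-only rules.
apply_campus_group() {
    group=$1
    cmds=$(campus_rule_cmds "$group") || return 2
    openstack security group create \
        --description "SSH and ping, campus networks only" "$group" || return 1
    for id in $(openstack security group rule list --egress -f value -c ID "$group"); do
        openstack security group rule delete "$id" || return 1
    done
    printf '%s\n' "$cmds" | while read -r cmd; do
        $cmd </dev/null || exit 1
    done
}

case "${1:-}" in
    --print) campus_rule_cmds "${2:-crc-campus}" ;;
    --apply) apply_campus_group "${2:-crc-campus}" ;;
esac
```

Run it with --print first to review the 16 commands before using --apply.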
