
Managing instance networking

Manage Floating IP Addresses

A floating IP address is an IP address (typically public) that can be dynamically assigned to an instance. Pools of floating IP addresses are created outside of python-novaclient with the nova-manage floating * commands. Refer to "Configuring Public (Floating) IP Addresses" in the OpenStack Compute Administration Manual for more information.

Before you begin, use nova floating-ip-pool-list to determine what floating IP pools are available.

$ nova floating-ip-pool-list
+------+
| name |
+------+
| nova |
+------+

In this example, the only available pool is nova.

Reserve and associate floating IP addresses

You can reserve floating IP addresses with the nova floating-ip-create command. This command reserves the addresses for the tenant, but does not immediately associate that address with an instance.

$ nova floating-ip-create nova
+--------------+-------------+----------+------+
|      Ip      | Instance Id | Fixed Ip | Pool |
+--------------+-------------+----------+------+
| 50.56.12.232 |     None    |   None   | nova |
+--------------+-------------+----------+------+

The floating IP address has been reserved, and can now be associated with an instance with the nova add-floating-ip command. For this example, we'll associate this IP address with an image called smallimage.

$ nova add-floating-ip smallimage 50.56.12.232

After the command completes, you can confirm that the IP address has been associated with the nova floating-ip-list and nova list commands.

$ nova floating-ip-list
+--------------+--------------------------------------+------------+------+
|      Ip      |             Instance Id              |  Fixed Ip  | Pool |
+--------------+--------------------------------------+------------+------+
| 50.56.12.232 | 542235df-8ba4-4d08-90c9-b79f5a77c04f | 10.4.113.9 | nova |
+--------------+--------------------------------------+------------+------+

$ nova list
+--------------------------------------+------------+--------+-------------------------------------------------------+
|                  ID                  |    Name    | Status |                        Networks                       |
+--------------------------------------+------------+--------+-------------------------------------------------------+
| 4bb825ea-ea43-4771-a574-ca86ab429dcb | tinyimage2 | ACTIVE |        public=10.4.113.6; private=172.16.101.6        |
| 542235df-8ba4-4d08-90c9-b79f5a77c04f | smallimage | ACTIVE | public=10.4.113.9, 50.56.12.232; private=172.16.101.9 |
+--------------------------------------+------------+--------+-------------------------------------------------------+

The first table shows that 50.56.12.232 is now associated with the smallimage instance ID, and the second table shows the IP address included under smallimage's public IP addresses.

Remove and de-allocate a floating IP address

To remove a floating IP address from an instance, use the nova remove-floating-ip command.

$ nova remove-floating-ip smallimage 50.56.12.232

After the command completes, you can confirm that the IP address is no longer associated with the instance using the nova floating-ip-list and nova list commands.

$ nova floating-ip-list
+--------------+-------------+----------+------+
|      Ip      | Instance Id | Fixed Ip | Pool |
+--------------+-------------+----------+------+
| 50.56.12.232 |     None    |   None   | nova |
+--------------+-------------+----------+------+

$ nova list
+--------------------------------------+------------+--------+-----------------------------------------+
|                  ID                  |    Name    | Status |                 Networks                |
+--------------------------------------+------------+--------+-----------------------------------------+
| 4bb825ea-ea43-4771-a574-ca86ab429dcb | tinyimage2 | ACTIVE | public=10.4.113.6; private=172.16.101.6 |
| 542235df-8ba4-4d08-90c9-b79f5a77c04f | smallimage | ACTIVE | public=10.4.113.9; private=172.16.101.9 |
+--------------------------------------+------------+--------+-----------------------------------------+
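The association and removal checks described above can be scripted rather than read off the table by eye. The following is an added example and not part of the OpenStack manual: it parses nova floating-ip-list output, reports which instance a given floating IP is attached to ("None" after a remove-floating-ip), and polls a listing command until the expected state appears, since the association is not always visible immediately. The two sample tables are copied from the listings above; the fake_list_* functions are constructed stand-ins for running nova floating-ip-list.

```shell
#!/bin/sh
# Added example: confirm floating IP state from `nova floating-ip-list` output.

# Constructed samples, copied from the listings shown in the text:
# after `nova add-floating-ip` and after `nova remove-floating-ip`.
FIP_LIST_AFTER_ADD='+--------------+--------------------------------------+------------+------+
|      Ip      |             Instance Id              |  Fixed Ip  | Pool |
+--------------+--------------------------------------+------------+------+
| 50.56.12.232 | 542235df-8ba4-4d08-90c9-b79f5a77c04f | 10.4.113.9 | nova |
+--------------+--------------------------------------+------------+------+'

FIP_LIST_AFTER_REMOVE='+--------------+-------------+----------+------+
|      Ip      | Instance Id | Fixed Ip | Pool |
+--------------+-------------+----------+------+
| 50.56.12.232 |     None    |   None   | nova |
+--------------+-------------+----------+------+'

# Stand-ins for `nova floating-ip-list` so the example runs offline (constructed).
fake_list_after_add()    { printf '%s\n' "$FIP_LIST_AFTER_ADD"; }
fake_list_after_remove() { printf '%s\n' "$FIP_LIST_AFTER_REMOVE"; }

# Print the Instance Id column for floating IP $2 from table text $1
# (in practice "$(nova floating-ip-list)"). Prints nothing if the IP is not listed.
floating_ip_instance() {
    printf '%s\n' "$1" | awk -F'|' -v ip="$2" 'NF >= 5 {
        gsub(/^[ \t]+|[ \t]+$/, "", $2)       # trim the Ip cell
        gsub(/^[ \t]+|[ \t]+$/, "", $3)       # trim the Instance Id cell
        if ($2 == ip) { print $3; exit }
    }'
}

# Exit 0 when floating IP $2 in table $1 is attached to instance $3.
# Pass "None" as $3 to confirm that a remove-floating-ip has taken effect.
floating_ip_attached_to() {
    [ "$(floating_ip_instance "$1" "$2")" = "$3" ]
}

# Run listing command $1 up to $4 times, one second apart, until floating IP $2
# is attached to $3. Returns 1 if the state never appears.
wait_for_floating_ip() {
    attempts=$4
    while [ "$attempts" -gt 0 ]; do
        if floating_ip_attached_to "$($1)" "$2" "$3"; then
            return 0
        fi
        attempts=$(( attempts - 1 ))
        if [ "$attempts" -gt 0 ]; then
            sleep 1
        fi
    done
    return 1
}

# Usage against a live cloud (after `nova add-floating-ip smallimage 50.56.12.232`):
#   wait_for_floating_ip "nova floating-ip-list" 50.56.12.232 "$INSTANCE_ID" 10 \
#       || echo "floating IP 50.56.12.232 not associated" >&2
```

The listing command is passed in as a parameter so the same logic runs against the real nova client or against the constructed stand-ins; the polling loop exists because the first floating-ip-list after an add or remove can still show the previous state.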

You can now de-allocate the floating IP address, returning it to the pool so that it can be used by another tenant.

$ nova floating-ip-delete 50.56.12.232

In this example, 50.56.12.232 was the only IP address allocated to this tenant. Running nova floating-ip-list after the de-allocation is complete will return no results.

Manage Security Groups

A security group is a named collection of network access rules that can be used to limit the types of traffic that have access to instances. When you spawn an instance, you can assign it to one or more groups. For each security group, the associated rules permit you to manage the allowed traffic to instances within the group. Any incoming traffic which is not matched by a rule is denied by default. At any time, it is possible to add or remove rules within a security group. Rules are automatically enforced as soon as they are created.

Before you begin, use nova secgroup-list to view the available security groups (specify --all-tenants if you are a cloud administrator who wants to view all tenants' groups). You can also view the rules for a security group with nova secgroup-list-rules.

$ nova secgroup-list
+---------+-------------+
|   Name  | Description |
+---------+-------------+
| default |   default   |
+---------+-------------+

$ nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port |  IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
|     tcp     |     80    |    80   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

In this example, the default security group has been modified to allow HTTP traffic on the instance by permitting TCP traffic on Port 80.

Add or delete a security group

Security groups can be added with nova secgroup-create.

The following example shows the creation of the security group secure1. After the group is created, it can be viewed in the security group list.

$ nova secgroup-create secure1 "Test security group"
+---------+---------------------+
|   Name  |     Description     |
+---------+---------------------+
| secure1 | Test security group |
+---------+---------------------+

$ nova secgroup-list
+---------+---------------------+
|   Name  |     Description     |
+---------+---------------------+
| default |       default       |
| secure1 | Test security group |
+---------+---------------------+

Security groups can be deleted with nova secgroup-delete. The default security group cannot be deleted. The default security group contains these initial settings:

  • All the traffic originated by the instances (outbound traffic) is allowed

  • All the traffic destined to instances (inbound traffic) is denied

  • All the instances inside the group are allowed to talk to each other

Note

You can add extra rules into the default security group for handling the egress traffic. Rules are ingress only at this time.

In the following example, the group secure1 is deleted. When you view the security group list, it no longer appears.

$ nova secgroup-delete secure1
$ nova secgroup-list
+---------+-------------+
|   Name  | Description |
+---------+-------------+
| default |   default   |
+---------+-------------+

Modify security group rules

The security group rules control the incoming traffic that is allowed to the instances in the group, while all outbound traffic is automatically allowed.

Note

It is not possible to change the default outbound behaviour.

Every security group rule is a policy that specifies which inbound connections are allowed to reach the instance, by source address, destination port and IP protocol (TCP, UDP or ICMP). Currently, IPv6 and other protocols cannot be managed with security group rules, so they are permitted by default. To control such traffic, you can deploy a firewall in front of your OpenStack cloud. The command requires the following arguments for both TCP and UDP rules:

  • <secgroup> ID of security group.

  • <ip_proto> IP protocol (icmp, tcp, udp).

  • <from_port> Port at start of range.

  • <to_port> Port at end of range.

  • <cidr> CIDR for address range.

For ICMP rules, instead of specifying a begin and end port, you specify the allowed ICMP code and ICMP type:

  • <secgroup> ID of security group.

  • <ip_proto> IP protocol (with icmp specified).

  • <ICMP_code> The ICMP code.

  • <ICMP_type> The ICMP type.

  • <cidr> CIDR for the source address range.

Note

Entering "-1" for both code and type indicates that all ICMP codes and types should be allowed.

Note: The CIDR notation

This notation specifies a base IP address and a suffix that gives the number of significant bits used to identify the network. For example, 88.170.60.32/27 specifies 88.170.60.32 as the base IP address and 27 as the suffix. Because the address is IPv4, only 5 bits remain for the host part (32 minus 27). The 0.0.0.0/0 notation covers the entire IPv4 range, that is, all addresses are allowed.

For example, to allow any IP address to access a web server running on one of your instances inside the default security group:

$ nova secgroup-add-rule default tcp 80 80 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port |  IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
|     tcp     |     80    |    80   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

To allow any IP address to ping an instance inside the default security group (Code 0, Type 8 for the ECHO request):

$ nova secgroup-add-rule default icmp 0 8 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port |  IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
|     icmp    |     0     |    8    | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

$ nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port |  IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
|     tcp     |     80    |    80   | 0.0.0.0/0 |              |
|     icmp    |     0     |    8    | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

In order to delete a rule, you need to specify the exact same arguments you used to create it:

  • <secgroup> ID of security group.

  • <ip_proto> IP protocol (icmp, tcp, udp).

  • <from_port> Port at start of range.

  • <to_port> Port at end of range.

  • <cidr> CIDR for address range.

$ nova secgroup-delete-rule default tcp 80 80 0.0.0.0/0
