Configure access and security for instances

Before you launch an instance, you should add security group rules to enable users to ping and use SSH to connect to the instance. Security groups are sets of IP filter rules that define networking access and are applied to all instances within a project. To do so, you either add rules to the default security group (see the section Add a rule to the default security group) or add a new security group with rules.

Key pairs are SSH credentials that are injected into an instance when it is launched. To use key pair injection, the image that the instance is based on must contain the cloud-init package. Each project should have at least one key pair. For more information, see the section Add a key pair.

If you have generated a key pair with an external tool, you can import it into OpenStack. The key pair can be used for multiple instances that belong to a project. For more information, see the section Import a key pair.

When an instance is created in OpenStack, it is automatically assigned a fixed IP address in the network to which the instance is assigned. This IP address is permanently associated with the instance until the instance is terminated. However, in addition to the fixed IP address, a public IP address can also be attached to an instance. Unlike fixed IP addresses, public IP addresses are able to have their associations modified at any time, regardless of the state of the instance involved.

Add a rule to the default security group

This procedure enables SSH and ICMP (ping) access to instances. The rules apply to all instances within a given project, and should be set for every project unless there is a reason to prohibit SSH or ICMP access to the instances.

The procedure can be adjusted as necessary to add additional security group rules to a project, if your cloud requires them.

  1. Log in to the dashboard, choose a project, and click Access & Security. The Security Groups tab shows the security groups that are available for this project.
  2. Select the default security group and click Edit Rules.
  3. To allow SSH access, click Add Rule.
  4. In the Add Rule dialog box, enter the following values:
    Rule: SSH, Remote: CIDR.

To accept requests from a particular range of IP addresses, specify the IP address block in the CIDR box.

  5. Click Add.
    Instances will now have SSH port 22 open for requests from any IP address.
  6. To add an ICMP rule, click Add Rule.
  7. In the Add Rule dialog box, enter the following values:
    Rule: All ICMP, Direction: Ingress.
  8. Click Add.
    Instances will now accept all incoming ICMP packets.
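
The following Python check is an added example, not part of the original guide. It flags ingress rules like the ones this procedure creates when their source is every address rather than a specific CIDR block. It assumes each rule is a dictionary using the Neutron security group rule field names; the sample rules and function names are constructed for illustration.

```python
import ipaddress

def rule(rid, direction, protocol, lo, hi, prefix, group=None):
    """Build a constructed sample rule with Neutron's rule field names."""
    return {"id": rid, "direction": direction, "protocol": protocol,
            "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": prefix, "remote_group_id": group}

# Constructed sample data, not taken from a real project.
SAMPLE_RULES = [
    rule("ssh-any", "ingress", "tcp", 22, 22, "0.0.0.0/0"),
    rule("ssh-office", "ingress", "tcp", 22, 22, "203.0.113.0/24"),
    rule("icmp-any", "ingress", "icmp", None, None, None),
    rule("tcp-all-v6", "ingress", "tcp", 1, 65535, "::/0"),
    rule("ssh-from-group", "ingress", "tcp", 22, 22, None, "sg-bastion"),
    rule("egress-any", "egress", None, None, None, None),
]

def open_to_any(r):
    """True when the source is every address: no CIDR at all, or a /0 prefix."""
    if r.get("remote_group_id"):
        return False  # source is limited to members of another security group
    prefix = r.get("remote_ip_prefix")
    if prefix is None:
        return True
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0

def covers_tcp_port(r, port):
    """True when the rule admits TCP traffic to the given port."""
    if r.get("protocol") not in (None, "tcp", "6"):  # None means any protocol
        return False
    lo, hi = r.get("port_range_min"), r.get("port_range_max")
    if lo is None and hi is None:
        return True  # no range given: every port
    lo, hi = (hi if lo is None else lo), (lo if hi is None else hi)
    return lo <= port <= hi

def audit(rules, port=22):
    """Return (rule id, finding) pairs for ingress rules open to any address."""
    findings = []
    for r in rules:
        if r.get("direction") != "ingress" or not open_to_any(r):
            continue
        if covers_tcp_port(r, port):
            findings.append((r["id"], f"tcp/{port} reachable from any address"))
        elif r.get("protocol") == "icmp":
            findings.append((r["id"], "ICMP accepted from any address"))
    return findings

if __name__ == "__main__":
    for rid, finding in audit(SAMPLE_RULES):
        print(f"{rid}: {finding}")
```

Rules scoped to a CIDR block or to another security group pass the check; only the unrestricted SSH, ICMP and all-ports rules are reported.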

Add a key pair

Create at least one key pair for each project.

  1. Log in to the dashboard, choose a project and click Access & Security.
  2. Click on the Keypairs tab, which shows the key pairs that are available for this project.
  3. Click Create Keypair.
  4. In the Create Keypair dialog box, enter a name for your keypair and click Create Key.
  5. Respond to the prompt to download the key pair.

Import a key pair

  1. Log in to the dashboard, choose a project, and click Access & Security.
  2. Click the Keypairs tab, which shows the key pairs that are available for this project.
  3. Click Import Keypair.
  4. In the Import Keypair dialog box, enter the name of your key pair, copy the public key into the Public Key box, and then click Import Keypair.
  5. Save the *.pem file locally.
  6. To change its permissions so that only you can read and write to the file, run the following command:
    $ chmod 0600 yourPrivateKey.pem

If you are using the dashboard from a Windows computer, use PuTTYgen to load the *.pem file and convert and save it as *.ppk.

  7. To make the key pair known to SSH, run the ssh-add command.
    $ ssh-add yourPrivateKey.pem

The Compute database registers the public key of the key pair.
The dashboard lists the key pair on the Access & Security tab.

Allocate a public IP address to an instance

When an instance is created in OpenStack, it is automatically assigned a fixed IP address in the network to which the instance is assigned. This IP address is permanently associated with the instance until the instance is terminated.

However, in addition to the fixed IP address, a public IP address can also be attached to an instance. Unlike fixed IP addresses, public IP addresses can have their associations modified at any time, regardless of the state of the instances involved. This procedure details the reservation of a public IP address from an existing pool of addresses and the association of the address with a specific instance.

  1. Log in to the dashboard, choose infrastructure and click Access & Security.
  2. Click the public IPs tab, which shows the public IP addresses allocated to instances.
  3. Click Allocate IP to Project.
  4. Choose the pool from which to pick the IP address.
  5. Click Allocate IP.
  6. In the public IPs list, click Associate.
  7. In the Manage public IP Associations dialog box, choose the following options:
    - The IP Address field is filled automatically, but you can add a new IP address by clicking the + button.
    - In the Ports to be associated field, select a port from the list. The list shows all the instances with their fixed IP addresses.
  8. Click Associate.

To disassociate an IP address from an instance, click the Disassociate button. To release the public IP address back into the pool of addresses, click the More button and select the Release public IP option.

 

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License
Changes were made based on the original OpenStack User Guide.
