Please view this recording to learn how to get started with Lake Effect and more.  

Security groups are an important concept to understand in Openstack.  Security groups define a set of IP filter rules that determine how network traffic flows to and from an instance like a firewall.  The CCR cloud (Lake Effect) is NOT protected by the UB firewall; therefore, it's important that you setup secure access to your instances.  Only open ports for the services you require and only open those ports to the IP addresses that you want to provide access to.  

It is absolutely crucial that you do NOT open all ports to the world!

The default rule in LakeEffect only allows outbound (egress) traffic - no inbound (ingress) traffic is permitted.  We recommend you create a new security group and leave the default group alone.  Do NOT delete the default security group unless you add these rules to your own security group!  Otherwise you will not be able to connect to your instance.

In order to connect to a linux instance using SSH you must enable port 22 (ssh).  We highly recommend restricting SSH access to only one or two IP addresses for computers you use.  However, if you do not have a static IP address you could restrict access to CCR's network.   This would be a secure option because you would have to login to a CCR server and then login to your instance.  All of our servers are restricted to logins from the UB network and fronted by a firewall.  In this example, we will show you how to allow access using SSH (port 22) to your instance from CCR's network.  

To create a new security group, go to Network - Security Groups, then click the "+ CREATE SECURITY GROUP" button.  Name it something unique to the other security groups in your project and Click CREATE SECURITY GROUP to confirm.

Once created, click on the" Manage Rules" button next to the security group.  Then click "Add Rule"

You will then see the Add Rule pop up where you define the rule itself.

From here you can pick a predefined rule or create your own using the TCP/UDP ports or port ranges. You also can define the remote connections as subnets, IP addresses or other security groups. See the descriptions in the right column for more detail.

To assign this security group to an instance that is already running, go to the Compute - Instances menu and click the arrow on the menu to the right of the instance name.  Choose Edit Security Groups:

Click the Plus button next to the security group you just created which moves it under the list of security groups for your instance.  Now click Save.

NOTE: Security groups are project-specific and can't be shared across projects.  You will see only the security groups available under the current project when editing your instance.

If you would like to open up SSH access from UB's various networks, you would have to add many networks to your security group.  Here is a screenshot of the UB network ranges as of May 2022:

This is the list of UB Subnets:


Other frequently used ports are http (port 80) and https (port 443).  If you need assistance figuring out what ports to open and how to configure the appropriate IP rules, contact CCR help.  We're here to help!

See also:

IP Addresses in Openstack

Updating and securing your operating system

NOTE:  CCR and UBIT reserve the right to scan all cloud instances for security vulnerabilities.  If a major compromise were to be detected, CCR would shut down the instance(s) and contact the account owner.