Security groups are an important concept to understand in OpenStack.  A security group defines a set of IP filter rules that determine how network traffic flows to and from an instance, much like a firewall.  The CCR cloud (Lake Effect) is NOT protected by the UB firewall; therefore, it's important that you set up secure access to your instances.  Only open ports for the services you require, and only open those ports to the IP addresses that you want to provide access to.


It is absolutely crucial that you do NOT open all ports to the world!





The default rule in Lake Effect allows only outbound (egress) traffic; no inbound (ingress) traffic is permitted.  We recommend that you create a new security group and leave the default group alone.  Do NOT delete the default security group unless you add these rules to your own security group!  Otherwise you will not be able to connect to your instance.



To connect to a Linux instance using SSH, you must enable port 22 (ssh).  We highly recommend restricting SSH access to only the one or two IP addresses of computers you use.  However, if you do not have a static IP address, you could restrict access to CCR's network.  This would be a secure option because you would have to log in to a CCR server and then log in to your instance.  All of our servers are restricted to logins from the UB network and fronted by a firewall.  In this example, we will show you how to allow access using SSH (port 22) to your instance from CCR's network.


To create a new security group, go to Network - Security Groups, then click the "Create Security Group" button.  Give it a name that is unique among the security groups in your project.



Once created, click on the "Manage Rules" button next to the security group.  Then click "Add Rule".


To assign this security group to an instance that is already running, go to the Compute - Instances menu and click the arrow on the menu to the right of the instance name.  Choose Edit Security Groups:



Click the Plus button next to the security group you just created, which moves it into the list of security groups for your instance.  Now click Save.

NOTE: Security groups are project-specific and can't be shared across projects.  You will see only the security groups available under the current project when editing your instance.



If you would like to open up SSH access from UB's various networks, you would have to add many networks to your security group.  Here is a screenshot of the UB network ranges as of March 2018:



Other frequently used ports are HTTP (port 80) and HTTPS (port 443).  If you need assistance figuring out which ports to open and how to configure the appropriate IP rules, contact CCR help.  We're here to help!
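
To check a security group against the advice above (no ports open to the world unless intended, SSH restricted to known addresses), the following is an added example and not CCR's own tooling. It audits rules expressed with the field names of the OpenStack Neutron security group rule API; the function names, the sample rules and the 203.0.113.0/24 range are constructed for illustration.

```python
import ipaddress

def rule(rid, direction, protocol, lo, hi, prefix, group=None):
    """Build a rule dict using Neutron security-group-rule field names."""
    return {"id": rid, "direction": direction, "protocol": protocol,
            "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": prefix, "remote_group_id": group}

# Constructed sample rules; 203.0.113.0/24 is a documentation range
# standing in for a trusted network.
SAMPLE_RULES = [
    rule("r1", "egress", None, None, None, "0.0.0.0/0"),
    rule("r2", "ingress", "tcp", 22, 22, "203.0.113.0/24"),
    rule("r3", "ingress", "tcp", 22, 22, "0.0.0.0/0"),
    rule("r4", "ingress", None, None, None, None),
    rule("r5", "ingress", "tcp", 1, 65535, "203.0.113.7/32"),
    rule("r6", "ingress", "tcp", 443, 443, "::/0"),
]

def is_world(r):
    """True when the rule's source is every address."""
    if r["remote_ip_prefix"] is None:
        # No prefix and no remote group means any source.
        return r["remote_group_id"] is None
    return ipaddress.ip_network(r["remote_ip_prefix"], strict=False).prefixlen == 0

def audit(rules):
    """Return {rule id: finding} for ingress rules that are too open."""
    findings = {}
    for r in rules:
        if r["direction"] != "ingress":
            continue  # outbound rules are not the concern here
        world = is_world(r)
        # Missing port bounds mean every port; a missing protocol means any protocol.
        lo, hi = r["port_range_min"] or 1, r["port_range_max"] or 65535
        every_port = r["protocol"] is None or (
            r["protocol"] in ("tcp", "udp") and lo <= 1 and hi >= 65535)
        if world and every_port:
            findings[r["id"]] = "all ports open to the world"
        elif world and r["protocol"] == "tcp" and lo <= 22 <= hi:
            findings[r["id"]] = "SSH open to the world"
        elif world:
            findings[r["id"]] = "open to the world, confirm it is a public service"
        elif every_port:
            findings[r["id"]] = "all ports open to one source"
    return findings

if __name__ == "__main__":
    for rid, finding in audit(SAMPLE_RULES).items():
        print(rid, finding)
```

Rule r4 is the case to watch for: a rule left with no protocol, port range or source looks empty but permits everything.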



See also:

IP Addresses in Openstack




NOTE:  CCR and UBIT reserve the right to scan all cloud instances for security vulnerabilities.  If a major compromise were to be detected, CCR would shut down the instance(s) and contact the account owner.