Networking and Security
Note
Red Cloud 2 is currently in beta testing and not available to all users. If you are not a Red Cloud 2 beta tester, use the production Red Cloud instead. This Red Cloud 2 documentation is still under development.
Beta testers: Report all problems to CAC Help. Please specify Red Cloud 2 when reporting problems. Thank you!
Networking
When you create a new instance, you can connect it to one of two types of networks:
- Public Network (`public`): Red Cloud has a `public` network that connects instances directly to the Internet.
- Private Network: Connects one or multiple instances. A floating IP address can be dynamically assigned to an instance connected to a private network so the instance can accept incoming connections from the Internet at the floating IP address.
Public Network
The `public` network is a pre-configured network in Red Cloud that offers direct connectivity to the Internet. The public network has the IP range 128.84.40.0/22.
When you create an instance, specify the `public` network under the "Network" tab (Horizon) or with the `--network` option (CLI client). An IP address from the 128.84.40.0/22 range is automatically assigned to the instance for its entire lifecycle, and the new instance is created on the public network at that address. Because that address is reachable directly from the Internet, restrict access to the instance using security groups.
Private Network and Floating IP
A private network connects one or multiple instances inside a VXLAN tunnel. Its traffic is accessible only to instances on the same private network. To connect an instance to a private network:
- If the private network does not already exist, create a new private network.
- When creating a new instance, specify the private network under the "Network" tab (Horizon) or with the `--network` option (CLI client).
By default, a private network does not have connectivity to the public Internet.
- To provide outbound Internet access for instances on a private network, create a router connecting the private network and the `public` network.
- In addition, to enable inbound access from the Internet to an instance on a private network:
  - Create a floating IP address,
  - Assign it to the instance,
  - To move the floating IP address to another instance, first remove the floating IP from the original instance and then assign it to the new instance, and
  - Remember to delete the floating IP address after you are done.
Networking Operations
- Create a Private Network
- Delete a Network
- Create a Router
- Connect a Router to a Subnet
- Delete a Router
- Create a Floating IP Address
- Delete a Floating IP Address
- Assign a Floating IP Address to an Instance
- Remove a Floating IP Address from an Instance
Security
Security Group
Security groups are firewalls that control inbound and outbound network traffic to and from your instances. A security group is a collection of rules, each of which specifies that traffic is allowed to come from (ingress) or go to (egress) a set of Internet Protocol (IP) addresses through a given set of ports. The permissions given by these rules accumulate to form the net effect of the security group. Multiple security groups can be assigned to an instance, and the permissions from multiple groups also accumulate.
Each Red Cloud project has a `default` security group that cannot be deleted. The default rules of the `default` security group allow all outbound traffic but block all inbound traffic. To provide access to types of network communication that the default group does not allow, either modify the project's default security group or create additional security groups.
When launching a new instance, the new instance is assigned to at least one security group (the `default` security group if none is specified). Unless you modify the rules for your project's `default` security group or assign the instance to a new security group, access to the new instance from outside the cloud is disabled by default!
Security Group Operations
- Create a Security Group
- Delete a Security Group
- List Security Groups
- Add a Security Group Rule
- Delete an Access Rule
Add a security group rule to explicitly allow access. Each rule can contain the following filters:
- Direction: `ingress` or `egress`
- Protocol: `icmp`, `tcp`, or `udp`
- Port: destination port number or port range
- Remote IP: a remote IP address or CIDR range. Enter 0.0.0.0/0 for the entire Internet.
- Remote Security Group: allow access
When creating rules for a security group, limit access as much as possible. For example, use the following IP ranges to limit access to the Cornell campus network or the CU VPN.
Cornell Campus Network IP Ranges
The Cornell campus network uses the following IP ranges:
- 128.84.0.0/16
- 128.253.0.0/16
- 132.236.0.0/16
- 192.35.82.0/24
- 192.122.235.0/24
- 192.122.236.0/24
- 10.0.0.0/8
CU VPN IP Ranges
The CU VPN uses the following IP ranges:
- 10.41.224.0/19
- 10.17.0.0/14
Common Security Group Rule Sets
The appropriate security group configuration depends on the instance operating system and your intended use of the Red Cloud instance. For example, if the instance only needs to be accessible from the Cornell campus network or VPN, it is good practice to use a security group rule set that enforces this expectation. If the instance should be accessible to off-campus collaborators who do not have access to the Cornell VPN, then certain services (ports) can be set to allow access from the whole internet. In general, it is best to only open the ports for services you will be using and to limit access to the smallest reasonable sets of IP addresses. The tables below show security group rule sets that correspond to common use cases.
Linux instance accessible via SSH from the entire internet (requires enhanced security measures)
Direction | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Remote Security Group |
---|---|---|---|---|---|
Egress | IPv6 | Any | Any | ::/0 | - |
Egress | IPv4 | Any | Any | 0.0.0.0/0 | - |
Ingress | IPv4 | TCP | 22 (SSH) | 0.0.0.0/0 | - |
Linux instance accessible via SSH from the Cornell network or VPN
Direction | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Remote Security Group |
---|---|---|---|---|---|
Egress | IPv6 | Any | Any | ::/0 | - |
Egress | IPv4 | Any | Any | 0.0.0.0/0 | - |
Ingress | IPv4 | TCP | 22 (SSH) | 128.84.0.0/16 | - |
Ingress | IPv4 | TCP | 22 (SSH) | 132.236.0.0/16 | - |
Ingress | IPv4 | TCP | 22 (SSH) | 10.0.0.0/8 | - |
Windows instance accessible via Remote Desktop from the entire internet (requires enhanced security measures)
Direction | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Remote Security Group |
---|---|---|---|---|---|
Egress | IPv6 | Any | Any | ::/0 | - |
Egress | IPv4 | Any | Any | 0.0.0.0/0 | - |
Ingress | IPv4 | TCP | 3389 (RDP) | 0.0.0.0/0 | - |
Windows instance accessible via Remote Desktop from the Cornell network or VPN
Direction | Ether Type | IP Protocol | Port Range | Remote IP Prefix | Remote Security Group |
---|---|---|---|---|---|
Egress | IPv6 | Any | Any | ::/0 | - |
Egress | IPv4 | Any | Any | 0.0.0.0/0 | - |
Ingress | IPv4 | TCP | 3389 (RDP) | 128.84.0.0/16 | - |
Ingress | IPv4 | TCP | 3389 (RDP) | 132.236.0.0/16 | - |
Ingress | IPv4 | TCP | 3389 (RDP) | 10.0.0.0/8 | - |
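The following Python model shows how the allow-only rules described under Security Group accumulate across groups, with the implicit deny that makes the `default` group block all inbound traffic, and checks the "SSH from the Cornell network or VPN" rule set from the table above against sample connections. It is an added example, not Red Cloud or OpenStack code; `DEFAULT_GROUP` is a constructed model of the egress-only default group, the remote-security-group filter is omitted, and the off-campus address 203.0.113.9 is a constructed test value.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """One security group rule: allow-only, as in OpenStack."""
    direction: str                         # "ingress" or "egress"
    protocol: Optional[str]                # "tcp", "udp", "icmp"; None = any
    port_range: Optional[Tuple[int, int]]  # (low, high); None = any port
    remote_prefix: str                     # CIDR the remote end must fall in

def rule_matches(rule: Rule, direction: str, protocol: str,
                 port: Optional[int], remote_ip: str) -> bool:
    if rule.direction != direction:
        return False
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if rule.port_range is not None:
        low, high = rule.port_range
        if port is None or not low <= port <= high:
            return False
    # An address-family mismatch (IPv6 remote vs. IPv4 prefix) is simply no match.
    return ip_address(remote_ip) in ip_network(rule.remote_prefix)

def is_allowed(groups, direction, protocol, port, remote_ip) -> bool:
    """Rules from every group attached to the instance accumulate: one match
    anywhere allows the traffic, and no match at all means it is dropped."""
    return any(rule_matches(r, direction, protocol, port, remote_ip)
               for group in groups for r in group)

def prefix_is_sane(cidr: str) -> bool:
    """Reject a remote prefix with host bits set. A mistyped 10.0.0.0/0 is
    not a campus range: with the host bits ignored it is the whole Internet."""
    try:
        ip_network(cidr)  # strict=True raises ValueError on host bits
        return True
    except ValueError:
        return False

# Constructed rule sets: the egress-only default group, and the table's campus/VPN SSH set.
DEFAULT_GROUP = [Rule("egress", None, None, "::/0"),
                 Rule("egress", None, None, "0.0.0.0/0")]
CAMPUS_SSH = DEFAULT_GROUP + [
    Rule("ingress", "tcp", (22, 22), "128.84.0.0/16"),
    Rule("ingress", "tcp", (22, 22), "132.236.0.0/16"),
    Rule("ingress", "tcp", (22, 22), "10.0.0.0/8"),
]
```

Running `prefix_is_sane` over every remote prefix before adding a rule catches the one mistake that silently turns a campus-only rule into an Internet-wide one.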