In the openstack-installations there are usually two external networks. "ntnu-internal" provides NTNU-RFC1918 adresses, which are reachable from all of NTNU, but global access is only through VPN. "ntnu-global" provides globally reachable IP addresses, making your virtual machine available globally. The following table lists the IP prefixes used in the platform:
| Platform | ntnu-internal | ntnu-global |
|---|---|---|
| SkyHiGh | 10.212.136.0/21 10.212.168.0/21 | 128.39.143.128/25 129.241.150.0/24 |
| StackIT | 10.212.24.0/22 | 129.241.152.0/23 |
| SkyLow | 10.212.131.0/25 | 128.39.45.0/26 |
| PileIT | 10.212.36.0/22 | N/A |
Using ntnu-global
Access to globally available addresses are given on request, if you have a legitimate use for it. Access is given on a per-project basis, and even after the access is given we encourage you to use ntnu-internal where global addresses is not strictly needed.
Security considerations
The global address-space is available globally, meaning any internet-connected system in the world can initiate contact with VM's having a global IP. The IPv4 address space is rather small, and are regularly scanned, and you should thus expect automatic scanning hitting your VM as soon as it gets a global IP. This means that you should be very careful about which services you expose from your VM to the global internet to avoid having your VM exploited. Even though we encourage to be careful about security in all your VM's, it is particulary important for VM's being globally reachable. For VM's having global addresses we recommend:
- Use security-groups to limit access to your services:
- Administrative interfaces (SSH, Remote-Desktop, VNC etc.) should ONLY be allowed from known networks.
- NTNU uses many address-ranges but allowing access from 129.241.0.0/16 and 10.0.0.0/8 should cover the majority.
- Check the addresses used at your systems if they are not covered by these ranges.
- Access to services should only be given globally to the specific ports needed.
- For web-applications this typically means TCP port 80 (HTTP) and 443 (HTTPS).
- You should not give global access to services intended for internal use in your applications, like databases, message-queues, cache-layers etc.
- Administrative interfaces (SSH, Remote-Desktop, VNC etc.) should ONLY be allowed from known networks.
- Keep your services updated
- It is particularly important to keep services available to the global internet updated, to avoid having knows security bugs that can be exploited.
- We recommend to enable automatic updates to automaticly keep things somewhat up to date.
Practical implementation
When having access to more than one external network in openstack you should be avare of a couple of limitations:
- An openstack router is only connected to a single external network.
- A openstack subnet is usually only connected to a single openstack router.
- A floating IP of a certain external network can only be attached to a VM connected to a subnet connected to a router with its external interface connected to the same external network.
In practice this means that you should create two openstack networks/subnets/routers when you have access to ntnu-global. One for ntnu-internal and one for ntnu-global. And then connect VM's needing global IP's to the network services by the router connected to ntnu-global, and all other VM's to the other network.