The external networks available vary from cloud to cloud. Currently all clouds have only one external network, but this is likely to change.

skyhigh.hig.no

The skyhigh installation has the following external networks:

  • ext-net - 172.16.0.0/16 - An external network which is not routed throughout NTNU. Used for general purpose access to the virtual machines.

skylow.hig.no

The skylow installation (the development platform at Gjøvik) has the following external networks:

  • ext-net - 172.18.128.0/17 - An external network which is not routed throughout NTNU. Used for general purpose access to the virtual machines.

stack.it.ntnu.no

The skyhigh installation has the following external networks:

  • ntnu-internal - 10.212.24.0/22 - Used for general purpose access to the virtual machines. Accessible from all NTNU networks. Use VPN for external access.

 

Restricting access to an external network

If you need to limit which projects can use an external network, do the following:

First, find the ID of the external network. Suppose "test-ext" is the network that needs restricted access:

$ openstack network list -c Name -c ID
+--------------------------------------+-------------+
| ID                                   | Name        |
+--------------------------------------+-------------+
| 50a80b8c-d06c-4b53-97f2-6c0b9f9a405c | test-ext    |
| ab6cf6f2-b320-4522-99bf-e5ab65c51553 | admin-lan   |
| dfc8c97d-8cf1-4b4a-9d42-f2cd184b4540 | ext-net     |
+--------------------------------------+-------------+
 

Then remove the RBAC rule that allows all projects to access "test-ext". It is the rule whose object_id is the ID of "test-ext":

$ neutron rbac-list
+--------------------------------------+-------------+--------------------------------------+
| id                                   | object_type | object_id                            |
+--------------------------------------+-------------+--------------------------------------+
| c1d8506f-a9a2-4f93-9921-0a8969dac3d8 | network     | 50a80b8c-d06c-4b53-97f2-6c0b9f9a405c |
| e8abdcf5-1bdd-4087-82bf-26dc08bf0fa1 | network     | dfc8c97d-8cf1-4b4a-9d42-f2cd184b4540 |
+--------------------------------------+-------------+--------------------------------------+
 
$ neutron rbac-delete <rbac rule id>

Create a new RBAC rule for "test-ext" that grants access to the given projects only. You need one RBAC rule per project:

$ neutron rbac-create --target-tenant <project id> --action access_as_external --type network <network id>
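
The steps above combined into a dry-run helper, as an added example that is not part of the original page: it matches the network ID against the object_id column of the rbac-list output and prints the delete and per-project create commands for review. The function names and the two project ID placeholders are hypothetical; the table is a constructed sample using the values shown above.

```bash
#!/usr/bin/env bash
# Added example: prints (never runs) the RBAC changes for one external network.

# Constructed sample: the `neutron rbac-list` table from the text above.
SAMPLE_RBAC_LIST='+--------------------------------------+-------------+--------------------------------------+
| id                                   | object_type | object_id                            |
+--------------------------------------+-------------+--------------------------------------+
| c1d8506f-a9a2-4f93-9921-0a8969dac3d8 | network     | 50a80b8c-d06c-4b53-97f2-6c0b9f9a405c |
| e8abdcf5-1bdd-4087-82bf-26dc08bf0fa1 | network     | dfc8c97d-8cf1-4b4a-9d42-f2cd184b4540 |
+--------------------------------------+-------------+--------------------------------------+'

# rbac_ids_for_network NETWORK_ID  (rbac-list table on stdin)
# Prints the id of every network RBAC rule whose object_id is NETWORK_ID.
rbac_ids_for_network() {
  awk -F'|' -v net="$1" '
    NF >= 4 {
      id = $2; kind = $3; obj = $4
      gsub(/[ \t]+/, "", id); gsub(/[ \t]+/, "", kind); gsub(/[ \t]+/, "", obj)
      if (kind == "network" && obj == net) print id
    }'
}

# plan_restriction NETWORK_ID PROJECT_ID...  (rbac-list table on stdin)
# The three-column table does not show each rule's action or target, so the
# printed commands are meant to be reviewed before anyone runs them.
plan_restriction() {
  local net="$1" ids id project
  shift
  ids="$(rbac_ids_for_network "$net")"
  if [ -z "$ids" ]; then
    echo "no RBAC rule references network $net" >&2
    return 1
  fi
  for id in $ids; do
    echo "neutron rbac-delete $id"
  done
  for project in "$@"; do
    echo "neutron rbac-create --target-tenant $project --action access_as_external --type network $net"
  done
}

# Demo with two hypothetical project IDs (placeholders, not real projects).
printf '%s\n' "$SAMPLE_RBAC_LIST" |
  plan_restriction 50a80b8c-d06c-4b53-97f2-6c0b9f9a405c PROJECT_ID_A PROJECT_ID_B
```

On a live cloud, pipe the real `neutron rbac-list` output into `plan_restriction` instead of the sample table.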