
Networking options

ScienceCloud implements a networking service (Neutron) that allows you to create complex network setups on the cloud. This gives the advanced user more flexibility, but also makes things a bit more complicated for the inexperienced user.

This page will guide you through the available options and help you decide how you should configure the network depending on your use case.

What you can do with Neutron

With Neutron you have great flexibility when setting up the networking. You can:

  • create VMs with more than one network interface
  • add or remove a network interface from a VM which is already up and running
  • create private networks
  • create routers and connect them to private networks or the public network
  • temporarily assign a public IP to a VM

Use cases

VM accessible from the UZH network only, plus internet connectivity

Figure: Networking use case: UZH network

This is the best option if:

  • you need to access the VM and copy data to and from the VM via ssh/scp only from within the university network (or via UZH VPN)
  • you don't need to access the VM from outside the university network

This is the default scenario: in this configuration the VM can only be accessed from hosts in the UZH network or connected to the UZH network via VPN. VMs can still access the internet (for instance, to upgrade the operating system or install new packages) using ANY network protocol and without limitation.

You can also use this configuration when you want to deploy a service which is only accessible from the university network (e.g. a Samba share for your research group).

NOTE: Please keep in mind that, for security reasons, we need to track all connections between the VMs and the internet.

How to start a VM with UZH-only networking plus internet access

While starting a new VM, in the wizard, select the "Networking" tab, and assign the uzh-only network to the first NIC, if not already selected.

Public access: Floating IP

Figure: Networking use case: Public access

This is the best option if:

  • you need to provide a service for research groups spread around the globe
  • your VM is actually a service and not used for computation

This is the network configuration for VMs used to host a publicly available service, for instance an OpenBIS data management server, or a MOOC like edX. Please note that based on the Service Agreement you are not allowed to host public services for personal or commercial use, but only for research purposes.

Public floating IPs

Since the UZH public network uses IPv4, and IPv4 addresses are intrinsically scarce, the initial quota for floating IPs on ScienceCloud is zero. S3IT can provide a limited number of public floating IP addresses for use with web services. However, we strongly recommend that you consider using the Webhosting or Virtual Server Housing services instead: they have higher availability and are better suited for web services than ScienceCloud. If you believe that ScienceCloud would still suit your needs better, please send us an email with a description of your use case and a justification for the use of a public IP. Once your request is accepted, you will be able to see the available floating IPs in the ScienceCloud dashboard and proceed with the rest of this tutorial.

Important

Please keep in mind the responsibilities defined in the S3IT Infrastructure Service Agreement. Below we provide some general security recommendations for ScienceCloud. However, this is not an exhaustive list as we cannot cover all possible scenarios.

General non-exhaustive security recommendations

  • Authenticate exclusively with SSH keys
    • Disable password authentication in sshd_config
    • Never set passwords for service accounts (uid < 1000) and accounts with sudo privileges
    • Use only passphrase-protected SSH keys (these passphrases must be long and unique)
  • Expose only the ports and applications necessary for normal operation
    • Never expose your backend databases
    • If you need to run an admin or management tool, restrict access to the tool to connections coming from UZH IP addresses
  • Install security updates regularly
    • Enable unattended upgrades
    • Follow security bulletins
    • Manually upgrade the applications that do not originate from the configured package repositories

This is not an exhaustive list and much more work might be needed to secure your instance. For more information, you can refer to the ZI list of IT security recommendations (in particular the REIM) or contact the IT security team. In cases when server configuration is particularly complex, please contact S3IT to discuss whether we can accommodate your setup under a custom service agreement.
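The first recommendation above ("disable password authentication in sshd_config") is easy to get wrong because of how sshd reads its configuration: the first uncommented occurrence of a directive wins, later duplicates are ignored, and a commented-out line leaves the compiled-in default (password authentication enabled) in force. The following script is an added example, not part of the ScienceCloud documentation: it audits a config file against the SSH-key-only items above, using two constructed sample files (one that looks hardened but is not, and one drop-in that is). Directive names and defaults are those of current OpenSSH; on releases older than 8.7 the keyboard-interactive directive is called ChallengeResponseAuthentication instead.

```shell
#!/bin/sh
# Added example (not part of the ScienceCloud documentation): audit an
# sshd_config against the "authenticate exclusively with SSH keys" items.
#
# Two sshd parsing rules matter here:
#   1. the FIRST uncommented occurrence of a directive wins, later ones are ignored;
#   2. a commented-out line ("#PasswordAuthentication no") changes nothing,
#      the compiled-in default (yes) stays in effect.

# Print the effective value of a directive.
# $1 = directive (case-insensitive), $2 = config file, $3 = sshd default
sshd_effective() {
  key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  val=$(awk -v key="$key" '
    /^[ \t]*#/ { next }                        # comment line
    /^[ \t]*$/ { next }                        # blank line
    tolower($1) == "match" { exit }            # lines after Match are conditional
    tolower($1) == key     { print $2; exit }  # first occurrence wins
  ' "$2")
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Compare the effective settings with the recommendation.
# Prints one line per directive; returns 0 only if all of them are acceptable.
# Each spec is "Directive sshd-default wanted-value".
sshd_audit() {
  cfg=$1; rc=0
  for spec in \
      "PasswordAuthentication yes no" \
      "KbdInteractiveAuthentication yes no" \
      "PermitRootLogin prohibit-password no" \
      "PubkeyAuthentication yes yes"; do
    set -- $spec
    eff=$(sshd_effective "$1" "$cfg" "$2")
    if [ "$(printf '%s' "$eff" | tr 'A-Z' 'a-z')" = "$3" ]; then
      echo "OK   $1 = $eff"
    else
      echo "WEAK $1 = $eff (want $3)"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: looks hardened at a glance, but passwords still work.
write_weak_config() {
  cat >"$1" <<'EOF'
# commented out, so the default (yes) applies
#PasswordAuthentication no
PermitRootLogin yes
# duplicate is ignored: the first PermitRootLogin above wins
PermitRootLogin no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
}

# Constructed sample: content for a drop-in such as
# /etc/ssh/sshd_config.d/50-keys-only.conf (name is an assumption).
write_hardened_config() {
  cat >"$1" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AuthenticationMethods publickey
EOF
}

# Demo when run directly; both sample files are temporary.
weak=$(mktemp); hardened=$(mktemp)
write_weak_config "$weak"; write_hardened_config "$hardened"
echo "--- weak config";     sshd_audit "$weak"     || echo "result: NOT compliant"
echo "--- hardened config"; sshd_audit "$hardened" && echo "result: compliant"
rm -f "$weak" "$hardened"
```

On a real host, check the effective values with `sshd -T` (run as root), which prints the configuration exactly as sshd resolved it. A drop-in file only takes precedence on distributions whose sshd_config starts with an `Include /etc/ssh/sshd_config.d/*.conf` line; otherwise edit the main file and make sure no earlier occurrence of the directive exists.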

How to start a VM with floating IPs

Please note that you can either have a single interface associated with a public IP, or you can start from the uzh-only-snat setup.

In principle, you need to create a private network and a router attached to both the private network and the public network already available on the system. Then, you can associate a floating IP with the private IP of your instance. You can later remove the floating IP from the instance and attach it to another instance. In this way, you can use one single floating IP to connect to multiple VMs, one at a time.

How to create the private network:

  1. On the web interface, main page, select the Network link on the left column
  2. Click on Network Topology (this will show you the current network topology)
  3. Click on the button + Create Network on the upper-right side
  4. Pick a name, for instance, private, then click on the Next button
  5. Under Network Address, pick an IP range, for instance, 10.65.4.0/24, then click on the Next button
  6. Ensure Enable DHCP is selected, then click on the Create button
  7. You should be able to see your new network.

How to create a router and connect it to the networks:

  1. On the web interface, main page, select the Network link on the left column
  2. Click on Network Topology (this will show you the current network topology)
  3. Click on the button + Create Router on the upper-right side
  4. Pick a name, for instance, private-router
  5. From the External Network menu, select public
  6. Click on the Create Router button on the bottom-right side
  7. You should now see the router icon connected to the public network
  8. Move the mouse over the router, and select the + Add interface button
  9. In the Subnet menu, select the private network, and click the Add interface button
  10. On the Network Topology page you should now see that your router is connected to both public and private networks

How to start an instance:

  1. While launching a new instance, click on the Networking tab
  2. Select private as primary interface (assigned to NIC:1)

After starting the instance, you need to associate a floating IP to it.

  1. On the web interface, main page, select the Compute link on the left column
  2. Find your instance, and from the menu on the right corresponding to your instance, select Associate Floating IP
  3. If an IP is available in the IP Address menu, select one.
  4. If no IP is available on the IP address menu, then click on the + sign next to No floating IP addresses allocated. Please note that if you have not requested the floating IP quota a priori, pressing the + will not allocate any IP address from the pool.
    • from the Pool menu, select public
    • Click on the Allocate IP button
    • Select the newly allocated IP from the IP Address menu
  5. Ensure the Port to be associated contains the instance name and the correct private IP
  6. Click on the Associate button

Now the public IP you have chosen is assigned to the private IP of your VM. Remember to update the security groups to open the ports needed to connect to your VM with protocols other than SSH.

Release unused public IPs

Public IPs are a scarce resource. Please release them if you don't need them anymore:

  1. On the web interface, main page, click on the Compute link
  2. Click on Access & Security link
  3. Click on the Floating IPs tab
  4. For each floating IP you want to release, select from the menu on the right Release Floating IP
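The dashboard steps from "How to start a VM with floating IPs" down to "Release unused public IPs" can also be carried out with the openstack command-line client. The script below is an added example, not part of the ScienceCloud documentation: it uses the tutorial's own names (private, private-router, 10.65.4.0/24, pool public) and adds a security group that opens HTTPS publicly while restricting the admin port to UZH addresses, as the security recommendations above ask. The UZH address range is a placeholder to be replaced with the university's published ranges, and the instance, group and port names are assumptions. With DRY_RUN=1 (the default) the commands are printed rather than executed, so the plan can be reviewed offline.

```shell
#!/bin/sh
# Added example (not part of the ScienceCloud documentation): the dashboard
# procedure expressed as openstack CLI calls, plus a security group that
# exposes the admin/management port only to UZH addresses.
# DRY_RUN=1 (default) prints each command instead of running it.
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Names and the address range are the tutorial's own examples. UZH_CIDR is a
# placeholder: replace it with the university's published address ranges.
NET=private
SUBNET=private-subnet
RANGE=10.65.4.0/24
ROUTER=private-router
EXTERNAL=public
UZH_CIDR='<uzh-network-cidr>'

# "How to create the private network", with DHCP enabled.
create_private_network() {
  run openstack network create "$NET"
  run openstack subnet create --network "$NET" --subnet-range "$RANGE" --dhcp "$SUBNET"
}

# "How to create a router": gateway on public, interface on the private subnet.
create_router() {
  run openstack router create "$ROUTER"
  run openstack router set --external-gateway "$EXTERNAL" "$ROUTER"
  run openstack router add subnet "$ROUTER" "$SUBNET"
}

# "Allocate IP" from the public pool; prints only the address so a caller can
# capture it. This fails while the floating IP quota is still zero.
allocate_floating_ip() {
  run openstack floating ip create -f value -c floating_ip_address "$EXTERNAL"
}

# "Associate Floating IP": $1 = instance name, $2 = floating IP
associate_floating_ip() {
  run openstack server add floating ip "$1" "$2"
}

# Security group for a public web service: HTTPS from anywhere, the
# admin/management port ($2) only from UZH addresses. $1 = group name
create_service_security_group() {
  run openstack security group create "$1"
  run openstack security group rule create --proto tcp --dst-port 443 --remote-ip 0.0.0.0/0 "$1"
  run openstack security group rule create --proto tcp --dst-port "$2" --remote-ip "$UZH_CIDR" "$1"
}

# "Release Floating IP": detach from the instance first, then return it to the pool.
# $1 = instance name, $2 = floating IP
release_floating_ip() {
  run openstack server remove floating ip "$1" "$2"
  run openstack floating ip delete "$2"
}

# Print the whole plan when run directly.
create_private_network
create_router
create_service_security_group web-service 8443
```

Run with `DRY_RUN=0` and a sourced OpenStack RC file to execute the commands for real; `openstack floating ip create` prints the allocated address, which you then pass to associate_floating_ip and, when the service is decommissioned, to release_floating_ip.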

More complex networking

This is the best option if:

  • you want to replicate an existing complex network setup for testing purposes
  • you need to deploy a distributed service composed of multiple VMs with different roles and needs in terms of network configuration

You have the ability to create private networks and routers and connect them as you wish. However, since multiple configurations are possible, and this use case is not so common, we do not describe it here in detail.

If you need assistance on setting up your network configuration, feel free to contact S3IT by sending an email to help@s3it.uzh.ch.


Last update: March 21, 2022