CHAPTER 9. PROVIDING PUBLIC ACCESS TO AN INSTANCE
New instances automatically receive a port with a fixed IP address on the network that the instance is
assigned to. This IP address is private and is permanently associated with the instance until the instance
is deleted. The fixed IP address is used for communication between instances.
You can connect a public instance directly to a shared external network where a public IP address is
directly assigned to the instance. This is useful if you are working in a private cloud.
You can also provide public access to an instance through a project network that has a routed
connection to an external provider network. This is the preferred method if you are working in a public
cloud, or when public IP addresses are limited. To provide public access through the project network,
the project network must be connected to a router with the gateway set to the external network. For
external traffic to reach the instance, the cloud user must associate a floating IP address with the
instance.
To provide access to and from an instance, whether it is connected to a shared external network or a
routed provider network, you must use a security group with the required protocols, such as SSH, ICMP,
or HTTP. You must also pass a key pair to the instance during creation, so that you can access the
instance remotely.
9.1. PREREQUISITES
- The external network must have a subnet to provide the floating IP addresses.
- The project network must be connected to a router that has the external network configured as
  the gateway.
- A security group with the required protocols must be available for your project. For more
  information, see Configuring security groups in Configuring Red Hat OpenStack Platform
  networking.
9.2. SECURING INSTANCE ACCESS WITH SECURITY GROUPS AND KEY PAIRS
Security groups are sets of IP filter rules that control network and protocol access to and from
instances, such as ICMP to allow you to ping an instance, and SSH to allow you to connect to an instance.
All projects have a default security group called default, which is used when you do not specify a security
group for your instances. By default, the default security group allows all outgoing traffic and denies all
incoming traffic from any source other than instances in the same security group. You can apply one or
more security groups to an instance during instance creation. To apply a security group to a running
instance, apply the security group to a port attached to the instance.
For more information on security groups, see Configuring security groups in Configuring Red Hat
OpenStack Platform networking.
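The allow-list behaviour described above, as an added example that is not part of the Red Hat documentation: an offline model of how security group rules decide whether traffic reaches an instance, plus a check for ingress rules that are open to any address. The rule dictionaries use the Networking service's rule field names; the group ID, the addresses and the helpers rule_matches, allowed and world_open are constructed for illustration.

```python
import ipaddress

# Constructed sample: rules of a project's "default" security group, written
# with Neutron-style rule fields. The group ID is a placeholder.
DEFAULT_SG = "sg-default"
DEFAULT_RULES = [
    {"direction": "egress", "ethertype": "IPv4"},
    {"direction": "egress", "ethertype": "IPv6"},
    {"direction": "ingress", "ethertype": "IPv4", "remote_group_id": DEFAULT_SG},
    {"direction": "ingress", "ethertype": "IPv6", "remote_group_id": DEFAULT_SG},
]
# Constructed sample: a group that opens SSH to one admin range and ICMP to all.
ACCESS_RULES = [
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "203.0.113.0/24"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "icmp",
     "remote_ip_prefix": "0.0.0.0/0"},
]

def rule_matches(rule, pkt):
    """Return True if one rule permits the packet; unset fields match anything."""
    addr = ipaddress.ip_address(pkt["remote_ip"])
    if rule["direction"] != pkt["direction"]:
        return False
    if rule["ethertype"] != f"IPv{addr.version}":
        return False
    if rule.get("protocol") not in (None, pkt["protocol"]):
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None and not (lo <= pkt.get("port", -1) <= hi):
        return False
    if rule.get("remote_group_id") is not None:
        # The peer must be a port that is itself a member of the referenced group.
        return rule["remote_group_id"] in pkt.get("remote_groups", ())
    prefix = rule.get("remote_ip_prefix")
    return prefix is None or addr in ipaddress.ip_network(prefix)

def allowed(rules, pkt):
    """Security groups are allow-lists: traffic passes if any rule matches."""
    return any(rule_matches(r, pkt) for r in rules)

def world_open(rules):
    """Ingress rules reachable from any address (no group and no or a /0 prefix)."""
    return [r for r in rules if r["direction"] == "ingress"
            and r.get("remote_group_id") is None
            and r.get("remote_ip_prefix") in (None, "0.0.0.0/0", "::/0")]
```

When several security groups are applied to one port, pass the concatenation of their rule lists to allowed, because the effective policy is the union of all rules.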
NOTE
You cannot apply a role-based access control (RBAC)-shared security group directly to
an instance during instance creation. To apply an RBAC-shared security group to an
instance you must first create the port, apply the shared security group to that port, and
then assign that port to the instance. See Adding a security group to a port.
Key pairs are SSH or x509 credentials that are injected into an instance when it is launched to enable