Configure secure access for instances (2/4)

In this tutorial, part of the getting started series, we explain what a security group is and how you can create IP filter rules to grant SSH access to your instance (virtual machine).

SSH (Secure Shell) offers an encrypted, secure connection over an unsecured network (internet) for client-server communication. In other words, it lets you log in to your instance remotely.

Prerequisites:

Security Groups

Before you launch an instance, you have to configure a security group. A security group acts as a virtual firewall: it is a container with a set of IP filter rules that specify which traffic has access to which port. For example, you can make SSH access and ping traffic available on your instance.

Add rules to the default security group

In this example, we are going to add some IP filter rules to the already existing default security group. Of course, you can create a new security group for this. It is possible to add several security groups to your instance.

Before you can access an instance by SSH and ICMP (ping) you need to apply some rules to all instances within a project. You always need to set up the following unless there is a particular reason to prohibit SSH or ICMP access to an instance.

  1. From your project in the dashboard go to the Networking tab and click Security groups.
  2. You can see the available security groups for this project.
  3. Click Manage Rules and then Add Rule.

Enable SSH

To enable SSH access fill out the following:
  • Rule source: SSH
  • Remote: CIDR
  • CIDR: 0.0.0.0/0

Enable ICMP

To add ICMP (ping) access fill out the following:

  • Rule source: ALL ICMP
  • Remote: CIDR
  • CIDR: 0.0.0.0/0
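
A check you can run over the resulting rules, given here as an added example that is not part of the original tutorial: it flags ingress rules whose source is any address, which is what the CIDR 0.0.0.0/0 entered above means. The field names follow the OpenStack Networking API's security group rule object, and the sample rules (including the 203.0.113.0/24 range) are constructed for illustration.

```python
import ipaddress

# Constructed sample: the two rules this tutorial adds, plus a narrowed SSH
# rule for comparison. Field names are assumed to match the Networking API
# security group rule object; 203.0.113.0/24 is a documentation range.
SAMPLE_RULES = [
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "icmp",
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "203.0.113.0/24", "remote_group_id": None},
]


def is_world_open(rule):
    """True if an ingress rule accepts traffic from any source address."""
    if rule.get("direction") != "ingress":
        return False
    if rule.get("remote_group_id"):
        return False  # source limited to members of another security group
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:
        return True  # no remote restriction at all means any source
    # A prefix length of 0 (0.0.0.0/0 or ::/0) matches every address.
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def describe(rule):
    """Short label such as 'tcp/22' or 'icmp/any' for a rule."""
    proto = rule.get("protocol") or "any"
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    ports = "any" if lo is None else str(lo) if lo == hi else f"{lo}-{hi}"
    return f"{proto}/{ports}"


def audit(rules):
    """Return labels of all ingress rules reachable from any address."""
    return [describe(r) for r in rules if is_world_open(r)]


if __name__ == "__main__":
    for label in audit(SAMPLE_RULES):
        print("open to any source:", label)
```

Run against the sample, this reports the SSH and ICMP rules from this tutorial and leaves the rule restricted to 203.0.113.0/24 unflagged.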

Key Pairs

A key pair, also known as an SSH key, consists of two keys: a ‘public key’ and a ‘private key’. The private key is only for you and should not be shared with anyone. Your public key is inserted into your instance(s) when first deployed.

The public key ensures that all traffic, from and to your instance, is encrypted via SSH. This encryption can only be deciphered with your private key. If you want to log in to your instance remotely via SSH, your private key will decrypt the traffic so that you can talk to your instance. Because the traffic is encrypted, it is not possible to eavesdrop (man-in-the-middle attack) or to guess your password through brute force. This makes SSH the most used and safest way to log in remotely.

Each project should have at least one key pair. You can use a key pair for multiple instances at the same time. If you already have a key pair or created one with another tool, you can import that key pair. After this section, you should be able to import or create a key pair and add or create security groups.

Create a new key pair

If you wish to use a new key pair for your OpenStack platform, follow the steps below:

  1. Navigate to the Access tab and click on Key Pairs.
  2. In the key pairs tab, please click on the button Create Key Pair.
  3. Give your key pair a name and click on the button Create Key Pair.
  4. Your browser will prompt you to save your "<name>.pem" file. Save this file in a secure place on your machine.
  5. Your key is created.

Upload an existing Key Pair

If you wish to use an existing key pair, follow the steps below:

  1. Navigate to the Access tab and click on Key Pairs.
  2. Click on the button Upload Public key.
  3. Give your key pair a name.
  4. Paste your public key in the Public Key field.
  5. Click on the button Upload public key.

Conclusion

You have now added an IP filter rule granting SSH access (port 22) to instances configured with your security group. You also created or uploaded a key pair. This will be used later on for instance authentication.

Now it’s time to launch your first instance. In the next tutorial, we show you step by step how we can do that.