Networking and Security

Networking

When you create a new instance, you can specify the instance to be connected to one of the 2 types of networks:

1. Public Network (public): Red Cloud has a public network that connects instances to the Internet.
2. Private Network: Connects one or multiple instances. A floating IP address can be dynamically assigned to an instance connected to a private network so the instance can accept incoming connections from the Internet at the floating IP address.

Public Network

The public network is a pre-configured network in Red Cloud that offers direct connectivity to the Internet. The public network has the IP range of 128.84.40.0/22.

When you create an instance, specify the public network under the "Network" tab (Horizon) or the --network option (CLI client). An IP address from 128.84.40.0/22 range will be automatically assigned to the instance during the instance's entire lifecycle. The new instance will be created on the public network at the assigned IP address. You can restrict access to the instance using security groups.

Private Network and Floating IP

A private network connects one or multiple instances inside a vxlan tunnel. The network traffic is accessible to only instances on the same private network. To connect an instance to a private network:

1. If the private network does not already exist, create a new private network.
2. When creating a new instance, specify the private network under the "Network" tab (Horizon) or the --network option (CLI client).

By default a private network does not have connectivity to the public Internet.

• To provide outbound Internet access for instances on a private network, create a router connecting the private network and the public network.
• In addition, to enable inbound access for an instance on a priviate network from the Internet:
  1. Create a floating IP address,
  2. Assign it to the instance,
  3. Move the floating IP address to another instance by first removing the floating IP from the original instance and assignging it to the new instance, and
  4. Remember to delete the floating IP address after you are done.

Networking Operations

Create a Private Network

Horizon | CLI

Delete a Network

Horizon | CLI

Create a Router

Horizon | CLI

Connect a Router to a Subnet

Horizon | CLI

Delete a Router

Horizon | CLI

Create a Floating IP Address

Horizon | CLI

Delete a Floating IP Address

Horizon | CLI

Assign a Floating IP Address to an Instance

Horizon | CLI

Remove a Floating IP Address from an Instance

Horizon | CLI

Security

Security Group

Security groups are firewalls that control inbound and outbound network traffic to your instances. A security group is a collection of rules, each of which specifies that internet traffic will be allowed to come from (ingress) or go to (egress) a set of Internet Protocol (IP) addresses through a given set of ports. The permissions given by these rules accumulate to form the net effect of the security group. Multiple security groups can be assigned to an instance, and the permissions from multiple groups also accumulate.

Each Red Cloud project has a default security group that cannot be deleted. The default rules for the default security group allow outbound traffic is allowed but block all inbound traffic. Users will want to either modify the project's default security group or create additional security groups to provide access to types of internet communication that are not enabled by the default group.

When launching a new instance, the new instance is assigned to at least 1 security group (the default security group if not specified). Unless you modify the rules for your project's default security group or assign the instance to a new security group, access to the new instance from outside the cloud is disabled by default!

Security Group Rules

Add a security group rule to a security group to explicitly allow access. Each rule can contain the following filters:

• Direction: Specifies the direction of network traffic.

  • Ingress: Traffic coming into the instance.
  • Egress: Traffic going out from the instance.

• Protocol: Specifies the type of network protocol. Common options are:

  • ICMP (Internet Control Message Protocol): Used for ping requests.
  • TCP (Transmission Control Protocol): Used for most application-level protocols like HTTP, HTTPS, and SSH.
  • UDP (User Datagram Protocol): Used for protocols like DNS lookups and video playbacks.

• Port: Specifies the destination port number or port range. A port is a number that routes network data to a specific service.

  • Single Port: Specify a single port number (e.g., 22 for SSH).
  • Port Range: Specify a range of ports (e.g., 50000-51000 for Globus Connect Server).

• Remote IP: Specifies the remote IP address or CIDR range allowed to access the instance.

  • Use specific IP ranges to restrict access to certain IPs.
  • Use 0.0.0.0/0 to allow access from the entire internet (not recommended).
  • Example: Use 128.84.0.0/16 to allow access from Cornell VPN. See more Cornell IP addresses below.

• Remote Security Group: Allows access from instances in another security group.

When creating rules for your security group, limit access as much as possible for better security. For example, use the following IP ranges to limit access to Cornell campus network or CU VPN.

Cornell Campus Network IP Ranges

Cornell campus network uses the following IP ranges:

• 128.84.0.0/16
• 128.253.0.0/16
• 132.236.0.0/16
• 192.35.82.0/24
• 192.122.235.0/24
• 192.122.236.0/24
• 10.0.0.0/8

CU VPN IP Ranges

CU VPN uses the following IP ranges:

• 10.41.224.0/19 (General Pool)
• 10.17.0.0/16 (Department VPN)
• 10.18.0.0/16 (Department VPN)

Common Security Group Rule Sets

The best practice is to set up a security group with rules that allow access to your instance only from the expected sources (IP addresses) and methods (port numbers) of access. Doing so will minimize the attack surface and keep your instance as secure from remote attacks as possible. For that reason, in addition to the default security group, your project has two additional security groups: campus-only-rdp and campus-only-ssh.

campus-only-rdp and campus-only-ssh have security group rules, so an instance with either security group is only accessible by the Cornell campus network (Wi-Fi, Ethernet, CU VPN). So, only users on the Cornell campus or off-campus connected to CU VPN will be able to SSH to your instance, not some hacker from halfway around the world.

If you need to add another security group rule to campus-only-rdp or campus-only-ssh, it is highly recommended not to modify either of these security groups, as any changes can affect instances that use them. For that reason, please create another security group and copy the rules from campus-only-rdp or campus-only-ssh, then add your own rules.

Security Group Rules for Windows

Windows instances must NOT use a security group that opens the RDP Port (3389) to the entire internet (0.0.0.0/0) because allowing such access is NOT secure. Your security group rules should only allow access from IP ranges you frequently use. For that reason, it's recommended to use the campus-only-rdp security group, which has all the common rules to allow access from the Cornell network. Please see Common Security Group Rule Sets for the full details.

Security Group Operations

Create a Security Group

Horizon | CLI

Delete a Security Group

Horizon | CLI

Before a security group can be deleted, it must not be in use by any instances.

List Security Groups

Horizon | CLI

Add a Security Group Rule

Horizon | CLI

Delete a Security Group Rule

Horizon | CLI