Networking and Security

Note

Red Cloud 2 is currently in beta testing and not available to all users. If you are not a Red Cloud 2 beta tester, use the production Red Cloud instead. This Red Cloud 2 documentation is still under development.

Beta testers: Report all problems to CAC Help. Please specify Red Cloud 2 when reporting problems. Thank you!

Networking

When you create a new instance, you can specify the instance to be connected to one of the 2 types of networks:

  1. Public Network (public): Red Cloud has a public network that connects instances to the Internet.
  2. A Private Network connects one or multiple instances. A floating IP address can be dynamically assigned to an instance connected to a private network so the instance can accept incoming connections from the Internet at the floating IP address.

Public Network

The public network is a pre-configured network in Red Cloud that's offers direct connectivity to the Internet. The public network has the IP range of 128.84.40.0/22.

When you create an instance, specify the public network under the "Network" tab (Horizon) or the --network option (CLI client). An IP address from 128.84.40.0/22 range will be automatically assigned to the instance during the instance's entire lifecycle. The new instance will be created on the public network at the assigned IP address. You can restrict access to the instance using security groups.

Private Network and Floating IP

A private network connects one or multiple instances inside a vxlan tunnel. The network traffic is accessible to only instances on the same private network. To connect an instance to a private network:

  1. If the private network does not already exist, create a new private network.
  2. When creating a new instance, specify the private network under the "Network" tab (Horizon) or the --network option (CLI client).

By default a private network does not have connectivity to the public Internet.

Networking Operations

Create a Private Network

Horizon | CLI

Delete a Network

Horizon | CLI

Create a Router

Horizon | CLI

Connect a Router to a Subnet

Horizon | CLI

Delete a Router

Horizon | CLI

Create a Floating IP Address

Horizon | CLI

Delete a Floating IP Address

Horizon | CLI

Assign a Floating IP Address to an Instance

Horizon | CLI

Remove a Floating IP Address from an Instance

Horizon | CLI

Security

Security Group

Security groups are firewalls that control inbound and outbound network traffic to your instances. A security group is a collection of rules, each of which specifies that internet traffic will be allowed to come from (ingress) or go to (egress) a set of Internet Protocol (IP) addresses through a given set of ports. The permissions given by these rules accumulate to form the net effect of the security group. Multiple security groups can be assigned to an instance, and the permissions from multiple groups also accumulate.

Each Red Cloud project has a default security group that cannot be deleted. The default rules for the default security group allow outbound traffic is allowed but block all inbound traffic. Users will want to either modify the project's default security group or create additional security groups to provide access to types of internet communication that are not enabled by the default group.

When launching a new instance, the new instance is assigned to at least 1 security group (the default security group if not specified). Unless you modify the rules for your project's default security group or assign the instance to a new security group, access to the new instance from outside the cloud is disabled by default!

Security Group Operations

Create a Security Group

Horizon | CLI

Delete a Security Group

Horizon | CLI

List Security Groups

Horizon | CLI

Add a Security Group Rule

Horizon | CLI

Add a security group rule to explicitly allow access. Each rule can contain the following filters:

  • Direction: ingress or egress
  • Protocol: icmp, tcp, or udp
  • Port: destination port number or port range
  • Remote IP: specify remote IP address or CIDR. Enter 0.0.0.0/0 for the entire internet.
  • Remote Security Group: allow access

When creating rules for the security group, limit access as much as possible for better security. For example, use the following IP ranges to limit access to Cornell campus network or CU VPN.

Cornell Campus Network IP Ranges

Cornell campus network uses the following IP ranges:

  • 128.84.0.0/16
  • 128.253.0.0/16
  • 132.236.0.0/16
  • 192.35.82.0/24
  • 192.122.235.0/24
  • 192.122.236.0/24
  • 10.0.0.0/0
CU VPN IP Ranges

CU VPN uses the following IP ranges:

  • 10.41.224.0/19
  • 10.17.0.0/14

Common Security Group Rule Sets

The appropriate security group configuration depends on the instance operating system and your intended use of the Red Cloud instance. For example, if the instance only needs to be accessible from the Cornell campus network or VPN, it is good practice to use a security group rule set that enforces this expectation. If the instance should be accessible to off-campus collaborators who do not have access to the Cornell VPN, then certain services (ports) can be set to allow access from the whole internet. In general, it is best to only open the ports for services you will be using and to limit access to the smallest reasonable sets of IP addresses. The tables below show security group rule sets that correspond to common use cases.

Linux instance accessible via SSH from the Cornell network or VPN
Direction Ether Type IP Protocol Port Range Remote IP Prefix Remote Security Group
Egress IPv6 Any Any ::/0 -
Egress IPv4 Any Any 0.0.0.0/0 -
Ingress IPv4 TCP 22 (SSH) 128.84.0.0/16 -
Ingress IPv4 TCP 22 (SSH) 132.236.0.0/16 -
Ingress IPv4 TCP 22 (SSH) 10.0.0.0/8 -
Linux instance accessible via SSH from the entire internet (requires enhanced security measures)
Direction Ether Type IP Protocol Port Range Remote IP Prefix Remote Security Group
Egress IPv6 Any Any ::/0 -
Egress IPv4 Any Any 0.0.0.0/0 -
Ingress IPv4 TCP 22 (SSH) 0.0.0.0/0 -
Windows instance accessible via Remote Desktop from the Cornell network or VPN
Direction Ether Type IP Protocol Port Range Remote IP Prefix Remote Security Group
Egress IPv6 Any Any ::/0 -
Egress IPv4 Any Any 0.0.0.0/0 -
Ingress IPv4 TCP 3389 (RDP) 128.84.0.0/16 -
Ingress IPv4 TCP 3389 (RDP) 132.236.0.0/16 -
Ingress IPv4 TCP 3389 (RDP) 10.0.0.0/8 -

Delete an Access Rule

Horizon | CLI