Opening a specific port on a VM allows access over a certain transport protocol at that port. Each standard application protocol (e.g., ssh, http, https, rdp, ...) has a default port associated with it and uses a certain transport protocol. To allow access via a certain application protocol, you have to open the port for communication over that certain transport protocol on the VM. The default ports and transport protocols for the different application protocols are listed in Table 1: Configuration parameter.
|Application Protocol|Default Port|Transport Protocol|Rule Entry|Public IP required|
|---|---|---|---|---|
|rdp|3389|TCP|Custom TCP Rule|Yes|
When opening a port you are creating so-called access rules allowing access over a certain transport protocol at a certain port – one port/transport protocol pair per access rule. The access rules are encapsulated in so-called security groups, which can have zero or more access rules. The security groups are then associated with the instance(s) where you want to open the ports.
To open a port on a VM, execute the following steps, which we explain in detail below:
- Select the security group to modify.
- Make sure the security group contains the required access rules.
- Make sure the VM to be accessed is associated with the desired security group.
Step 1: Select a security group to modify
To select the desired security group, follow these steps:
- Go to the Access & Security tab in the Cloud&Heat Dashboard.
- Click on the Security Groups tab at the top (selected by default). Initially the resulting table of security groups will only contain one entry – the default security group. This will initially have no access rules associated with it. Modifying the settings of a security group opens or closes ports on all VMs associated with that security group. If you are unsure of the consequences of modifying an existing security group, create a new security group or read Security Group Overview before continuing with the next step.
- Decide which security group you want to modify. To view the rules contained in a security group, click the Edit Rules button next to it; to get back, click the Access & Security tab in the left side bar again.
Step 2: Make sure the selected security group contains the required access rules
To make sure the selected security group contains the required access rules follow these steps:
- Make sure you are on the Access & Security tab and have selected the Security Groups tab at the top of the page. A table containing all available security groups (Figure 6: Table of available security groups) should be visible.
- Click on the Edit Rules button to the right of the security group you want to modify. An Edit Security Group Rules page will appear (Figure 7: Table of available security group rules) which contains all the access rules associated with this security group. Initially this table will be empty, indicating that no ports are opened.
If the selected security group does not contain the desired access rules, execute the steps given in Section Adding an Access Rule for each port you want to open.
If you want to remove an access rule click on the Delete Rule button next to it.
Step 3: Make sure the VM is associated with the desired security group
To associate a security group with an instance at launch time, see Section Launching Virtual Machines. If the VM has already been started, follow these steps to change the security groups with which the instance is associated:
- Go to the Instances tab in the Cloud&Heat Dashboard (Figure 4: Instances tab in the Cloud&Heat Dashboard).
- Select the instance you want to access and select Edit Security Groups in the More dropdown menu to the right on the table row corresponding to the selected instance (Figure 8: Available actions on an instance).
- In the resulting dialog window under the heading Instance Security Groups, you can see all security groups currently associated with the instance. Under the heading All Security Groups you see a list of all other security groups that are available to use.
- Press either + for adding or – for removing the security group(s) you want to add or remove.
- When you are done click the Save button to save your changes.
Security Group Overview
A security group consists of a set of access rules, each allowing a certain kind of access. You can associate your VM with one or more security groups at launch time and add or remove security groups to and from the VM while it is running. You can also change the access rules of the security group(s) to which the VM belongs at any point in time. Changing the access rules of a security group, however, changes the access rules for all VMs belonging to that security group, and should therefore be done with caution.
An access rule is a rule allowing access using a certain protocol over a certain port. If a security group does not have any access rules (and it is the only security group a certain VM belongs to) none of the ports on that VM will be reachable and therefore they all appear to be closed.
You can configure the kind of access you want to allow to your VM either by changing the settings of the security groups to which it belongs, or by changing to which security groups your VM belongs.
For example, if you want to run a web server to be accessed via http on some VMs but only via https on other VMs, then you need at least two different security groups: one group containing only an access rule allowing http access, and a second group with only an access rule allowing https access.
If you go to the Access & Security tab on the left hand side of the Cloud&Heat Dashboard, and select the Security Groups tab at the top of the page, you see a list of all available security groups. Initially this list contains one security group called default. This group is all that is necessary if all VMs can belong to the same security group, i.e., have the same access rules.
Creating a Security Group
To create a security group execute the following steps:
- Select the Access & Security tab on the left side bar in the Cloud&Heat Dashboard
- Click the Create Security Group button above the resulting list of all available security groups (Figure 6: Table of available security groups)
- Provide a name and description in the dialog window you are presented with (Figure 9: Create Security Group dialog window)
- Then click the Create Security Group button in the dialog window.
Adding an Access Rule
To add an access rule make sure you are on the Edit Security Group Rules page (Access & Security → Security Groups → Edit Rules) and perform the following steps:
- If one of the Custom <transport protocol> Rule options was selected in the Rule dropdown menu, specify Port under Open Port and the desired port number under Port. The port number for a given application protocol can be found in the table of default ports and transport protocols above.
- Leave the Remote and CIDR fields untouched.
- Press the Add button in the dialog window and the new rule appears in the Security Group Rules table on the Edit Security Group Rules page.
- To get back to the table listing all available security groups select the Access & Security tab on the left.
The Custom <transport protocol> Rule options in the Rule dropdown menu allow you to open ports other than the standard ssh, http and https ports. To be able to access your VM over such a port, you also have to assign a public IP to your VM.
To get back to the overview of the security groups when you are on the Edit Security Group Rules page, click on the Access & Security tab again and select the Security Groups tab at the top of the page.
It is important to realize that the port settings in a security group affect all running VM instances associated with this security group.
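An added example (not part of the Cloud&Heat documentation) of the model described in the Security Group Overview and of the untouched CIDR field in Adding an Access Rule: it computes each VM's open ports as the union of its groups' rules, lists which VMs a group edit touches, and flags rules that admit any source address. The group names, VM names and the `PUBLIC_OK` allowlist are constructed, and it assumes an untouched CIDR field means 0.0.0.0/0, as in the stock OpenStack dashboard.

```python
from ipaddress import ip_network

# Constructed inventory: security group -> access rules (protocol, port, remote CIDR).
GROUPS = {
    "default": [],                                    # no rules: opens nothing
    "web-http": [("tcp", 80, "0.0.0.0/0")],
    "web-https": [("tcp", 443, "0.0.0.0/0")],
    "admin-rdp": [("tcp", 3389, "0.0.0.0/0")],        # CIDR left untouched (assumed default)
    "admin-rdp-office": [("tcp", 3389, "203.0.113.0/24")],
}

# Constructed association of VMs with security groups.
INSTANCES = {
    "vm-a": ["default"],
    "vm-b": ["default", "web-http"],
    "vm-c": ["web-https", "admin-rdp"],
    "vm-d": ["web-https", "admin-rdp-office"],
}

# Assumption: services that are meant to be reachable from any address.
PUBLIC_OK = {("tcp", 80), ("tcp", 443)}


def effective_rules(vm):
    """Union of the access rules of every group the VM belongs to."""
    return {rule for group in INSTANCES[vm] for rule in GROUPS[group]}


def affected_vms(group):
    """VMs whose open ports change when this group's rules are edited."""
    return sorted(vm for vm, groups in INSTANCES.items() if group in groups)


def world_open(vm):
    """Open ports that accept any source address and are not in PUBLIC_OK."""
    return sorted(
        (proto, port)
        for proto, port, cidr in effective_rules(vm)
        if ip_network(cidr).prefixlen == 0 and (proto, port) not in PUBLIC_OK
    )


if __name__ == "__main__":
    for vm in INSTANCES:
        print(vm, sorted(effective_rules(vm)), "world-open:", world_open(vm))
    print("editing 'default' touches:", affected_vms("default"))
```
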