Port Configuration

Opening a port on a VM allows access to that port over a specific transport protocol. Each standard application protocol (e.g., ssh, http, https, rdp) has a default port and uses a particular transport protocol. To allow access via an application protocol, you have to open its port for the corresponding transport protocol on the VM. The default ports and transport protocols for the different application protocols are listed in Table 1: Configuration parameter.

Table 1: Configuration parameter
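| Application Protocol | Default Port | Transport Protocol | Rule Entry      | Public IP required |
|----------------------|--------------|--------------------|-----------------|--------------------|
| ssh                  | 22           | TCP                | SSH             | No                 |
| rdp                  | 3389         | TCP                | Custom TCP Rule | Yes                |
| http                 | 80           | TCP                | HTTP            | No                 |
| https                | 443          | TCP                | HTTPS           | No                 |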

When opening a port you are creating so-called access rules allowing access over a certain transport protocol at a certain port – one port/transport protocol pair per access rule. The access rules are encapsulated in so-called security groups, which can have zero or more access rules. The security groups are then associated with the instance(s) where you want to open the ports.


Opening Ports

To open a port on a VM execute the following steps, which we explain in detail below:

  1. Select the security group to modify.
  2. Make sure the security group contains the required access rules.
  3. Make sure the VM to be accessed is associated with the desired security group.

Step 1: Select a security group to modify

To select the desired security group follow these steps:

  1. Go to the Access & Security tab in the Cloud&Heat Dashboard.
  2. Click on the Security Groups tab at the top (selected by default). Initially the resulting table of security groups will only contain one entry – the default security group. This will initially have no access rules associated with it. Modifying the settings of a security group opens or closes ports on all VMs associated with that security group. If you are unsure of the consequences of modifying an existing security group, create a new security group or read Security Group Overview before continuing with the next step.
  3. Decide which security group you want to modify. To view the rules contained in a security group, click the Edit Rules button next to it; to get back, click the Access & Security tab in the left side bar again.

Step 2: Make sure the selected security group contains the required access rules

To make sure the selected security group contains the required access rules follow these steps:

  1. Make sure you are on the Access & Security tab and have selected the Security Groups tab at the top of the page. A table containing all available security groups (Figure 6: Table of available security groups) should be visible.

Figure 6: Table of available security groups

  2. Click on the Edit Rules button to the right of the security group you want to modify. An Edit Security Group Rules page will appear (Figure 7: Table of available security group rules) which contains all the access rules associated with this security group. Initially this table will be empty, indicating that no ports are opened.

Figure 7: Table of available security group rules

  3. If the selected security group does not contain the desired access rules, execute the steps given in Section Adding an Access Rule for each port you want to open.

    If you want to remove an access rule click on the Delete Rule button next to it.

Step 3: Make sure the VM is associated with the desired security group

To associate a security group with an instance at launch time see Section Launching Virtual Machines. If the VM has already been started follow these steps to change the security groups with which the instance is associated:

  1. Go to the Instances tab in the Cloud&Heat Dashboard (Figure 4: Instances tab in the Cloud&Heat Dashboard).
  2. Select the instance you want to access and select Edit Security Groups in the More dropdown menu to the right on the table row corresponding to the selected instance (Figure 8: Available actions on an instance).

Figure 8: Available actions on an instance

  3. In the resulting dialog window under the heading Instance Security Groups, you can see all security groups currently associated with the instance. Under the heading All Security Groups you see a list of all other security groups that are available to use.
  4. Press + to add or – to remove the security group(s) you want to change.
  5. When you are done click the Save button to save your changes.

Security Group Overview

A security group consists of a set of access rules each allowing a certain kind of access. You can associate your VM with one or more security groups at launch time and add or remove security groups to and from the VM while it is running. You can also at any point in time change the access rules of the security group(s) to which the VM belongs. Changing the access rules of a security group however changes the access rules for all VMs belonging to that security group, and therefore should be done with caution.

An access rule is a rule allowing access using a certain protocol over a certain port. If a security group does not have any access rules (and it is the only security group a certain VM belongs to) none of the ports on that VM will be reachable and therefore they all appear to be closed.

You can configure the kind of access you want to allow to your VM either by changing the settings of the security groups to which it belongs, or by changing to which security groups your VM belongs.

For example, if you want to run a web server to be accessed via http on some VMs but only via https on other VMs, then you need at least two different security groups: one group containing only an access rule allowing http access, and a second group with only an access rule allowing https access.

If you go to the Access & Security tab on the left hand side of the Cloud&Heat Dashboard, and select the Security Groups tab at the top of the page, you see a list of all available security groups. Initially this list contains one security group called default. This group is all that is necessary if all VMs can belong to the same security group, i.e., have the same access rules.
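
An added example, not part of the Cloud&Heat documentation: a small Python model of the rules described in this section, in which a VM's reachable ports are the union of the allow rules of all its security groups, and editing one group changes every VM associated with it. Group names, VM names and the associations are constructed for illustration; the port numbers come from Table 1.

```python
from collections import namedtuple

# One port/transport-protocol pair per access rule, as described above.
Rule = namedtuple("Rule", "protocol port")

# Constructed sample data: group and VM names are hypothetical.
SECURITY_GROUPS = {
    "default":   set(),                 # no access rules: nothing reachable
    "admin-ssh": {Rule("TCP", 22)},
    "web-http":  {Rule("TCP", 80)},
    "web-https": {Rule("TCP", 443)},
}
VM_GROUPS = {
    "vm-blog":  ["admin-ssh", "web-http"],
    "vm-shop":  ["admin-ssh", "web-https"],
    "vm-batch": ["default"],
}

def open_ports(vm, groups=SECURITY_GROUPS, vm_groups=VM_GROUPS):
    """Ports reachable on a VM: union of the rules of all its security groups."""
    rules = set()
    for name in vm_groups[vm]:
        rules |= groups[name]
    return sorted(rules)

def affected_vms(group, vm_groups=VM_GROUPS):
    """Every VM whose exposure changes when this group's rules are edited."""
    return sorted(vm for vm, names in vm_groups.items() if group in names)

def newly_exposed(group, rule, groups=SECURITY_GROUPS, vm_groups=VM_GROUPS):
    """VMs on which adding `rule` to `group` opens a port that was closed before."""
    return [vm for vm in affected_vms(group, vm_groups)
            if rule not in open_ports(vm, groups, vm_groups)]

if __name__ == "__main__":
    for vm in VM_GROUPS:
        ports = [f"{r.protocol}/{r.port}" for r in open_ports(vm)]
        print(vm, ports or "all ports closed")
    rdp = Rule("TCP", 3389)  # rdp default port from Table 1
    print("adding rdp to admin-ssh exposes:", newly_exposed("admin-ssh", rdp))
```

Running a check like `newly_exposed` before editing a shared group shows which VMs would gain an open port from the change, which is the caution this section asks for.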


Creating a Security Group

To create a security group execute the following steps:

  1. Select the Access & Security tab on the left side bar in the Cloud&Heat Dashboard.
  2. Click the Create Security Group button above the resulting list of all available security groups (Figure 6: Table of available security groups).
  3. Provide a name and description in the dialog window you are presented with (Figure 9: Create Security Group dialog window).
  4. Then click the Create Security Group button in the dialog window.

Figure 9: Create Security Group dialog window


Adding an Access Rule

To add an access rule make sure you are on the Edit Security Group Rules page (Access & Security → Security Groups → Edit Rules) and perform the following steps:


Figure 10: Adding an access rule.

    • If one of the Custom <transport_protocol> Rule options was selected in the Rule dropdown menu, specify Port under Open Port and the desired port number under Port. The port number can be found in Table for a given application protocol.
    • Leave the Remote and CIDR fields untouched.
    • Press the Add button in the dialog window and the new rule appears in the Security Group Rules table on the Edit Security Group Rules page.
    • To get back to the table listing all available security groups select the Access & Security tab on the left.

Note

The Custom <transport_protocol> Rule options in the Rule dropdown menu allow you to open other ports than the standard ssh, http and https ports. To be able to access your VM over such a port you also have to assign a public IP to your VM.

Note

To get back to the overview of the security groups when you are on the Edit Security Group Rules page, you have to click on the Access & Security tab again, and select the Security Groups tab at the top of the page.

Caution

It is important to realize that the port settings in a security group affect all running VM instances associated with this security group.