Step 18: Making your VM reachable via IPv4
Start
Now that your template has defined the full network and can reach the internet, you next need to ensure that the VM is reachable externally.
Floating-IP
Define a floating public IPv4 address as a resource of type OS::Neutron::FloatingIP.
Two properties are essential: the external network the address is allocated from (floating_network) and the port the address is forwarded to (port_id):
heat_template_version: 2014-10-16
parameters:
  key_name:
    type: string
  public_network_id:
    type: string
    default: provider
resources:
  Instanz:
    type: OS::Nova::Server
    properties:
      key_name: { get_param: key_name }
      image: Ubuntu 16.04 Xenial Xerus - Latest
      flavor: m1.small
      networks:
        - port: { get_resource: Port }
  Netzwerk:
    type: OS::Neutron::Net
    properties:
      name: BeispielNetzwerk
  Port:
    type: OS::Neutron::Port
    properties:
      network: { get_resource: Netzwerk }
  Router:
    type: OS::Neutron::Router
    properties:
      external_gateway_info: { "network": { get_param: public_network_id } }
      name: BeispielRouter
  Subnet:
    type: OS::Neutron::Subnet
    properties:
      name: BeispielSubnet
      dns_nameservers:
        - 8.8.8.8
        - 8.8.4.4
      network: { get_resource: Netzwerk }
      ip_version: 4
      cidr: 10.0.0.0/24
      allocation_pools:
        - { start: 10.0.0.10, end: 10.0.0.250 }
  Router_Subnet_Bridge:
    type: OS::Neutron::RouterInterface
    depends_on: Subnet
    properties:
      router: { get_resource: Router }
      subnet: { get_resource: Subnet }
  Floating_IP:
    type: OS::Neutron::FloatingIP
    # the external network must be reachable from the subnet before the
    # address can be bound, so wait for the router interface
    depends_on: Router_Subnet_Bridge
    properties:
      floating_network: { get_param: public_network_id }   # network the address is allocated from
      port_id: { get_resource: Port }                       # port the address is forwarded to
Security Groups
If you create a stack as outlined above, the VM will start, but it will not be reachable. As previously stated, VMs do not receive any traffic unless a security group is in place that explicitly allows it.
So, the logical next step is to create a resource of type OS::Neutron::SecurityGroup.
The security group is attached to the Port. The rules are specified on the security group resource itself; each rule states the direction, port range, remote IP prefix and protocol of the traffic it allows.
heat_template_version: 2014-10-16
parameters:
  key_name:
    type: string
  public_network_id:
    type: string
    default: provider
resources:
  Instanz:
    type: OS::Nova::Server
    properties:
      key_name: { get_param: key_name }
      image: Ubuntu 16.04 Xenial Xerus - Latest
      flavor: m1.small
      networks:
        - port: { get_resource: Port }
  Netzwerk:
    type: OS::Neutron::Net
    properties:
      name: BeispielNetzwerk
  Port:
    type: OS::Neutron::Port
    properties:
      network: { get_resource: Netzwerk }
      # security_groups is a list; without an entry here the VM receives no traffic
      security_groups:
        - { get_resource: Sec_SSH }
  Router:
    type: OS::Neutron::Router
    properties:
      external_gateway_info: { "network": { get_param: public_network_id } }
      name: BeispielRouter
  Subnet:
    type: OS::Neutron::Subnet
    properties:
      name: BeispielSubnet
      dns_nameservers:
        - 8.8.8.8
        - 8.8.4.4
      network: { get_resource: Netzwerk }
      ip_version: 4
      cidr: 10.0.0.0/24
      allocation_pools:
        - { start: 10.0.0.10, end: 10.0.0.250 }
  Router_Subnet_Bridge:
    type: OS::Neutron::RouterInterface
    depends_on: Subnet
    properties:
      router: { get_resource: Router }
      subnet: { get_resource: Subnet }
  Floating_IP:
    type: OS::Neutron::FloatingIP
    depends_on: Router_Subnet_Bridge
    properties:
      floating_network: { get_param: public_network_id }
      port_id: { get_resource: Port }
  Sec_SSH:
    type: OS::Neutron::SecurityGroup
    properties:
      description: Diese Security Group erlaubt den eingehenden SSH-Traffic über Port22 und ICMP
      name: Ermöglicht SSH (Port22) und ICMP
      rules:
        # inbound SSH from any IPv4 source; narrow remote_ip_prefix to your own ranges where possible
        - { direction: ingress, remote_ip_prefix: 0.0.0.0/0, port_range_min: 22, port_range_max: 22, protocol: tcp }
        # inbound ICMP (ping) from any IPv4 source
        - { direction: ingress, remote_ip_prefix: 0.0.0.0/0, protocol: icmp }
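The two wiring mistakes this step describes (a floating IP without a port behind it, and a port without a security group) are easy to catch before `openstack stack create` ever runs. The following Python script is an added example, not part of the tutorial, and never talks to OpenStack: it walks the `resources` section of an already-parsed HOT template and reports a missing floating_network or port_id, a port with no security_groups entry, and every ingress rule that is open to any source. `load_template` reads a file with PyYAML (an assumed third-party dependency, imported only when that function is called); `SAMPLE_TEMPLATE` is a constructed dict mirroring the relevant resources of the template above so the checks can be run offline.

```python
"""Static reachability checks for an OpenStack Heat (HOT) template.

Added example, not part of the tutorial. It never contacts OpenStack; it
inspects the resource graph of a template that has already been parsed
into a dict and reports the mistakes this step warns about.
"""
from typing import Any, Dict, List, Optional

FIP = "OS::Neutron::FloatingIP"
PORT = "OS::Neutron::Port"
SG = "OS::Neutron::SecurityGroup"
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def load_template(path: str) -> Dict[str, Any]:
    """Parse a HOT file from disk. PyYAML (assumed to be installed) is
    imported lazily so the checks below also run on a plain dict without it."""
    import yaml  # third-party; only needed when reading a file
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def _ref(value: Any) -> Optional[str]:
    """Resource name behind {get_resource: X}, or a plain string name."""
    if isinstance(value, dict):
        return value.get("get_resource")
    return value if isinstance(value, str) else None


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_reachability(template: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    resources = template.get("resources", {})

    def of_type(kind: str) -> Dict[str, Dict[str, Any]]:
        return {n: r for n, r in resources.items() if r.get("type") == kind}

    fips, ports, secgroups = of_type(FIP), of_type(PORT), of_type(SG)

    # 1. A floating IP needs both the external network and a target port.
    if not fips:
        findings.append("no OS::Neutron::FloatingIP: the instance gets no public IPv4 address")
    for name, fip in fips.items():
        props = fip.get("properties", {})
        if "floating_network" not in props:
            findings.append(f"{name}: floating_network (the external network) is not set")
        target = _ref(props.get("port_id"))
        if target is None:
            findings.append(f"{name}: port_id is missing, the address leads nowhere")
        elif target not in ports:
            findings.append(f"{name}: port_id references unknown resource {target!r}")

    # 2. A port without a security group receives no traffic at all.
    for name, port in ports.items():
        attached = [_ref(v) for v in _as_list(port.get("properties", {}).get("security_groups"))]
        attached = [a for a in attached if a]
        if not attached:
            findings.append(f"{name}: no security_groups attached, so the VM receives no traffic")
        for sg_name in attached:
            if sg_name not in secgroups:
                # A plain name may be a pre-existing group outside this template.
                findings.append(f"{name}: security group {sg_name!r} is not defined in this template")

    # 3. Report every ingress rule that admits any source, so the exposure is explicit.
    for name, sg in secgroups.items():
        for rule in sg.get("properties", {}).get("rules", []):
            if rule.get("direction", "ingress") != "ingress":
                continue
            prefix = rule.get("remote_ip_prefix")
            # Neutron treats a rule with neither a prefix nor a remote group as "any source".
            if prefix in ANY_SOURCE or (prefix is None and "remote_group_id" not in rule):
                proto = rule.get("protocol", "any")
                lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
                span = f"port {lo}-{hi}" if lo is not None else "all ports"
                findings.append(f"{name}: ingress {proto} {span} open to {prefix or 'any source'}")
    return findings


# Constructed sample mirroring the resources of this step's template that
# the checks look at, so the module runs without a template file.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "resources": {
        "Port": {"type": PORT, "properties": {"network": {"get_resource": "Netzwerk"},
                                               "security_groups": [{"get_resource": "Sec_SSH"}]}},
        "Floating_IP": {"type": FIP, "properties": {"floating_network": {"get_param": "public_network_id"},
                                                    "port_id": {"get_resource": "Port"}}},
        "Sec_SSH": {"type": SG, "properties": {"rules": [
            {"direction": "ingress", "remote_ip_prefix": "0.0.0.0/0",
             "port_range_min": 22, "port_range_max": 22, "protocol": "tcp"},
            {"direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "icmp"},
        ]}},
    }
}

if __name__ == "__main__":
    for line in check_reachability(SAMPLE_TEMPLATE):
        print(line)
```

Run against the template of this step the script reports only the two deliberately wide-open rules (SSH and ICMP from 0.0.0.0/0), which is exactly the exposure you should decide on consciously; run against the first template, which has no security group on the Port, it reports why that stack starts but stays unreachable. Replacing `SAMPLE_TEMPLATE` with `load_template("template.yaml")` turns it into a pre-deployment check.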
Conclusion
You can now create a stack that contains a single reachable instance.
In the next step, you will customize the instance using CloudConfig.