In order to have an internet access on any instance you need to follow all below steps.
- Creating a virtual router.
- Connecting the instance NETWORK to the created router.
- Setting the router gateway.
- In this step you need to apply only one of these two options
- Assign the default security group to the instance.
- Associate a floating IP to the instance + Assigning any security group which allow all Egress traffic.
Instance Internet Access - Without assigning the default security group
In the above case, we’ve explained how the instance can access the internet but in step no 4 it is mandatory to have a floating IP or assigning the default security group to reach the internet but some use cases have the below challenges.
- No need to assign a floating IP to the instance.
- Default security group have a rule which allow all ingress traffic so in this case we can’t combine between having an internet on the instances and controlling the access between all routed instances ( East-West traffic ).
ALLOW IPv4 any from default ALLOW IPv6 any from default
- Detaching the default security group from all the instances.
- Adding the following rules to the default security group.
ALLOW IPv4 any from <Custom security group ID> ALLOW IPv6 any from <Custom security group ID>
This can be done through Openstack client
openstack security group list
openstack security group rule create --protocol any --ingress --ethertype IPv4 --remote-group <Custome Security Group ID> <Default Security Group ID>
openstack security group rule create --protocol any --ingress --ethertype IPv6 --remote-group <Custome Security Group ID> <Default Security Group ID>
- Repeating step no 2 for each custom security group.
- Attaching a custom security group to all instances and allow only the traffic which you need to allow.