Task 3: Restrict traffic between instances in two different virtual networks using security groups

 

Goal

In Task 1 and Task 2 you connected the red and green instances using either a network policy or a logical router. In this task, you will restrict traffic to these instances using security groups in Contrail.

Disclaimer: The steps in this task are only applicable to Juniper’s Cloud Software Trial tool.

Some values and/or information may vary for users executing this task using a non-Juniper trial tool.

 

Step-by-Step Procedure

If you have completed Task 1 in this series, you can skip Steps 1 through 7 below, where you set up the red and green instances and networks using OpenStack and Contrail, and continue from Step 8, where traffic between the red and green instances is restricted. If this is your first task, start from Step 1.

  1. Open the Contrail web interface in the browser by navigating to https://192.168.250.1:8143.

    Then, log in to the Contrail dashboard using the credentials below.

    Username: admin

    Password: contrail123

    Domain: (leave blank)

  2. Once you are in the dashboard, click the “Configure” tab (the purple wrench icon in the top left navigation panel).

    Click on Networking > Networks in the left navigation panel.

    1. Click on the (+) icon on the top right corner of the page to create a new virtual network. Name it “red-network” and choose a subnet range. Click “Save”.

      In the example given below, a virtual network called “red-network” with the subnet “1.1.1.0/24” is created. The gateway is populated automatically.

    2. Repeat steps 1 and 2 to create a second virtual network named “green-network”, choosing a different subnet range. Click “Save”.

      A virtual network with name “green-network” and subnet “2.2.2.0/24” is created. Verify that both virtual networks, “red-network” and “green-network”, have been created.

  3. Now that the two virtual networks are created in Contrail, instances need to be attached to both networks so you can test the connectivity between them.

    To create the instances, go to the OpenStack Dashboard: open a new tab in the browser and point it to https://192.168.250.1/horizon.

    Use the credentials below to log in.

    Username: admin

    Password: contrail123

  4. In your OpenStack Dashboard, navigate to Project > Compute > Instances.

    At the top of the page, select the “admin” project, because the Contrail virtual networks were created in the “admin” project in the previous step.

  5. Click the Create Instance button on the right.

    1. Provide a name for the instance. In the example, the instance is called “red-instance”. Click Next.

    2. Under the “Images” tab in the left navigation bar, select an image source. Choose “cirros” from the list of available images.

    3. Under the “Flavor” tab in the left navigation bar, select a flavor. In this example, choose “m1.tiny” from the list of available flavors.

    4. Under the “Networks” tab in the left navigation bar, select the virtual network in which to launch the virtual machine. Since this VM is called “red-instance”, launch it in “red-network”.

    5. Click the “Launch Instance” button and confirm that the VM was spawned without errors.

      To confirm that an IP address was assigned to “red-instance”, click on “red-instance” and navigate to the “Console” tab.

      Use the following credentials to log in:

      Username: cirros

      Password: cubswin:)

      After logging in, type the command “ifconfig” and press Enter.

      “red-instance” has been assigned the IP address 1.1.1.4, which is in the 1.1.1.0/24 subnet assigned to “red-network”.

  6. Repeat step 5 to create a new instance called “green-instance” in “green-network”. Verify that it was assigned an IP address from “green-network”, that is, from the 2.2.2.0/24 range.

  7. Once you have verified that the two instances are created and assigned valid IP addresses, test the connectivity between them by logging in to the “red-instance” console and pinging the “green-instance” IP address 2.2.2.3.

  8. Now, log in to the Contrail web interface and navigate to Configure > Networking > Policies.

    Click on the (+) icon on the right-most side under the “Policy Rule(s)” section to create a new network policy.

    Enter a name of your choice and create a network policy to allow bi-directional “ICMP” traffic between “red-network” and “green-network”.

  9. Once the network policy is created, navigate to the “Networks” tab (Configure > Networking > Networks) and edit the virtual networks. Select the “red-network” virtual network and click the edit button to its right.

    In the “Edit” tab, under the “Network Policy(s)” section, select the policy you created in the previous step to allow ICMP traffic between the “red-network” and “green-network” virtual networks. Repeat the same for “green-network”.

    Verify that the network policy is attached to the “red-network” and “green-network” by looking at the “Attached Policies” tab.

  10. Once you have verified that the network policy is attached to “red-network” and “green-network”, return to the OpenStack Dashboard and re-initiate the ping from “red-instance” towards “green-instance”. This time the ping should go through, since the network policy leaks routes between the two virtual networks and allows ICMP.

    Now launch another VM, “green-instance-2”, in “green-network”. Verify that you can ping “green-instance-2” from both “red-instance” and “green-instance”.

  11. Now, from the Contrail Web UI, navigate to Configure > Networking > Security Groups to create a security group and add a rule to block access to “green-instance-2” (2.2.2.4) from “red-instance” (1.1.1.4).

    Click the (+) icon on the right-most side under the “Security Group(s)” section to create a new security group.

    Once the security group is created, navigate to Configure > Networking > Ports. Edit the port of “green-instance-2” (2.2.2.4) and attach the security group you created in the previous step.

  12. Now repeat Step 13 and verify that ICMP traffic from “red-instance” towards “green-instance-2” is blocked, but traffic from “green-instance” is not.
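As an added example (not part of the task, and not Contrail or OpenStack code), the following Python model shows how the two enforcement layers used in this task combine: the network policy decides whether the two virtual networks can reach each other at all, and the security group attached to a port is an allow-list with an implicit deny, so “blocking” red-instance is done by permitting ingress ICMP only from green-network. Addresses and instance names are the ones used in the task; the policy, security group and port objects are simulated, and an instance with no custom security group is assumed to keep the lab's default, which permits the traffic.

```python
# Added example: simulated network policy + security group evaluation (not Contrail code).
from ipaddress import ip_address, ip_network
# Virtual networks and instances as created in the task.
NETWORKS = {"red-network": "1.1.1.0/24", "green-network": "2.2.2.0/24"}
INSTANCES = {"red-instance": "1.1.1.4", "green-instance": "2.2.2.3",
             "green-instance-2": "2.2.2.4"}

def network_of(ip):
    for name, cidr in NETWORKS.items():
        if ip_address(ip) in ip_network(cidr):
            return name
    raise ValueError(f"{ip} is not in any virtual network")

def policy_allows(policies, src_ip, dst_ip, proto):
    """Network policy layer: same VN always reachable; across VNs a policy
    between the two VNs must cover this protocol."""
    src_vn, dst_vn = network_of(src_ip), network_of(dst_ip)
    if src_vn == dst_vn:
        return True
    return any({p["a"], p["b"]} == {src_vn, dst_vn} and p["proto"] in (proto, "any")
               for p in policies)

def sg_allows(port_sgs, src_ip, proto):
    """Security group layer on the destination port: rules are permit-only (implicit
    deny). No custom group attached = lab default, assumed here to permit the traffic."""
    if not port_sgs:
        return True
    return any(r["direction"] == "ingress" and r["proto"] in (proto, "any")
               and ip_address(src_ip) in ip_network(r["source"])
               for sg in port_sgs for r in sg)

def reachable(policies, ports, src, dst, proto="icmp"):
    """Both layers must allow the flow for src to reach dst."""
    src_ip, dst_ip = INSTANCES[src], INSTANCES[dst]
    return (policy_allows(policies, src_ip, dst_ip, proto)
            and sg_allows(ports.get(dst, []), src_ip, proto))

# Step 8: bidirectional ICMP policy between red-network and green-network.
ICMP_POLICY = [{"a": "red-network", "b": "green-network", "proto": "icmp"}]
# Step 11: group on green-instance-2's port permitting ICMP only from green-network,
# which is how red-instance (1.1.1.4) is blocked with permit-only rules.
GREEN_ONLY_SG = [{"direction": "ingress", "proto": "icmp", "source": "2.2.2.0/24"}]
PORTS = {"green-instance-2": [GREEN_ONLY_SG]}

def lab_results():
    """Expected outcome of the ping tests at each stage of the task."""
    return {"step7_red_to_green": reachable([], {}, "red-instance", "green-instance"),
            "step10_red_to_green": reachable(ICMP_POLICY, {}, "red-instance", "green-instance"),
            "step12_red_to_green2": reachable(ICMP_POLICY, PORTS, "red-instance", "green-instance-2"),
            "step12_green_to_green2": reachable(ICMP_POLICY, PORTS, "green-instance", "green-instance-2")}
```

Running `lab_results()` reproduces the expected ping outcomes of Steps 7, 10 and 12; changing the security group's source to “1.1.1.0/24” shows the opposite restriction.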