Networking

This page guides you through the available options and helps you decide how to configure your VM's network, depending on your use case.

ScienceCloud implements a networking service that allows you to create complex network setups on the cloud. For basic usage, choose the "uzh-only" network when creating an instance; your instance will be assigned a UZH-internal IP address.

What you can do with ScienceCloud Networking

You have great flexibility when setting up networking. You can:

  • Create VMs with more than one network interface
  • Add or remove a network interface from a VM that is already running
  • Create private networks
  • Create routers and connect them to private networks or the public internet
  • Switch a floating IP between VMs
  • Temporarily assign a public IP to a VM

Available Networks

By default, there are two pre-configured networks available to ScienceCloud projects: "uzh-only" and "public".

"uzh-only" network

This is the default network for all VM usage. It contains a range of IP addresses that are only accessible from other UZH-owned IP addresses—that is, from computers attached to the UZH network either on campus or via VPN.

"public" network

This is a limited range of IP addresses that can be used to make VM services available to the public internet outside the UZH network. Note that there are strict regulations regarding the usage of these IPs, and they should only be used when strictly necessary for a project.

Other networks

"External Network VLAN 9", "External Network VLAN 24", and "admin24" are for administrative usage and are only to be used by end users at the direction of Science IT. They are not to be used otherwise.

General non-exhaustive security recommendations

Important

ScienceCloud users bear the sole responsibility for maintaining REIM compliance with their VMs.

Please note that a new paragraph has been added to the REIM. Section 15 "Schutz des Netzwerks der UZH" (1bis) now stipulates that:

"Sämtliche Logins für vom Internet erreichbare Services, Applikationen und Informatikmittel der UZH müssen über einen zweiten Authentisierungs-Faktor verfügen (Multifaktor-Authentifizierung MFA). Allfällige Ausnahmen sind durch den Chief Information Security Officer (CISO) zu bewilligen".

(Unofficial English translation) All logins for UZH services, applications and IT resources that can be accessed via the Internet must have a second authentication factor (multifactor authentication, MFA). Any exceptions must be approved by the Chief Information Security Officer (CISO).

Entry into force on 5.11.2024. Transition period for implementation of 9 months until 31.7.2025.

  • Authenticate exclusively with SSH keys
    • Disable password authentication in sshd_config
    • Never set passwords for service accounts (uid < 1000) and accounts with sudo privileges
    • Use passphrase-protected SSH keys (these passphrases must be long and unique)
    • Configure SSH to use two-factor authentication, e.g. libpam-google-authenticator
  • Expose only the ports and applications necessary for normal operation
    • Never expose your backend databases
    • If you need to run an admin or management tool, restrict access to connections coming from UZH IP addresses
  • Install security updates regularly
    • Enable unattended upgrades
    • Follow security bulletins
    • Manually upgrade applications that do not originate from the configured package repositories
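The SSH and account points in the list above can be checked mechanically. The following script is an added example, not part of the ScienceCloud documentation: it assumes only a POSIX shell with awk, reads a given sshd_config together with a passwd/shadow pair, and reports what contradicts the recommendations (password authentication left enabled, root password login permitted, accounts below uid 1000 whose shadow entry holds a usable or empty password hash). It does not check sudo membership or the PAM second-factor setup, and it ignores Include and Match directives; the file paths and sample contents are parameters supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the ScienceCloud documentation. Read-only audit of
# an sshd_config and a passwd/shadow pair against the hardening list above.
# Assumptions: POSIX sh + awk; Include/Match directives are not resolved.

# Effective value of a keyword in sshd_config. sshd takes the first match,
# keywords are case-insensitive and lines starting with '#' are comments.
sshd_option() {               # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Password logins must be off, and root must not be able to log in with a
# password. An unset PasswordAuthentication defaults to "yes" in OpenSSH,
# so "unset" is a finding. Returns 0 when clean, 1 when anything was found.
audit_sshd_config() {         # $1 = path to sshd_config
    rc=0
    pw=$(sshd_option "$1" PasswordAuthentication)
    [ "$pw" = "no" ] || { echo "FINDING: PasswordAuthentication=${pw:-unset (defaults to yes)}"; rc=1; }
    root=$(sshd_option "$1" PermitRootLogin)
    [ "$root" != "yes" ] || { echo "FINDING: PermitRootLogin=yes (use no or prohibit-password)"; rc=1; }
    return $rc
}

# Service accounts (uid < 1000, root included) must not carry a password.
# A shadow hash starting with '!' or '*' is locked; anything else, including
# an empty field (no password required), is a finding. Prints "user uid" per
# finding; returns 0 when clean, 1 when findings exist.
service_accounts_with_password() {   # $1 = passwd file, $2 = shadow file
    awk -F: '
        FNR == NR { uid[$1] = $3; next }               # first file: passwd
        ($1 in uid) && uid[$1] + 0 < 1000 {            # second file: shadow
            if ($2 !~ /^[!*]/) { print $1, uid[$1]; found = 1 }
        }
        END { exit found }
    ' "$1" "$2"
}

# Usage on a live system (needs root to read /etc/shadow):
#   audit_sshd_config /etc/ssh/sshd_config
#   service_accounts_with_password /etc/passwd /etc/shadow
```

On a running host, `sshd -T` (as root) prints the effective configuration with Include and Match resolved and keywords in lower case; saving that output to a file and passing it to audit_sshd_config avoids the script's main blind spot.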

This is not an exhaustive list and more work may be needed to secure your instance. For more information, refer to the ZI list of IT security recommendations (in particular the REIM) or contact the IT security team. If your server configuration is particularly complex and you need consulting, please contact Science IT to see if an expert service agreement is right for you.

Basic usage: VM accessible from UZH network plus internet connectivity

Networking use case: UZH network

This is the best option if:

  • You need to access the VM via ssh or copy data with scp only from within the UZH network (or via UZH VPN)
  • You don't need to access the VM from outside the UZH network

This scenario uses the "uzh-only" network and is the default: in this configuration, the VM can only be accessed from hosts in the UZH network or connected via VPN. VMs can still access the internet (for instance, to upgrade the operating system or install new packages) using any network protocol and without limitation.

You can also use this configuration when you want to deploy a service that is only accessible from the UZH network (e.g., a Samba share for your research group).

Important

For security reasons, we may track all connections between the VMs and the internet.

How to start a VM with "uzh-only" networking plus internet access

While starting a new VM, in the wizard, select the "Networking" tab, and assign the "uzh-only" network to the first NIC, if not already selected.

Public Access: VM can be accessed from the public internet

Under certain circumstances, VMs can be made available to the public internet. Please note that based on the Service Agreement you are not allowed to host public services for personal or commercial use, but only for research purposes.

Networking use case: Public access

Since the UZH public network uses IPv4 and these IPs are intrinsically scarce, the initial quota for the floating IPs on ScienceCloud should only be used when there is a need to serve resources to the public internet. Science IT can provide a limited number of public floating IP addresses for use with web services. However, we strongly recommend that you consider using Web Hosting or Virtual Server Housing services instead. They have higher availability and are better suited for web services than ScienceCloud. If you believe that ScienceCloud is still better suited for your needs, contact Science IT with a description of your use case for a public IP. Once your request is accepted, you will be able to see the available floating IPs from the ScienceCloud dashboard and proceed with the rest of this tutorial.

Note that there is a cost contribution associated with the reservation of each public IP. The reservation uses DHCP, so the IP will be randomly allocated from this range.

Important

Please keep in mind the responsibilities defined in the Science IT Computing Service Agreement.

How to start a VM with a floating IP using the default "public" network

Please note that you can either have only one interface associated with a public IP, or you can start from the setup in uzh-only-snat.

In principle, you need to create a private network and a router attached to both the private network and the public network already available on the system. Then, you can associate a floating IP to the private IP of your instance. You can later remove the floating IP from the instance, and attach it to another instance. In this way, you can use one single floating IP to connect to multiple VMs, one at a time.

How to create the private network:

  1. On the web interface, main page, select the Network link on the left column
  2. Click on Network Topology (this will show you the current network topology)
  3. Click on the button + Create Network on the upper-right side
  4. Pick a name, for instance, private, then click on Next button
  5. Under Network Address, pick an IP range, for instance, 10.65.4.0/24, then click on Next button
  6. Ensure Enable DHCP is selected, then click on Create button
  7. You should be able to see your new network.

How to create a router and connect it to the networks:

  1. On the web interface, main page, select the Network link on the left column
  2. Click on Network Topology (this will show you the current network topology)
  3. Click on the button + Create Router on the upper-right side
  4. Pick a name, for instance, private-router
  5. From the External Network menu, select public
  6. Click on the Create Router button on the bottom-right side
  7. You should now see the router icon connected to the public network
  8. Move the mouse over the router, and select the + Add interface button
  9. In the Subnet menu, select the private network, and click the Add interface button
  10. On the Network Topology page you should now see that your router is connected to both public and private networks

How to start an instance:

  1. While launching a new instance, click on the Networking tab
  2. Select private as primary interface (assigned to NIC:1)
  3. Make a note of the IP allocated to the VM: this will be necessary later.

After starting the instance, you need to associate a floating IP to it.

  1. On the main page of the web interface select the Network link on the left column
  2. Click the entry Floating IPs.
  3. If you do not yet have an IP listed, click the button Allocate IP to Project.
  4. Make sure the Pool is set to "public" for an IP from the default public range.
  5. Click Allocate IP. An IP should now appear in the list. If there is an error, contact Science IT for support.
  6. Once an IP is available on the IP Address menu, select the button Associate.
  7. Ensure the Port to be associated contains the instance name and the correct private IP for the VM as noted in the earlier step.
  8. Click on the Associate button

Now the public IP you have chosen is assigned to the private IP of your VM. Remember to update the security groups to open the ports needed to connect to your VM with protocols other than SSH.

Important

The public IP address will not be visible from within the VM: this is by design. It is mapped to the private IP address used by the VM via ScienceCloud's networking infrastructure.
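The dashboard steps above (private network, router with its gateway on "public", floating IP associated with the instance's private port, security group opened only where needed, and later release or re-assignment of the IP) can also be scripted. The following is an added example, not part of the ScienceCloud documentation: it assumes the OpenStack command-line client (`openstack`) is installed and authenticated against the project, reuses the tutorial's names (private, private-router, 10.65.4.0/24) with private-subnet and my-vm as assumed names, and keeps the client behind an overridable variable so the command sequence can be exercised without a cloud. Pools, the UZH source range and the server names are placeholders to be replaced with your own values.

```shell
#!/bin/sh
# Added example, not from the ScienceCloud documentation: CLI equivalent of the
# dashboard workflow above. Assumes the "openstack" client is installed and
# OS_* credentials are loaded (e.g. from the project's RC file).
set -u

# The client command; a test or dry run can point this at a stub function.
OPENSTACK="${OPENSTACK:-openstack}"

# Private network plus a DHCP subnet (dashboard: "+ Create Network").
create_private_network() {      # $1 = network name, $2 = subnet name, $3 = CIDR
    "$OPENSTACK" network create "$1" >/dev/null
    "$OPENSTACK" subnet create --network "$1" --subnet-range "$3" --dhcp "$2" >/dev/null
}

# Router with its external gateway on the shared network (default: public)
# and an interface on the private subnet (dashboard: "+ Create Router",
# then "+ Add interface").
create_router() {               # $1 = router name, $2 = subnet name, $3 = external net
    ext="${3:-public}"
    "$OPENSTACK" router create "$1" >/dev/null
    "$OPENSTACK" router set --external-gateway "$ext" "$1"
    "$OPENSTACK" router add subnet "$1" "$2"
}

# Allocate a floating IP from the pool and map it onto the instance's private
# port (dashboard: "Allocate IP to Project", then "Associate"). Prints the
# allocated address so the caller can note it for later release.
attach_floating_ip() {          # $1 = server name, $2 = pool (default: public)
    pool="${2:-public}"
    fip=$("$OPENSTACK" floating ip create -f value -c floating_ip_address "$pool")
    "$OPENSTACK" server add floating ip "$1" "$fip"
    printf '%s\n' "$fip"
}

# One public IP, several VMs, one at a time: move the address between servers.
move_floating_ip() {            # $1 = floating IP, $2 = current server, $3 = new server
    "$OPENSTACK" server remove floating ip "$2" "$1"
    "$OPENSTACK" server add floating ip "$3" "$1"
}

# Security group rule that admits SSH only from a given source range, so an
# admin port is not exposed to the whole internet (replace the CIDR with the
# UZH range you need; 192.0.2.0/24 is a documentation placeholder).
allow_ssh_from() {              # $1 = security group, $2 = source CIDR
    "$OPENSTACK" security group rule create --protocol tcp --dst-port 22 \
        --remote-ip "$2" "$1" >/dev/null
}

# Give the scarce public address back when it is no longer needed.
release_floating_ip() {         # $1 = floating IP
    "$OPENSTACK" floating ip delete "$1"
}

# Usage (after launching my-vm with --network private):
#   create_private_network private private-subnet 10.65.4.0/24
#   create_router private-router private-subnet public
#   fip=$(attach_floating_ip my-vm public)
#   allow_ssh_from default 192.0.2.0/24
#   release_floating_ip "$fip"
```

As with the dashboard route, the floating IP is a NAT mapping held by the networking service: the instance itself only ever sees its 10.65.4.0/24 address, which is why the security group on the instance's port, not a firewall inside the VM, is the first place to restrict inbound access.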

Release unused public IPs

This IP range is a scarce resource. Please release them if you no longer need them:

  1. On the web interface, main page, click on the Network link
  2. Click on the Floating IPs link
  3. For each floating IP you want to release, select from the menu on the right Release Floating IP

Special Use Case: Public IP migration from the legacy ScienceCloud

It is possible to have public IPs that are used in the legacy ScienceCloud migrated to the current ScienceCloud along with a project's related resources when this is required. In this case, the requirement needs to be clarified before the migration process is started.

The IP address is then deactivated on the legacy ScienceCloud and allocated to the project in the current ScienceCloud. Note that a migrated IP belongs not to the "public" network but to the "External Network VLAN 24" network. Once the IP has been migrated to your project, you will be notified and the IP will be available for use. To use it, the steps are similar to those above:

  1. While launching a new instance, click on the Networking tab
  2. Select External Network VLAN 24 as primary interface (assigned to NIC:1)
  3. Make a note of the IP allocated to the VM: this will be necessary later.

After the VM is created, you can associate the public IP address:

  1. On the web interface, main page, click on the Network link
  2. Click on the Floating IPs link
  3. For the IP you wish to use, click the Associate button on the right of the IP's row
  4. Make sure the IP Address is correct in the first field.
  5. Ensure the Port to be associated contains the instance name and the correct IP on the External Network VLAN 24 network for the relevant VM, as noted in the earlier step.
  6. Click on the Associate button

Advanced networking

This is the best option if:

  • You want to replicate an existing complex network setup for testing purposes
  • You need to deploy a distributed service composed of multiple VMs with different roles and needs in terms of network configuration

You have the ability to create private networks and routers and connect them as you wish. However, since multiple configurations are possible, and this use case is less common, we do not describe it here in detail.

If you need assistance with setting up your network configuration, please contact Science IT.