By default each project is permitted a single public IPv4 address due to the world-wide shortage of IPv4 addresses but it is possible to work around this limitation. Projects do not have a quota for a floating IP initially, but can request one as laid out in the Requesting, Allocating and Associating Floating IPs section in our Guide.
Below we lay out the ability to create and use a proxy instance to route your traffic to different instances using a single IPv4 address.
Proxy instance
If offering a public service such as a web application is required, setting up a proxy host instance will permit inbound traffic directed at the public IPv4 address to be redirected to an appropriate instance based on the port number requested. For example, all traffic for port 80 will be directed to an instance running apache and ports 2200 can be set up to forward ssh traffic to the internal instance allowing terminal access.
...
Create a security group for the proxy instance. The security group will need to allow access to the instance itself, and ports that are to be forwarded to internal groups. Name the group Proxy:
Code Block Rule: Custom TCP Rule: Open Port: Port Port: 22 Remote: CIDR CIDR: 0.0.0.0/0 Rule: Custom TCP Rule: Open Port: Port Port: 2200 Remote: CIDR CIDR: 0.0.0.0/0 Rule: Custom TCP Rule: Open Port: Port Port: 80 Remote: CIDR CIDR: 0.0.0.0/0
Create a security group for the internal instances named Internal:
Code Block Rule: Custom TCP Rule: Open Port: Port Range From Port: 1 To Port: 65535 Remote: Security Group Security Group: Proxy
Launch the proxy instance:
Image: Ubuntu 18.04
Flavor: m1.tiny
Security groups: default, Proxy
Key pair: pre-generatedNote The proxy instance must be provisioned from the Ubuntu 18.04 image, as it contains pre-built scripts that enable proxy functionality.
Note We suggest adding the default security group to both instances as the default group has egress rules that permit outbound access to the wide world you normally expect. If you do not wish to use the default security group, you will need to add the egress rules. Please Networking#EgressRulesandSecurityGroups for instructions.
Launch internal instance:
Image: Ubuntu 18.04
Flavor: m1.small
Security Groups: default, Internal
Key pair: pre-generated- Allocate and associate a floating IP to the proxy instance.
- Log-in to the proxy instance.
Add the following lines to
/etc/rac-iptables.sh
to permit network address translation (NAT) forwarding to the internal instance. You must be root to modifyrac-iptables.sh
:Code Block iptables -t nat -A PREROUTING -p tcp --dport 2200 -j DNAT --to-destination <private_ip_internal_instance>:22 iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <private_ip_internal_instance>:80
Run
/usr/local/bin/proxyServer
to enable IP forwarding, enable the rules added in step 7 to run at boot, and load those same rules immediately.
If you receive an error about rc.local not existing run the following snippet:Code Block cat <<EOF | tee /etc/rc.local bash /etc/rac-iptables.sh exit 0 EOF
If you have not already, load these rules immediately by running:
Code Block sudo /etc/rac-iptables.sh
Log-in to to the internal instance via the proxy instance. Make sure you specify port 2200, else you will only ssh to the proxy:
Code Block $ ssh -p 2200 -i /path/to/<private_key> ubuntu@<floating_ip>
Install apache on the internal instance:
Code Block $ sudo apt-get update && sudo apt-get install -y apache2
...