By default each project is permitted a single public IPv4 address due to the world-wide shortage of IPv4 addresses but it is possible to work around this limitation. Projects do not have a quota for a floating IP initially, but can request one as laid out in the Requesting, Allocating and Associating Floating IPs section in our Guide.
Below we lay out the ability to create and use a proxy instance to route your traffic to different instances using a single IPv4 address.
If offering a public service such as a web application is required, setting up a proxy host instance will permit inbound traffic directed at the public IPv4 address to be redirected to an appropriate instance based on the port number requested. For example, all traffic for port 80 will be directed to an instance running apache and ports 2200 can be set up to forward ssh traffic to the internal instance allowing terminal access.
The following is a tutorial that will step through building a proxy instance and an internal web server. For comprehensive steps, refer also to the Basic Guide:
Create a security group for the proxy instance. The security group will need to allow access to the instance itself, and ports that are to be forwarded to internal groups. Name the group Proxy:
Rule: Custom TCP Rule: Open Port: Port Port: 22 Remote: CIDR CIDR: 0.0.0.0/0 Rule: Custom TCP Rule: Open Port: Port Port: 2200 Remote: CIDR CIDR: 0.0.0.0/0 Rule: Custom TCP Rule: Open Port: Port Port: 80 Remote: CIDR CIDR: 0.0.0.0/0 |
Create a security group for the internal instances named Internal:
Rule: Custom TCP Rule: Open Port: Port Range From Port: 1 To Port: 65535 Remote: Security Group Security Group: Proxy |
Launch the proxy instance:
Image: Ubuntu 18.04
Flavor: m1.tiny
Security groups: default, Proxy
Key pair: pre-generated
The proxy instance must be provisioned from the Ubuntu 18.04 image, as it contains pre-built scripts that enable proxy functionality. |
We suggest adding the default security group to both instances as the default group has egress rules that permit outbound access to the wide world you normally expect. If you do not wish to use the default security group, you will need to add the egress rules. Please Networking#EgressRulesandSecurityGroups for instructions. |
Launch internal instance:
Image: Ubuntu 18.04
Flavor: m1.small
Security Groups: default, Internal
Key pair: pre-generated
Add the following lines to /etc/rac-iptables.sh
to permit network address translation (NAT) forwarding to the internal instance. You must be root to modify rac-iptables.sh
:
iptables -t nat -A PREROUTING -p tcp --dport 2200 -j DNAT --to-destination <private_ip_internal_instance>:22 iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <private_ip_internal_instance>:80 |
Run /usr/local/bin/proxyServer
to enable IP forwarding, enable the rules added in step 7 to run at boot.
If you receive an error about rc.local not existing run the following snippet:
cat <<EOF | tee /etc/rc.local bash /etc/rac-iptables.sh exit 0 EOF |
If you have not already, load these rules immediately by running:
sudo /etc/rac-iptables.sh |
Log-in to the internal instance via the proxy instance. Make sure you specify port 2200, else you will only ssh to the proxy:
$ ssh -p 2200 -i /path/to/<private_key> ubuntu@<floating_ip> |
Install apache on the internal instance:
$ sudo apt-get update && sudo apt-get install -y apache2 |
You can now browse to the default apache page using the floating IP address. Just as the ssh session is forwarded to the internal instance via the rules specified in step 7 above, the browser will connect to port 80 on the proxy instance and be forwarded to port 80 of the internal instance.
Using this framework, you can build as many instances as allowed by your Rapid Access Cloud project and need only a single floating IP. What’s more, some measure of security is gained, as the Security Group rule created in step 2 means access to internal instances is allowed only from the proxy instance.
Alternatively, you can use the Rapid Access Cloud VPN to access your instances without requiring a public IPv4 address.