Things to Do Before Creating an Instance

One of the most common Horizon workflows is creating a new instance. During that process you may (and in some cases must) associate previously defined OpenStack entities with your instance. Some entities can be created while you create the instance, but it is good practice to create all of them beforehand.

The following sections describe the entities that you may want to create. Each section includes links to documentation about how to create them through Horizon. The Jetstream2 team also provides Horizon documentation that includes information that is specific to using Horizon with Jetstream2.

Security Group

Permissions for internet ingress to (and egress from) your instance are specified using security groups. Security groups are made up of rules that each specify an IP address range for which communication is allowed on a specific port. Multiple security groups may be assigned to an instance, and the access they specify is cumulative.

Security groups belong to a project and your project's "Default" security group will be added by default when an instance is created. Security groups can be added to and removed from an instance after it is created. You will need to add a rule to a security group that allows SSH access (TCP on port 22) so you can log in to your instance.

A best practice, especially in projects where multiple users are active, is to not add rules to the default security group. Instead, users should create their own groups with names that indicate their creator and purpose. Each user can then add one or more of their security groups to their own instances and be free to change those rules at any time without affecting other users.
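The following Python sketch is an added example, not part of the Horizon or Jetstream2 documentation. It models how the rules of every attached group accumulate, and why an SSH rule added to the shared default group widens access to every instance that carries that group. The group names, addresses and rule values are constructed; the field names are modelled on Neutron's security group rule attributes, and a missing port range is treated here as "all ports".

```python
import ipaddress

# Constructed sample data: two security groups in one project.
GROUPS = {
    "default": [  # someone added world-open SSH to the shared default group
        {"direction": "ingress", "protocol": "tcp", "port_range_min": 22,
         "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},
    ],
    "alice-ssh-campus": [  # a user's own group, named for creator and purpose
        {"direction": "ingress", "protocol": "tcp", "port_range_min": 22,
         "port_range_max": 22, "remote_ip_prefix": "192.0.2.0/24"},
    ],
}

def port_matches(rule, port):
    lo, hi = rule["port_range_min"], rule["port_range_max"]
    return lo is None or lo <= port <= hi

def effective_ingress(groups, attached):
    """Rules accumulate: the instance gets the union of all attached groups."""
    return [r for name in attached for r in groups[name]
            if r["direction"] == "ingress"]

def allows(rules, src_ip, port, protocol="tcp"):
    """True if any rule admits src_ip on port. Rules only allow, never deny."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        net = ipaddress.ip_network(r["remote_ip_prefix"])
        if (r["protocol"] in (None, protocol) and port_matches(r, port)
                and src.version == net.version and src in net):
            return True
    return False

def open_to_world(rules, port):
    """Rules that expose `port` to every source address (prefix length 0)."""
    return [r for r in rules if port_matches(r, port)
            and ipaddress.ip_network(r["remote_ip_prefix"]).prefixlen == 0]

if __name__ == "__main__":
    outside = "203.0.113.7"  # constructed address outside 192.0.2.0/24
    for attached in (["alice-ssh-campus"], ["default", "alice-ssh-campus"]):
        rules = effective_ingress(GROUPS, attached)
        print(attached, "| SSH from", outside, "allowed:",
              allows(rules, outside, 22),
              "| world-open SSH rules:", len(open_to_world(rules, 22)))
```

With only the user's own group attached, SSH is limited to the chosen range; once the modified default group is also attached, the narrower rule no longer restricts anything.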

Key Pair

A key pair represents an SSH credential and consists of a public key and a private key. OpenStack requires you to associate a key pair with an instance during its creation, and the key cannot be changed later. The public key is "injected" into the default user account of the instance, allowing you to log in to the instance with SSH by providing the private key.

Key pairs can be imported into OpenStack or created through the Horizon interface. When you create a new key pair, the private key will be downloaded in your browser as a PEM file. Be sure not to lose this file as it can never be downloaded again.

Private Network

Every instance must be assigned a private network over which it will communicate. This network must be available when the instance is created and cannot be replaced later. Each private network can be used by multiple instances.

If you have used the Exosphere web interface to create an instance in your allocation/region, it probably automatically created a private network for your instance called auto_allocated_network. If you look in Horizon's Project→Network→Networks list and see this network, you can use it when creating your instance through Horizon.

If you do not see this network, you can do one of the following:

  • Use Exosphere to create a temporary instance (thereby creating the private network for you to use).
  • Follow the steps in the Jetstream2 documentation to manually create a private network.
  • Follow the steps in the OpenStack documentation to create a private network, specify a subnet, and create a router and connect your private network to it.

Floating IP

Each OpenStack instance on a private network is assigned a fixed internal IP address when it is created. You will need to allocate and assign a floating IP address to your instance in order to access it from the internet. You can allocate the floating IP address before or after creating the instance. Associating an address with the instance is done after the instance has been created. The association remains with the instance through reboots and shelving, and is effectively permanent until you disassociate it from the instance or delete the instance itself.

 
© Cornell University | Center for Advanced Computing