- What is CREODIAS?
- Computing & Cloud
- Data & Processing
- Pricing Plans
- Examples of usage
- Example of tool usage
- Processing EO Data and Serving www services
- Processing and Storing EO
- Embedding OGC WMS Services into Your website
- GPU Use Case
- Using the EO Browser
- EO Data Finder API Manual
- Use of SNAP and QGIS on a CREODIAS Virtual Machine
- Use of WMS Configurator
- DNS as a Service - user documentation
- Use of Sinergise Sentinel Hub on the CREODIAS EO Data Hub
- Load Balancer as a Service
- Jupyter Hub
- Use of CREODIAS Finder for ordering data
- ESRI ArcGIS on CREODIAS
- Use of CEMS data through CREODIAS
- Searching, processing and analysis of Sentinel-5P data on CREODIAS
- Public Reporting Dashboards
- Sentinel Hub Documentation
- Integration Guides
- OGC API
- Custom Processing Scripts
- Legal Matters
- Partner Services
- About Us
Computing & Cloud
Networking and Security
Virtual Networking Services
In the CREODIAS Platform networking is fully virtualized and is fully configurable. A User can use public shared networks or can create Virtual Networks for their VMs. He can also create Virtual Routers to route traffic between Virtual Networks or from/to the Internet. In addition, CREODIAS Platform provides several network extensions like VPNaaS, LBaaS and FWaaS.
Outside internet can be accessed from VMS by means of: NAT on Virtual Routers (this is one directional access with no initialization of connection from outside), Floating-IPs and NAT on Virtual Routers (this allows for one-to-one mapping of internal private IP numbers to the public Floating-IP numbers) and direct connection of VMs to the public Internet networks.
In all above cases the internet traffic is billed per data transferred in GByte according to the Price List. The Internet traffic is billed per single Project (or Virtual Environment).
A User can use Virtual Networks to interconnect VMs and can create many IP subnets in it. An IP subnet can have a DHCP server enabled to automatically assign IP addresses and provide DNS and default gateway addresses to VMs. Each VM can be connected to one or more Virtual Networks.
A User can see current network topology in a legible form on a diagram and can manage them via API or the Cloud Dashboard.
Virtual Networks within a single Project are free and data transferred via such Networks is also free. Virtual Networks connecting different Projects are also free but data transferred via such Networks is billed according to the Price List.
Figure 1 - llustration of the web, routers
A Virtual Router connects two or more Networks and routes traffic between them. Usually, it is a default gateway for VMs. A User needs to have a Virtual Router between public and private network to provide Internet access to VMs in this private network. Virtual Router uses NAT (Network Address Translation) to provide Internet access to VMs.
User can manage Virtual Routers via API or the Cloud Dashboard.
Virtual Routers are free.
Floating IP is a public IP address that is mapped one-to-one to a private IP address assigned to a VM. It is realized on a Virtual Router using NAT mechanism. Floating IP provides a public access from the Internet to services running on a VM without assigning a public IP directly to the VM.
User can manage Floating IPs assignment via API or the Cloud Dashboard.
First public IP per VM or Bare Metal Machine is free. All further IPs are billed according to Price List.
Load Balancer as a Service (LBaaS)
The LBaaS extension provides users with the ability to setup a L4/L7 load balancer for their services. User can define a listener (HTTP/HTTPS or TCP) with a public IP and then attach a pool of private backend servers with a specific load balancing algorithm (round robin or least connections) to the listener. The LBaaS supports SSL termination and User can also specify how backend servers will be monitored by load balancer (HTTP, HTTPS or TCP connect).
The LBaaS is fully configurable using API and the Cloud Dashboard.
The LBaaS is billed in monthly quanta according to the Price List.
Authentication and Authorization
The CREODIAS Platform cloud security relies on OpenStack's centralized authentication and authorization model managed by the OpenStack Identity Service (Keystone). Keystone manages Tenants (Environments), Projects, Users, user Roles, service Catalogs and service access Policies. Every cloud management operation (such as mounting a volume or accessing object storage) performed by a User or an application through the Dashboard or through the API must first be checked for validity with Keystone. The Keystone security model is further described in Keystone Architecture.
An Environment consists of one or several Projects and is usually associated with a customer/User (an organization), sometimes called a Tenant. A single customer/User may very well have several projects. Each Project consists of a separate virtual environment composed of different resources such as VM-s, storage volumes, etc. Accounts are attributed to individual Users (persons). There may be several User accounts within a Project. The same User can participate in several Projects. Every User can be attributed certain Roles within a Project, that allow him to perform cloud management tasks on different kinds of resources (Virtual Machines, Volumes, Object Storage etc.), according to usage policies defined for these resources.
This model improves security by centralizing identity services while allowing flexible access rights management, in particular for the creation of User/person accounts, per project administrative accounts and service manager accounts having visibility and access to contract billing information across several projects. Single project administrative accounts have management and visibility rights limited to their project.
Users/persons are able to provision, start resources such as VMs and volume storage, manage their contents and configure connectivity and firewalling rules for VM-s. While provisioning a new VM, Users may provide or generate a key pair and associate it with the new VM instance. The public key will be injected in the VM and used for ssh authentication of the root account (or account with root privileges depending on os). Users may login to the instance via ssh with root privileges and setup other accounts using key pairs or passwords for authentication. Authorized Users can submit tickets for the helpdesk using either the www Customer Portal or a mail interface.
As part of other services.
The CREODIAS Platform authentication and authorization based on the Keystone module are free of charge.
Security Group is a set of IP traffic filtering rules which forms a firewall installed just before VM on its all interfaces. User can specify rules, their order and can assign a Security Group to a VM. Single rule specifies protocol, source and destination addresses, ports and an action (allow/drop). Security Groups are a security mechanism attributed directly to VMs.
Security Groups can be managed via API or the Cloud Dashboard.
Security Groups are free within predefined limits.
Firewall as a Service (FWaaS)
The FWaaS extension provides Users with the ability to deploy virtual firewalls to protect their whole private network globally at the network edge. The FWaaS extension enables you to apply firewall rules on traffic entering and leaving Tenant networks from/to Internet (north-south traffic). In the current version there is no support for traffic filtering between private networks (east-west traffic).
The FWaaS supports applying TCP, UDP, ICMP or protocol agnostic rules. User has full control of the firewall rules as well as their order. The firewall can be enabled on one, several or all Virtual Routers (User configurable) which connect private Virtual Networks to the Internet.
The firewall is fully configurable using API and the Cloud Dashboard.
The FWaaS is billed in monthly quanta according to the Price List.
VPN as a Service (VPNaaS)
The VPNaaS extension provides Users with the ability to deploy site-to-site IPsec tunnel to their private networks. Tunnel endpoint is placed on a router and gives access to private networks connected to the router. In the current version there is a support for IKE with PSK (pre-shared key) authentication mode. User has full control of IKE and IPsec policies parameters.
The VPNaaS is fully configurable using API and the Cloud Dashboard.
The VPNaaS is billed in monthly quanta according to the Price List.
Image Software upgrades
All the operating system image templates will be updated/patched on regular base (at least once per week) with security/bugfix patches and similar hot-fixes of the system and preinstalled software. Copies of all intermediate versions will be maintained. All the virtual machines will be configured with automatic updates feature enabled. The platform will include an internal proxy server, devoted for updates for machines intentionally disconnected from Internet, but the same proxy server will serve also other machines as an update performance booster. By principle, we will not perform any operations inside the Tenant’s Virtual Machines after their provisioning.
Therefore, users will be responsible for maintaining and patching the guest system and applications after provisioning of the machine. On request we will provide technical assistance for users willing to perform major upgrades of their systems, migrate their machines to different operation system, or request similar assistance
Upgraded operating software images will be available in the platform image service (Glance)
Image software security upgrades are free of charge.