What We Offer

Networking and Security


Virtual Networking Services

In the CREODIAS Platform, networking is fully virtualized and fully configurable. A User can use public shared networks or can create Virtual Networks for their VMs. They can also create Virtual Routers to route traffic between Virtual Networks or from/to the Internet. In addition, the CREODIAS Platform provides several network extensions such as VPNaaS, LBaaS and FWaaS.


Internet Access

Description
The outside Internet can be reached from VMs in three ways: NAT on Virtual Routers (outbound-only access; connections cannot be initiated from outside), Floating IPs combined with NAT on Virtual Routers (a one-to-one mapping of internal private IP addresses to public Floating IP addresses), and direct connection of VMs to the public Internet networks.

Billing
In all the above cases, Internet traffic is billed per GByte of data transferred, according to the Price List. Internet traffic is billed per single Project (or Virtual Environment).


Virtual Networks

Description
A User can use Virtual Networks to interconnect VMs and can create many IP subnets in them. An IP subnet can have a DHCP server enabled to automatically assign IP addresses and to provide DNS and default gateway addresses to VMs. Each VM can be connected to one or more Virtual Networks.

Provisioning
A User can see the current network topology in a legible form on a diagram and can manage Virtual Networks via the API or the Cloud Dashboard.

Billing
Virtual Networks within a single Project are free and data transferred via such Networks is also free. Virtual Networks connecting different Projects are also free but data transferred via such Networks is billed according to the Price List.

Figure 1 - Illustration of the web, routers

Virtual Routers

Description
A Virtual Router connects two or more Networks and routes traffic between them. Usually, it is the default gateway for VMs. A User needs a Virtual Router between the public network and a private network to provide Internet access to the VMs in that private network. The Virtual Router uses NAT (Network Address Translation) to provide this Internet access.

Provisioning
A User can manage Virtual Routers via the API or the Cloud Dashboard.

Billing
Virtual Routers are free.


Floating IP

Description
A Floating IP is a public IP address that is mapped one-to-one to a private IP address assigned to a VM. It is realized on a Virtual Router using the NAT mechanism. A Floating IP provides public access from the Internet to services running on a VM without assigning a public IP directly to the VM.
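The difference between the two NAT modes described under Internet Access and Floating IP above (outbound-only many-to-one NAT on the router's own address versus one-to-one mapping through a Floating IP) is easiest to see in a small model. The Python below is an added illustration, not CREODIAS or OpenStack code; the class, method names and the RFC 5737 documentation addresses are constructed for the example, and the third mode (a VM attached directly to a public network) needs no translation and is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


@dataclass
class VirtualRouter:
    """Toy model of a Virtual Router's two NAT modes (constructed example).

    gateway_ip   - the router's own public address, used as the source for
                   many-to-one NAT of VMs that have no Floating IP.
    floating_ips - one-to-one mappings of public Floating IP -> private VM IP.
    conntrack    - translations created by outbound flows; only replies to
                   these can come back in through the gateway address.
    """
    gateway_ip: str
    floating_ips: Dict[str, str] = field(default_factory=dict)
    conntrack: Dict[int, Endpoint] = field(default_factory=dict)
    next_port: int = 40000  # next free source port for many-to-one NAT

    def associate_floating_ip(self, public_ip: str, private_ip: str) -> None:
        """Bind a Floating IP to a VM's private address (1:1 mapping)."""
        self.floating_ips[public_ip] = private_ip

    def outbound(self, src: Endpoint) -> Endpoint:
        """Translate the source of a packet leaving the private network."""
        private_ip, private_port = src
        for public_ip, mapped in self.floating_ips.items():
            if mapped == private_ip:
                # Floating IP: source address rewritten 1:1, port unchanged
                return (public_ip, private_port)
        # No Floating IP: hide behind the gateway address on a fresh port and
        # remember the mapping so that replies can be delivered to the VM.
        public_port = self.next_port
        self.next_port += 1
        self.conntrack[public_port] = src
        return (self.gateway_ip, public_port)

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Translate a packet arriving from the Internet.

        Returns the private endpoint it is delivered to, or None when the
        router has no translation for it (the packet is dropped).
        """
        public_ip, public_port = dst
        if public_ip in self.floating_ips:
            # Floating IP: every port is forwarded, so services on the VM are
            # reachable although the VM itself holds no public address.
            return (self.floating_ips[public_ip], public_port)
        if public_ip == self.gateway_ip and public_port in self.conntrack:
            # Reply to a flow that a VM initiated; deliver to the originator.
            return self.conntrack[public_port]
        # Neither a Floating IP nor a known flow: a connection cannot be
        # initiated from outside towards a VM hidden behind the gateway.
        return None


if __name__ == "__main__":
    # Constructed addresses from RFC 5737 documentation ranges, not real ones.
    router = VirtualRouter(gateway_ip="203.0.113.10")
    router.associate_floating_ip("203.0.113.20", "10.0.0.5")
    print(router.inbound(("203.0.113.20", 22)))     # ('10.0.0.5', 22)
    print(router.inbound(("203.0.113.10", 22)))     # None
    print(router.outbound(("10.0.0.7", 51000)))     # ('203.0.113.10', 40000)
    print(router.inbound(("203.0.113.10", 40000)))  # ('10.0.0.7', 51000)
```

The model makes the billing and exposure consequences of the two modes explicit: a VM behind plain router NAT can only receive replies to flows it opened, while a VM with a Floating IP is reachable on every port, which is why such a VM should always carry a Security Group that limits the exposed ports.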

Provisioning
A User can manage Floating IP assignments via the API or the Cloud Dashboard.

Billing
The first public IP per VM or Bare Metal Machine is free. All further IPs are billed according to the Price List.


Load Balancer as a Service (LBaaS)

Description
The LBaaS extension provides Users with the ability to set up an L4/L7 load balancer for their services. A User can define a listener (HTTP/HTTPS or TCP) with a public IP and then attach to it a pool of private backend servers with a specific load balancing algorithm (round robin or least connections). The LBaaS supports SSL termination, and a User can also specify how the backend servers will be monitored by the load balancer (HTTP, HTTPS or TCP connect).
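To make the interplay between the two balancing algorithms and the backend health monitor concrete, here is an added Python model of a backend pool. It is an illustration written for this page, not LBaaS or Octavia code: the Member and Pool classes, the algorithm names and the probe callback are constructed, and the probe stands in for the HTTP/HTTPS/TCP-connect monitor the service actually runs.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Member:
    """A private backend server in the pool (constructed example)."""
    address: str
    port: int
    healthy: bool = True
    active_connections: int = 0


class Pool:
    """Backend pool with round robin / least connections and a health monitor."""

    def __init__(self, members: List[Member], algorithm: str = "round_robin") -> None:
        if algorithm not in ("round_robin", "least_connections"):
            raise ValueError(f"unsupported algorithm: {algorithm}")
        self.members = members
        self.algorithm = algorithm
        self._rr_index = -1  # position of the member handed out last

    def run_health_monitor(self, probe: Callable[[Member], bool]) -> None:
        """Apply a probe (HTTP, HTTPS or TCP connect in the real service) to
        every member; a member whose probe fails stops receiving connections."""
        for member in self.members:
            member.healthy = probe(member)

    def _next_round_robin(self) -> Member:
        # Walk the full member list from the last position so that a member
        # that becomes healthy again resumes its slot; skip unhealthy ones.
        count = len(self.members)
        for step in range(1, count + 1):
            index = (self._rr_index + step) % count
            if self.members[index].healthy:
                self._rr_index = index
                return self.members[index]
        raise RuntimeError("no healthy member")  # caller checks beforehand

    def select(self) -> Optional[Member]:
        """Pick the member that receives the next client connection, or None
        when the monitor has marked every backend as unhealthy."""
        healthy = [m for m in self.members if m.healthy]
        if not healthy:
            return None
        if self.algorithm == "least_connections":
            chosen = min(healthy, key=lambda m: m.active_connections)
        else:
            chosen = self._next_round_robin()
        chosen.active_connections += 1
        return chosen

    def release(self, member: Member) -> None:
        """Client connection closed; free the slot on that member."""
        member.active_connections -= 1


if __name__ == "__main__":
    # Constructed private backend addresses (RFC 1918), not real ones.
    pool = Pool([Member("10.0.0.11", 8080), Member("10.0.0.12", 8080),
                 Member("10.0.0.13", 8080)], "round_robin")
    print([pool.select().address for _ in range(4)])
    # Simulated monitor result: the second backend fails its probe.
    pool.run_health_monitor(lambda m: m.address != "10.0.0.12")
    print([pool.select().address for _ in range(3)])
```

The point a practitioner should take from the model is that the monitor, not the algorithm, decides which backends are eligible at all; an unmonitored pool keeps sending clients to a backend that has stopped answering.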

Provisioning
The LBaaS is fully configurable using the API and the Cloud Dashboard.

Billing
The LBaaS is billed in monthly quanta according to the Price List.


Security Services

Authentication and Authorization

Description
The CREODIAS Platform cloud security relies on OpenStack's centralized authentication and authorization model, managed by the OpenStack Identity Service (Keystone). Keystone manages Tenants (Environments), Projects, Users, user Roles, service Catalogs and service access Policies. Every cloud management operation (such as mounting a volume or accessing object storage) performed by a User or an application, through the Dashboard or through the API, must first be validated by Keystone. The Keystone security model is further described in Keystone Architecture.

An Environment consists of one or several Projects and is usually associated with a customer/User (an organization), sometimes called a Tenant. A single customer/User may very well have several Projects. Each Project consists of a separate virtual environment composed of different resources such as VMs, storage volumes, etc. Accounts are attributed to individual Users (persons). There may be several User accounts within a Project, and the same User can participate in several Projects. Every User can be attributed certain Roles within a Project, which allow them to perform cloud management tasks on different kinds of resources (Virtual Machines, Volumes, Object Storage, etc.), according to the usage policies defined for these resources.

This model improves security by centralizing identity services while allowing flexible management of access rights, in particular for the creation of User/person accounts, per-Project administrative accounts, and service manager accounts that have visibility of, and access to, contract billing information across several Projects. Single-Project administrative accounts have management and visibility rights limited to their own Project.
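The two paragraphs above describe roles that are scoped to a Project and accounts (service managers) whose rights span every Project of an Environment. The Python below is an added model of that scoping written for this page; it is not Keystone or oslo.policy code, and the POLICY table, operation names, role names and the IdentityModel class are constructed to show how project-scoped and environment-wide role assignments combine under a default-deny check.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed policy table: each cloud operation maps to the roles allowed to
# perform it. Real Keystone/oslo.policy rules are richer, but the shape is the
# same: an operation is refused unless some rule grants it.
POLICY: Dict[str, Set[str]] = {
    "compute:start_server": {"member", "admin"},
    "volume:attach": {"member", "admin"},
    "network:update_security_group": {"member", "admin"},
    "identity:create_user": {"admin"},
    "billing:read_contract": {"service_manager"},
}


@dataclass
class IdentityModel:
    """Toy model of Project-scoped roles plus Environment-wide roles."""
    # project -> environment (tenant) the project belongs to
    projects: Dict[str, str] = field(default_factory=dict)
    # (user, project) -> roles held in that project only
    project_roles: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    # (user, environment) -> roles applying to every project of the environment
    environment_roles: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def add_project(self, project: str, environment: str) -> None:
        self.projects[project] = environment

    def grant_project_role(self, user: str, project: str, role: str) -> None:
        if project not in self.projects:
            raise KeyError(f"unknown project {project}")
        self.project_roles.setdefault((user, project), set()).add(role)

    def grant_environment_role(self, user: str, environment: str, role: str) -> None:
        self.environment_roles.setdefault((user, environment), set()).add(role)

    def effective_roles(self, user: str, project: str) -> Set[str]:
        """Roles the user holds when acting inside the given project."""
        environment = self.projects.get(project)
        if environment is None:
            return set()
        roles = set(self.project_roles.get((user, project), set()))
        roles |= self.environment_roles.get((user, environment), set())
        return roles

    def authorize(self, user: str, project: str, operation: str) -> bool:
        """Default deny: an unknown operation or no matching role is refused."""
        allowed = POLICY.get(operation)
        if not allowed:
            return False
        return bool(self.effective_roles(user, project) & allowed)


if __name__ == "__main__":
    # Constructed users, projects and environments.
    idm = IdentityModel()
    idm.add_project("proj-a", "acme")
    idm.add_project("proj-b", "acme")
    idm.grant_project_role("alice", "proj-a", "admin")
    idm.grant_environment_role("bob", "acme", "service_manager")
    print(idm.authorize("alice", "proj-a", "identity:create_user"))   # True
    print(idm.authorize("alice", "proj-b", "identity:create_user"))   # False
    print(idm.authorize("bob", "proj-b", "billing:read_contract"))    # True
    print(idm.authorize("bob", "proj-b", "compute:start_server"))     # False
```

Two properties worth checking in any real deployment are visible in the model: a Project administrator's rights stop at the Project boundary, and a service manager's billing visibility does not imply any right to operate resources.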

Users/persons are able to provision and start resources such as VMs and storage volumes, manage their contents, and configure connectivity and firewalling rules for VMs. While provisioning a new VM, Users may provide or generate a key pair and associate it with the new VM instance. The public key is injected into the VM and used for SSH authentication of the root account (or of an account with root privileges, depending on the OS). Users may log in to the instance via SSH with root privileges and set up other accounts using key pairs or passwords for authentication. Authorized Users can submit tickets to the helpdesk using either the web Customer Portal or a mail interface.

Provisioning
As part of other services.

Billing
The CREODIAS Platform authentication and authorization based on the Keystone module are free of charge.


Access Groups

Description
A Security Group is a set of IP traffic filtering rules which forms a firewall applied on all interfaces of a VM, directly in front of it. A User can specify rules and their order, and can assign a Security Group to a VM. A single rule specifies the protocol, source and destination addresses, ports, and an action (allow/drop). Security Groups are a security mechanism attributed directly to VMs.


Provisioning
Security Groups can be managed via the API or the Cloud Dashboard.


Billing
Security Groups are free within predefined limits.


Firewall as a Service (FWaaS)

Description
The FWaaS extension provides Users with the ability to deploy virtual firewalls that protect their whole private network at the network edge. The FWaaS extension enables you to apply firewall rules to traffic entering and leaving Tenant networks from/to the Internet (north-south traffic). In the current version, there is no support for traffic filtering between private networks (east-west traffic).

The FWaaS supports TCP, UDP, ICMP and protocol-agnostic rules. A User has full control of the firewall rules as well as their order. The firewall can be enabled on one, several or all Virtual Routers (User configurable) which connect private Virtual Networks to the Internet.
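Both the Security Group description above and the FWaaS description here come down to the same thing: an ordered list of rules (protocol, source, destination, ports, allow/drop) evaluated first-match-wins, with everything unmatched dropped. The Python below is an added first-match evaluator written for this page to show why rule order matters; it is not OpenStack code, and the Rule and Packet classes, the sample rule set and the RFC 5737 addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The packet fields a rule looks at (constructed model)."""
    protocol: str                  # "tcp", "udp" or "icmp"
    src: str                       # source IP address
    dst: str                       # destination IP address
    dst_port: Optional[int] = None # None for ICMP


@dataclass(frozen=True)
class Rule:
    """One filtering rule with the fields described above (constructed model)."""
    action: str                                   # "allow" or "drop"
    protocol: Optional[str] = None                # None = protocol-agnostic
    source: str = "0.0.0.0/0"                     # CIDR
    destination: str = "0.0.0.0/0"                # CIDR
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive range; None = any

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if ip_address(pkt.src) not in ip_network(self.source, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.destination, strict=False):
            return False
        if self.dst_ports is not None:
            low, high = self.dst_ports
            if pkt.dst_port is None or not low <= pkt.dst_port <= high:
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule decides; a packet matching no rule gets the
    default action, which is "drop" so that the rule set is deny-by-default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set for a VM at 10.0.0.5: SSH only from one management
# network, HTTPS from anywhere, ICMP from anywhere, everything else dropped.
VM = "10.0.0.5"
RULES = [
    Rule("allow", "tcp", source="198.51.100.0/24", dst_ports=(22, 22)),
    Rule("drop", "tcp", dst_ports=(22, 22)),
    Rule("allow", "tcp", dst_ports=(443, 443)),
    Rule("allow", "icmp"),
]

if __name__ == "__main__":
    print(evaluate(RULES, Packet("tcp", "198.51.100.7", VM, 22)))  # allow
    print(evaluate(RULES, Packet("tcp", "203.0.113.9", VM, 22)))   # drop
    print(evaluate(RULES, Packet("udp", "203.0.113.9", VM, 53)))   # drop
    # Swapping the first two rules silently closes SSH for the management net.
    swapped = [RULES[1], RULES[0]] + RULES[2:]
    print(evaluate(swapped, Packet("tcp", "198.51.100.7", VM, 22)))  # drop
```

When reviewing a rule set built through the API or the Dashboard, check it the same way: pick the flows that must and must not pass, and walk them through the ordered list, because a broad drop (or allow) placed before a narrow rule shadows that rule entirely.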

Provisioning
The firewall is fully configurable using the API and the Cloud Dashboard.

Billing
The FWaaS is billed in monthly quanta according to the Price List.


VPN as a Service (VPNaaS)

Description
The VPNaaS extension provides Users with the ability to deploy site-to-site IPsec tunnels to their private networks. The tunnel endpoint is placed on a router and gives access to the private networks connected to that router. In the current version, there is support for IKE with PSK (pre-shared key) authentication. A User has full control of the IKE and IPsec policy parameters.

Provisioning
The VPNaaS is fully configurable using the API and the Cloud Dashboard.

Billing
The VPNaaS is billed in monthly quanta according to the Price List.


Image Software Upgrades

Description
All the operating system image templates will be updated/patched on a regular basis (at least once per week) with security/bugfix patches and similar hot-fixes for the system and the preinstalled software. Copies of all intermediate versions will be maintained. All the virtual machines will be configured with the automatic updates feature enabled. The platform will include an internal proxy server dedicated to updates for machines intentionally disconnected from the Internet; the same proxy server will also serve other machines as an update performance booster. As a matter of principle, we will not perform any operations inside the Tenant’s Virtual Machines after their provisioning.

Therefore, Users are responsible for maintaining and patching the guest system and applications after provisioning of the machine. On request, we will provide technical assistance to Users wishing to perform major upgrades of their systems, migrate their machines to a different operating system, or who need similar assistance.

Provisioning
Upgraded operating system images will be available in the platform image service (Glance).

Billing
Image software security upgrades are free of charge.