Floating IPs


About floating IPs

A floating IP address exposes instances directly to the Internet. Floating IPs are typically globally routable (public) IPs. They are not allocated to instances by default, as they are only needed for those instances that should have direct access from the Internet.

Unlike a fixed (private) IP that you can create at any time to use internally, you as a user can't create a floating IP. These IPs belong to your service provider, so in order to use one, you need to grab it from the provider's pool (reserve it), and then you can use the IP with an instance.

In general, a floating IP that you reserve can be used in one of the following ways:

  • It can be assigned to an instance, meaning any traffic coming to this IP will be delivered to the specified instance port (subject to restrictions set by security groups)
  • It may be used in port forwarding
  • Finally, the IP may be reserved, but not used (not assigned to any instance, and not used in port forwarding)

Note that floating IPs are typically a billable resource, which means you will get an invoice for one as long as you keep it reserved in your project, no matter if it is used or not (see billing section for more details). If you no longer need a floating IP, you can release it back to the provider's pool. However, once an IP is released, another user may grab it, so there is no guarantee that you will be able to get the same IP back.

Floating IP addresses and fixed (private) IP addresses are used at the same time on a single network interface (or port). The private IP address is always there and is used to access the instance by other devices within the private network(s). In contrast, the floating IP address is only used for the instances or devices that need to have direct access from the public network.

Floating IPs are not assigned to the instance interface directly. In other words, if you run a command like ip a inside your instance, you will not see the floating IP on the network interface. Instead, that IP is exposed by the networking service of the cloud, and the traffic incoming to that IP will be forwarded to the designated port of the instance. While most applications won't see any difference, some applications may need to be specially configured to work properly in that configuration.

When assigning a floating IP, it is especially important to make sure the instance is protected, as it is likely to become a target for attacks from the Internet. So it is good practice to regularly deploy security updates, and to expose only the necessary network ports using security groups.

Port forwarding

Since floating IPs are a billable resource, there is a mechanism that allows sharing a single floating IP between multiple instances. This mechanism is called port forwarding.

When configuring port forwarding on a floating IP, you take an incoming TCP or UDP port (for example, 1022), and then create a forward for that port to a designated instance IP and TCP/UDP port (for example, IP 192.168.3.15 port 22). That way, multiple ports of that single floating IP can be forwarded to different instances, for example:

  • Floating IP 1.2.3.4 port 1022 -> internal ip 192.168.3.15 port 22
  • Floating IP 1.2.3.4 port 1023 -> internal ip 192.168.3.20 port 22
  • Floating IP 1.2.3.4 port 443 -> internal ip 10.1.25.84 port 443
  • and so on.

As a result, you can share a single public IP address to deliver Internet traffic to many instances.

Note that you cannot use the same floating IP in two scenarios simultaneously (use in port forwarding and assign to an instance) - it's one or the other. So, if you have a floating IP with some port forwarding rules assigned, you need to remove all those rules before you can assign that floating IP to an instance.

Security groups with port forwarding

In order to understand how to properly leverage security groups with port forwarding, consider the following:

  • Port forwarding only redirects a single TCP/UDP port at a time. Thus, incoming traffic going to TCP/UDP ports that are not configured for port forwarding will be discarded since it has no destination.
  • Security group rules apply on the instance network port level, and not on the floating IP level.

Therefore, port forwarding already exhibits some of the security group behavior: it only delivers configured traffic and discards anything else. Nevertheless, before reaching the destination instance, the traffic will still be filtered by the security groups assigned to the instance (at that point, the port number is already converted to the internal port). For example, if you want to deliver traffic reaching IP 1.2.3.4 port 1022 to instance IP 192.168.3.15 port 22, that instance must have security groups allowing TCP port 22 incoming traffic to go through (unless it has port security disabled). However, in this example you don't need to make any security group rules for TCP port 1022.
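
The two-stage check described above, as an added example (not part of the original documentation or the platform's own code): a small Python model that decides whether a packet arriving at the floating IP is delivered, and audits a rule set for forwards that cannot work. The names Forward, InstancePort, deliver and audit are hypothetical; the sample rules reuse the addresses from the text, with the second instance deliberately misconfigured and the third assumed to have port security disabled.

```python
from collections import namedtuple

# One port forwarding rule on a floating IP.
Forward = namedtuple("Forward", "proto ext_port int_ip int_port")
# Instance network port: ingress (proto, port) pairs its security groups allow.
InstancePort = namedtuple("InstancePort", "allowed port_security")

def deliver(forwards, ports, proto, dst_port):
    """Return (verdict, detail) for a packet arriving at the floating IP."""
    # Stage 1: port forwarding. No matching rule means the packet has no destination.
    fwd = next((f for f in forwards if (f.proto, f.ext_port) == (proto, dst_port)), None)
    if fwd is None:
        return "dropped", "no forwarding rule"
    # Stage 2: security groups on the instance port, checked against the INTERNAL port.
    port = ports[fwd.int_ip]
    if port.port_security and (proto, fwd.int_port) not in port.allowed:
        return "dropped", f"security group blocks {proto}/{fwd.int_port} on {fwd.int_ip}"
    return "delivered", f"{fwd.int_ip}:{fwd.int_port}"

def audit(forwards, ports):
    """Flag forwards that cannot work and rules that only match the external port."""
    findings = []
    for f in forwards:
        p = ports[f.int_ip]
        if p.port_security and (f.proto, f.int_port) not in p.allowed:
            findings.append(f"unreachable: {f.ext_port} -> {f.int_ip}:{f.int_port}")
        if f.ext_port != f.int_port and (f.proto, f.ext_port) in p.allowed:
            findings.append(f"not needed for forward: {f.proto}/{f.ext_port} on {f.int_ip}")
    return findings

# Constructed sample data using the addresses from the text above.
FORWARDS = [
    Forward("tcp", 1022, "192.168.3.15", 22),
    Forward("tcp", 1023, "192.168.3.20", 22),
    Forward("tcp", 443, "10.1.25.84", 443),
]
PORTS = {
    "192.168.3.15": InstancePort({("tcp", 22)}, True),
    "192.168.3.20": InstancePort({("tcp", 1023)}, True),   # rule written for the external port
    "10.1.25.84": InstancePort(set(), False),              # port security disabled
}

if __name__ == "__main__":
    for dst in (1022, 1023, 443, 8080):
        print(dst, deliver(FORWARDS, PORTS, "tcp", dst))
    print(audit(FORWARDS, PORTS))
```

The second forward shows the common mistake: a security group rule opened for the external port (1023) does nothing for the forward, while the internal port (22) stays blocked.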


Floating IP management

Attaching a floating IP to an instance

To attach a floating IP to an instance, do the following:

  1. In the right-hand "Instance" panel, click on the instance to which you desire to attach a floating IP (if you are on the instance list, click "Manage" in the action menu to get to that page).
  2. In the Networks section of the instance details page, click on the dropdown list that is found beside the Public IP field.
  3. Choose to add an existing floating IP that is reserved (it will be in the list), or add a new one.

Note that in order for a floating IP to be connected, the target network must be connected to a router, and the router must have an external gateway. Without it, the platform will not be able to deliver Internet traffic to the port, and the floating IP assignment will fail.

If you no longer need a floating IP on an instance, you can do one of the following:

  • To remove the floating IP from the instance but keep it reserved, select "Detach".
  • To release the floating IP from your datacenter back to the provider's pool, select "Release". Note that once released, there is no guarantee you can get it back later: a new floating IP request will simply return the next floating IP available from the pool, which will likely be a different one.

Viewing floating IPs

To view your floating IPs, simply navigate to the "Floating IPs" page by clicking on the "Floating IP" tab on the left column of the portal (under "Networking" section). On this page you can view all created floating IPs and their status (Active means it is used by instances, while Down means it is reserved but not used).

Reserving a floating IP

In some cases, you may need to reserve a floating IP even before assigning it to any device. For example, you may want to use this IP to register DNS records in advance. For that, follow these steps:

  1. Click on "Networking" on the left column of the portal, and then click on "Floating IPs"
  2. In the Floating IPs page, click on the "Create floating ip" button to open the creation window.
  3. Select the desired network (typically there would be only one, called ext-net). The $ sign next to the network indicates a billable resource.
  4. Click "Create" to reserve a floating IP.

Using Floating IP in port forwarding

To create a new port forwarding rule, do the following:

  1. Click on "Networking" on the left column of the portal, and then click on "Floating IPs"
  2. In the Floating IPs page, select an IP you'd like to use (you may also click on the "Create floating ip" button to allocate a new one). Note that the IP should not be in the "Assigned" state, as this state indicates it is assigned to an instance or other device, and not available for port forwarding.
  3. Click the IP's action menu, and select "Forwarded Ports".
  4. In the opened window, specify protocol (TCP/UDP), external port, target instance and its IP, and target port.

Sometimes, you may find that some of the instance internal IPs are grayed out and not available for selection. This could be due to one of the following reasons:

  • The internal IP already has a floating IP associated with it.
  • The internal IP is allocated on a network that does not have a router connected, or the router does not have an external gateway (meaning there is no path for external traffic to be delivered to that instance).

To delete a port forwarding rule, look at the list at the bottom of the same screen. Select the rules you want to remove, and click the "Delete" icon.