bwCloud SCOPE - Virtualized server and application infrastructure

The state service bwCloud provides virtualized server and application infrastructures as a cloud service for employees, scientists and students at universities and colleges in Baden-Württemberg. bwCloud can operate over 1,000 virtual machines with individual operating systems and software at each operating site. The service runs on dedicated server systems at the four operating sites in Mannheim, Ulm, Freiburg and Karlsruhe.

Description

Since 2019, registration for bwCloud at the Karlsruhe Institute of Technology (KIT) has generally been possible in the two authorization levels bwCloud-Basic and bwCloud-Extended. One of these two authorizations must be assigned by the ITB to the OU in the group administration before login is possible. Users can then operate their own virtual machines (VMs) and use their own applications and services.

Integrated services

With the bwCloud-Basic authorization, users receive a quota for operating a simple virtual machine with 1 vCPU, 1 GB RAM and 50 GB disk space as well as a fixed IPv4 and IPv6 address from the BelWue network area. The runtime of virtual machines in Basic use is limited to 6 months.

With the bwCloud-Extended authorization, 8 instances, 16 vCPUs, 16 gigabytes of RAM, 128 gigabytes of hard disk space and two IPv4 and IPv6 addresses are included. This makes it possible to start larger and multiple virtual machines and operate them without a time limit.

If the quota settings are not sufficient, an increase can be requested from the bwCloud operating group at any time via the ticket system.

In addition, the resources can be shared and managed in separate user groups. The bwCloud operations team is happy to create separate groups with higher usage limits for individual work areas as well as institute or student groups (see: https://www.bw-cloud.org/de/faq/gruppen and https://bw-cloud.org/q/t).

Via the Baden-Württemberg support portal (bwSupport-Portal), users receive support from the local helpdesk at their home institution.

Services not included

The SCC does not provide know-how for setting up and operating VMs and applications in the bwCloud. Support currently only includes setting up access and managing usage quotas.

Virtual machines or servers with Microsoft Windows as the operating system may not be used by users in the bwCloud.

Organizational requirements

The descriptions of registration and use as well as the scope of services can be found at https://www.bw-cloud.org and www.alwr-bw.de/dienste-der-beteiligten-einrichtungen/bwcloud/.

To register for the service for the first time, the user must log in via "bwIDM via OpenID Connect" at https://portal.bw-cloud.org and agree to the terms of use.

The service can then be accessed via the web interface https://portal.bw-cloud.org under "bwIDM via OpenID Connect" by clicking on "Login". You then select your home organization and authenticate yourself with your identifier or your university login.

Employees and students at universities and colleges in Baden-Württemberg can currently use this service free of charge and each receive their own quota.

It is planned to introduce a charge. All users will receive a notification in good time so that they can prepare for the costs or adjust their resource consumption accordingly. The pricing model will be based on the resources actually used (quota). The prices depend on the selected instance size and memory consumption. The exact values have not yet been determined, but will be announced in good time before the launch.

A separate category and prices are also planned for hard disk space that does not belong to system partitions, so that it will be possible to use bwCloud storage space for larger amounts of data independently of the prices for virtual machines.


Further notes

  • Each VM receives a static IP address from the network: 193.196.36.0/22 and can be reached via DNS at the address ID.ka.bw-cloud-instance.org. "ID" corresponds to the ID assigned to the instance by the cloud system.
  • For security reasons, connections to the VMs via individual ports (e.g. UDP/TCP port 111) are generally blocked. Details can be found at www.bw-cloud.org - "Information on the networks of the bwCloud regions".
  • The IP addresses of the VMs belong to the public part of the BelWue network and are therefore outside the KIT network. Internal services in the KIT network can therefore not initially be used with a VM in the bwCloud. You can find more information on this in the FAQ below.
  • Employees and students of the universities and colleges in Baden-Württemberg can use this service and each receive a certain storage quota. Additional storage quotas can be requested via the bwSupport portal.
  • By default, a new virtual machine in the bwCloud is initially only accessible from outside via SSH (port 22). All other ports are closed, i.e. the VM rejects connections on these ports. If, for example, a web server is to be accessible via HTTPS, the corresponding port (port 443) must be opened in the security group. The following step-by-step guide explains in detail how to open a port via the dashboard:
    • Log in to the bwCloud. To do this, call up the dashboard and enter your login details.
    • Click on Network in the left-hand menu and on the sub-item Security groups. You will see an overview of the currently defined security groups. The default group is called default.
    • Click on the Manage Rules button in the corresponding line. An overview of all rules defined for this security group opens.
    • To add a new rule, click on the Add rule button. A dialog opens in which you can describe the new rule.
    • For example, if you want to allow access via HTTPS, select HTTPS in the drop-down menu of the first item ("Rule").
    • If the web server should be accessible from anywhere, enter the value 0.0.0.0/0 in the "CIDR" field. Alternatively, you can restrict access to a specific network segment here.
    • Then click on Add. The overview is reloaded and the new rule appears in the list.
    • If an individual port is to be opened, select the Custom TCP Rule option in the dialog under "Rule".
    • Enter the corresponding port number in the "Port" field.
    • In the "CIDR" field, you can restrict access to individual network segments. If you want to create an IPv6 rule, enter the network segment in IPv6 notation here ("0.0.0.0/0" becomes "::/0").
    • The direction can be specified in the "Direction" field: Ingress = incoming connections, Egress = outgoing connections.
    • Click on Add and the new rule is created.
    • As soon as the rules of a security group change, these changes take effect for all instances connected to it. The virtual machines therefore do not need to be rebooted.


FAQ - general

I need more than 32 GB RAM in my virtual machine. Are instances with more than 32 GB RAM possible?

No. The maximum available RAM is currently limited to 32 GB per VM.

After starting a new VM, I would like to access it via http, https or another port (e.g. port 5900 for VNC). However, the connection does not work. What could be the reason for this?

Security groups with security rules are used in bwCloud to implement firewalls at instance level, which can be customized while an instance is running. Without customization by the user, the "default" security group only allows incoming traffic via port 22 (SSH) after the VM is started. If the user wants to access the VM via other ports, they must add a corresponding rule to a security group and assign that security group to the VM. Each security rule is configured as either Ingress or Egress from the VM's point of view. Outgoing security rules also allow the corresponding response packets to be received; the firewall is stateful. Both address ranges (CIDR) and security groups can be specified as the source/destination.

Irrespective of this, the firewall mechanisms within the VM can continue to be used (e.g. Windows Firewall, ufw, firewalld, iptables...). If the connection does not work even though the port has been opened in a security group, check whether a separate firewall, installed with the software in the VM, is running in the VM's operating system and blocking access. If necessary, the corresponding port must also be opened there.
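Added example, not part of the bwCloud documentation or of the dashboard's own code: a small Python model of the security-group semantics described in the port-opening procedure above and in this answer (an allow-list of ingress/egress rules, CIDR matching, separate IPv4 and IPv6 rules, stateful replies), together with an audit helper that lists which ports a group exposes to the whole internet. The contents of the default group, the VNC port and all peer addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One security-group rule, seen from the VM: direction, protocol, port range, remote CIDR."""
    direction: str            # "ingress" (incoming) or "egress" (outgoing)
    protocol: str             # "tcp", "udp", "icmp" or "any"
    port_min: Optional[int]   # None = every port
    port_max: Optional[int]
    remote_cidr: str          # source range for ingress, destination range for egress


# Constructed approximation of the "default" group as the page describes it:
# SSH (port 22) in from anywhere, everything out. Not copied from bwCloud.
DEFAULT_GROUP: List[Rule] = [
    Rule("ingress", "tcp", 22, 22, "0.0.0.0/0"),
    Rule("ingress", "tcp", 22, 22, "::/0"),
    Rule("egress", "any", None, None, "0.0.0.0/0"),
    Rule("egress", "any", None, None, "::/0"),
]


def rule_matches(rule: Rule, direction: str, protocol: str, port: int, remote_ip: str) -> bool:
    """True if this rule covers a new connection with the given parameters."""
    if rule.direction != direction or rule.protocol not in ("any", protocol):
        return False
    if rule.port_min is not None and not rule.port_min <= port <= rule.port_max:
        return False
    net, addr = ip_network(rule.remote_cidr), ip_address(remote_ip)
    # An IPv4 CIDR never matches an IPv6 peer: "0.0.0.0/0" needs a separate "::/0" rule.
    return addr.version == net.version and addr in net


def connection_allowed(rules: List[Rule], direction: str, protocol: str, port: int, remote_ip: str) -> bool:
    """Security groups are allow-lists: a new connection passes if any rule matches.
    The firewall is stateful, so reply packets of an allowed connection need no rule of their own."""
    return any(rule_matches(r, direction, protocol, port, remote_ip) for r in rules)


def internet_exposed_ports(rules: List[Rule]) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Audit helper: ingress rules whose remote range is the whole internet (prefix length 0)."""
    exposed = {
        (r.protocol, r.port_min, r.port_max)
        for r in rules
        if r.direction == "ingress" and ip_network(r.remote_cidr).prefixlen == 0
    }
    return sorted(exposed, key=lambda t: (t[0], t[1] if t[1] is not None else 0))
```

Running `internet_exposed_ports` over a group before assigning it to a VM is a quick way to confirm that only the ports you intend to publish are open to 0.0.0.0/0 or ::/0.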
How can I access internal servers or services in the KIT network from a virtual server in the bwCloud?

VMs of the bwCloud are located in the BelWue network and therefore outside the KIT network. Access to internal resources is currently only possible via VPN. How to connect a bwCloud VM to the internal KIT network via VPN is described in the explanatory texts on VPN at KIT.