By default, bwCloud-OS instances are accessible via:

• SSH (port 22) – for remote login and configuration
• ICMP – to allow basic network diagnostics like ping and traceroute

This initial access is explicitly permitted by the automatically assigned security group (named default) in our configuration. This is not a default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

A newly created virtual machine in bwCloud-OS is only accessible from the outside via SSH (port 22) and ICMP. All other inbound traffic is blocked by default — meaning external traffic on those ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to add a rule to the relevant security group. Changes to security group rules apply immediately to all instances using that group — there's no need to reboot the instance.

If you're running a web server that should be accessible via HTTPS, you typically need to open port 443 in a security group attached to your instance.

Steps in the Dashboard:

1. In the left menu, go to Network → Security Groups. A list of all defined security groups will appear.
   • Recommended: Consider creating a dedicated security group (e.g. named https-access), and assign it to your instance using Edit Security Groups in the instance menu before the next step.
2. Find the relevant group and click Manage Rules. You’ll see all currently defined rules for that group.
3. Click Add Rule to create a new one.
4. In the dialog that appears, choose one of the following:
   • HTTPS from the Rule dropdown (automatically fills port 443), or
   • Custom TCP Rule, then manually enter 443 in the Port field.
5. In the CIDR field, specify which IP addresses should be allowed to connect:
   • Use a specific IP range (e.g. 192.168.0.0/24) to limit access
   • ⚠️ Using 0.0.0.0/0 allow access from any IPv4 address, and ::/0 from any IPv6 address.
6. Set the Direction of the rule:
   • Ingress = incoming connections (usually what you want)
   • Egress = outgoing connections
7. Click Add. The rule will be created and added to the list immediately.

Yes. Some ports are centrally blocked in certain bwCloud-OS regions due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see this overview.

No, bwCloud-OS does not provide SSL/TLS certificates. However, you can obtain certificates directly from public providers like Let’s Encrypt using tools such as Certbot, which can be installed and run on your instance.

This allows you, for example, to enable HTTPS for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using security group rules.

If your virtual machine is behaving unexpectedly (e.g. high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

Please take the following steps immediately:

1. Log in to the OpenStack Dashboard
2. Stop the affected instance(s). Do not delete them! This preserves data for further analysis.
3. Submit a support ticket via the bwSupportPortal with the following details:
   • Which instance(s) are potentially affected?
   • How is the suspicious behavior observed? (e.g. logs, performance, alerts)
   • What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

The contents and configuration of user instances are not inspected — we do not perform penetration tests or port scans on the instances. We also never look inside user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.