Skip to main content

Overview

The Xloud Compute control plane manages hypervisor hosts, instance lifecycle, and metadata delivery. Securing it against unauthorized access, network eavesdropping, and API abuse is critical in any production deployment. This guide covers the three primary hardening areas: metadata service protection, live migration TLS, and API rate limiting.
Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.
The following hardening measures must be applied to all production deployments. Failure to secure the compute control plane exposes hypervisor hosts, instance metadata, and inter-node communication to unauthorized access and data interception.
Prerequisites
  • Admin credentials sourced from admin-openrc.sh
  • XDeploy access for host-level configuration changes
  • TLS certificates issued by the cluster CA (required for live migration TLS)

Metadata Service Protection

The instance metadata service (169.254.169.254) is accessible from every running instance by default. It delivers user data, SSH public keys, and cloud-init configuration. Unrestricted access to this endpoint is a common attack vector in multi-tenant environments.
Apply security group rules to limit which instances can reach the metadata endpoint. In environments where instances do not require cloud-init or credential injection at boot, block metadata access entirely.
Verify instance metadata service status
openstack compute service list
Configure metadata access restrictions through XDeploy under Compute → Advanced Settings → Metadata Security.
Metadata service authentication requires instances to present a signed token when requesting user data and credentials. This prevents unauthorized metadata reads from compromised instances or SSRF attacks.Enable authenticated metadata through XDeploy under Compute → Advanced Settings → Metadata Security → Require Authentication.
Enabling metadata authentication requires cloud-init 20.3 or later in the guest OS. Instances running older cloud-init versions will fail to retrieve their cloud configuration at boot. Verify guest OS compatibility before enabling this setting in production.
Configure rate limits on the metadata endpoint to prevent abuse:
  • Maximum 60 requests per minute per instance
  • Temporary block after 3 consecutive rate limit violations within 5 minutes
Configure endpoint rate limits through XDeploy under Compute → Security → Metadata Rate Limiting.

Live Migration TLS

By default, live migration transfers instance memory and disk data over the management network without encryption. Enable TLS for live migration to protect in-flight instance data from network interception.
Live migration TLS encrypts the migration data channel between source and destination hypervisor nodes using mutual TLS authentication.
Verify current live migration configuration
openstack compute service list --long
Enable TLS through XDeploy under Compute → Security → Live Migration TLS. This requires all compute nodes to have valid TLS certificates issued by the cluster CA.
Enabling live migration TLS requires restarting the Compute Agent on all hypervisor nodes. Schedule this change during a maintenance window. Instances remain running during the agent restart, but live migrations cannot be initiated until all nodes complete the restart.
After enabling live migration TLS and restarting all compute agents, verify the configuration is active:
Check compute agent configuration on a host
openstack hypervisor show <hostname>
Initiate a test live migration between two hosts and verify in the migration log that the connection uses TLS. Inspect the migration network traffic to confirm data is encrypted.
A successful live migration after enabling TLS confirms the configuration is working. Any migration failure at this stage typically indicates a certificate validation error — verify certificate validity and CA trust chain on all nodes.

API Rate Limiting

The Compute API does not enforce rate limits by default. Without rate limiting, malicious actors or misconfigured automation can issue thousands of API requests per second, degrading control plane performance and enabling denial-of-service conditions.
Xloud recommends the following rate limits for production deployments:
Operation TypeRecommended LimitScope
Write operations (POST/PUT/DELETE)100 per minutePer user
Read operations (GET)1,000 per minutePer user
Admin operations500 per minutePer admin user
Apply these limits at the load balancer layer or via the Compute API service configuration through XDeploy under Compute → Security → API Rate Limiting.
Configure automatic temporary bans for clients that repeatedly exceed rate limits:
  • Clients exceeding the rate limit threshold 3 times within 5 minutes receive a temporary 15-minute block
  • All blocked requests return HTTP 429 Too Many Requests
  • Block events are logged for security audit review
Enable automatic bans through XDeploy under Compute → Security → API Rate Limiting → Automatic Blocking.
Review API access logs regularly for patterns that indicate credential stuffing, automated instance enumeration, or quota exhaustion attacks. Set up an alert in Xloud Monitoring (XIMP) for sustained 429 error rates above 1% of total API traffic.

Security Checklist

Review these items on every production deployment.
ControlConfigured ViaPriority
Metadata service authentication enabledXDeploy → Compute → Metadata SecurityHigh
Metadata endpoint rate limiting appliedXDeploy → Compute → Metadata Rate LimitingHigh
Live migration TLS enabledXDeploy → Compute → Security → Live Migration TLSHigh
API rate limiting configuredXDeploy → Compute → Security → API Rate LimitingMedium
Console proxy ports firewalled to admin CIDRsFirewall / security group rulesMedium
Admin API endpoints restricted to management networkLoad balancer / HAProxy ACLHigh

Next Steps

Live Migration

Configure and test live migration after enabling TLS on the migration channel.

Advanced Features

Enable vTPM and UEFI Secure Boot for instance-level hardware security.

Admin Guide

Return to the Compute Administration Guide index.