[Openstack-operators] Access to external resources from (and to) VM instances without NAT/Floating IP

Andrea Franceschini andrea.franceschini.rm at gmail.com
Mon Dec 4 09:09:46 UTC 2017

Hello Sean,

Thank you for taking the time to answer me :)

The only thing that bugs me about following this approach is that this way
you have to make sure that all VMs in your tenants are "routable"
up to the NATed instance.

While I would like to give the freedom to the tenant's user to put up
any type of network topology without the constraint to have every
VM reach at least the proxy instance.

For example I couldn't make back-to-back-like configurations or put
more than one router in the topology (e.g. double Front-end sharing
the same backend).

Wouldn't it be nice if every VM, regardless of its position in the network topology,
could enjoy some basic services (ssh/http proxy) 'at infrastructural level'?

The same way they already do for dnsmasq services (DNS, DHCP) or



2017-12-03 22:19 GMT+01:00 Sean Redmond <sean.redmond1 at gmail.com>:
> Hi,
> We have this case but we just use an instance that does have NAT to and
> access to both networks to act as a http proxy using squid and configure yum
> to use the proxy for outbound connections.
> Thanks
> On Sun, Dec 3, 2017 at 3:44 PM, Andrea Franceschini
> <andrea.franceschini.rm at gmail.com> wrote:
>> Hello All,
>> I've already posted a similar question to openstack general
>> mailing list, but I feel that it belongs better to this mailing list.
>> I'm wondering if there's a way to give a VM instance a limited
>> "out of band" access to an external http proxy, just to allow the
>> instances to do regular maintenance or management stuff, like
>> upgrading packages or connect to some management
>> tool (puppet, chef, ansible...).
>> With "Out of Band" I mean without using NAT or Floating IP which
>> require the VM to have connectivity within the tenant's resource
>> (Networks, routers thus "in band").
>> This is because I can imagine a number of situations where VMs need
>> to be reached only from other VM in the tenant but not from outside.
>> In other words what I really want to understand is if I, in order to
>> handle software deployment in my project, HAVE to make all VM instances
>> reachable from outside.
>> What I'm actually looking for is some sort of "out of band" access to
>> the VMs that leverages the same mechanism used for metadata.
>> I've successfully set up a nginx reverse proxy with listener in the
>> tenant's networks namespace to do the task, but I cannot get rid of
>> the "You're doing it wrong" feeling. :/
>> I mean I feel like I'm missing something important here, otherwise
>> someone else would have had the same problem, which seems not to
>> be the case, as I cannot find any web resources that raise the same
>> question.
>> Thanks in advance for any suggestion or direction,
>> Andrea
