<div dir="ltr">Mike, as far as I know those routers allow only outgoing traffic, i.e. a VM can see external networks, but those external networks cannot connect to the VM if it doesn't have a FIP, am I right?<div><br></div><div>Thanks!</div><div>Gustavo</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 29, 2016 at 7:24 PM, Mike Spreitzer <span dir="ltr">&lt;<a href="mailto:mspreitz@us.ibm.com" target="_blank">mspreitz@us.ibm.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><tt><font size="2">Gustavo Randich &lt;<a href="mailto:gustavo.randich@gmail.com" target="_blank">gustavo.randich@gmail.com</a>&gt; wrote
on 06/29/2016 03:17:54 PM:<br><br>> Hi operators...</font></tt><br><tt><font size="2">> <br>> Transitioning from nova-network to Neutron (Mitaka), one of the key
<br>> issues we are facing is how to reach VMs in VXLAN tenant networks
<br>> without using precious floating IPs.</font></tt><br><tt><font size="2">> <br>> Things that are outside Neutron in our case are:</font></tt><br><tt><font size="2">> <br>> - in-house made application orchestrator: needs SSH access to <br>> instances to perform various tasks (start / shutdown apps, configure<br>> filesystems, etc.)</font></tt><br><tt><font size="2">> <br>> - various centralized and external monitoring/metrics pollers: need
<br>> SNMP / SSH access to gather status and trends</font></tt><br><tt><font size="2">> <br>> - internal customers: need SSH access to instance from non-openstack<br>> VPN service</font></tt><br><tt><font size="2">> <br>> - ideally, non-VXLAN aware traffic balancer appliances</font></tt><br><tt><font size="2">> <br>> We have considered these approaches:</font></tt><br><tt><font size="2">> <br>> - putting some of the external components inside a Network Node: <br>> inviable because components need access to multiple Neutron deployments</font></tt><br><tt><font size="2">> <br>> - Neutron's VPNaaS: cannot figure how to configure a client-to-site
<br>> VPN topology</font></tt><br><tt><font size="2">> <br>> - integrate hardware switches capable of VXLAN VTEP: for us in this
<br>> stage, it is complex and expensive</font></tt><br><tt><font size="2">> <br>> - other?</font></tt><br><br></span><tt><font size="2">You know Neutron includes routers that can route between
tenant networks and external networks, right? You could use those,
if your tenant networks use disjoint IP subnets.</font></tt><br><br><tt><font size="2">Regards,</font></tt><br><tt><font size="2">Mike</font></tt><br><br><br></blockquote></div><br></div>