<font size=2 face="sans-serif">No, those routers are routers. If
one of them gets a packet, the router will forward the packet as usual
for a router.</font><br><br><font size=2 face="sans-serif">You might think they don't handle connections
into tenant networks, but that might be because nothing is trying to use
them as routers for the tenant networks. That's a question about
the routing tables in the rest of your environment.</font><br><br><font size=2 face="sans-serif">If the client has a route to a Neutron
tenant network that goes through a Neutron router, the client is able to
connect to a server on the Neutron tenant network.</font><br><br><font size=2 face="sans-serif">The normal configuration for routers
on the internet is to not forward traffic to the RFC 1918 addresses. I
do not recall how the Neutron routers handle packets addressed to those
addresses from sources on the "outside".</font><br><br><font size=2 face="sans-serif">Regards,<br>Mike</font><br><br><br><br><font size=1 color=#5f5f5f face="sans-serif">From:
</font><font size=1 face="sans-serif">Gustavo Randich &lt;gustavo.randich@gmail.com&gt;</font><br><font size=1 color=#5f5f5f face="sans-serif">To:
</font><font size=1 face="sans-serif">Mike Spreitzer/Watson/IBM@IBMUS</font><br><font size=1 color=#5f5f5f face="sans-serif">Cc:
</font><font size=1 face="sans-serif">"openstack@lists.openstack.org"
&lt;openstack@lists.openstack.org&gt;, "openstack-operators@lists.openstack.org"
&lt;openstack-operators@lists.openstack.org&gt;</font><br><font size=1 color=#5f5f5f face="sans-serif">Date:
</font><font size=1 face="sans-serif">06/30/2016 11:25 AM</font><br><font size=1 color=#5f5f5f face="sans-serif">Subject:
</font><font size=1 face="sans-serif">Re: [Openstack-operators]
Reaching VXLAN tenant networks from outside (without floating IPs)</font><br><hr noshade><br><br><br><font size=3>Mike, as far as I know those routers allow only outgoing
traffic, i.e. a VM can see external networks, but those external networks
cannot connect to a VM if it doesn't have a FIP, am I right?</font><br><br><font size=3>Thanks!</font><br><font size=3>Gustavo</font><br><br><font size=3>On Wed, Jun 29, 2016 at 7:24 PM, Mike Spreitzer <</font><a href=mailto:mspreitz@us.ibm.com target=_blank><font size=3 color=blue><u>mspreitz@us.ibm.com</u></font></a><font size=3>>
wrote:</font><br><tt><font size=2>Gustavo Randich <</font></tt><a href=mailto:gustavo.randich@gmail.com target=_blank><tt><font size=2 color=blue><u>gustavo.randich@gmail.com</u></font></tt></a><tt><font size=2>>
wrote on 06/29/2016 03:17:54 PM:<br><br>> Hi operators...<br>> <br>> Transitioning from nova-network to Neutron (Mitaka), one of the key
<br>> issues we are facing is how to reach VMs in VXLAN tenant networks
<br>> without using precious floating IPs.<br>> <br>> Things that are outside Neutron in our case are:<br>> <br>> - in-house made application orchestrator: needs SSH access to <br>> instances to perform various tasks (start / shutdown apps, configure<br>> filesystems, etc.)<br>> <br>> - various centralized and external monitoring/metrics pollers: need
<br>> SNMP / SSH access to gather status and trends<br>> <br>> - internal customers: need SSH access to instances from a non-OpenStack<br>> VPN service<br>> <br>> - ideally, non-VXLAN aware traffic balancer appliances<br>> <br>> We have considered these approaches:<br>> <br>> - putting some of the external components inside a Network Node: <br>> inviable because components need access to multiple Neutron deployments<br>> <br>> - Neutron's VPNaaS: cannot figure out how to configure a client-to-site
<br>> VPN topology<br>> <br>> - integrate hardware switches capable of VXLAN VTEP: for us in this
<br>> stage, it is complex and expensive<br>> <br>> - other?</font></tt><font size=3><br></font><tt><font size=2><br>You know Neutron includes routers that can route between tenant networks
and external networks, right? You could use those, if your tenant
networks use disjoint IP subnets.</font></tt><font size=3><br></font><tt><font size=2><br>Regards,<br>Mike</font></tt><font size=3><br><br></font><br><br><br><BR>