Open Stack

Hello All,

I'm quite new at Openstack and I'm stil trying to figure out how
things works or are supposed to work.

This is the scenario.

Let's imagine we've spun a new instance  on a network which is not
intended to reach or to be reached  from an external network (absence
of NAT support at L3 or for security/design reasons)

This istance will be given a cloud-init configuration to upgrade the
packages or the O.S. , but due the absence of external connectivity
those operations will fail.

What I'm wondering is if there's a way to give this instance a limited
"out of band" access to an external http proxy, just to allow the
instance to do regular maintenance or management stuff, like I said,
upgrading packages connect to some management tool (puppet, chef,
ansible...).

Just like the way metadata-proxy works.

I've successfully set up a nginx reverse proxy with listener in the
tenant's networks namespace to do the task, but I cannot get rid of
the "You're doing it wrong" feeling. :/

I mean I feel like I'm missing something important here, otherwise
someone else would have had the same problem, which seems not to be
the case, as I cannot find any web resources that raises the same
question.

Thanks in advance for any suggestion or direction,

Andrea