[openstack-dev] [Fuel] API services available on public VIP

Vladimir Kuklin vkuklin at mirantis.com
Fri Nov 13 14:15:03 UTC 2015


Adam

I think the answer is relatively simple - if the user does not want to expose
those APIs, he can easily configure his infra to filter this traffic. We
just need to mention this in the Ops Guide.

On Fri, Nov 13, 2015 at 4:02 PM, Adam Heczko <aheczko at mirantis.com> wrote:

> Hello fuelers,
>
> today I'd like to raise a question about Fuel deployment practice related
> to the Public (external) network.
> The current approach is to expose by default over public IP OpenStack API
> endpoints like nova, cinder, glance, neutron etc. These API services are
> exposed through HAProxy with TLS support, so this approach seems to be
> relatively secure.
> OTOH industry practice is not to expose too much over public IPs and
> rather to rely on user action / decision to expose API access to the public.
> I'd like to ask for your opinions regarding this topic and approach taken
> by Fuel.
>
> Thank you,
>
> --
> Adam Heczko
> Security Engineer @ Mirantis Inc.
>


-- 
Yours Faithfully,
Vladimir Kuklin,
Fuel Library Tech Lead,
Mirantis, Inc.
+7 (495) 640-49-04
+7 (926) 702-39-68
Skype kuklinvv
35bk3, Vorontsovskaya Str.
Moscow, Russia,
www.mirantis.com <http://www.mirantis.ru/>
www.mirantis.ru
vkuklin at mirantis.com