[Openstack-operators] [Neutron]floatingip with security group

Kris G. Lindgren klindgren at godaddy.com
Wed Apr 8 15:17:22 UTC 2015


Mike is talking about our specific way of doing floating IPs - which is not the default for Neutron, so you do *NOT* have to add an allowed-address pair for the floating IP to work.

You will however have to add to the security group rules to allow traffic from whatever networks are connecting to your floating IP.  The reason for this is that the floating IP is performed via NAT.  So traffic from, say, the internet hits the floating IP and is destination NAT'd to the IP of your VM.  So from your VM's standpoint it sees traffic from the internet trying to connect to it.  If the security group rules on the VM do not allow this traffic it will be dropped.
____________________________________________

Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.


From: Michael Dorman <mdorman at godaddy.com>
Date: Wednesday, April 8, 2015 at 8:38 AM
To: OpenStack Operators <openstack-operators at lists.openstack.org>
Subject: Re: [Openstack-operators] [Neutron]floatingip with security group

Yup, you need to configure an "address pair" for the floating IP.  This isn't specifically a security groups thing, but it will allow traffic to the floating IP to pass into the VM to which it is associated.

Under the covers, it's implemented similarly to security groups, but is not directly a security groups function.


From: LeeKies
Date: Wednesday, April 8, 2015 at 2:42 AM
To: OpenStack Operators
Subject: [Openstack-operators] [Neutron]floatingip with security group

I create a VM with a default security group, then I create and associate a floating IP with this VM.
But I can't connect to the floating IP. I check the security group, and I think it's the SG problem. I add a rule in the default SG, and then I can connect to the floating IP.

When I create a floating IP, do I have to add a rule in the security group to allow the IP for ingress?
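
The destination-NAT behaviour Kris describes at the top of this thread, as an added example that is not part of any poster's message: a small Python model showing that the security group is evaluated on the post-NAT packet, whose source is still the external client. All addresses, rule shapes and function names are constructed for illustration and are not Neutron's API.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class IngressRule:
    remote_ip_prefix: str  # source CIDR the rule admits
    proto: str
    port_min: int
    port_max: int

# Constructed sample values (documentation address ranges).
FLOATING_IP = "203.0.113.10"
FIXED_IP = "10.0.0.5"
NAT_TABLE = {FLOATING_IP: FIXED_IP}

def dnat(pkt, table):
    """Router step: rewrite only the destination; the source is untouched."""
    return Packet(pkt.src, table.get(pkt.dst, pkt.dst), pkt.proto, pkt.dport)

def sg_allows(pkt, rules):
    """VM port step: default-deny ingress, matched on the post-NAT packet."""
    src = ipaddress.ip_address(pkt.src)
    return any(
        src in ipaddress.ip_network(r.remote_ip_prefix)
        and r.proto == pkt.proto
        and r.port_min <= pkt.dport <= r.port_max
        for r in rules
    )

def delivered(pkt, rules, table=NAT_TABLE):
    """True if a packet sent to the floating IP reaches the VM."""
    return sg_allows(dnat(pkt, table), rules)

# Assumption: a stand-in group that only admits SSH from the tenant subnet.
internal_only = [IngressRule("10.0.0.0/24", "tcp", 22, 22)]
# Same group plus a rule for the external network that reaches the floating IP.
with_external = internal_only + [IngressRule("198.51.100.0/24", "tcp", 22, 22)]
client = Packet("198.51.100.7", FLOATING_IP, "tcp", 22)

if __name__ == "__main__":
    print("after DNAT:", dnat(client, NAT_TABLE))
    print("internal-only group:", delivered(client, internal_only))
    print("with external rule:", delivered(client, with_external))
```

In this model a rule whose remote prefix is the floating IP itself never matches, because the floating IP only ever appears as the pre-NAT destination, never as the source.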