[Openstack-operators] DVR and public IP consumption

Tomas Vondra vondra at czech-itc.cz
Fri Jan 29 08:59:29 UTC 2016


Fox, Kevin M <Kevin.Fox at ...> writes:

> 
> Hi Tomas,
> 
> Using external addresses per tenant router is a feature to a lot of sites,
> like ours. We want to know for sure, at minimum, which tenant was
> responsible for bad activity on the external network. Having the external
> address tied to a tenant router allows you to track bad activity back at
> least to the IP, then to the tenant router. You won't be able to tell which
> VMs of the tenant performed the bad activity because of the SNAT, but you
> at least have someone to talk to about it, instead of your local security
> friends asking you to unplug the whole cloud.
> 
> Thanks,
> Kevin

Hi Kevin!
Don't worry, I also had this in mind. We do traffic logging at the
datacenter's firewall, so using a private IP per tenant router would still
satisfy this requirement.
Tomas





