[Openstack-operators] Access to external resources from (and to) VM instances without NAT/Floating IP

Andrea Franceschini andrea.franceschini.rm at gmail.com
Sun Dec 3 15:44:02 UTC 2017


Hello All,

I've already posted a similar question to openstack general
mailing list, but I feel that it belongs better to this mailing list.

I'm wondering if there's a way to give a VM instance a limited
"out of band" access to an external http proxy, just to allow the
instances to do regular maintenance or management stuff, like
upgrading packages or connecting to some management
tool (puppet, chef, ansible...).

By "Out of Band" I mean without using NAT or Floating IP, which
require the VM to have connectivity within the tenant's resources
(networks, routers, thus "in band").

This is because I can imagine a number of situations where VMs need
to be reached only from other VMs in the tenant but not from outside.

In other words what I really want to understand is if I, in order to handle
software deployment in my project, HAVE to make all VM instances
reachable from outside.

What I'm actually looking for is some sort of "out of band" access to
the VMs that leverages the same mechanism used for metadata.

I've successfully set up an nginx reverse proxy with a listener in the
tenant's networks namespace to do the task, but I cannot get rid of
the "You're doing it wrong" feeling. :/

I mean I feel like I'm missing something important here, otherwise
someone else would have had the same problem, which seems not to
be the case, as I cannot find any web resources that raise the same
question.

Thanks in advance for any suggestion or direction,

Andrea


