Hi I am trying to figure out how to build a swift setup with Keystone identity management - and have the environment secured by a firewall. I expect, that a number of proxy nodes are accessible through the firewall (traffic will be NAT'ed). The proxy nodes are connected to a private "storage network" (not accessible from the outside) on a second network interface. Will the keystone have to be on the "public" side of the proxy nodes - or can it be on the "private" side (see http://docs.openstack.org/trunk/openstack-object-storage/admin/content/example-object-storage-installation-architecture.html - here it is on the "public" side) But I am not quite sure about the configuration of the different service when it comes to specifying the different URL's... For example, for the Keystone service: Assuming, that storage/swift nodes are located in the range 172.21.100.20-172.21.100.80, the keystone server on 172.21.100.10 - and the proxies on 172.21.100.100-172.21.100.120 (and external 10.32.30.10-10.32.30.30). What would be the correct IP's to use on this command ? keystone service-create --name keystone --type=identity --description "Keystone Identity Service" keystone endpoint-create --region RegionOne --service-id $KEYSVC_ID --publicurl 'http://x.x.x.x5000/v2.0' --adminurl 'http://x.x.x.x:35357/v2.0' --internalurl 'http://x.x.x.x:5000/v2.0' And for swift: keystone service-create --name keystone --type=identity --description "Swift Storage Service" keystone endpoint-create --service-id $SWIFTSVC_ID --publicurl 'http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s' --adminurl ' http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s ' --internalurl ' http://x.x.x.x:8080/v1/AUTH_\$(tenant_id)s ' Regards Brian -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130119/4dcca34c/attachment.html>