[Openstack] [Openstack-operators] Reaching VXLAN tenant networks from outside (without floating IPs)

Rick Jones rick.jones2 at hpe.com
Thu Jun 30 15:56:32 UTC 2016


On 06/30/2016 08:24 AM, Gustavo Randich wrote:
> Mike, as far as I know those routers allow only outgoing traffic, i.e.
> VM can see external networks, but those external networks cannot connect
> to VM if it doesn't have a FIP, am I right?

That is correct. As Turbo mentioned before, that is kind of the point 
behind the isolation.

It may be more effort than you wish to undertake, but for your "other?" 
question, finding some way to make floating IPs less precious would seem 
to be in order.  IPv6 comes to mind but I cannot speak to how ready 
OpenStack/Neutron is for that.

I suppose, if you were to create an instance with port security disabled 
and one of the precious floating IPs, which sat on all the private 
networks you wanted to not actually be private, and was configured as 
the default router for all the instances on those networks (or at least 
the router for the external subnet(s) you wanted to reach them from), 
and was configured in the external network infrastructure as the router 
for all the private network ranges, you might establish connectivity 
that way.

You would, of course, have to have not-really-private network IP address 
ranges which were compatible (didn't overlap) with the external address 
ranges in the rest of your infrastructure.

rick jones

>
> Thanks!
> Gustavo
>
> On Wed, Jun 29, 2016 at 7:24 PM, Mike Spreitzer <mspreitz at us.ibm.com
> <mailto:mspreitz at us.ibm.com>> wrote:
>
>     Gustavo Randich <gustavo.randich at gmail.com
>     <mailto:gustavo.randich at gmail.com>> wrote on 06/29/2016 03:17:54 PM:
>
>     > Hi operators...
>     >
>     > Transitioning from nova-network to Neutron (Mitaka), one of the key
>     > issues we are facing is how to reach VMs in VXLAN tenant networks
>     > without using precious floating IPs.
>     >
>     > Things that are outside Neutron in our case are:
>     >
>     > - in-house made application orchestrator: needs SSH access to
>     > instances to perform various tasks (start / shutdown apps, configure
>     > filesystems, etc.)
>     >
>     > - various centralized and external monitoring/metrics pollers: need
>     > SNMP / SSH access to gather status and trends
>     >
>     > - internal customers: need SSH access to instances from non-openstack
>     > VPN service
>     >
>     > - ideally, non-VXLAN aware traffic balancer appliances
>     >
>     > We have considered these approaches:
>     >
>     > - putting some of the external components inside a Network Node:
>     > inviable because components need access to multiple Neutron deployments
>     >
>     > - Neutron's VPNaaS: cannot figure out how to configure a client-to-site
>     > VPN topology
>     >
>     > - integrate hardware switches capable of VXLAN VTEP: for us in this
>     > stage, it is complex and expensive
>     >
>     > - other?
>
>     You know Neutron includes routers that can route between tenant
>     networks and external networks, right?  You could use those, if your
>     tenant networks use disjoint IP subnets.
>
>     Regards,
>     Mike
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
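As an added example, not code from the thread or from any of its authors: a dry-run shell sketch of the routing-instance design Rick describes above, using constructed names and CIDRs (app-net, db-net, core-rtr1, a placeholder floating IP) and assuming recent python-openstackclient flags (`--disable-port-security`, `--no-security-group`, `--host-route`). Because disabling port security also strips security groups from those ports, the last step puts the forwarding filter on the gateway itself, allowing only the SSH/SNMP traffic the orchestrator and pollers need.

```shell
# Added sketch of the routing-instance design above; all names/CIDRs are
# constructed placeholders. DRY_RUN=1 (default) prints commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
run()    { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
remote() { h=$1; shift; if [ "$DRY_RUN" = 1 ]; then echo "ssh $h $*"; else ssh "$h" "$@"; fi; }
fields() { printf '%s' "$1" | tr : ' '; }   # split one net:subnet:cidr:gw-address entry
# Tenant networks to expose; CIDRs must not overlap routed external ranges.
TENANTS="app-net:app-subnet:10.1.0.0/24:10.1.0.254 db-net:db-subnet:10.2.0.0/24:10.2.0.254"
MGMT_NET="mgmt-net"; EXT_NET="ext-net"; EXT_ROUTER="core-rtr1"; FIP="${FIP:-<floating-ip>}"
ORCH_CIDR="192.168.50.0/24"; IMAGE="gateway-image"; FLAVOR="m1.small"  # pollers/orchestrator live in ORCH_CIDR

# One port per network. --disable-port-security lets the gateway forward packets
# whose source is another VM (anti-spoofing would drop them) but also strips
# security groups from the port, so the gateway must filter for itself (below).
gateway_ports() {
  run openstack port create --network "$MGMT_NET" --disable-port-security \
      --no-security-group "gw-$MGMT_NET"
  for t in $TENANTS; do
    set -- $(fields "$t")
    run openstack port create --network "$1" --disable-port-security \
        --no-security-group --fixed-ip "subnet=$2,ip-address=$4" "gw-$1"
  done
}
# Boot the gateway on all of its ports, then bind the single floating IP.
gateway_server() {
  nics="--nic port-id=gw-$MGMT_NET"
  for t in $TENANTS; do nics="$nics --nic port-id=gw-${t%%:*}"; done
  run openstack server create --image "$IMAGE" --flavor "$FLAVOR" $nics vxlan-gw
  run openstack floating ip create "$EXT_NET"       # its address becomes FIP
  run openstack server add floating ip vxlan-gw "$FIP"
}
# Tenant subnets reach the poller/orchestrator range via the gateway's address on
# that network (use --gateway instead to make it their default router).
tenant_routes() {
  for t in $TENANTS; do
    set -- $(fields "$t")
    run openstack subnet set --host-route "destination=$ORCH_CIDR,gateway=$4" "$2"
  done
}
# Outside Neutron: external routers send each tenant range to the floating IP,
# and the gateway forwards only SSH/SNMP from the orchestrator range plus replies.
external_side() {
  for t in $TENANTS; do set -- $(fields "$t"); remote "$EXT_ROUTER" ip route add "$3" via "$FIP"; done
  remote "$FIP" sysctl -w net.ipv4.ip_forward=1
  remote "$FIP" iptables -P FORWARD DROP
  remote "$FIP" iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  remote "$FIP" iptables -A FORWARD -s "$ORCH_CIDR" -p tcp --dport 22 -j ACCEPT
  remote "$FIP" iptables -A FORWARD -s "$ORCH_CIDR" -p udp --dport 161 -j ACCEPT
}
```

Run the four functions in order with DRY_RUN=1 first and read the printed plan; the gateway's own fixed addresses are the only ones that may appear as `gateway=` in the subnet host routes.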