[Openstack] Accessing from and to VM instances without using a floating IP

Bernd Bausch berndbausch at gmail.com
Fri Dec 1 13:12:22 UTC 2017


I don't know what works for you, and I am not really a practitioner, but here are a few suggestions.

- openstack router set --enable-snat for a short window of time. Of course, that would give access to the entire internet and only limit the time.
- Use egress rules in security groups, or FWaaS, to limit the instance's internet access
- Set up a second external network that provides the limited access you need
- Apart from the built-in default L3 router, plugins for other routers like vyatta are available. Perhaps they provide more features than the L3 router.

I am sure there are other possibilities.

Bernd
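As an added example that is not part of Bernd's reply, the shell script below shows the "egress rules in security groups" option from his list: it removes a new group's default allow-all egress rules, permits TCP only to one HTTP proxy, and detaches the default group, since security groups are additive. The proxy address 203.0.113.10:3128, the server name web01 and the group name proxy-only are constructed placeholders; DRY_RUN=1 prints the openstack commands instead of executing them.

```shell
#!/usr/bin/env bash
# Restrict an instance's egress to a single HTTP proxy with Neutron security
# groups. Assumptions, not from the thread: proxy 203.0.113.10:3128, server
# "web01" and group "proxy-only" are constructed placeholders; DRY_RUN=1 prints
# the openstack commands instead of executing them.
set -eu

# Run an openstack CLI call, or print it when DRY_RUN=1 (printed to stderr so
# the command substitution in make_proxy_only_sg sees no fake rule IDs).
os() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'openstack %s\n' "$*" >&2
    else
        openstack "$@"
    fi
}

# make_proxy_only_sg NAME PROXY_IP PROXY_PORT
# Every new group gets allow-all egress rules for IPv4 and IPv6; delete them,
# then allow TCP only to the proxy. Nothing else (not even DNS) is reachable,
# so the guest has to address the proxy by IP.
make_proxy_only_sg() {
    sg="$1" proxy_ip="$2" proxy_port="$3"
    os security group create --description "egress only to HTTP proxy" "$sg"
    for rule in $(os security group rule list --egress -f value -c ID "$sg"); do
        os security group rule delete "$rule"
    done
    os security group rule create --egress --ethertype IPv4 --protocol tcp \
        --dst-port "$proxy_port" --remote-ip "${proxy_ip}/32" "$sg"
}

# attach_proxy_only_sg SERVER NAME
# Security groups are additive: the restrictive group only takes effect once
# the default group (allow-all egress) is removed from the port as well.
attach_proxy_only_sg() {
    server="$1" sg="$2"
    os server add security group "$server" "$sg"
    os server remove security group "$server" default
}

# Preview the calls; set DRY_RUN=0 to apply them against a real cloud.
DRY_RUN=1
make_proxy_only_sg proxy-only 203.0.113.10 3128
attach_proxy_only_sg web01 proxy-only
```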

-----Original Message-----
From: Andrea Franceschini [mailto:andrea.franceschini.rm at gmail.com] 
Sent: Friday, December 1, 2017 10:48 AM
To: openstack at lists.openstack.org
Subject: [Openstack] Accessing from and to VM instances without using a floating IP

Hello All,

I'm quite new at Openstack and I'm still trying to figure out how things work or are supposed to work.

This is the scenario.

Let's imagine we've spun a new instance on a network which is not intended to reach or to be reached from an external network (absence of NAT support at L3 or for security/design reasons).

This instance will be given a cloud-init configuration to upgrade the packages or the O.S., but due to the absence of external connectivity those operations will fail.

What I'm wondering is if there's a way to give this instance a limited "out of band" access to an external http proxy, just to allow the instance to do regular maintenance or management stuff, like I said, upgrading packages or connecting to some management tool (puppet, chef, ansible...).

Just like the way metadata-proxy works.

I've successfully set up a nginx reverse proxy with a listener in the tenant's network namespace to do the task, but I cannot get rid of the "You're doing it wrong" feeling. :/

I mean I feel like I'm missing something important here, otherwise someone else would have had the same problem, which seems not to be the case, as I cannot find any web resources that raise the same question.

Thanks in advance for any suggestion or direction,

Andrea
