[Openstack] Accessing from and to VM instances without using a floating IP

Andrea Franceschini andrea.franceschini.rm at gmail.com
Fri Dec 1 14:30:06 UTC 2017

Hello Bernd,

thank you for taking time in answering:)

Unfortunately one of the problems in my configuration is that L3 is
handled directly from ToR switches which do not support NAT, and as
far as I understand NAT should happen at L3 router.

So it's not really a matter of will , I actually can't do NAT. :(

Moreover I feel the question goes a little deeper than the simple use,
or not use, of NAT, what I really want to understand is if I, in order
to handle software deployment in my project, HAVE to make all VM
instances reachable from outside.

This bothers me as I can imagine a number of situations where VM need
to be reached only from other VM in the tenant but not from outside.

What I'm really looking for is some sort of "out of band" access to
the VMs that leaverage on the same mechanism used for metadata.



2017-12-01 14:12 GMT+01:00 Bernd Bausch <berndbausch at gmail.com>:
> I don't know what works for you, and I am not really a practitioner, but here are a few suggestions.
> - openstack router set --enable-snat for a short window of time. Of course, that would give access to the entire internet and only limit the time.
> - Use egress rules in security groups, or FWaaS, to limit the instance's internet access
> - Set up a second external network that provides the limited access you need
> - Apart from the built-in default L3 router, plugins for other routers like vyatta are available. Perhaps they provide more features than the L3 router.
> I am sure there are other possibilities.
> Bernd
> -----Original Message-----
> From: Andrea Franceschini [mailto:andrea.franceschini.rm at gmail.com]
> Sent: Friday, December 1, 2017 10:48 AM
> To: openstack at lists.openstack.org
> Subject: [Openstack] Accessing from and to VM instances without using a floating IP
> Hello All,
> I'm quite new at Openstack and I'm stil trying to figure out how things works or are supposed to work.
> This is the scenario.
> Let's imagine we've spun a new instance  on a network which is not intended to reach or to be reached  from an external network (absence of NAT support at L3 or for security/design reasons)
> This istance will be given a cloud-init configuration to upgrade the packages or the O.S. , but due the absence of external connectivity those operations will fail.
> What I'm wondering is if there's a way to give this instance a limited "out of band" access to an external http proxy, just to allow the instance to do regular maintenance or management stuff, like I said, upgrading packages connect to some management tool (puppet, chef, ansible...).
> Just like the way metadata-proxy works.
> I've successfully set up a nginx reverse proxy with listener in the tenant's networks namespace to do the task, but I cannot get rid of the "You're doing it wrong" feeling. :/
> I mean I feel like I'm missing something important here, otherwise someone else would have had the same problem, which seems not to be the case, as I cannot find any web resources that raises the same question.
> Thanks in advance for any suggestion or direction,
> Andrea
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

More information about the Openstack mailing list