Wido, as an operator, would I sell a floating IP with a number of instances it can be applied to? Just checking on your envisioned business case, not implying an answer here/yet.
On Mon, Jan 17, 2022 at 2:37 PM Wido den Hollander <w...@widodh.nl> wrote:
> Hi,
>
> Use-case: I have an SG-enabled shared network where a VM establishes a
> BGP session with the upstream router.
>
> Over this BGP session the VM announces a /32 (IPv4) and/or /128 (IPv6)
> address and the router now installs this route.
>
> I do the same (with the same IPs) on a few different VMs and this way I
> can have an Anycast/Floating IP which is being routed to those VMs.
>
> Problem: Security Group filtering prohibits this as the 'ipset' on the
> hypervisor checks all the packets originating from the VM and drops all
> packets not matching the ipset.
>
> Name: i-79-1328-VM
> Type: hash:ip
> Revision: 4
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 248
> References: 5
> Number of entries: 1
> Members:
> 62.221.XXX.11
>
> I want to add /32 and /128 addresses to this subnet so that the SG does
> not filter away this traffic.
>
> They could be added as a secondary IP to the VM, but this is not allowed
> by the API as the secondary IPs you want to add should always come from
> the subnet configured for that network.
>
> I do not want to turn off security grouping as this poses other
> potential issues.
>
> Solutions I see:
>
> - Add global/account/domain setting which allows arbitrary secondary IPs
> - Add per-network setting which allows arbitrary secondary IPs
> - Pre-define subnets which Anycast/Floating IPs can be picked from per
>   network
>
> Any ideas or suggestions?
>
> Wido

--
Daan
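An added example, not code from either message in this thread: an operator-side check that parses `ipset list` output in the shape Wido quoted and reports which of a VM's announced anycast prefixes the hypervisor SG egress filter would drop because no set member covers them. The set name is taken from the thread; the unmasked member address and the announced prefixes are constructed.

```python
import ipaddress

# Constructed sample of `ipset list <name>` output, in the shape quoted in the
# thread (the thread masks the member as 62.221.XXX.11; this value is made up).
SAMPLE_IPSET_OUTPUT = """\
Name: i-79-1328-VM
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 248
References: 5
Number of entries: 1
Members:
62.221.0.11
"""


def parse_ipset_list(text):
    """Parse `ipset list` output into (name, type, list of member networks)."""
    name = set_type = None
    members = []
    in_members = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if in_members:
            # hash:ip entries are single addresses (parsed as /32 or /128);
            # a hash:net set would list entries with an explicit prefix length.
            members.append(ipaddress.ip_network(line, strict=False))
        elif line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Type:"):
            set_type = line.split(":", 1)[1].strip()
        elif line.startswith("Members:"):
            in_members = True
    return name, set_type, members


def dropped_announcements(ipset_text, announced):
    """Return the announced prefixes that no ipset member covers.

    The SG rules on the hypervisor drop packets whose source is not in the
    VM's ipset, so every prefix returned here is traffic that would be filtered.
    """
    _, _, members = parse_ipset_list(ipset_text)
    dropped = []
    for prefix in announced:
        net = ipaddress.ip_network(prefix, strict=False)
        # subnet_of() only compares same-family networks, so check version first
        covered = any(net.version == m.version and net.subnet_of(m) for m in members)
        if not covered:
            dropped.append(str(net))
    return dropped
```

Feed it the output of `ipset list <vm-set-name>` from the hypervisor and the /32 and /128 routes the VM announces over BGP; anything returned is an announcement the SG filter will silently black-hole.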