On 2015-12-16 11:11 AM, Anne Gentle wrote:
>
> Another use case I hadn't heard yet is if a public URL is DDoSed, you
> can have a second URL on internal-only systems that can't be attacked
> from the outside world. So it's a publicURL in that you can access the
> service, but an internal-only URL so we can protect.
This is one of the reasons we have a split catalog. We are using the Keystone templated catalog to publish different URLs for users and services (no SQL catalog). This is so services can continue to work if the public API is DDoSed.

This is done by having 2 sets of Keystone services (all fed from the same database for auth and assignments) but with different templated catalogs. Users use the public one and services the private one, which all have a dedicated URL.

We also don't use split DNS, to ease debugging and preserve our sanity. By having an explicitly different URL, you can easily see and understand which API is contacted (public vs internal). This greatly reduces misunderstandings or gotchas: "oh, you are querying DNS from this desktop; nah, you won't get the 'right' internal IP."

We do not use the internalURL field as we do not wish to publish those endpoints to the end users. Our understanding is that they were meant for a different use case than ours. We could provide another set of internal URLs so they can access our API from within the cloud network, but that's another need we haven't encountered yet.

--
Mathieu

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
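A sanity check for the split-catalog setup described above, added here as an example and not code from the thread or from Keystone: it parses two templated catalog files (the user-facing and the service-facing one) and flags any internal hostname that leaked into the public catalog, plus services that exist in only one of the two. The hostnames and the `.int.example.com` suffix are constructed placeholders.

```python
# Added example: parse Keystone templated catalog files and compare the
# user-facing (public) catalog against the service-facing (internal) one.
from collections import defaultdict
import re

# Line format of the templated catalog driver:
#   catalog.<region>.<service_type>.<key> = <value>
_LINE = re.compile(r"^catalog\.([^.]+)\.([^.]+)\.(\w+)\s*=\s*(.*?)\s*$")

def parse_catalog(text):
    """Return {(region, service_type): {key: value}} from templated catalog text."""
    catalog = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            region, service, key, value = m.groups()
            catalog[(region, service)][key] = value
    return dict(catalog)

def catalog_problems(public_text, internal_text, internal_suffix):
    """Findings: internal hostnames published in the public catalog, and
    services present in one catalog but missing from the other."""
    public = parse_catalog(public_text)
    internal = parse_catalog(internal_text)
    problems = []
    for svc in sorted(set(public) | set(internal)):
        if svc not in public or svc not in internal:
            problems.append("%s/%s missing from one catalog" % svc)
            continue
        for key, url in public[svc].items():
            if key.endswith("URL") and internal_suffix in url:
                problems.append("%s/%s %s leaks internal host: %s" % (svc + (key, url)))
    return problems

# Constructed sample catalogs (hostnames are placeholders, not real endpoints).
PUBLIC = """
catalog.RegionOne.identity.publicURL = https://api.example.com:5000/v2.0
catalog.RegionOne.identity.adminURL = https://api.example.com:35357/v2.0
catalog.RegionOne.compute.publicURL = https://api.example.com:8774/v2/$(tenant_id)s
catalog.RegionOne.compute.adminURL = https://nova.int.example.com:8774/v2/$(tenant_id)s
"""
INTERNAL = """
catalog.RegionOne.identity.publicURL = https://keystone.int.example.com:5000/v2.0
catalog.RegionOne.compute.publicURL = https://nova.int.example.com:8774/v2/$(tenant_id)s
catalog.RegionOne.image.publicURL = https://glance.int.example.com:9292
"""

if __name__ == "__main__":
    for p in catalog_problems(PUBLIC, INTERNAL, ".int.example.com"):
        print(p)
```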