I did a project where we had all three of them in a sep VLAN, sep net. So to answer your question, this depends how much you want to secure, what is the requirements of your env, with access etc.. here is one of the answer from OpenStack
Keep in mind that public URL are just read only in most cases, where Admin URL are used to set password change roles, add roles etc.. https://ask.openstack.org/en/question/9255/when-the-internal-endpoint-will-be-used/ Remo > On Apr 7, 2016, at 14:48, Kaustubh Kelkar <kaustubh.kel...@casa-systems.com> > wrote: > > > -----Original Message----- > From: D'ANDREA, JOE (JOE) [mailto:jdand...@research.att.com] > Sent: Thursday, April 7, 2016 4:28 PM > To: openstack@lists.openstack.org > Subject: [Openstack] [keystone] publicurl vs adminurl reachability > > > More to the point: It's unclear to me whether adminurl endpoints are designed > such that they may be restricted to private networks, or if they are expected > to be as reachable as publicurl endpoints are. > [Kaustubh] I haven't tried this out, but this seems to be supported. > (http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-services.html#id1), > point 2: > "In a production environment, the variants might reside on separate networks > that service different types of users for security reasons". It does makes > sense to isolate at least the public API (read customer traffic )network from > the admin and internal API endpoints. > > > -Kaustubh > _______________________________________________ > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : openstack@lists.openstack.org > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > _______________________________________________ > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : openstack@lists.openstack.org > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > > !DSPAM:1,5706d86f171871543514637! > _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack