I did a project where we had all three of them in a separate VLAN, separate net.

So to answer your question, this depends on how much you want to secure, what
the requirements of your env are, with access etc.
Here is one of the answers from OpenStack.

Keep in mind that public URLs are just read-only in most cases, whereas admin URLs
are used to set password, change roles, add roles etc.


https://ask.openstack.org/en/question/9255/when-the-internal-endpoint-will-be-used/



Remo 
> On Apr 7, 2016, at 14:48, Kaustubh Kelkar <kaustubh.kel...@casa-systems.com> 
> wrote:
> 
> 
> -----Original Message-----
> From: D'ANDREA, JOE (JOE) [mailto:jdand...@research.att.com] 
> Sent: Thursday, April 7, 2016 4:28 PM
> To: openstack@lists.openstack.org
> Subject: [Openstack] [keystone] publicurl vs adminurl reachability
> 
> 
> More to the point: It's unclear to me whether adminurl endpoints are designed 
> such that they may be restricted to private networks, or if they are expected 
> to be as reachable as publicurl endpoints are. 
> [Kaustubh] I haven't tried this out, but this seems to be supported. 
> (http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-services.html#id1),
>  point 2:
> "In a production environment, the variants might reside on separate networks 
> that service different types of users for security reasons". It does make 
> sense to isolate at least the public API (read: customer traffic) network from 
> the admin and internal API endpoints.
> 
> 
> -Kaustubh
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> 
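One way to check the separation discussed in this thread, added here as an example (it is not from the original messages or from OpenStack): audit a service catalog and flag admin and internal endpoints that share a listener with the public endpoint or sit outside the management networks. The catalog sample (in the Keystone v3 shape, with an `interface` field per endpoint), the addresses, `MGMT_NETS` and the `audit` function are all constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

SHARED = "shares host:port with public endpoint"
OUTSIDE = "address outside management networks"
UNRESOLVED = "hostname, resolve and check manually"

# Assumed operator policy: networks where admin/internal endpoints may live.
MGMT_NETS = [ipaddress.ip_network("10.0.20.0/24"),
             ipaddress.ip_network("10.0.30.0/24")]

# Constructed sample catalog (not taken from a real deployment).
CATALOG = [
    {"type": "identity", "endpoints": [
        {"interface": "public", "url": "http://203.0.113.10:5000/v3"},
        {"interface": "internal", "url": "http://10.0.20.10:5000/v3"},
        {"interface": "admin", "url": "http://10.0.30.10:35357/v3"}]},
    {"type": "compute", "endpoints": [
        {"interface": "public", "url": "http://203.0.113.11:8774/v2.1"},
        {"interface": "internal", "url": "http://10.0.20.11:8774/v2.1"},
        {"interface": "admin", "url": "http://203.0.113.11:8774/v2.1"}]},
    {"type": "image", "endpoints": [
        {"interface": "public", "url": "http://203.0.113.12:9292"},
        {"interface": "internal", "url": "http://10.0.20.12:9292"},
        {"interface": "admin", "url": "http://glance-admin.example.test:9292"}]},
]

def audit(catalog, mgmt_nets):
    """Return (service, interface, reason) for each non-public endpoint at risk."""
    findings = []
    for svc in catalog:
        eps = svc["endpoints"]
        public = {urlsplit(e["url"]).netloc for e in eps if e["interface"] == "public"}
        for e in eps:
            if e["interface"] == "public":
                continue
            parts = urlsplit(e["url"])
            if parts.netloc in public:  # same listener as customer traffic
                findings.append((svc["type"], e["interface"], SHARED))
                continue
            try:
                addr = ipaddress.ip_address(parts.hostname)
            except ValueError:  # a name, not an IP literal: no DNS lookup here
                findings.append((svc["type"], e["interface"], UNRESOLVED))
                continue
            if not any(addr in net for net in mgmt_nets):
                findings.append((svc["type"], e["interface"], OUTSIDE))
    return findings

if __name__ == "__main__":
    for finding in audit(CATALOG, MGMT_NETS):
        print(*finding, sep=": ")
```
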

