On 06/30/2016 08:24 AM, Gustavo Randich wrote:
Mike, as far as I know those routers allow only outgoing traffic, i.e. VM can see external networks, but those external networks cannot connect to VM if it doesn't have a FIP, am I right?
That is correct. As Turbo mentioned before, that is kind of the point behind the isolation.
It may be more effort than you wish to undertake, but for your "other?" question, finding some way to make floating IPs less precious would seem to be in order. IPv6 comes to mind but I cannot speak to how ready OpenStack/Neutron is for that.
I suppose, if you were to create an instance with port security disabled and one of the precious floating IPs, which sat on all the private networks you wanted to not actually be private, and was configured as the default router for all the instances on those networks (or at least the router for the external subnet(s) you wanted to reach them from), and was configured in the external network infrastructure as the router for all the private network ranges, you might establish connectivity that way.
You would, of course, have to have not-really-private network IP address ranges which were compatible (didn't overlap) with the external address ranges in the rest of your infrastructure.
rick jones
Thanks!
Gustavo

On Wed, Jun 29, 2016 at 7:24 PM, Mike Spreitzer <mspre...@us.ibm.com> wrote:

Gustavo Randich <gustavo.rand...@gmail.com> wrote on 06/29/2016 03:17:54 PM:

> Hi operators...
>
> Transitioning from nova-network to Neutron (Mitaka), one of the key issues we are facing is how to reach VMs in VXLAN tenant networks without using precious floating IPs.
>
> Things that are outside Neutron in our case are:
>
> - in-house made application orchestrator: needs SSH access to instances to perform various tasks (start / shutdown apps, configure filesystems, etc.)
>
> - various centralized and external monitoring/metrics pollers: need SNMP / SSH access to gather status and trends
>
> - internal customers: need SSH access to instances from a non-OpenStack VPN service
>
> - ideally, non-VXLAN-aware traffic balancer appliances
>
> We have considered these approaches:
>
> - putting some of the external components inside a Network Node: inviable because components need access to multiple Neutron deployments
>
> - Neutron's VPNaaS: cannot figure out how to configure a client-to-site VPN topology
>
> - integrate hardware switches capable of VXLAN VTEP: for us at this stage, it is complex and expensive
>
> - other?

You know Neutron includes routers that can route between tenant networks and external networks, right? You could use those, if your tenant networks use disjoint IP subnets.

Regards,
Mike

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
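Both suggestions in the thread, rick jones' gateway instance with port security disabled and Mike's Neutron routers, rest on the same prerequisite: the tenant (VXLAN) subnets must not overlap the external address ranges or each other, and the external infrastructure must carry one static route per tenant prefix pointing at the gateway's floating IP. The script below is an added example, not code from the thread or from OpenStack, that runs that pre-flight check on a constructed inventory and emits the routes the outside network would need. Every network name and address in it is hypothetical.

```python
"""
Added example (not from the thread): pre-flight check for routing into
tenant networks through a single gateway instance or Neutron router.

Security note on rick jones' variant: disabling port security on the
gateway's tenant-side ports removes Neutron's MAC/IP anti-spoofing filter
and its security groups on those ports. That is precisely what lets the
instance forward packets whose source address is not its own, and it also
means the instance must do its own filtering; no other port should need it.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample inventory (hypothetical addresses).
TENANT_SUBNETS = {
    "app-net": "10.10.0.0/24",
    "db-net": "10.10.1.0/24",
    "legacy-net": "10.10.1.128/25",   # sits inside db-net: ambiguous to route
    "mon-net": "192.168.50.0/24",     # collides with an external range
}
EXTERNAL_RANGES = ["172.16.0.0/16", "192.168.50.0/23"]
GATEWAY_FIP = "172.16.5.20"           # floating IP of the gateway instance


def find_overlaps(tenant_subnets: Dict[str, str],
                  external_ranges: List[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, a, b) for every prefix collision.

    kind == "external": tenant subnet a overlaps external range b; the outside
    infrastructure already owns that prefix, so a route for it towards the
    gateway would black-hole or hijack external traffic.
    kind == "tenant": tenant subnets a and b overlap; the gateway has a single
    routing table and cannot tell which network a destination lives on.
    """
    tenants = {n: ipaddress.ip_network(c, strict=True)
               for n, c in tenant_subnets.items()}
    externals = [ipaddress.ip_network(c, strict=True) for c in external_ranges]
    names = sorted(tenants)
    conflicts: List[Tuple[str, str, str]] = []
    for name in names:
        for ext in externals:
            if tenants[name].overlaps(ext):
                conflicts.append(("external", name, str(ext)))
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if tenants[a].overlaps(tenants[b]):
                conflicts.append(("tenant", a, b))
    return conflicts


def routable_subnets(tenant_subnets: Dict[str, str],
                     external_ranges: List[str]) -> Dict[str, str]:
    """Drop every tenant subnet that takes part in a collision."""
    bad = set()
    for kind, a, b in find_overlaps(tenant_subnets, external_ranges):
        bad.add(a)
        if kind == "tenant":
            bad.add(b)
    return {n: c for n, c in tenant_subnets.items() if n not in bad}


def static_routes(tenant_subnets: Dict[str, str], gateway_fip: str,
                  external_ranges: List[str]) -> List[Tuple[str, str]]:
    """Routes the external infrastructure must carry: (prefix, next hop).

    The next hop is the gateway's floating IP, which must itself lie inside an
    external range, otherwise nothing outside can reach it.
    """
    fip = ipaddress.ip_address(gateway_fip)
    if not any(fip in ipaddress.ip_network(c, strict=True)
               for c in external_ranges):
        raise ValueError(f"{gateway_fip} is not inside any external range")
    routes: List[Tuple[str, str]] = []
    for name in sorted(tenant_subnets):
        net = ipaddress.ip_network(tenant_subnets[name], strict=True)
        if net.version != fip.version:
            raise ValueError(f"{name} and the floating IP differ in IP version")
        routes.append((str(net), str(fip)))
    return routes


def render_ip_route(routes: List[Tuple[str, str]]) -> List[str]:
    """Same routes in Linux form, for an upstream box that is a Linux router."""
    return [f"ip route add {prefix} via {nh}" for prefix, nh in routes]


if __name__ == "__main__":
    for kind, a, b in find_overlaps(TENANT_SUBNETS, EXTERNAL_RANGES):
        print(f"conflict ({kind}): {a} <-> {b}")
    ok = routable_subnets(TENANT_SUBNETS, EXTERNAL_RANGES)
    for line in render_ip_route(static_routes(ok, GATEWAY_FIP, EXTERNAL_RANGES)):
        print(line)
```

On the sample inventory only app-net survives: mon-net is rejected because the outside already owns 192.168.50.0/23, and db-net and legacy-net are rejected as a pair because the gateway could not disambiguate them. The gateway instance itself still needs IP forwarding enabled and its own packet filter, since the tenant-side ports with port security disabled no longer get security groups.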