I don't know what works for you, and I am not really a practitioner, but here 
are a few suggestions.

- openstack router set --enable-snat for a short window of time. Of course, 
that would give access to the entire internet and only limit the time.
- Use egress rules in security groups, or FWaaS, to limit the instance's 
internet access
- Set up a second external network that provides the limited access you need
- Apart from the built-in default L3 router, plugins for other routers like 
vyatta are available. Perhaps they provide more features than the L3 router.

I am sure there are other possibilities.

Bernd
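
The egress-rule option from the list above, as an added example that is not code from this thread or from OpenStack: it builds the one Neutron security group rule that lets an instance reach only an HTTP proxy, prints the equivalent openstack CLI command, and checks which flows the group permits under Neutron's allow-list semantics. The proxy address, port and group id are constructed placeholders.

```python
"""Added example, not from the thread: a security group whose only egress
rule reaches an HTTP proxy, plus a check of which flows it permits.
Proxy address, port and group id below are constructed placeholders."""
from ipaddress import ip_address, ip_network

PROXY_IP = "10.0.0.5"   # constructed: tenant-side HTTP proxy
PROXY_PORT = 3128
SG_ID = "00000000-0000-0000-0000-000000000000"  # placeholder group id


def proxy_only_egress_rules(sg_id, proxy_ip, proxy_port):
    """Rule body in the shape the Neutron API accepts (security_group_rule).
    Security groups are pure allow-lists: nothing here denies, so the
    default 'allow all egress' rules of the group must be deleted as well."""
    return [{"security_group_rule": {
        "security_group_id": sg_id, "direction": "egress",
        "ethertype": "IPv4", "protocol": "tcp",
        "port_range_min": proxy_port, "port_range_max": proxy_port,
        "remote_ip_prefix": f"{proxy_ip}/32"}}]


def as_cli(rule, sg_name):
    """Equivalent 'openstack security group rule create' invocation."""
    r = rule["security_group_rule"]
    return (f"openstack security group rule create --{r['direction']} "
            f"--ethertype {r['ethertype']} --protocol {r['protocol']} "
            f"--dst-port {r['port_range_min']}:{r['port_range_max']} "
            f"--remote-ip {r['remote_ip_prefix']} {sg_name}")


def egress_allowed(rules, dst_ip, dst_port, protocol="tcp"):
    """Neutron semantics: a flow leaves only if some egress rule matches."""
    addr = ip_address(dst_ip)
    for wrapper in rules:
        r = wrapper["security_group_rule"]
        if r["direction"] != "egress" or r["ethertype"] != f"IPv{addr.version}":
            continue
        if r.get("protocol") not in (None, protocol):   # None = any protocol
            continue
        prefix = r.get("remote_ip_prefix")
        if prefix and addr not in ip_network(prefix, strict=False):
            continue
        lo, hi = r.get("port_range_min"), r.get("port_range_max")
        if lo is not None and not lo <= dst_port <= hi:
            continue
        return True
    return False


if __name__ == "__main__":
    rules = proxy_only_egress_rules(SG_ID, PROXY_IP, PROXY_PORT)
    print(as_cli(rules[0], "mgmt-proxy-only"))
    for ip, port in [(PROXY_IP, PROXY_PORT), (PROXY_IP, 443), ("198.51.100.7", 3128)]:
        print(ip, port, "allowed" if egress_allowed(rules, ip, port) else "blocked")
```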

-----Original Message-----
From: Andrea Franceschini [mailto:[email protected]] 
Sent: Friday, December 1, 2017 10:48 AM
To: [email protected]
Subject: [Openstack] Accessing from and to VM instances without using a 
floating IP

Hello All,

I'm quite new at Openstack and I'm still trying to figure out how things work 
or are supposed to work.

This is the scenario.

Let's imagine we've spun a new instance on a network which is not intended to 
reach or to be reached from an external network (absence of NAT support at L3 
or for security/design reasons).

This instance will be given a cloud-init configuration to upgrade the packages 
or the O.S., but due to the absence of external connectivity those operations 
will fail.

What I'm wondering is if there's a way to give this instance a limited "out of 
band" access to an external http proxy, just to allow the instance to do 
regular maintenance or management stuff, like I said, upgrading packages or 
connecting to some management tool (puppet, chef, ansible...).

Just like the way metadata-proxy works.

I've successfully set up a nginx reverse proxy with a listener in the tenant's 
network namespace to do the task, but I cannot get rid of the "You're doing it 
wrong" feeling. :/

I mean I feel like I'm missing something important here, otherwise someone else 
would have had the same problem, which seems not to be the case, as I cannot 
find any web resources that raise the same question.

Thanks in advance for any suggestion or direction,

Andrea

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
