Access to external resources from (and to) VM instances without NAT/Floating IP


Access to external resources from (and to) VM instances without NAT/Floating IP

Andrea Franceschini
Hello All,

I've already posted a similar question to openstack general
mailing list, but I feel that it belongs better to this mailing list.

I'm wondering if there's a way to give a VM instance a limited
"out of band" access to an external http proxy, just to allow the
instances to do regular maintenance or management stuff, like
upgrading packages or connecting to some management
tool (puppet, chef, ansible...).

With "Out of Band" I mean without using NAT or Floating IP which
require the VM to have connectivity within the tenant's resource
(Networks, routers thus "in band").

This is because I can imagine a number of situations where VMs need
to be reached only from other VMs in the tenant but not from outside.

In other words what I really want to understand is if I, in order to handle
software deployment in my project, HAVE to make all VM instances
reachable from outside.

What I'm actually looking for is some sort of "out of band" access to
the VMs that leverages the same mechanism used for metadata.

I've successfully set up a nginx reverse proxy with listener in the
tenant's networks namespace to do the task, but I cannot get rid of
the "You're doing it wrong" feeling. :/

I mean I feel like I'm missing something important here, otherwise
someone else would have had the same problem, which seems not to
be the case, as I cannot find any web resources that raise the same
question.

Thanks in advance for any suggestion or direction,

Andrea

_______________________________________________
OpenStack-operators mailing list
[hidden email]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: Access to external resources from (and to) VM instances without NAT/Floating IP

Andrea Franceschini
Hello Sean,

Thank you for taking the time to answer me :)

The only thing that bugs me about this approach is that this way
you have to make sure that all VMs in your tenants are "routable"
up to the NATed instance.

While I would like to give the freedom to the tenant's user to put up
any type of network topology without the constraint to have every
VM reach at least the proxy instance.

For example, I couldn't make back-to-back-like configurations or put
more than one router in the topology (e.g. double front-end sharing
the same backend).

Wouldn't it be nice if every VM, in spite of its position in the network topology,
could enjoy 'at infrastructural level' some basic services (ssh/http proxy)?

The same way they already do for dnsmasq services (DNS, DHCP) or
metadata?

Thanks,

Andrea

2017-12-03 22:19 GMT+01:00 Sean Redmond <[hidden email]>:

> Hi,
>
> We have this case but we just use an instance that does have NAT to and
> access to both networks to act as an http proxy using squid and configure yum
> to use the proxy for outbound connections.
>
> Thanks
>
> On Sun, Dec 3, 2017 at 3:44 PM, Andrea Franceschini
> <[hidden email]> wrote:
>>
>> Hello All,
>>
>> I've already posted a similar question to openstack general
>> mailing list, but I feel that it belongs better to this mailing list.
>>
>> I'm wondering if there's a way to give a VM instance a limited
>> "out of band" access to an external http proxy, just to allow the
>> instances to do regular maintenance or management stuff, like
>> upgrading packages or connecting to some management
>> tool (puppet, chef, ansible...).
>>
>> With "Out of Band" I mean without using NAT or Floating IP which
>> require the VM to have connectivity within the tenant's resource
>> (Networks, routers thus "in band").
>>
>> This is because I can imagine a number of situations where VMs need
>> to be reached only from other VMs in the tenant but not from outside.
>>
>> In other words what I really want to understand is if I, in order to handle
>> software deployment in my project, HAVE to make all VM instances
>> reachable from outside.
>>
>> What I'm actually looking for is some sort of "out of band" access to
>> the VMs that leverages the same mechanism used for metadata.
>>
>> I've successfully set up a nginx reverse proxy with listener in the
>> tenant's networks namespace to do the task, but I cannot get rid of
>> the "You're doing it wrong" feeling. :/
>>
>> I mean I feel like I'm missing something important here, otherwise
>> someone else would have had the same problem, which seems not to
>> be the case, as I cannot find any web resources that raise the same
>> question.
>>
>> Thanks in advance for any suggestion or direction,
>>
>> Andrea
>>
>
>
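
The setup described in the quoted reply (a dual-homed instance running squid, with yum pointed at it), written out as an added configuration example that is not part of the original thread. The tenant subnet 10.0.0.0/24, the proxy address 10.0.0.5 and the mirror domains are assumptions chosen for illustration; the point is that the proxy only serves the tenant network and only forwards to an allowlist of maintenance destinations.

```conf
# --- /etc/squid/squid.conf on the dual-homed proxy instance ---
# Listen only on the tenant-side address (assumed 10.0.0.5),
# never on the externally NATed interface.
http_port 10.0.0.5:3128

# Clients: the tenant subnet only (assumed 10.0.0.0/24).
acl tenant_net src 10.0.0.0/24

# Destinations: package mirrors only (assumed domains; list your own repos).
acl mgmt_dst dstdomain .centos.org .fedoraproject.org

# Restrict ports and CONNECT tunnelling to plain HTTP/HTTPS.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow only tenant clients going to allowlisted destinations.
http_access allow tenant_net mgmt_dst
http_access deny all

# --- /etc/yum.conf on each VM that has no floating IP ---
[main]
proxy=http://10.0.0.5:3128
```

The proxy instance's security group also has to permit TCP 3128 from the tenant subnet, and nothing else needs to be opened inbound on the VMs themselves.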
