On 2015-09-15 6:49 PM, Doug Wiegley wrote:
> 
> 
>> On Sep 15, 2015, at 4:11 PM, Mathieu Gagné <mga...@internap.com> wrote:
>>
>>> On 2015-09-15 2:00 PM, Fox, Kevin M wrote:
>>> We run several clouds where there are multiple external networks. The "just 
>>> run it in on THE public network" doesn't work. :/
>>>
>>> I also strongly recommend to users to put VMs on a private network and use 
>>> floating IPs/load balancers. For many reasons. Such as, if you don't, the 
>>> IP that gets assigned to the VM helps it become a pet. You can't replace 
>>> the VM and get the same IP. Floating IPs and load balancers can help 
>>> prevent pets. It also prevents security issues with DNS and IPs. Also, for 
>>> every floating IP/LB I have, I usually have 3x or more the number of 
>>> instances that are on the private network. Sure it's easy to put everything 
>>> on the public network, but it provides much better security if you only put 
>>> what you must on the public network. Consider the internet. Would you want 
>>> to expose every device in your house directly on the internet? No. You put 
>>> them in a private network and poke holes just for the stuff that does. We 
>>> should be encouraging good security practices. If we encourage bad ones, 
>>> then it will bite us later when OpenStack gets a reputation for being 
>>> associated with compromises.
>>
>> Sorry but I feel this kind of reply explains why people are still using
>> nova-network over Neutron. People want simplicity and they are denied it
>> at every corner because (I feel) Neutron thinks it knows better.
> 
> Please stop painting such generalizations.  Go to the third or fourth email 
> in this thread and you will find a spec, worked on by neutron and nova, that 
> addresses exactly this use case.
> 
> It is a valid use case, and neutron does care about it. It has wrinkles. That 
> has not stopped work on it for the common cases.
> 

I've read the neutron spec you are referring to (which I mentioned in my
email) and I'm glad the subject is discussed. It was not my intention
to diminish the work done by the Neutron team to address those issues. I
wrongly associated a person's opinion with a whole project; this is not
fair, and I apologize for that.

Jeremy Stanley replied to Kevin with much better words than mine.

-- 
Mathieu

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
