Hello Bernd, thank you for taking time in answering :)

Unfortunately one of the problems in my configuration is that L3 is handled directly from ToR switches which do not support NAT, and as far as I understand NAT should happen at the L3 router. So it's not really a matter of will, I actually can't do NAT. :(

Moreover I feel the question goes a little deeper than the simple use, or not use, of NAT. What I really want to understand is if I, in order to handle software deployment in my project, HAVE to make all VM instances reachable from outside. This bothers me as I can imagine a number of situations where VMs need to be reached only from other VMs in the tenant but not from outside.

What I'm really looking for is some sort of "out of band" access to the VMs that leverages the same mechanism used for metadata.

Thanks,
Andrea

2017-12-01 14:12 GMT+01:00 Bernd Bausch <berndbau...@gmail.com>:
> I don't know what works for you, and I am not really a practitioner, but here
> are a few suggestions.
>
> - openstack router set --enable-snat for a short window of time. Of course,
>   that would give access to the entire internet and only limit the time.
> - Use egress rules in security groups, or FWaaS, to limit the instance's
>   internet access
> - Set up a second external network that provides the limited access you need
> - Apart from the built-in default L3 router, plugins for other routers like
>   vyatta are available. Perhaps they provide more features than the L3 router.
>
> I am sure there are other possibilities.
>
> Bernd
>
> -----Original Message-----
> From: Andrea Franceschini [mailto:andrea.franceschini...@gmail.com]
> Sent: Friday, December 1, 2017 10:48 AM
> To: openstack@lists.openstack.org
> Subject: [Openstack] Accessing from and to VM instances without using a
> floating IP
>
> Hello All,
>
> I'm quite new at Openstack and I'm still trying to figure out how things work
> or are supposed to work.
>
> This is the scenario.
>
> Let's imagine we've spun a new instance on a network which is not intended
> to reach or to be reached from an external network (absence of NAT support
> at L3 or for security/design reasons).
>
> This instance will be given a cloud-init configuration to upgrade the packages
> or the O.S., but due to the absence of external connectivity those operations
> will fail.
>
> What I'm wondering is if there's a way to give this instance a limited "out
> of band" access to an external http proxy, just to allow the instance to do
> regular maintenance or management stuff, like I said, upgrading packages,
> connecting to some management tool (puppet, chef, ansible...).
>
> Just like the way metadata-proxy works.
>
> I've successfully set up an nginx reverse proxy with a listener in the tenant
> network's namespace to do the task, but I cannot get rid of the "You're doing
> it wrong" feeling. :/
>
> I mean I feel like I'm missing something important here, otherwise someone
> else would have had the same problem, which seems not to be the case, as I
> cannot find any web resources that raise the same question.
>
> Thanks in advance for any suggestion or direction,
>
> Andrea
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
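The proxy-in-the-namespace approach Andrea describes, worked through as an added example (this is not code from the thread or from any OpenStack project). The point it adds is the security control the thread only hints at: the nginx listener must forward only to an explicit allowlist of upstreams (a package mirror, a config-management server), otherwise the "out of band" path becomes ordinary internet egress for every instance on the network. The namespace name, listener address, resolver, upstream hostnames and security-group name are placeholders I made up; the listener address has to be one an interface in that namespace already holds (for example the DHCP port's IP), and the `openstack security group rule create` flags are the real ones from the OpenStack client.

```shell
#!/bin/sh
# Added example, not code from the thread: a restricted HTTP reverse proxy that
# runs inside a tenant network's Neutron namespace (where Andrea's nginx listener
# lives) and only forwards to an explicit allowlist of upstreams, so the
# "out of band" path cannot be used as general internet egress.
#
# Assumptions (placeholders, not from the original post): the namespace name,
# the listener address (must already be held by an interface in that namespace,
# e.g. the DHCP port's IP), the resolver, the upstream hostnames and the
# security-group name are all made up for illustration.

# Accept only a Neutron qdhcp-/qrouter- namespace name. The value ends up on an
# "ip netns exec" command line, so arbitrary strings are refused.
valid_netns() {
    printf '%s' "$1" |
        grep -Eq '^q(dhcp|router)-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Render an nginx config. $1 = listen address (ip:port), $2 = a DNS resolver the
# network node can reach (proxy_pass with a variable resolves at request time),
# remaining args = allowed upstream hostnames. The map turns the request's Host
# header into a 0/1 flag; any host not listed gets 403 before nginx connects
# anywhere.
render_proxy_conf() {
    listen_addr=$1; resolver=$2; shift 2
    printf 'events {}\nhttp {\n'
    printf '    resolver %s;\n' "$resolver"
    printf '    map $http_host $upstream_allowed {\n        default 0;\n'
    for host in "$@"; do
        printf '        "%s" 1;\n' "$host"
    done
    printf '    }\n'
    printf '    server {\n        listen %s;\n' "$listen_addr"
    printf '        if ($upstream_allowed = 0) { return 403; }\n'
    printf '        location / {\n'
    printf '            proxy_pass http://$http_host;\n'
    printf '            proxy_set_header Host $http_host;\n'
    printf '        }\n    }\n}\n'
}

# Print (do not run) the operator commands: start nginx inside the namespace,
# and open exactly one egress rule in the tenant's security group towards the
# proxy. Returns non-zero on a malformed namespace name.
plan_commands() {
    ns=$1; conf=$2; listen_addr=$3; sg=$4
    valid_netns "$ns" || { echo "refusing bad namespace name: $ns" >&2; return 1; }
    proxy_ip=${listen_addr%:*}; proxy_port=${listen_addr##*:}
    printf 'ip netns exec %s nginx -c %s\n' "$ns" "$conf"
    printf 'openstack security group rule create --egress --protocol tcp --dst-port %s --remote-ip %s/32 %s\n' \
        "$proxy_port" "$proxy_ip" "$sg"
}

# Illustrative run with constructed values (prints only, no side effects).
render_proxy_conf 10.0.0.254:3128 10.0.0.2 mirror.example.org puppet.example.org
plan_commands qdhcp-0f3e8b1a-9c2d-4e5f-8a6b-7c8d9e0f1a2b /etc/nginx/tenant-proxy.conf 10.0.0.254:3128 app-servers
```

Two caveats a practitioner should keep in mind. First, the single egress rule only restricts anything if the security group's default allow-all egress rules have been deleted; Neutron's default group permits all outbound traffic. Second, the nginx process runs on the network node and is reachable by every instance on that tenant network, exactly like the metadata proxy, so keep it minimal (no open forward proxying, allowlist only) and treat it as part of the control plane's attack surface rather than as tenant infrastructure.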