
Revision history

revision 1: initial version

Hi all,

I didn't get any responses on this question so far so I have built the following for our environment and I'd be interested in any feedback / suggestions:

Three in-tenant RFC1918 (private) networks and subnets*

  1. Management Network - suggested IPv4 range 172.16.0.0/24 (you can use any RFC1918 CIDR)
  2. Private Network - suggested IPv4 range 10.1.0.0/24 (you can use any RFC1918 CIDR)
  3. Public Network - suggested IPv4 range 10.1.4.0/24 (you can use any RFC1918 CIDR)

Two external networks (FIP for SNAT/DNAT):

  1. External i.e. internet (default gw for app / web servers)
  2. Management i.e. DC network (default gw for management servers)

I create two routers:

  1. router-ext
  2. router-mgt

The management subnet is primarily attached to router-mgt to default route back to our DC management network via the SNAT. The public and private subnets are attached to router-ext to allow them to default route to the Internet.

The management subnet also has an interface connected to router-ext in order to SSH into the other servers - I don't want or need multiple NICs on the servers.

I host a bastion server on Management and wrap all servers in Neutron security groups. All servers allow SSH inbound from the bastion in the management SG and specific application ports are allowed via other security groups as required.

Not sure at the moment if I take this a stage further and use FWaaS between the public, private and management but I would guess that the individual SGs are adequate.

I've built all of this into a HOT that creates the environment and a single test VM in each - I will try to attach below in a separate post if that is of interest.

Appreciate your thoughts?

Best regards, Ian

revision 2

Hi all,

I didn't get any responses on this question so far so I have built the following for our environment and I'd be interested in any feedback / suggestions:

Three in-tenant RFC1918 (private) networks and subnets*

  1. Management Network - suggested IPv4 range 172.16.0.0/24 (you can use any RFC1918 CIDR)
  2. Private Network - suggested IPv4 range 10.1.0.0/24 (you can use any RFC1918 CIDR)
  3. Public Network - suggested IPv4 range 10.1.4.0/24 (you can use any RFC1918 CIDR)

Two external networks (FIP for SNAT/DNAT):

  1. External i.e. internet (default gw for app / web servers)
  2. Management i.e. DC network (default gw for management servers)

I create two routers:

  1. router-ext
  2. router-mgt

The management subnet is primarily attached to router-mgt to default route back to our DC management network via the SNAT. The public and private subnets are attached to router-ext to allow them to default route to the Internet.

The management subnet also has an interface connected to router-ext in order to SSH into the other servers - I don't want or need multiple NICs on the servers.

I host a bastion server on Management and wrap all servers in Neutron security groups. All servers allow SSH inbound from the bastion in the management SG and specific application ports are allowed via other security groups as required.

Not sure at the moment if I take this a stage further and use FWaaS between the public, private and management but I would guess that the individual SGs are adequate.

I've built all of this into a HOT that creates the environment and a single test VM in each - seems to work nicely.

Appreciate your thoughts on any other related topics? I can share the HOT but no idea where best to host that...

Best regards, Ian

revision 3

Hi all,

I didn't get any responses on this question so far so I have built the following for our environment and I'd be interested in any feedback / suggestions:

Three in-tenant RFC1918 (private) networks and subnets*

  1. Management Network - suggested IPv4 range 172.16.0.0/24 (you can use any RFC1918 CIDR)
  2. Private Network - suggested IPv4 range 10.1.0.0/24 (you can use any RFC1918 CIDR)
  3. Public Network - suggested IPv4 range 10.1.4.0/24 (you can use any RFC1918 CIDR)

Two external networks (FIP for SNAT/DNAT):

  1. External i.e. internet (default gw for app / web servers)
  2. Management i.e. DC network (default gw for management servers)

I create two routers:

  1. router-ext
  2. router-mgt

The management subnet is primarily attached to router-mgt to default route back to our DC management network via the SNAT. The public and private subnets are attached to router-ext to allow them to default route to the Internet.

The management subnet also has an interface connected to router-ext in order to SSH into the other servers - I don't want or need multiple NICs on the servers. This requires host_routes to be configured - I tried to do this in heat for the router but this is not supported.

I host a bastion server on Management and wrap all servers in Neutron security groups. All servers allow SSH inbound from the bastion in the management SG and specific application ports are allowed via other security groups as required.

Not sure at the moment if I take this a stage further and use FWaaS between the public, private and management but I would guess that the individual SGs are adequate.

I've built all of this into a HOT that creates the environment and a single test VM in each - seems to work nicely.

Appreciate your thoughts on any other related topics? I can share the HOT but no idea where best to host that...

Best regards, Ian

revision 4

Hi all,

I didn't get any responses on this question so far so I have built the following for our environment and I'd be interested in any feedback / suggestions:

Three in-tenant RFC1918 (private) networks and subnets*

  1. Management Network - suggested IPv4 range 172.16.0.0/24 (you can use any RFC1918 CIDR)
  2. Private Network - suggested IPv4 range 10.1.0.0/24 (you can use any RFC1918 CIDR)
  3. Public Network - suggested IPv4 range 10.1.4.0/24 (you can use any RFC1918 CIDR)

Two external networks (FIP for SNAT/DNAT):

  1. External i.e. internet (default gw for app / web servers)
  2. Management i.e. DC network (default gw for management servers)

I create two routers:

  1. router-ext
  2. router-mgt

The management subnet is primarily attached to router-mgt to default route back to our DC management network via the SNAT. The public and private subnets are attached to router-ext to allow them to default route to the Internet.

The management subnet also has an interface connected to router-ext in order to SSH into the other servers - I don't want or need multiple NICs on the servers. This requires host_routes to be configured - I tried to do this in heat for the router but this is not supported, but host_routes work fine.

I host a bastion server on Management and wrap all servers in Neutron security groups. All servers allow SSH inbound from the bastion in the management SG and specific application ports are allowed via other security groups as required.

Not sure at the moment if I take this a stage further and use FWaaS between the public, private and management but I would guess that the individual SGs are adequate.

I've built all of this into a HOT that creates the environment and a single test VM in each - seems to work nicely.

Appreciate your thoughts on any other related topics? I can share the HOT but no idea where best to host that...

Best regards, Ian
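The following Heat template is an added example and is not the poster's HOT (which is not on this page). It wires together the pieces the post describes: the three RFC1918 subnets, router-mgt as the management subnet's default gateway, a second router-ext leg on the management subnet with the host_routes that the post says have to be configured on the subnet rather than the router, and security groups that admit SSH into the bastion only from the DC side and into every other server only from ports carrying the bastion's group. The external network names, the 172.16.0.254 address for router-ext's management leg, the 192.0.2.0/24 DC admin range and the resource names are all assumptions chosen for the example.

```yaml
heat_template_version: 2016-10-14

description: >
  Added example (not the poster's HOT): management subnet with host_routes via
  router-ext, and SSH into application servers permitted only from the
  bastion's security group. Network names and 172.16.0.254 are assumptions.

parameters:
  external_net:
    type: string
    description: Internet-facing external network, name or ID (assumed)
  mgmt_external_net:
    type: string
    description: DC management external network, name or ID (assumed)
  dc_admin_cidr:
    type: string
    description: DC range allowed to SSH to the bastion (placeholder value)
    default: 192.0.2.0/24

resources:
  mgmt_net:
    type: OS::Neutron::Net
  mgmt_subnet:
    type: OS::Neutron::Subnet
    properties:
      network: { get_resource: mgmt_net }
      cidr: 172.16.0.0/24
      gateway_ip: 172.16.0.1   # router-mgt: default route back to the DC
      host_routes:             # the other tenant subnets via router-ext
        - { destination: 10.1.0.0/24, nexthop: 172.16.0.254 }
        - { destination: 10.1.4.0/24, nexthop: 172.16.0.254 }
  private_net:
    type: OS::Neutron::Net
  private_subnet:
    type: OS::Neutron::Subnet
    properties:
      network: { get_resource: private_net }
      cidr: 10.1.0.0/24
  public_net:
    type: OS::Neutron::Net
  public_subnet:
    type: OS::Neutron::Subnet
    properties:
      network: { get_resource: public_net }
      cidr: 10.1.4.0/24

  router_mgt:
    type: OS::Neutron::Router
    properties:
      external_gateway_info: { network: { get_param: mgmt_external_net } }
  router_mgt_mgmt_if:
    type: OS::Neutron::RouterInterface
    properties:
      router: { get_resource: router_mgt }
      subnet: { get_resource: mgmt_subnet }    # takes gateway_ip, .1
  router_ext:
    type: OS::Neutron::Router
    properties:
      external_gateway_info: { network: { get_param: external_net } }
  router_ext_private_if:
    type: OS::Neutron::RouterInterface
    properties:
      router: { get_resource: router_ext }
      subnet: { get_resource: private_subnet }
  router_ext_public_if:
    type: OS::Neutron::RouterInterface
    properties:
      router: { get_resource: router_ext }
      subnet: { get_resource: public_subnet }
  # Second leg on the management subnet: a port with a fixed address that is
  # not the subnet gateway, so the host_routes above have a next hop.
  router_ext_mgmt_port:
    type: OS::Neutron::Port
    properties:
      network: { get_resource: mgmt_net }
      fixed_ips:
        - { subnet: { get_resource: mgmt_subnet }, ip_address: 172.16.0.254 }
  router_ext_mgmt_if:
    type: OS::Neutron::RouterInterface
    properties:
      router: { get_resource: router_ext }
      port: { get_resource: router_ext_mgmt_port }

  bastion_sg:          # SSH to the bastion only from the DC admin range
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - { direction: ingress, protocol: tcp, port_range_min: 22,
            port_range_max: 22, remote_ip_prefix: { get_param: dc_admin_cidr } }
  managed_sg:          # attach to every other server: SSH only from bastion_sg
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - { direction: ingress, protocol: tcp, port_range_min: 22,
            port_range_max: 22, remote_mode: remote_group_id,
            remote_group_id: { get_resource: bastion_sg } }
```

Three points worth checking when deploying something like this. The host_routes are delivered to instances as DHCP classless static routes (option 121), so the guest image's DHCP client has to apply them; if a server on the management subnet cannot reach 10.1.0.0/24, inspect its routing table before suspecting Neutron. Security groups are stateful and `remote_group_id` is matched on the source addresses of the ports that belong to the remote group, so an SSH session from the bastion that is routed east-west through router-ext (no SNAT on that path) still matches managed_sg on the private and public subnets. Application ports should go in additional per-service groups layered on top of managed_sg rather than widening managed_sg itself, which keeps the bastion-only SSH rule uniform across every server.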