  1. Update your keystone catalog so that the publicURL for your services points to a routeable ip address. This will probably involve a series of endpoint-delete and endpoint-create commands.
  2. Update your nova configuration to use the public ip for novncproxy_base_url (and any other *_base_url settings that are in use in your environment).
  3. Make sure that any services that rely on Keystone are configured to use the internalURL endpoints, if you want them communicating using your private ip addresses. For example, Heat has an endpoint_type setting for the services it expects to consume.

And don't forget to restart services after you modify their configuration files.