Ask Your Question

Howto restrict tenants from attaching routers to an external network/subnet?

asked 2014-01-09 21:37:40 -0500

sami gravatar image


I have set up OpenStack Havana with separate Controller/Network and Computing hosts. I believe the neutron is working correctly, I can create, manage etc. networks, subnets and router. I can create an external network in neutron as an admin/service tenant that is connected to a separate physical router and also create a subnet in that network with a pool of public addresses (x.x.x.64/26). The network has an option router:externel set True. I want to use these as floating addresses which I can do. Tenants (which have non-zero floating_ip quota set) can get floating IP addresses from that network's pool. BUT, currently, a tenant can create a router and also connect (set gateway) the router to this external network, thus getting one public IP from the pool, which I don't want. If I set router:externel to False, it prevents the tenants getting floating IPs from the external network pool.

The question is: Is there a way to restrict tenants connecting routers to an external network and only allow an admin to create a router for a tenant that attaches to the external network? And at the same time enable the floating IPs for that network.

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2014-01-13 02:03:05 -0500

updated 2014-01-13 02:04:06 -0500


you can try to set quota of floating IP to zero for the project. In this mode no user in project can assign floating IP to VM. I know that there are policies that you can assign for an action (ex. create a router) but i don't know if exists a particular policy that prevent assign of external gateway to a project router.


edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2014-01-09 21:37:40 -0500

Seen: 772 times

Last updated: Jan 13 '14