why instances from different networks can ping each other

asked 2017-06-01

lost007

Hello, I installed OpenStack Newton on Ubuntu 16.04.2 with 3 nodes: controller, compute, block storage.

I created a new project with three instances, each instance in a separate network (image not included).

I didn't configure any routing on the router, so I thought that the instances wouldn't be able to ping each other, but that's not the case!! They all have connectivity to each other.

I don't want the instances to have connectivity to each other; I only want them to have access to the provider network. How do I do that?


answered 2017-06-01

updated 2017-06-01 06:56:23 -0500

You could create a separate router per network.

By the way, here is the routing table in my router:

$ ip netns
qrouter-3d1dcda5-c743-4535-bcbb-5a1c651adce1 (id: 1)
$ sudo ip netns exec qrouter-3d1dcda5-c743-4535-bcbb-5a1c651adce1 /bin/bash
# ip r
default via … dev qg-426ef0ad-56
… dev qr-45b6322e-2a  proto kernel  scope link  src …
… dev qr-47b002a5-04  proto kernel  scope link  src …
… dev qg-426ef0ad-56  proto kernel  scope link  src …

(The IP addresses and prefixes were stripped from the pasted output; only the interface names survive. The two qr-* interfaces are the router's ports on the two tenant subnets, the qg-* interface is its gateway port on the provider network.)

If you want a single router that doesn't route between the networks, I guess you would have to set up source policy routing, which Neutron's default L3 agent is probably unable to do. Perhaps other routers are more capable, for example Brocade's Vyatta plugin.

Thanks for the reply. I will create a separate router per network (even though it requires 2 more IP addresses on the provider network). The Brocade Vyatta plugin solution seems interesting but complicated; maybe I will try it in the future.

lost007 ( 2017-06-02 )
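The route table in the answer is the whole explanation: a Neutron router with two qr-* ports has a connected route to each tenant subnet, so the kernel forwards between them without any "routing configuration" on the OpenStack side. After splitting the networks onto separate routers it is worth checking that no router still carries more than one tenant subnet. The script below is an added example, not part of the original thread or of Neutron itself. It parses the text output of `ip route` inside each qrouter-* namespace and reports every router that has connected routes on more than one qr-* interface. The sample tables are constructed: the router and interface names of the first entry are copied from the answer, the second router and all addresses are made up.

```python
"""Report Neutron routers that connect more than one tenant subnet.

Added example (not from the original post or from Neutron). A router whose
namespace holds connected routes on two or more qr-* interfaces will forward
traffic between those subnets; a router with a single qr-* port only links
its subnet to the provider network via the qg-* port.
"""
import re
import subprocess

# Matches the start of an `ip route` line, e.g.
#   "default via 203.0.113.1 dev qg-426ef0ad-56"
#   "10.0.1.0/24 dev qr-45b6322e-2a  proto kernel  scope link  src 10.0.1.1"
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")


def parse_routes(text):
    """Return a list of (destination, via-or-None, device) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m["dst"], m["via"], m["dev"]))
    return routes


def tenant_subnets(routes):
    """Map each qr-* (tenant-side) interface to its directly connected subnet."""
    return {
        dev: dst
        for dst, via, dev in routes
        if dev.startswith("qr-") and via is None and dst != "default"
    }


def routers_bridging_networks(router_tables):
    """Given {namespace: `ip route` output}, return the namespaces that carry
    more than one tenant subnet, mapped to the sorted list of those subnets."""
    result = {}
    for ns, text in router_tables.items():
        subnets = tenant_subnets(parse_routes(text))
        if len(subnets) > 1:
            result[ns] = sorted(subnets.values())
    return result


def live_router_tables():
    """Collect the route table of every qrouter-* namespace on this node.
    Must run as root on the network/controller node; not used by the demo."""
    ns_out = subprocess.run(["ip", "netns"], capture_output=True,
                            text=True, check=True).stdout
    tables = {}
    for line in ns_out.splitlines():
        ns = line.split()[0]
        if ns.startswith("qrouter-"):
            tables[ns] = subprocess.run(
                ["ip", "netns", "exec", ns, "ip", "route"],
                capture_output=True, text=True, check=True).stdout
    return tables


# Constructed sample data. The first namespace and its interface names come
# from the answer above; every address, and the whole second router, is made up.
SAMPLE_TABLES = {
    "qrouter-3d1dcda5-c743-4535-bcbb-5a1c651adce1": (
        "default via 203.0.113.1 dev qg-426ef0ad-56\n"
        "10.0.1.0/24 dev qr-45b6322e-2a  proto kernel  scope link  src 10.0.1.1\n"
        "10.0.2.0/24 dev qr-47b002a5-04  proto kernel  scope link  src 10.0.2.1\n"
        "203.0.113.0/24 dev qg-426ef0ad-56  proto kernel  scope link  src 203.0.113.10\n"
    ),
    # Hypothetical router that was created for a single network only.
    "qrouter-00000000-0000-0000-0000-000000000002": (
        "default via 203.0.113.1 dev qg-00000000-02\n"
        "10.0.3.0/24 dev qr-00000000-03  proto kernel  scope link  src 10.0.3.1\n"
        "203.0.113.0/24 dev qg-00000000-02  proto kernel  scope link  src 203.0.113.11\n"
    ),
}


if __name__ == "__main__":
    for ns, subnets in routers_bridging_networks(SAMPLE_TABLES).items():
        print(f"{ns} forwards between: {', '.join(subnets)}")
```

On a real deployment replace `SAMPLE_TABLES` with `live_router_tables()` (run with sudo on the node hosting the L3 agent). An empty result means each router owns exactly one tenant subnet, which is the layout the answer recommends; any listed router is still a path between the subnets it names.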

