Ask Your Question

Tenant / Project Best Practice / Quick Start Templates

asked 2018-03-08 11:26:35 -0500

Ian G gravatar image

updated 2018-03-10 16:17:06 -0500

My apologies if this question has been asked before but I am trying to define best practice / standards for tenants (projects) and most of the searches for OpenStack talk in-depth about the underlay but not about the tenant environment. What would be great is if we had more reference designs / heat orchestration templates to allow people to create a kind of "quick start" that has well known security organisational approval and works (with little customisation) for most use cases.

What I want to achieve is at least the following:

  • What features to enable for each tenant or changes to policy.json to provide new roles like secops or secadm etc.
  • A set of standard virtual networks
    • private (for backend)
    • public (for frontend)
    • management (for bastion SSH access)
  • Use a user-defined RFC1918 range
  • Routing approach where more than one external network is used (e.g. on node,
  • Single vNIC on all VMs
  • A set of standard security groups that secure resources on the above
  • Shared services - what do these look like in OpenStack - do we need them?
  • Security best practice (beyond security groups e.g. FWaaS)
  • IPv6

I've looked at the github resources for Heat and just don't find the level of detail or best practice.

Any suggestions? Thanks a lot! Ian

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2018-03-15 08:51:50 -0500

Ian G gravatar image

updated 2018-03-15 08:56:33 -0500

Hi all,

I didn't get any responses on this question so far so I have built the following for our environment and I'd be interested in any feedback / suggestions:

Three in-tenant RFC1918 (private) networks and subnets*

  1. Management Network - suggested IPv4 range (you can use any RFC1918 CIDR)
  2. Private Network - suggested IPv4 range (you can use any RFC1918 CIDR)
  3. Public Network - suggested IPv4 range (you can use any RFC1918 CIDR)

Two external networks (FIP for SNAT/DNAT):

  1. External i.e. internet (default gw for app / web servers)
  2. Management i.e. DC network (default gw for management servers)

I create two routers:

  1. router-ext
  2. router-mgt

The management subnet is primarily attached to router-mgt to default route back to our DC management network via the SNAT. The public and private subnets are attached to router-ext to allow them to default route to Internet

The management subnet also has an interface connected to router-ext in order to SSH into the other servers - I don't want or need multiple NICs on the servers. This requires host_routes to be configured - I tried to do this in heat for the router but this is not supported but host_routes work fine.

I host a bastion server on Management and wrap all servers in Neutron security groups. All servers allow SSH inbound from the bastion in the management SG and specific application ports are allowed via other security groups as required.

Not sure at the moment if I take this a stage further and use FWaaS between the public, private and management but I would guess that the individual SGs are adequate.

I've built all of this into a HOT that creates the environment and a single test VM in each - seems to work nicely.

Appreciate your thoughts on any other related topics? I can share the HOT but no idea where best to host that...

Best regards, Ian

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools


Asked: 2018-03-08 08:51:59 -0500

Seen: 301 times

Last updated: Mar 15 '18