Connection refused means that no process is listening at port 9999. Have you configured Glance to use this port? Is it running at all?
EDIT
Let's use Glance as an example, and assume port 9999. Glance endpoints are configured, for example, in the install guide (step 4); use 9999 instead of 9292.
In the glance-api.conf, set bind_port to 9999.
You also need to configure the Glance endpoint for all the Services that use Glance, such as Nova and Cinder.
That's probably it, except if I forgot something :)
And of course, you will have to do similar things for all those services with non-default ports.
Depending on the tool or method you use to deploy the cloud, there may be shortcuts. Check the documentation if there are easier ways to configure all that.
end of EDIT
EDIT 2
I am not sure if it is possible to separate internal/public/admin endpoints. Keystone used to do that, but it's not recommended anymore AFAIK. Most services don't seem to allow this at all.
Further info in the Security Guide, which says:
Each project may present an inconsistent way of defining target API endpoints. Future releases of OpenStack seek to resolve these inconsistencies through consistent use of the Identity service catalog.
It seems that Nova is already doing this, see https://specs.openstack.org/openstack.... This means that in the future, all you have to do is setting the endpoints in Keystone's service catalog rather than configuration files.
End of EDIT 2
By the way, OpenStack is moving away from using ports, which will help with your problem. Most OpenStack services now support being front-ended by a web server, to which they connect via uwsgi (see spec https://governance.openstack.org/tc/g...). This means that instead of ports, symbolic URLs like http://10.10.150.101/glance are increasingly used.