Floating IP/security groups + hardware firewall

asked 2019-02-12 05:40:17 -0500

Marcel

Hi All, I'm looking for a solution to the following OpenStack setup:

  • hardware Juniper firewall facing the Internet
  • behind the firewall there is the whole OpenStack infrastructure (RedHat OS 13 "Queens")
  • public IPs stretched to OpenStack, so VMs can have an IP exposed to the Internet (via floating IP).

The problem: our FW allows only outbound traffic (openstack -> internet); in the reverse direction everything is blocked by default. When we assign/disassociate a floating IP or change a security group, it needs to be reflected in the FW settings as well. So my question is: what would be the best approach? Is there any ready-to-use solution or plugin we may take advantage of? Or, if not, is there a way we can get some notification from Nova/Neutron telling us that such an event has happened and its params?

