Ask Your Question
1

Allow Direct Routing between External Network and Tenant Network

asked 2014-09-11 05:32:31 -0500

wanderlust gravatar image

We've begun the POC stage of deploying OpenStack within our internal network. The idea behind why we're using OpenStack rather that VMware, XenServer or even just KVM, is because we want to give our Developers the ability to automagically build their own servers and application platforms to deliver our products and services, without having the need to take time away from our BAU operations guys with having to build each server, and yes we can build it with templates etc, but there is either a requirement to give them access, which we certainly do not want, due to the high change that they'd balls the hypervisor, or the requirement that we need to actually spend time deploying the template.

Anyway, back to the requirement, is it possible, to directly route traffic from the proverbial "external network" to the tenant network, WITHOUT the use of NAT?

The external network already sits on it's own dedicated VLAN, and is routed back out from the tenant network?

The other reason for this, is because we wish to move our production servers for things such as Active Directory and Exchange across to the OpenStack cluster, but obviously with the tenant VM's having a "private ip" address that is not directly reachable causes some issues with AD reachability with the "external network".

Anyway, any suggestions or thoughts would be great.

At the moment we have a 5 node setup, 1 Controller, 1 Neutron, 3 Compute+Block nodes deployed using ML2 Neutron with Icehouse.

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted
0

answered 2014-09-27 20:48:39 -0500

larsks gravatar image

You may want to investigate the use of Neutron "provider networks". This lets you attach your Nova instances directly to existing networks in your environment. Documentation on this feature is sparse, but there is some introductory material available here:

edit flag offensive delete link more

Comments

Hey larsks, thanks for the info! We'll definitely look into it. The primary thing that we're wanting to do with this is to achieve is to enable support for our existing legacy Active Directory network, and Domain Controllers/Servers hosted on OpenStack.

wanderlust gravatar imagewanderlust ( 2014-09-28 04:54:37 -0500 )edit
0

answered 2014-09-27 12:42:00 -0500

edmv gravatar image

We used to do it, althouth later we saw no benefit over floating IPs NAT and discarded the use of static routes, but what we did was configure a static route on our firewall (route-eth1) with the following:

10.10.10.0/24 via 172.16.20.15 dev eth1

The 10.x.x.x is a tenant network, in openstack we defined our company's network (172.16.20.0/24) as a public network and interconnected the two using a neutron router. The static route uses the IP address (172.16.20.15) of the port the neutron router had taken from our public network.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-09-11 05:32:31 -0500

Seen: 2,784 times

Last updated: Sep 27 '14