How to access instances from the outside world?

asked 2014-11-17 02:40:08 -0600

Xeek

We've created a few instances on our MAAS+Juju+OpenStack cloud. All these instances have been assigned private IPs but can access the internet via NAT. Only our MAAS cluster controller node has a public IP. Now how should we access these instances from the outside world? Should we assign a separate unique public IP address to each of these instances, or is it possible to access them all without public IPs via NAT?

I understand there is a concept of associating a floating IP to an instance from a pool of IPs. But where shall I get the IP addresses that are required to be added to the pool?


1 answer

1

answered 2014-11-17 03:01:06 -0600

dbaxps

updated 2014-11-17 03:56:34 -0600

Can you create a neutron router && an external network to set up as the gateway for the router? If yes, then the allocation pool created with the external subnet is the pool of floating IPs for instances to be accessible from outside. DNAT && SNAT rules define the mapping of floating IPs to private ones. The same router should have an interface created to the desired private network. In this case the Neutron L3 routing table for a particular qrouter namespace may look like:

[root@juno1 ~(keystone_admin)]# ip netns exec qrouter-1cf08ea2-959f-4206-b2f1-a9b4708399c1 iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-PREROUTING
-N neutron-l3-agent-float-snat
-N neutron-l3-agent-snat
-N neutron-postrouting-bottom
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-OUTPUT -d 192.168.1.179/32 -j DNAT --to-destination 50.0.0.25
-A neutron-l3-agent-OUTPUT -d 192.168.1.175/32 -j DNAT --to-destination 50.0.0.32
-A neutron-l3-agent-OUTPUT -d 192.168.1.174/32 -j DNAT --to-destination 50.0.0.26
-A neutron-l3-agent-OUTPUT -d 192.168.1.176/32 -j DNAT --to-destination 50.0.0.35
-A neutron-l3-agent-POSTROUTING ! -i qg-7b037650-10 ! -o qg-7b037650-10 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 192.168.1.179/32 -j DNAT --to-destination 50.0.0.25
-A neutron-l3-agent-PREROUTING -d 192.168.1.175/32 -j DNAT --to-destination 50.0.0.32
-A neutron-l3-agent-PREROUTING -d 192.168.1.174/32 -j DNAT --to-destination 50.0.0.26
-A neutron-l3-agent-PREROUTING -d 192.168.1.176/32 -j DNAT --to-destination 50.0.0.35
-A neutron-l3-agent-float-snat -s 50.0.0.25/32 -j SNAT --to-source 192.168.1.179
-A neutron-l3-agent-float-snat -s 50.0.0.32/32 -j SNAT --to-source 192.168.1.175
-A neutron-l3-agent-float-snat -s 50.0.0.26/32 -j SNAT --to-source 192.168.1.174
-A neutron-l3-agent-float-snat -s 50.0.0.35/32 -j SNAT --to-source 192.168.1.176
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 50.0.0.0/24 -j SNAT --to-source 192.168.1.173
-A neutron-postrouting-bottom -j neutron-l3-agent-snat

Comments

192.168.0.0 - 192.168.255.255 belong to the private IP address range right? How can they be used to reach the instances from the outside world?

Xeek ( 2014-11-17 10:57:54 -0600 )

The sense of the word private in OpenStack differs from the usual. Create via the dashboard, for tenant demo, a private network demo_net, say 192.168.1.0/24 with allocation pool 192.168.1.10,192.168.1.254, dhcp=enabled, DNS=your real DNS server. Then as the demo user create a CirrOS VM, which should obtain an IP from the pool.

dbaxps ( 2014-11-17 11:37:02 -0600 )

Create a router as demo, with a gateway to the external network and an interface to 192.168.1.0/24. If the external network has been created properly, your CirrOS VM could ping any site on the Internet or run
$ curl http://lxer.com

dbaxps ( 2014-11-17 11:44:55 -0600 )

In my sample above, 50.0.0.0/24 is private and 192.168.1.0/24 is the external network from the neutron openstack flow standpoint. View http://textuploader.com/1hey, section "Create Neutron networks on Controller node" and below, for a better understanding of the Neutron L3 && L2 architecture.

dbaxps ( 2014-11-17 11:48:14 -0600 )
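An added example, not part of the original thread: a small audit script that turns the `iptables -S -t nat` listing from a qrouter namespace into a floating-IP-to-fixed-IP table, so you can see exactly which instances are reachable from the external network. It assumes the rule layout shown in the answer (192.168.1.0/24 external, 50.0.0.0/24 tenant); the function names are hypothetical and the 192.168.1.180 entry is constructed to show an incomplete mapping.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the rules quoted in the answer, plus one
# deliberately inconsistent floating IP (192.168.1.180) to show the check.
SAMPLE_RULES = """\
-A neutron-l3-agent-OUTPUT -d 192.168.1.179/32 -j DNAT --to-destination 50.0.0.25
-A neutron-l3-agent-PREROUTING -d 192.168.1.179/32 -j DNAT --to-destination 50.0.0.25
-A neutron-l3-agent-float-snat -s 50.0.0.25/32 -j SNAT --to-source 192.168.1.179
-A neutron-l3-agent-PREROUTING -d 192.168.1.175/32 -j DNAT --to-destination 50.0.0.32
-A neutron-l3-agent-OUTPUT -d 192.168.1.175/32 -j DNAT --to-destination 50.0.0.32
-A neutron-l3-agent-float-snat -s 50.0.0.32/32 -j SNAT --to-source 192.168.1.175
-A neutron-l3-agent-PREROUTING -d 192.168.1.180/32 -j DNAT --to-destination 50.0.0.40
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -s 50.0.0.0/24 -j SNAT --to-source 192.168.1.173
"""

DNAT = re.compile(r"^-A neutron-l3-agent-(PREROUTING|OUTPUT) -d (\S+)/32 -j DNAT --to-destination (\S+)$")
SNAT = re.compile(r"^-A neutron-l3-agent-float-snat -s (\S+)/32 -j SNAT --to-source (\S+)$")

def floating_ip_map(rules_text):
    """Return {floating_ip: {"fixed": ip, "chains": set_of_chains}}."""
    fips = defaultdict(lambda: {"fixed": None, "chains": set()})
    for line in map(str.strip, rules_text.splitlines()):
        m = DNAT.match(line)
        if m:
            chain, fip, fixed = m.groups()
        else:
            m = SNAT.match(line)
            if not m:
                continue  # metadata redirect, default SNAT, chain setup, etc.
            chain, (fixed, fip) = "float-snat", m.groups()
        entry = fips[fip]
        if entry["fixed"] not in (None, fixed):
            entry["chains"].add("CONFLICT")  # same floating IP, two targets
        entry["fixed"] = fixed
        entry["chains"].add(chain)
    return dict(fips)

def incomplete(fips):
    """Floating IPs lacking any of the three rules the listing shows per address."""
    need = {"PREROUTING", "OUTPUT", "float-snat"}
    return sorted(f for f, e in fips.items() if e["chains"] != need)

if __name__ == "__main__":
    table = floating_ip_map(SAMPLE_RULES)
    for fip, e in sorted(table.items()):
        print(f"{fip} -> {e['fixed']}  chains={sorted(e['chains'])}")
    print("incomplete:", incomplete(table))
```

Every address the table lists is an instance exposed on the external network, so compare it against the floating IPs you intended to associate and check the security group rules on those instances.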


Stats

Asked: 2014-11-17 02:33:34 -0600

Seen: 1,349 times

Last updated: Nov 17 '14