How to access instances from the outside world?

asked 2014-11-17 02:40:08 -0600

Xeek

We've created a few instances on our MAAS+Juju+OpenStack cloud. All these instances have been assigned private IPs but can access the internet via NAT. Only our MAAS cluster controller node has a public IP. Now how should we access these instances from the outside world? Should we assign a separate unique public IP address to each of these instances, or is it possible to access them all without public IPs via NAT?

I understand there is a concept of associating a floating IP to an instance from a pool of IPs. But where shall I get the IP addresses that are required to be added to the pool?


1 answer


answered 2014-11-17 03:01:06 -0600

dbaxps

updated 2014-11-17 03:56:34 -0600

Can you create a neutron-router && external network, to set up as gateway for the router? If yes, then the allocation pool created with the external subnet is the pool of floating IPs for instances to be accessible from outside. DNAT && SNAT rules define the mapping of floating IPs to private ones. The same router should have an interface created to the desired private network. In this case the Neutron L3 routing table for the particular qrouter namespace may look like:

[root@juno1 ~(keystone_admin)]# ip netns exec qrouter-1cf08ea2-959f-4206-b2f1-a9b4708399c1 iptables -S -t nat
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-PREROUTING
-N neutron-l3-agent-float-snat
-N neutron-l3-agent-snat
-N neutron-postrouting-bottom
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-OUTPUT -d -j DNAT --to-destination
-A neutron-l3-agent-OUTPUT -d -j DNAT --to-destination
-A neutron-l3-agent-OUTPUT -d -j DNAT --to-destination
-A neutron-l3-agent-OUTPUT -d -j DNAT --to-destination
-A neutron-l3-agent-POSTROUTING ! -i qg-7b037650-10 ! -o qg-7b037650-10 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d -j DNAT --to-destination
-A neutron-l3-agent-PREROUTING -d -j DNAT --to-destination
-A neutron-l3-agent-PREROUTING -d -j DNAT --to-destination
-A neutron-l3-agent-PREROUTING -d -j DNAT --to-destination
-A neutron-l3-agent-float-snat -s -j SNAT --to-source
-A neutron-l3-agent-float-snat -s -j SNAT --to-source
-A neutron-l3-agent-float-snat -s -j SNAT --to-source
-A neutron-l3-agent-float-snat -s -j SNAT --to-source
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s -j SNAT --to-source
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
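As an added example (not part of the answer above), a small Python check that parses an `iptables -S -t nat` listing from a qrouter namespace and verifies that every floating IP has both halves of its mapping: the inbound DNAT rule in `neutron-l3-agent-PREROUTING` and the outbound SNAT rule in `neutron-l3-agent-float-snat`. The sample rules are constructed with documentation addresses; the chain names are the ones shown in the answer.

```python
"""Audit floating-IP NAT rules taken from `ip netns exec qrouter-<id> iptables -S -t nat`."""
import re
from typing import Dict, List, Tuple

# Constructed sample (RFC 5737 / RFC 1918 addresses): two floating IPs,
# the second one deliberately missing its float-snat half.
SAMPLE_RULES = """\
-A neutron-l3-agent-OUTPUT -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-OUTPUT -d 203.0.113.11/32 -j DNAT --to-destination 10.0.0.6
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-PREROUTING -d 203.0.113.11/32 -j DNAT --to-destination 10.0.0.6
-A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 203.0.113.10
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 203.0.113.2
"""

# Inbound: floating IP (-d) is rewritten to the fixed IP (--to-destination).
DNAT_RE = re.compile(r"^-A neutron-l3-agent-PREROUTING -d (\S+) -j DNAT --to-destination (\S+)$")
# Outbound: fixed IP (-s) is rewritten to the floating IP (--to-source).
SNAT_RE = re.compile(r"^-A neutron-l3-agent-float-snat -s (\S+) -j SNAT --to-source (\S+)$")


def parse_floating_maps(rules: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (dnat: floating -> fixed, snat: fixed -> floating)."""
    dnat: Dict[str, str] = {}
    snat: Dict[str, str] = {}
    for line in rules.splitlines():
        m = DNAT_RE.match(line)
        if m:
            dnat[m.group(1).split("/")[0]] = m.group(2)  # drop the /32 suffix
            continue
        m = SNAT_RE.match(line)
        if m:
            snat[m.group(1).split("/")[0]] = m.group(2)
    return dnat, snat


def audit(rules: str) -> List[str]:
    """Report floating IPs whose DNAT and float-snat rules do not form a 1:1 pair."""
    dnat, snat = parse_floating_maps(rules)
    problems = []
    for floating, fixed in dnat.items():
        if snat.get(fixed) != floating:
            problems.append(f"{floating} -> {fixed}: inbound DNAT without matching float-snat")
    for fixed, floating in snat.items():
        if dnat.get(floating) != fixed:
            problems.append(f"{fixed} -> {floating}: float-snat without matching DNAT")
    return sorted(problems)


if __name__ == "__main__":
    for problem in audit(SAMPLE_RULES) or ["all floating IPs mapped consistently"]:
        print(problem)
```

The metadata REDIRECT rule and the per-subnet default SNAT in `neutron-l3-agent-snat` are intentionally ignored, since neither belongs to a floating-IP pair.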

Comments

- belong to the private IP address range, right? How can they be used to reach the instances from the outside world?

Xeek (2014-11-17 10:57:54 -0600)

The sense of the word "private" in OpenStack differs from the usual one. Create via the dashboard, for tenant demo, a private network demo_net, say with allocation pool,, dhcp=enabled, DNS=your real DNS server. Then as demo user create a CirrOS VM, which should obtain an IP from the pool.

dbaxps (2014-11-17 11:37:02 -0600)

Create a router as demo, with gateway to the external network and interface to . If the external network has been created properly, your CirrOS VM could ping any site on the Internet or run
$ curl

dbaxps (2014-11-17 11:44:55 -0600)

In my sample above, is private and is the external network from the Neutron OpenStack flow standpoint. View the section "Create Neutron networks on Controller node" and below for a better understanding of the Neutron L3 && L2 architecture.

dbaxps (2014-11-17 11:48:14 -0600)


Asked: 2014-11-17 02:33:34 -0600

Seen: 1,742 times

Last updated: Nov 17 '14