
Making OpenStack API public

asked 2015-02-04 12:21:54 -0500

Mathias Ewald

Hi, I am trying to find a good way to give the public (Internet) access to an existing OpenStack cloud. Let's assume the environment was set up using private IP addresses, say for all OpenStack services. Now I would like to allow customers to deploy instances and work with them from the internet. There are 2 problems I am seeing off the top of my head if I tried to NAT OpenStack services to public IP addresses:

1) Keystone's service catalog points to URLs (endpoints) that cannot be reached from the internet. All URLs point to somewhere on the network.

2) The URL that is returned by nova for VNC access also points to an internal address.

Well, one way would be to deploy OpenStack controller(s) in a DMZ right from the beginning, but that is a very ugly way in my opinion.

So my questions: How is that typically handled?


2 answers


answered 2015-02-05 12:15:24 -0500

Mathias Ewald

Thanks for the steps :) Your setup is assuming users from the inside can access the public IPs, right? There is no way to make that unnecessary, is there?


answered 2015-02-04 23:03:05 -0500

larsks

  1. Update your keystone catalog so that the publicURL for your services points to a routable IP address. This will probably involve a series of endpoint-delete and endpoint-create commands.
  2. Update your nova configuration to use the public IP for novncproxy_base_url (and any other *_base_url settings that are in use in your environment).
  3. Make sure that any services that rely on Keystone are configured to use the internalURL endpoints, if you want them communicating using your private IP addresses. For example, Heat has an endpoint_type setting for the services it expects to consume.

And don't forget to restart services after you modify their configuration files.



It is assuming that everyone consuming your API endpoints is accessing them at the same IP address, yes. I don't know if there's a good way around that.

larsks (2015-02-06 10:11:09 -0500)
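
A way to check the result of the three steps in larsks's answer, as an added example that is not part of the original thread: it audits a Keystone v2.0-style service catalog and a nova.conf fragment for URLs on the wrong side of the NAT. The sample data, the function names and the choice of RFC 1918 ranges as "internal" are assumptions made for the example.

```python
import configparser, ipaddress, json
from urllib.parse import urlparse

# Assumption: the cloud's internal addressing is RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: Keystone v2.0 token response, trimmed to the catalog.
SAMPLE_CATALOG = json.dumps({"access": {"serviceCatalog": [
    {"name": "nova", "type": "compute", "endpoints": [{
        "publicURL": "http://10.0.0.10:8774/v2/t1",    # step 1 not done yet
        "internalURL": "http://10.0.0.10:8774/v2/t1",
        "adminURL": "http://10.0.0.10:8774/v2/t1"}]},
    {"name": "glance", "type": "image", "endpoints": [{
        "publicURL": "http://203.0.113.10:9292",
        "internalURL": "http://203.0.113.10:9292",     # step 3 concern
        "adminURL": "http://10.0.0.10:9292"}]}]}})

# Constructed sample nova.conf fragment.
SAMPLE_NOVA_CONF = "[DEFAULT]\nnovncproxy_base_url = http://10.0.0.10:6080/vnc_auto.html\n"

def is_internal(url):
    """True/False for an IP-literal host; None for a DNS name."""
    try:
        ip = ipaddress.ip_address(urlparse(url).hostname or "")
    except ValueError:
        return None  # DNS name: cannot be judged offline, so it is never flagged
    return ip.is_loopback or any(ip in net for net in INTERNAL_NETS)

def audit_catalog(token_body):
    """Flag publicURLs on internal addresses and internalURLs on public ones."""
    findings = []
    for svc in json.loads(token_body)["access"]["serviceCatalog"]:
        for ep in svc["endpoints"]:
            if is_internal(ep["publicURL"]) is True:
                findings.append((svc["name"], "publicURL", ep["publicURL"]))
            if is_internal(ep["internalURL"]) is False:
                findings.append((svc["name"], "internalURL", ep["internalURL"]))
    return findings

def audit_base_urls(conf_text):
    """Flag *_base_url options (e.g. novncproxy_base_url) on internal addresses."""
    cp = configparser.ConfigParser(default_section="__none__",
                                   interpolation=None, strict=False)
    cp.read_string(conf_text)
    return [(sec, key, val) for sec in cp.sections() for key, val in cp.items(sec)
            if key.endswith("_base_url") and is_internal(val)]

if __name__ == "__main__":
    for finding in audit_catalog(SAMPLE_CATALOG) + audit_base_urls(SAMPLE_NOVA_CONF):
        print(finding)
```

The internalURL check only applies if, as in step 3, service-to-service traffic is meant to stay on the private addresses.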


Asked: 2015-02-04 12:21:54 -0500

Seen: 915 times

Last updated: Feb 04 '15