Split the public and floating networks

Asked by Jesse Pretorius

It appears that Fuel assumes that the public and floating networks share a CIDR when deploying with Neutron and GRE tunnels. Is it possible to ensure that these two ranges (and VLAN IDs) are separate?

We wish to ensure that the 'Public' network, being the network used by clients to access Horizon/the APIs/etc., has additional security protection (e.g. reverse proxy, SSL security, etc.).

Question information

Language: English
Status: Solved
For: Fuel for OpenStack
Assignee: No assignee
Solved by: Miroslav Anashkin

Jesse Pretorius (jesse-pretorius) said :
#2

Respectfully, I still disagree - especially because I have a production environment with Horizon and the APIs on a separate CIDR to the Instance Floating CIDR.

We have the following setup:

Internet - Edge Firewall - Web/API Network
                      | |
                      | ---------- Management Network
                      |-------------- Floating Network

The Edge Firewall is set up as a default gateway for all three networks.
The Floating network is defined in Neutron.
The Management Network is equivalent to a combination of the Fuel/Management networks in a Fuel deployment.
The Web/API Network is set up in the OpenStack configurations, not in Neutron. They are exposed through the Keystone service catalog as endpoints.

Granted, to make this work, L3 routing does need to be in place - but Neutron has nothing to do with the L3 routing required. It's only involved in terms of the Floating network.

Neutron's network configuration is not involved in defining the networking for the endpoints, so it cannot be involved in setting up L3 routing for them.

Am I missing something? Perhaps we have a mix-up in terminology here?

Best Miroslav Anashkin (manashkin) said :
#3

Greetings Jesse,

Yes, it is a Fuel UI limitation. (Though I thought it was Neutron.)

Actually, it should be possible to map the Public and Floating ranges to different CIDRs with the Fuel command line interface, by exporting, editing and importing back the corresponding node configuration .yaml files.
Please note: the built-in network connectivity check may not work properly in this case.

Kind regards,
Miroslav

Jesse Pretorius (jesse-pretorius) said :
#4

Thanks - useful to know. I'll be trying this out in a test environment during the next week or two.

Jesse Pretorius (jesse-pretorius) said :
#5

Thanks Miroslav Anashkin, that solved my question.