In Neutron, it is easy to create many private networks that allow communication between your instances. To allow access from your client to these, though, we must create a router on the provider network (an external network) that is routed into our OpenStack environment. This provider network allows us to allocate floating addresses to our instances.
Ensure that you have a suitable client available for using Neutron. If you are using the accompanying Vagrant environment, you can use the controller node. This has the python-neutronclient package installed that provides the neutron command-line client.
If you created this node with Vagrant, you can execute the following command:
vagrant ssh controller
Ensure you have the following credentials set (adjust the path to your certificates and key file to match your environment if not using the Vagrant environment):
export OS_TENANT_NAME=cookbook export OS_USERNAME=admin export OS_PASSWORD=openstack export OS_AUTH_URL=https://192.168.100.200:5000/v2.0/ export OS_NO_CACHE=1 export OS_KEY=/vagrant/cakey.pem export OS_CACERT=/vagrant/ca.pem
To create an external router on our Neutron network for a particular tenant, we need to have tenant admin privileges. We will first create a public network in our admin tenant and then attach this to a tenant's router that requires external access to our instances. This will be achieved by assigning of a floating IP to the instance.
Once our environment has been set correctly with admin privileges, follow these steps:
- We first need to get the service tenant ID that we can reference when creating the public shared network. To do so, issue the following command:
ADMIN_TENANT_ID=$(keystone tenant-list | awk '/ service / {print $2}')
- We can now create a new public network, which we will call
floatingNet, to provide our external routing capability. To do this, we issue the following commands:neutron net-create --tenant-id ${ADMIN_TENANT_ID} --router:external=True floatingNet
- We then create our external/floating range on this network. In this example, this external subnet is
192.168.100.0/24. To do this, we specify a n address range that we will manually assign to instances as floating address, ensuring that the allocation pool (the list of allowed IPs) does not conflict with any IPs used currently in our physical environment:neutron subnet-create --tenant-id ${ADMIN_TENANT_ID} --name floatingSubnet --allocation-pool start=192.168.100.10,end=192.168.100.20 --enable_dhcp=False floatingNet 192.168.100.0/24
- We now need to set a gateway on our Cookbook router (described in step 4 of the Creating a tenant Neutron network recipe) to this floating network using the following commands:
neutron router-gateway-set cookbook_router_1 floatingNet
- With the networking elements complete, we can now utilize this floating network. To do so, we assign a floating IP to our running instance, so first we need to see what IP has been assigned to our instance on the
cookbook_network_1network by issuing anova listcommand:nova listYou will get the following output:
- We also gather some information about the routers and Neutron network ports used in our environment. To collect information about our
cookbook_router_1network, issue the following command:neutron router-show cookbook_router_1You will get the following output. The information we need is the router ID and the Network ID:
- To assign a
floatingIP to the instance attached to this port, we issue the following command that first creates a newfloatingIP available for our use from thefloatingNetnetwork:neutron floatingip-create --tenant-id ${ADMIN_TENANT_ID} floatingNet
You will get the following output:
- We assign this floating IP to the port that our instance is attached to. This information can be found by interrogating the list of ports in use on the router:
neutron port-list --router_id=e63fe19d-7628-4180-994d-72035f770d77
You will get the following output and the information you need matches the IP address listed in the
nova listcommand. In this case, we need the port ID matching the IP address10.200.0.2, as this is assigned to our instance:
- In the preceding output, the instance with the IP address 10.200.0.2 is attached to port ID
3e5a298b-5ca8-4484-b473-fa71410fd31c. When we created thefloatingIP, this had an ID of48e2ca77-af4d-44b3-8c10-b6574d94d6ce. We associate this floating IP ID with the instance port ID to assign the floating IP to the instance using the following commands:neutron floatingip-associate 48e2ca77-af4d-44b3-8c10-b6574d94d6ce 3e5a298b-5ca8-4484-b473-fa71410fd31c
You will get the message
Associated floating IP 48e2ca77-af4d-44b3-8c10-b6574d94d6cewhen successful. - We are now able to access our instance using the assigned Floating IP address of
192.168.100.11, which had limited access from our network node:
We have created a network that allows us to assign floating addresses to our instances. This subnet is routable from the rest of the network outside OpenStack, or a public address space directly on the Internet. To do this, we first create a network in an admin tenant that can have a gateway set by using the --router:external=True flag to our neutron net-create command:
neutron net-create --tenant-id ADMIN_TENANT_ID --router:external=True NAME_OF_EXTERNAL_NETWORK
As we will be configuring addresses manually to allow us to assign floating IP addresses to instances, we specify a subnet where we define the range of IP addresses but disable DHCP:
neutron subnet-create --tenant-id ADMIN_TENANT_ID --name NAME_OF_SUBNET --allocation-pool start=IP_RANGE_START,end=IP_RANGE_END --enable_dhcp=False EXTERNAL_NETWORK_NAME SUBNET_CIDR
We assign a router gateway to the network by issuing the following command on an existing router on our network. This router then provides the appropriate NAT when we assign this to an instance on the private network connected to that router:
neutron router-gateway-set ROUTER_NAME EXTERNAL_NETWORK_NAME
Once configured, we can now allocate a floating IP address from this new range to our running instance. To do this, we run the following command:
nova list
Get the IP address of our running instance using the following command:
neutron router-show ROUTER_NAME
To get the ports in use on our router, use the following command:
neutron port-list --router_id=ROUTER_ID
To create a floating IP for our use from our external network, use the following command (note the tenant ID doesn't have to be the admin tenant as used in the example):
neutron floatingip-create --tenant-id=TENANT_ID EXTERNAL_NETWORK_NAME
To associate the Floating IP to the instance, we use the port ID associated with the instance (as shown in the port listing on our router):
neutron floatingip-associate FLOATING_IP_ID VM_PORT_ON_ROUTER
At this point, we can access this instance from our physical network on this floating IP address.