External Connectivity

Allowing traffic to the Internet

Next, we will allow external traffic to the Group Provider. Go to Project | Policy | Groups and, on the External tab, click Create External Group. Enter internet as the name for this group and click Next.

Ultimum OpenStack Cisco ACI - External Connectivity

Because we want to use a separate contract for access from the Internet, we will create a new Policy Rule Set under Consumed Policy Rule Set by clicking +:

Use contract_internet as the name for this contract and click Next.

Select ssh-policy, as this is the policy group we want to use, and click Create.

Confirm the selection of contract_internet as the Consumed Policy Set and click Create.

Confirm the selection of contract_internet as the Consumed Policy Set and click Next.

Select the public segment as the external connectivity and click Create.

You should now see a new group representing the public Internet.

Now add contract_internet to the provided contracts of group-provider. Go to the Internal tab and click Edit next to group-provider.

L3 Policy

Next, we create an L3 policy for external communication. Go to Project | Policy | Network and Services Policy and click the Edit button of the default L3 policy created by OpenStack.

Ultimum OpenStack Cisco ACI - L3 Policy

Click + to create a new external segment.

Click Create to confirm the creation.

Select the external segment and click Save Changes.

You should see the updated External segment of the default L3 policy. The external IP address begins with 169., which means it is a private IP used for internal addresses (something like link-local). In fact, a router was created in the network topology that will link the corresponding networks with the outside Internet.

You can check the new L3 policy and contract_internet in Cisco ACI.

The last step is to associate a Floating IP with vm-provider. Go to Project | Access & Security, select the Floating IPs tab and click Allocate IP To Project. Then confirm the allocation by clicking Allocate IP.

Ultimum OpenStack Cisco ACI - Floating IP

Click the Associate button.

In the following dialog, select the port of the vm-provider instance and click Associate.

Notice that the Floating IP address of vm-provider is now 91.220.201.117.

You are now able to connect to 91.220.201.117 with ssh from the Internet.

Floating IPs can be seen in the Cisco ACI common tenant.
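
The consumer/provider relationship configured above can be checked as a whitelist: traffic from the internet group reaches a group only if that group provides a rule set the internet group consumes. The following is an added example, not part of the original tutorial and not the GBP or ACI API; it is a small Python model of that evaluation. It assumes ssh-policy permits TCP port 22, and group-consumer is a hypothetical internal group with no Internet contract.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str
    port: int

@dataclass
class Group:
    name: str
    external: bool = False
    provided: set = field(default_factory=set)  # rule set names this group provides
    consumed: set = field(default_factory=set)  # rule set names this group consumes

# Assumption: ssh-policy allows TCP/22 (the tutorial only states that ssh works).
RULE_SETS = {"contract_internet": [Rule("ssh-policy", "tcp", 22)]}

def build_policy():
    """The groups from this walkthrough plus one hypothetical internal group."""
    internet = Group("internet", external=True, consumed={"contract_internet"})
    provider = Group("group-provider", provided={"contract_internet"})
    consumer = Group("group-consumer")  # hypothetical: provides nothing to internet
    return [internet, provider, consumer]

def allowed(src, dst, protocol, port, rule_sets=RULE_SETS):
    """Permit only if src consumes a rule set that dst provides and a rule matches."""
    for rs in src.consumed & dst.provided:
        if any(r.protocol == protocol and r.port == port for r in rule_sets.get(rs, [])):
            return True
    return False

def internet_exposure(groups, rule_sets=RULE_SETS):
    """Every (group, protocol, port) reachable from any external group."""
    exposed = set()
    for src in (g for g in groups if g.external):
        for dst in (g for g in groups if not g.external):
            for rs in src.consumed & dst.provided:
                exposed |= {(dst.name, r.protocol, r.port) for r in rule_sets.get(rs, [])}
    return exposed

def audit(groups, expected, rule_sets=RULE_SETS):
    """Exposure beyond what was intended; an empty set means policy matches intent."""
    return internet_exposure(groups, rule_sets) - expected

if __name__ == "__main__":
    groups = build_policy()
    print("Reachable from internet:", sorted(internet_exposure(groups)))
    print("Unexpected exposure:", audit(groups, {("group-provider", "tcp", 22)}))
```

Running the audit again after any contract change shows whether a newly provided rule set has widened what the external group can reach.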

Last modified: 2017-05-25