Chapter 5. Managing floating IP addresses

In addition to having a private, fixed IP address, VM instances can have a public, or floating, IP address to communicate with other networks. The information in this section describes how to create and manage floating IPs with the Red Hat OpenStack Platform (RHOSP) Networking service (neutron).

5.1. Creating floating IP pools

You can use floating IP addresses to direct ingress network traffic to your OpenStack instances. First, you must define a pool of validly routable external IP addresses, which you can then assign to instances dynamically. OpenStack Networking routes all incoming traffic destined for that floating IP to the instance that you associate with the floating IP.

Note

OpenStack Networking allocates floating IP addresses to all projects (tenants) from the same IP ranges in CIDR format. As a result, all projects can consume floating IPs from every floating IP subnet. You can manage this behavior using quotas for specific projects. For example, you can set the default to 10 for ProjectA and ProjectB, while setting the quota for ProjectC to 0.

Procedure

  • When you create an external subnet, you can also define the floating IP allocation pool.

    $ openstack subnet create --no-dhcp --allocation-pool start=IP_ADDRESS,end=IP_ADDRESS --gateway IP_ADDRESS --subnet-range SUBNET_RANGE --network NETWORK_NAME SUBNET_NAME

    If the subnet hosts only floating IP addresses, consider disabling DHCP allocation with the --no-dhcp option in the openstack subnet create command.

    Example

    $ openstack subnet create --no-dhcp --allocation-pool start=192.168.100.20,end=192.168.100.100 --gateway 192.168.100.1 --subnet-range 192.168.100.0/24 --network public public_subnet

Verification

  • You can verify that the pool is configured properly by assigning a random floating IP to an instance. For more information, see Section 5.4, “Assigning a random floating IP”.
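
The following Python check is an added example, not part of the Red Hat procedure. It validates an allocation pool against its subnet range and gateway, and compares the pool size with the per-project floating IP quotas described in the note. The function name, the quota dictionary, and the larger quota values in the second call are assumptions made for illustration.

```python
import ipaddress

def check_floating_pool(subnet_range, start, end, gateway, quotas):
    """Return (pool_size, problems) for a floating IP allocation pool.

    quotas maps a project name to its floating IP quota; a negative value
    (-1) means unlimited in the Networking service quota settings.
    """
    net = ipaddress.ip_network(subnet_range)
    first, last, gw = (ipaddress.ip_address(a) for a in (start, end, gateway))
    problems = []
    if first > last:
        problems.append("pool start is above pool end")
    for label, addr in (("start", first), ("end", last), ("gateway", gw)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
    if first <= gw <= last:
        problems.append(f"gateway {gw} is inside the allocation pool")
    for special in (net.network_address, net.broadcast_address):
        if first <= special <= last:
            problems.append(f"pool includes reserved address {special}")
    size = max(int(last) - int(first) + 1, 0)
    # Every project draws from the same pool, so quotas are the only limit.
    unlimited = sorted(p for p, q in quotas.items() if q < 0)
    if unlimited:
        problems.append("unlimited quota for: " + ", ".join(unlimited))
    committed = sum(q for q in quotas.values() if q > 0)
    if committed > size:
        problems.append(f"quotas total {committed}, pool holds {size}")
    return size, problems

# Values from the example above; the quotas follow the note (10, 10, 0).
PAGE_POOL = ("192.168.100.0/24", "192.168.100.20", "192.168.100.100",
             "192.168.100.1")

if __name__ == "__main__":
    print(check_floating_pool(*PAGE_POOL,
                              {"ProjectA": 10, "ProjectB": 10, "ProjectC": 0}))
    # Constructed case: quotas that could exhaust the shared pool.
    print(check_floating_pool(*PAGE_POOL, {"ProjectA": 50, "ProjectB": 50}))
```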

5.2. Assigning a specific floating IP

You can assign a specific floating IP address to a VM instance.

Procedure

  • Allocate a floating IP address to an instance by using the openstack server add floating ip command.

    Example

    $ openstack server add floating ip prod-serv1 192.0.2.200

Validation steps

  • Confirm that your floating IP is associated with your instance by using the openstack server show command.

    Example

    $ openstack server show prod-serv1

    Sample output

    +-----------------------------+------------------------------------------+
    | Field                       | Value                                    |
    +-----------------------------+------------------------------------------+
    | OS-DCF:diskConfig           | MANUAL                                   |
    | OS-EXT-AZ:availability_zone | nova                                     |
    | OS-EXT-STS:power_state      | Running                                  |
    | OS-EXT-STS:task_state       | None                                     |
    | OS-EXT-STS:vm_state         | active                                   |
    | OS-SRV-USG:launched_at      | 2021-08-11T14:45:37.000000               |
    | OS-SRV-USG:terminated_at    | None                                     |
    | accessIPv4                  |                                          |
    | accessIPv6                  |                                          |
    | addresses                   | public=198.51.100.56,192.0.2.200         |
    |                             |                                          |
    | config_drive                |                                          |
    | created                     | 2021-08-11T14:44:54Z                     |
    | flavor                      | review-ephemeral                         |
    |                             | (8130dd45-78f6-44dc-8173-4d6426b8e520)   |
    | hostId                      | 2308c8d8f60ed5394b1525122fb5bf8ea55c78b8 |
    |                             | 0ec6157eca4488c9                         |
    | id                          | aef3ca09-887d-4d20-872d-1d1b49081958     |
    | image                       | rhel8                                    |
    |                             | (20724bfe-93a9-4341-a5a3-78b37b3a5dfb)   |
    | key_name                    | example-keypair                          |
    | name                        | prod-serv1                               |
    | progress                    | 0                                        |
    | project_id                  | bd7a8c4a19424cf09a82627566b434fa         |
    | properties                  |                                          |
    | security_groups             | name='default'                           |
    | status                      | ACTIVE                                   |
    | updated                     | 2021-08-11T14:45:37Z                     |
    | user_id                     | 4b7e19a0d723310fd92911eb2fe59743a3a5cd32 |
    |                             | 45f76ffced91096196f646b5                 |
    | volumes_attached            |                                          |
    +-----------------------------+------------------------------------------+

5.3. Creating an advanced network

Advanced network options are available to administrators who create a network in the Dashboard from the Admin view. Use these options to specify projects and to define the network type that you want to use.

Procedure

  1. In the dashboard, select Admin > Networks > Create Network > Project.
  2. From the Project drop-down list, select the project that you want to host the new network.
  3. Review the options in Provider Network Type:

    • Local - Traffic remains on the local Compute host and is effectively isolated from any external networks.
    • Flat - Traffic remains on a single network and can also be shared with the host. No VLAN tagging or other network segregation takes place.
    • VLAN - Create a network using a VLAN ID that corresponds to a VLAN present in the physical network. This option allows instances to communicate with systems on the same layer 2 VLAN.
    • GRE - Use a network overlay that spans multiple nodes for private communication between instances. Traffic egressing the overlay must be routed.
    • VXLAN - Similar to GRE, and uses a network overlay to span multiple nodes for private communication between instances. Traffic egressing the overlay must be routed.
  4. Click Create Network.

    Review the Project Network Topology to validate that the network has been successfully created.

5.4. Assigning a random floating IP

You can dynamically allocate floating IP addresses to VM instances from a pool of external IP addresses.

Procedure

  1. Enter the following command to allocate a floating IP address from the pool. In this example, the network is named public.

    Example

    $ openstack floating ip create public

    Sample output

    In the following example, the newly allocated floating IP is 192.0.2.200. You can assign it to an instance.

    +---------------------+--------------------------------------------------+
    | Field               | Value                                            |
    +---------------------+--------------------------------------------------+
    | fixed_ip_address    | None                                             |
    | floating_ip_address | 192.0.2.200                                      |
    | floating_network_id | f0dcc603-f693-4258-a940-0a31fd4b80d9             |
    | id                  | 6352284c-c5df-4792-b168-e6f6348e2620             |
    | port_id             | None                                             |
    | router_id           | None                                             |
    | status              | ACTIVE                                           |
    +---------------------+--------------------------------------------------+

  2. Enter the following command to locate your instance:

    $ openstack server list

    Sample output

    +-------------+-------------+--------+-------------+-------+-------------+
    | ID          | Name        | Status | Networks    | Image | Flavor      |
    +-------------+-------------+--------+-------------+-------+-------------+
    | aef3ca09-88 | prod-serv1  | ACTIVE | public=198. | rhel8 | review-     |
    | 7d-4d20-872 |             |        | 51.100.56   |       | ephemeral   |
    | d-1d1b49081 |             |        |             |       |             |
    | 958         |             |        |             |       |             |
    |             |             |        |             |       |             |
    +-------------+-------------+--------+-------------+-------+-------------+

  3. Associate the instance name or ID with the floating IP.

    Example

    $ openstack server add floating ip prod-serv1 192.0.2.200

Validation steps

  • Enter the following command to confirm that your floating IP is associated with your instance.

    Example

    $ openstack server show prod-serv1

    Sample output

    +-----------------------------+------------------------------------------+
    | Field                       | Value                                    |
    +-----------------------------+------------------------------------------+
    | OS-DCF:diskConfig           | MANUAL                                   |
    | OS-EXT-AZ:availability_zone | nova                                     |
    | OS-EXT-STS:power_state      | Running                                  |
    | OS-EXT-STS:task_state       | None                                     |
    | OS-EXT-STS:vm_state         | active                                   |
    | OS-SRV-USG:launched_at      | 2021-08-11T14:45:37.000000               |
    | OS-SRV-USG:terminated_at    | None                                     |
    | accessIPv4                  |                                          |
    | accessIPv6                  |                                          |
    | addresses                   | public=198.51.100.56,192.0.2.200         |
    |                             |                                          |
    | config_drive                |                                          |
    | created                     | 2021-08-11T14:44:54Z                     |
    | flavor                      | review-ephemeral                         |
    |                             | (8130dd45-78f6-44dc-8173-4d6426b8e520)   |
    | hostId                      | 2308c8d8f60ed5394b1525122fb5bf8ea55c78b8 |
    |                             | 0ec6157eca4488c9                         |
    | id                          | aef3ca09-887d-4d20-872d-1d1b49081958     |
    | image                       | rhel8                                    |
    |                             | (20724bfe-93a9-4341-a5a3-78b37b3a5dfb)   |
    | key_name                    | example-keypair                          |
    | name                        | prod-serv1                               |
    | progress                    | 0                                        |
    | project_id                  | bd7a8c4a19424cf09a82627566b434fa         |
    | properties                  |                                          |
    | security_groups             | name='default'                           |
    | status                      | ACTIVE                                   |
    | updated                     | 2021-08-11T14:45:37Z                     |
    | user_id                     | 4b7e19a0d723310fd92911eb2fe59743a3a5cd32 |
    |                             | 45f76ffced91096196f646b5                 |
    | volumes_attached            |                                          |
    +-----------------------------+------------------------------------------+

5.5. Creating multiple floating IP pools

OpenStack Networking supports one floating IP pool for each L3 agent. Therefore, you must scale your L3 agents to create additional floating IP pools.

Procedure

  • Make sure that in /var/lib/config-data/puppet-generated/neutron/etc/neutron/neutron.conf the property handle_internal_only_routers is set to True for only one L3 agent in your environment. This option configures the L3 agent to manage only non-external routers.

5.6. Configuring floating IP port forwarding

To enable users to set up port forwarding for floating IPs, you must enable the Red Hat OpenStack Platform (RHOSP) Networking service (neutron) port_forwarding service plug-in.

Prerequisites

  • You must have RHOSP administrator privileges.
  • The port_forwarding service plug-in requires that you also set the router service plug-in.

Procedure

  1. Log in to the undercloud host as the stack user.
  2. Source the stackrc undercloud credentials file:

    $ source ~/stackrc

  3. In a custom environment YAML file, set the port_forwarding service plug-in:

    parameter_defaults:
      NeutronPluginExtensions: "router,port_forwarding"

    Note

    The port_forwarding service plug-in requires that you also set the router service plug-in.

  4. If you use the ML2/OVS mechanism driver with the Networking service, you must also set the port_forwarding extension for the OVS L3 agent:

    parameter_defaults:
      NeutronPluginExtensions: "router,port_forwarding"
      NeutronL3AgentExtensions: "port_forwarding"

  5. Deploy your overcloud and include the core heat templates, environment files, and this new custom environment file.

    Important

    The order of the environment files is important because the parameters and resources defined in subsequent environment files take precedence.

    $ openstack overcloud deploy --templates \
     -e <your_environment_files> \
     -e /home/stack/templates/my-environment.yaml

    RHOSP users can now set up port forwarding for floating IPs. For more information, see Section 5.7, “Creating port forwarding for a floating IP”.

Verification

  1. Source the overcloud credentials file.

    Example

    $ source ~/overcloudrc

  2. Ensure that the Networking service has successfully loaded the port_forwarding and router service plug-ins:

    $ openstack extension list --network -c Name -c Alias --max-width 74 | \
    grep -i -e 'Neutron L3 Router' -i -e floating-ip-port-forwarding

    Sample output

    A successful verification produces output similar to the following:

    | Floating IP Port Forwarding       | floating-ip-port-forwarding        |
    | Neutron L3 Router                 | router                             |

5.7. Creating port forwarding for a floating IP

You can use Red Hat OpenStack Platform Networking service (neutron) to set up port forwarding for a floating IP.

Procedure

  1. Source your credentials file.

    Example

    $ source ~/overcloudrc

  2. Use the following command to create port forwarding for a floating IP:

    $ openstack floating ip port forwarding create \
    --internal-ip-address <internal-ip-address> \
    --port <port> \
    --internal-protocol-port <port-number> \
    --external-protocol-port <port-number> \
    --protocol <protocol> \
    <floating-ip>

    • Replace <internal-ip-address> with the internal, destination IP address.

      This is the IP address that is associated with the instance on which the application is running.

    • Replace <port> with the name or ID of the Networking service port to which the instance is attached.
    • Replace <port-number> in --internal-protocol-port with the internal, destination port number.

      This is the port number that the application running in the instance uses.

    • Replace <port-number> in --external-protocol-port with the external, source port number.

      This is the port number that the application running outside of your RHOSP cloud uses.

    • Replace <protocol> with the protocol, such as TCP or UDP, used by the application that receives the port-forwarded traffic.
    • Replace <floating-ip> with the floating IP whose specified port traffic you want to forward.

      Example

      This example creates port forwarding for an instance that is attached to the floating IP 198.51.100.47. The floating IP uses the Networking service port 1adfdb09-e8c6-4708-b5aa-11f50fc22d62. When the Networking service detects incoming, external traffic addressed to 198.51.100.47:80, it forwards the traffic to the internal IP address, 203.0.113.107, on TCP port 8080:

      $ openstack floating ip port forwarding create \
      --internal-ip-address 203.0.113.107 \
      --port 1adfdb09-e8c6-4708-b5aa-11f50fc22d62 \
      --internal-protocol-port 8080 \
      --external-protocol-port 80 \
      --protocol tcp \
      198.51.100.47

Verification

  • Confirm that the Networking service has established forwarding for the floating IP port.

    Example

    The following example verifies successful port forwarding for the floating IP 198.51.100.47:

    $ openstack floating ip port forwarding list 198.51.100.47 --max-width 74

    Sample output

    The output shows that traffic sent to the floating IP 198.51.100.47 on TCP port 80 is forwarded to port 8080 on the instance with the internal address 203.0.113.107:

    +----------+------------------+---------------------+---------------+---------------+----------+-------------+
    | ID       | Internal Port ID | Internal IP Address | Internal Port | External Port | Protocol | Description |
    +----------+------------------+---------------------+---------------+---------------+----------+-------------+
    | 5cf204c7 | 1adfdb09-e8c6-47 | 203.0.113.107       |          8080 |            80 | tcp      |             |
    | -6825-45 | 08-b5aa-11f50fc2 |                     |               |               |          |             |
    | de-84ec- | 2d62             |                     |               |               |          |             |
    | 2eb507be |                  |                     |               |               |          |             |
    | 543e     |                  |                     |               |               |          |             |
    +----------+------------------+---------------------+---------------+---------------+----------+-------------+
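
The verification step can be turned into a drift check, shown here as an added example that is not part of the Red Hat procedure. It compares the forwardings on a floating IP with the intended set and reports anything unexpected, retargeted, or missing. It assumes the list is fetched with the CLI's -f json formatter and that the JSON keys match the column headers in the table above; the second sample entry and the EXPECTED mapping are constructed for illustration.

```python
import json

# Constructed sample of what
#   openstack floating ip port forwarding list 198.51.100.47 -f json
# might return. The first entry is the forwarding created in this section;
# the second is a made-up entry that nobody approved.
SAMPLE_JSON = """[
  {"ID": "5cf204c7-6825-45de-84ec-2eb507be543e",
   "Internal Port ID": "1adfdb09-e8c6-4708-b5aa-11f50fc22d62",
   "Internal IP Address": "203.0.113.107", "Internal Port": 8080,
   "External Port": 80, "Protocol": "tcp", "Description": ""},
  {"ID": "00000000-0000-0000-0000-000000000001",
   "Internal Port ID": "1adfdb09-e8c6-4708-b5aa-11f50fc22d62",
   "Internal IP Address": "203.0.113.107", "Internal Port": 22,
   "External Port": 2222, "Protocol": "tcp", "Description": ""}
]"""

# Intended state: (protocol, external port) -> (internal IP, internal port)
EXPECTED = {("tcp", 80): ("203.0.113.107", 8080)}

def audit_forwardings(raw_json, expected):
    """Return a sorted list of (finding, (proto, ext_port), (ip, int_port))."""
    actual = {}
    for row in json.loads(raw_json):
        key = (row["Protocol"].lower(), int(row["External Port"]))
        actual[key] = (row["Internal IP Address"], int(row["Internal Port"]))
    findings = []
    for key, target in sorted(actual.items()):
        if key not in expected:
            # An external port is open that the intended state does not list.
            findings.append(("unexpected", key, target))
        elif expected[key] != target:
            # The external port is approved but now reaches another target.
            findings.append(("retargeted", key, target))
    for key in sorted(set(expected) - set(actual)):
        findings.append(("missing", key, expected[key]))
    return findings

if __name__ == "__main__":
    for finding in audit_forwardings(SAMPLE_JSON, EXPECTED):
        print(finding)
```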

5.8. Bridging the physical network

Bridge your virtual network to the physical network to enable connectivity to and from virtual instances.

In this procedure, the example physical interface, eth0, is mapped to the bridge, br-ex; the virtual bridge acts as the intermediary between the physical network and any virtual networks.

As a result, all traffic traversing eth0 uses the configured Open vSwitch to reach instances.

To map a physical NIC to the virtual Open vSwitch bridge, complete the following steps:

Procedure

  1. Open /etc/sysconfig/network-scripts/ifcfg-eth0 in a text editor, and update the following parameters with values appropriate for the network at your site:

    • IPADDR
    • NETMASK
    • GATEWAY
    • DNS1 (name server)

      Here is an example:

      # vi /etc/sysconfig/network-scripts/ifcfg-eth0
      DEVICE=eth0
      TYPE=OVSPort
      DEVICETYPE=ovs
      OVS_BRIDGE=br-ex
      ONBOOT=yes

  2. Open /etc/sysconfig/network-scripts/ifcfg-br-ex in a text editor and update the virtual bridge parameters with the IP address values that were previously allocated to eth0:

    # vi /etc/sysconfig/network-scripts/ifcfg-br-ex
    DEVICE=br-ex
    DEVICETYPE=ovs
    TYPE=OVSBridge
    BOOTPROTO=static
    IPADDR=192.168.120.10
    NETMASK=255.255.255.0
    GATEWAY=192.168.120.1
    DNS1=192.168.120.1
    ONBOOT=yes

    You can now assign floating IP addresses to instances and make them available to the physical network.
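
Before restarting networking, the two files can be checked for consistency. The following Python check is an added example, not part of the Red Hat procedure. It assumes, as in the example files above, that the IP address lives only on the bridge and that both interfaces start at boot; the function names are illustrative.

```python
import ipaddress

# The two example files from this section, embedded so the check runs offline.
IFCFG_ETH0 = """DEVICE=eth0
TYPE=OVSPort
DEVICETYPE=ovs
OVS_BRIDGE=br-ex
ONBOOT=yes
"""
IFCFG_BR_EX = """DEVICE=br-ex
DEVICETYPE=ovs
TYPE=OVSBridge
BOOTPROTO=static
IPADDR=192.168.120.10
NETMASK=255.255.255.0
GATEWAY=192.168.120.1
DNS1=192.168.120.1
ONBOOT=yes
"""

def parse_ifcfg(text):
    """Parse KEY=value lines of an ifcfg file, ignoring comments and blanks."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def check_bridge_mapping(nic_text, bridge_text):
    """Return a list of problems in the NIC-to-bridge mapping (empty if none)."""
    nic, br = parse_ifcfg(nic_text), parse_ifcfg(bridge_text)
    problems = []
    if nic.get("TYPE") != "OVSPort" or nic.get("DEVICETYPE") != "ovs":
        problems.append("NIC is not declared as an OVS port")
    if br.get("TYPE") != "OVSBridge":
        problems.append("bridge is not TYPE=OVSBridge")
    if nic.get("OVS_BRIDGE") != br.get("DEVICE"):
        problems.append("NIC OVS_BRIDGE does not name the bridge DEVICE")
    if "IPADDR" in nic:
        # Assumption: the address moves to the bridge, as in the example files.
        problems.append("IP address is still configured on the NIC")
    for cfg, name in ((nic, "NIC"), (br, "bridge")):
        if cfg.get("ONBOOT") != "yes":
            problems.append(f"{name} is not brought up at boot")
    try:
        iface = ipaddress.ip_interface(f"{br['IPADDR']}/{br['NETMASK']}")
        if ipaddress.ip_address(br["GATEWAY"]) not in iface.network:
            problems.append("GATEWAY is outside the bridge subnet")
    except (KeyError, ValueError) as exc:
        problems.append(f"bridge addressing is incomplete or invalid: {exc}")
    return problems

if __name__ == "__main__":
    print(check_bridge_mapping(IFCFG_ETH0, IFCFG_BR_EX) or "mapping is consistent")
```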

5.9. Adding an interface

You can use interfaces to interconnect routers with subnets so that routers can direct any traffic that instances send to destinations outside of their intermediate subnet.

To add a router interface and connect the new interface to a subnet, complete these steps:

Note

This procedure uses the Network Topology feature. Using this feature, you can see a graphical representation of all your virtual routers and networks while you perform network management tasks.

  1. In the dashboard, select Project > Network > Network Topology.
  2. Locate the router that you want to manage, hover your mouse over it, and click Add Interface.
  3. Specify the Subnet that you want to connect to the router.

    You can also specify an IP address. The address is useful for testing and troubleshooting purposes, since a successful ping to this interface indicates that the traffic is routing as expected.

  4. Click Add interface.

    The Network Topology diagram automatically updates to reflect the new interface connection between the router and subnet.

5.10. Deleting an interface

You can remove an interface to a subnet if you no longer require the router to direct traffic for the subnet.

To delete an interface, complete the following steps:

  1. In the dashboard, select Project > Network > Routers.
  2. Click the name of the router that hosts the interface that you want to delete.
  3. Select the interface type (Internal Interface), and click Delete Interfaces.