Configuring Network Address Translation
Network Address Translation (NAT) is a process for modifying the source or destination addresses in the headers of an IP packet while the packet is in transit. In general, the sender and receiver applications are not aware that the IP packets are manipulated.
In OpenStack, the external network provides Internet access for instances. By default, this network only allows Internet access from instances, using Source Network Address Translation (SNAT). In SNAT, the NAT router modifies the IP address of the sender in IP packets. SNAT is commonly used to enable hosts with private addresses to communicate with servers on the public Internet.
OpenStack enables Internet access to an instance by using floating IPs. Floating IPs are not allocated to instances by default. Cloud users should get floating IPs from the pool configured by the OpenStack administrator and then attach them to their instances. A floating IP is implemented by Destination Network Address Translation (DNAT). In DNAT, the NAT router modifies the IP address of the destination in IP headers.
SNAT – Internet Access from VM
Figure 1 describes an OpenStack instance accessing the Internet.
To enable Internet access from VMs, the network to which the VM is connected should be connected to a router. This router must have its gateway set to the external network created by the administrator. The Juniper Networks Neutron plug-in configures SNAT on the router to rewrite the source address of all the VMs to the address of the router interface that is connected to the external network.
DNAT – Internet Access to VM
Figure 2 describes accessing an OpenStack instance from the Internet.
To enable Internet access to VMs, a floating IP is allocated to the VM from a pool of IP addresses allocated to the tenant by the administrator. The floating IP should be a routable IP. The Juniper Networks Neutron plug-in configures the external-facing interface of the router to proxy ARP for this IP address and to DNAT traffic destined for the floating IP to the VM.
Plugin Configuration
To configure the plug-in:
Update the Neutron configuration file /etc/neutron/neutron.conf by setting the service_plugins option in the [DEFAULT] section as follows:
service_plugins = neutron.services.juniper_l3_router.dmi.l3.JuniperL3Plugin
Restart the Neutron service as follows:
service neutron-server restart
Configuring External Network Access
To configure external network access:
Create a network.
Launch an instance on the network created.
Create a router.
Add the new network to the router.
Set gateway of the router to the external network.
Ping from VM to any IP in the external network.
Configuring Access to VM from an External Network
To configure access to a VM from an external network:
Associate a floating IP from the floating IP pool of the external network to the instance that is created.
Configure security rules in security group to allow traffic from the external network. For example, ICMP ALLOW ALL for both ingress and egress traffic.
You can access the VM through the floating IP.
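Both procedures above as a shell script, added here as an example and not part of the Juniper documentation. It assumes the python-openstackclient "openstack" command, an external network named public created by the administrator, and constructed names, CIDRs, image and flavor for the tenant resources; rather than ICMP ALLOW ALL from anywhere, it limits ingress to an administrator CIDR.

```shell
#!/bin/sh
# Added example, not from the Juniper documentation: both procedures above as
# openstack CLI calls (python-openstackclient). All names, CIDRs, image and flavor
# are constructed placeholders; "public" stands for the administrator's external
# network. DRY_RUN=1 prints each command instead of running it.

EXT_NET="${EXT_NET:-public}"                # external network (SNAT/DNAT gateway)
TENANT_NET="${TENANT_NET:-tenant-net}"
TENANT_SUBNET="${TENANT_SUBNET:-tenant-subnet}"
TENANT_CIDR="${TENANT_CIDR:-10.10.0.0/24}"  # private range, SNATed on egress
ROUTER="${ROUTER:-tenant-router}"
VM="${VM:-web-vm}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"  # only this range may reach the VM

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# "Configuring External Network Access": network, instance, router, attach the
# network, set the gateway. The plug-in then SNATs the VM's traffic to the
# router's external interface address, so the VM can reach the Internet.
provision_external_access() {
  run openstack network create "$TENANT_NET"
  run openstack subnet create --network "$TENANT_NET" --subnet-range "$TENANT_CIDR" "$TENANT_SUBNET"
  run openstack server create --image cirros --flavor m1.tiny --network "$TENANT_NET" "$VM"
  run openstack router create "$ROUTER"
  run openstack router add subnet "$ROUTER" "$TENANT_SUBNET"
  run openstack router set --external-gateway "$EXT_NET" "$ROUTER"
}

# Allocate a floating IP from the external network's pool and return its address.
# In dry-run mode a constructed address (192.0.2.10) stands in for the allocation.
allocate_floating_ip() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "192.0.2.10"; return; fi
  openstack floating ip create "$EXT_NET" -f value -c floating_ip_address
}

# "Configuring Access to VM from an External Network": DNAT via floating IP plus
# security group rules. Rather than ICMP ALLOW ALL from anywhere, ingress is
# limited to ADMIN_CIDR; the default group already allows all egress.
provision_inbound_access() {
  fip=$(allocate_floating_ip)
  run openstack server add floating ip "$VM" "$fip"
  run openstack security group rule create --protocol icmp --ingress --remote-ip "$ADMIN_CIDR" default
  run openstack security group rule create --protocol tcp --dst-port 22 --ingress --remote-ip "$ADMIN_CIDR" default
}

if [ "${APPLY:-0}" = "1" ]; then provision_external_access && provision_inbound_access; fi
```

Run with APPLY=1 against a real cloud, or with DRY_RUN=1 APPLY=1 to review the exact commands first.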