Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring Network Address Translation

Network Address Translation (NAT) is a process for modifying the source or destination addresses in the headers of an IP packet while the packet is in transit. In general, the sender and receiver applications are not aware that the IP packets are manipulated.

In OpenStack, external network provides Internet access for instances. By default, this network only allows Internet access from instances using Source Network Address Translation (SNAT). In SNAT, the NAT router modifies the IP address of the sender in IP packets. SNAT is commonly used to enable hosts with private addresses to communicate with servers on the public Internet.

OpenStack enables Internet access to an instance by using floating IPs. Floating IPs are not allocated to instances by default. Cloud users should get the floating IPs from the pool configured by the OpenStack administrator and then attach them to their instances. Floating IP is implemented by Destination Network Address Translation (DNAT). In DNAT, the NAT router modifies the IP address of the destination in IP headers.

SNAT – Internet Access from VM

Figure 1 describes an OpenStack instance accessing Internet.

Figure 1: OpenStack Accessing the InternetOpenStack Accessing the Internet

To enable Internet access from VMs, the network to which VM is connected should be connected to a router. This router must have its gateway set to the external network created by the administrator. Juniper Networks Neutron plug-in configures SNAT on the router to modify source address of all the VMs to the address of the interface that is connected to external network.

DNAT – Internet Access to VM

Figure 2 describes accessing OpenStack instance from the Internet.

Figure 2: Accessing OpenStack from the InternetAccessing OpenStack from the Internet

To enable Internet access to VMs, a floating IP is allocated to the VM from a pool of IP addresses allocated to the tenant by administrator. The floating IP should be a routable IP. Juniper Networks Neutron plug-in configures the external facing interface of the router to proxy ARP for this IP address and DNATs for floating IP of the VM.

Plugin Configuration

To configure the plug-in:

  1. Update the Neutron configuration file /etc/neutron/neutron.conf as follows:

  2. Restart the Neutron service as follows:

Configuring an External Network Access

To configure an external network access:

  1. Create a network.

  2. Launch an instance on the network created.

  3. Create a router.

  4. Add the new network to the router.

  5. Set gateway of the router to the external network.

  6. Ping from VM to any IP in the external network.

Configuring Access to VM from an External Network

To configure access to a VM from an external network:

  1. Associate a floating IP from the floating IP pool of the external network to the instance that is created.

  2. Configure security rules in security group to allow traffic from the external network. For example, ICMP ALLOW ALL for both ingress and egress traffic.

  3. You can access the VM through the floating IP.