Mike is talking about our specific way of doing floating IPs - which is not the
default for Neutron, so you do *NOT* have to add an allowed-address pair for
the floating IP to work.

You will however have to add to the security group rules to allow traffic from
whatever networks are connecting to your floating IP.  The reason for this is
that the floating IP is performed via NAT.  So traffic from, say, the internet
hits the floating IP and is destination NAT'd to the IP of your VM.  So from
your VM's standpoint it sees traffic from the internet trying to connect to
it.  If the security group rules on the VM do not allow this traffic it will be
dropped.
____________________________________________

Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.


From: Michael Dorman <[email protected]>
Date: Wednesday, April 8, 2015 at 8:38 AM
To: OpenStack Operators <[email protected]>
Subject: Re: [Openstack-operators] [Neutron]floatingip with security group

Yup, you need to configure an "address pair" for the floating IP.  This isn't 
specifically a security groups thing, but it will allow traffic to the floating 
IP to pass into the VM to which it is associated.

Under the covers, it's implemented similarly to security groups, but is not 
directly a security groups function.


From: LeeKies
Date: Wednesday, April 8, 2015 at 2:42 AM
To: OpenStack Operators
Subject: [Openstack-operators] [Neutron]floatingip with security group

I create a VM with a default security group, then I create and associate a
floating IP with this VM.
But I can't connect to the floating IP. I check the security group, and I think
it's the SG problem. I add a rule in the default SG, and then I can connect to the
floating IP.

When I create a floating IP, do I have to add a rule in the security group to
allow the IP for ingress?
_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
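
The behaviour described in the top reply (destination NAT first, then the security group sees the original source) as an added example; it is not code from the thread or from Neutron. All class and function names are hypothetical, the addresses are constructed from documentation ranges, and the "internal_only" rule set is a simplified stand-in for a group that admits only tenant-internal sources.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class IngressRule:
    remote_cidr: str  # source prefix the rule admits
    proto: str
    port_min: int
    port_max: int

    def matches(self, pkt: Packet) -> bool:
        in_prefix = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.remote_cidr)
        return in_prefix and pkt.proto == self.proto and self.port_min <= pkt.dport <= self.port_max

def dnat(pkt: Packet, floating_to_fixed: dict) -> Packet:
    """Rewrite only the destination (floating IP -> fixed IP); the source is kept."""
    fixed = floating_to_fixed.get(pkt.dst)
    return pkt if fixed is None else replace(pkt, dst=fixed)

def delivered(pkt: Packet, floating_to_fixed: dict, rules: list) -> bool:
    """Default-deny ingress filter on the VM port, evaluated after DNAT."""
    translated = dnat(pkt, floating_to_fixed)
    return any(rule.matches(translated) for rule in rules)

# Constructed sample data (documentation address ranges, not from the thread).
FLOATING_TO_FIXED = {"203.0.113.10": "10.0.0.5"}
SSH_FROM_CLIENT = Packet(src="198.51.100.7", dst="203.0.113.10", proto="tcp", dport=22)

RULESETS = {
    # Simplified stand-in for a group that only admits tenant-internal sources.
    "internal_only": [IngressRule("10.0.0.0/24", "tcp", 1, 65535)],
    # Naming the floating IP as the remote does not help: it is never the source.
    "floating_ip_as_remote": [IngressRule("203.0.113.10/32", "tcp", 22, 22)],
    # Admit the network the client actually connects from.
    "client_network": [IngressRule("198.51.100.0/24", "tcp", 22, 22)],
}

def evaluate_all() -> dict:
    return {name: delivered(SSH_FROM_CLIENT, FLOATING_TO_FIXED, rules)
            for name, rules in RULESETS.items()}

if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:24} {'ACCEPT' if ok else 'DROP'}")
```

Only the rule whose remote prefix covers the connecting client's source address lets the packet through; keep that prefix as narrow as the real client networks allow.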
