SNATaaS

There is a number of ways to provide servers with internet access. For outbound traffic, this can be achieved with a floating IP, a proxy server or through the activated SNAT-as-a-Service for internet. Whereas a floating IP is a associated to a single instance, multiple instances can share the SNAT service.

Contents

The SNAT service has be be activated by project administration and is visible to the OpenStack user as a logical router.

SNAT activation

The SNAT service is implemented by a logical router which is a separate node from the project local router. It is visible in the list of routers as snat_juice_<project-name>_external_internet_provider_x (Figure 1).

Router configuration

First, the local network and subnet are created as described in https://pannet.atlassian.net/l/c/LBPBhoJt

After the SNAT service has been enabled (by the project administrator), outbound internet access is provided to project instances after adding the subnet to the SNAT logical router:

openstack router add subnet <router-id> <subnet-id>

Testing

To test the SNAT service, SSH access to an instance on the SNAT enabled local network is needed, such as by SSH proxy command through another instance with a floating IP.

No configuration is needed on the instance, provided that DNS server information has been added to the subnet declaration. A ping or curl to a public IP address would verify its operation. The SNAT is therefore easier to set up and use than a proxy server, see https://pannet.atlassian.net/l/c/WAJtuo5E