← Back to team overview

openstack team mailing list archive

Safe to expose various ports to the public (5000, 8774, etc, and via NAT)?


Something that doesn't seem to be well discussed is how safe Openstack
(and the corresponding services/API's) is to be exposed to the public.
For instance, how safe is it to expose port 5000 to the general
public? Port 8774?

Right now, the only thing we have exposed to the public is the Horizon
dashboard. Our controller current sits on a private LAN segment
(172.x.x.x). Anything that we do with the API, we utilize a VPN for
(for the moment).

So, how safe is it, and what can be safely exposed? We would like to
enable our users (even if it is closely controlled via hardware
firewall rules) to utilize the various API's.

On an alternate topic, since we utilizing hardware firewalls, and
thus, NAT, when we attempt to connect the the PUBLIC IP address (API,
say 5000), our connection stalls attempting to make a connection to
private_ip:8774. We assume this is what the public_endpoint directive
in keystone.conf is for?

(If it matters, we are running the Essex release on Ubuntu 12.04).