
Private Network shared between two or more Public Cloud projects

vrack

#1

Is it possible to connect two public cloud servers to the same private network if they are on the same vRack but in different projects? The intention would be to have a single project containing database or monitoring servers that are exposed over a private network to a number of frontend projects.

I asked our account manager and they said it was:

You can connect two different instances in different projects, via the same vRack.

Here is a link to our Public Cloud vRack guide - https://docs.ovh.com/gb/en/public-cloud/public-cloud-vrack/ - if you’ve followed the steps in the guide and are still having some trouble, you can reach out to our UK support team via your account, and they will be able to advise further.

I did speak with a colleague and they recommended that you manually assign the IPs per instance, to avoid the possibility of the same IP being assigned in two different projects.

I created a Private Network (with static IP addressing) in one of the projects and attached a server.
I then tried to use python-novaclient to run nova interface-attach but if I try it from the project containing the network I get “unknown server”, and if I try it from the project with the server I get “unknown network”. Although both projects are on the same vRack each one has its own tenant id, so I can’t see how it would work. There must be some other tool I need to use.

I would just use the Managed Kubernetes Service but it’s not available in the UK region.

Any help would be much appreciated!

  • Paul

#2

Hi Paul,

I had a similar need and I just found the solution.

What I assume you have (VLAN numbers and IP just for the example):
projectA and projectB both in the same vrack.
networkA (VLAN 100, 10.100.0.0/16) in projectA, with serverA using it (eth 10.100.0.54/16)
networkB (VLAN 200, 10.200.0.0/16) in projectB, with serverB using it (eth 10.200.0.66/16)

The need in my case: being able to communicate between serverA and serverB, by having a network interface in networkB attached to serverA.

  1. get project ID of projectA
    $ source ./openstack-openrc-projectA.sh
    $ openstack project list

  2. share networkB with projectA
    $ source ./openstack-openrc-projectB.sh
    $ openstack network list # get the ID of networkB to share with projectA
    $ openstack network rbac create --target-project [ID_PROJECT_A] --action access_as_shared --type network [ID_NETWORK_B]

  3. on projectA, create an interface in networkB, and attach it to serverA:
    $ source ./openstack-openrc-projectA.sh
    # get the ID of subnetB
    $ openstack subnet list
    # create interface
    $ openstack port create --network [ID_NETWORK_B] --fixed-ip subnet=[ID_SUBNET_B],ip-address=10.200.0.1 [INTERFACE_NAME]
    # get serverA ID
    $ openstack server list
    # get the new interface ID
    $ openstack port list
    # attach interface to serverA
    $ openstack server add port [ID_SERVER_A] [ID_NEW_INTERFACE]
    # enable interface
    $ openstack port set --enable [ID_NEW_INTERFACE]

  4. Give an IP on the new interface in serverA, assuming the new interface is seen as eth2:
    debian@serverA $ sudo ip a add 10.200.0.1/16 dev eth2


#3

Yes, setting access controls “access_as_shared” on the network must be the key I was missing here!

I’d have thought this was a common use case - one project containing a shared resource (eg database cluster), and numerous front-end projects connecting to it via a common private network. But apparently not!

Thank you for taking the time to share, this is amazing.


#4

By coincidence, I’ve just had a reply from OVH support!
Their alternative solution is to create individual networks in both projects, configured as static IP, but use the same vLAN ID in both projects which allows cross-communication. They referenced this guide, which I had read but didn’t realise it could be used to join two networks:

This is the advice I was given:

Each project uses its own network, but if you make the networks on the same vLAN, both projects will be able to communicate with each other. But please be careful not to use DHCP. In such a setup you should use STATIC configuration because, since they are different OpenStack networks, they can conflict with DHCP.

All done on the OVH control panel or the OVH API:
From step 1-4 you should not use OpenStack CLI or Horizon at all.

1- Add project A to vRack
2- Add project B to vRack
3- Create private network on project A
4- Create private network on project B - must be on the same vLAN as project A
5- Add the new private network interface to the instances
6- Manually configure the interfaces within the operating system of the instances - Static config
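
The thread's advice to assign static addresses by hand leaves duplicate detection to the operator. The following check is an added example, not part of the original posts or of any OVHcloud tooling: it validates a static address plan for several projects sharing one VLAN. The project names, server names, addresses and the `check_static_plan` function are constructed for illustration.

```python
"""Added example: validate static addressing for projects sharing one vRack VLAN."""
import ipaddress
from collections import defaultdict

# Constructed sample inventory (hypothetical names and addresses): each project
# lists the static address configured inside every instance on the shared VLAN.
SHARED_SUBNET = "10.100.0.0/16"
INVENTORY = {
    "projectA": {"db1": "10.100.0.10/16", "monitor1": "10.100.0.11/16"},
    "projectB": {"web1": "10.100.1.10/16", "web2": "10.100.0.10/16"},
    "projectC": {"web3": "10.200.0.5/16", "web4": "10.100.2.7/24"},
}


def check_static_plan(subnet, inventory):
    """Return a sorted list of problems; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(subnet)
    problems = []
    owners = defaultdict(list)  # address -> ["project/server", ...]
    for project, servers in inventory.items():
        for server, cidr in servers.items():
            name = f"{project}/{server}"
            try:
                iface = ipaddress.ip_interface(cidr)
            except ValueError:
                problems.append(f"{name}: {cidr!r} is not a valid address/prefix")
                continue
            if iface.ip not in net:
                problems.append(f"{name}: {iface.ip} is outside {net}")
                continue
            # A mismatched prefix makes the instance misjudge which peers are on-link.
            if iface.network.prefixlen != net.prefixlen:
                problems.append(
                    f"{name}: prefix /{iface.network.prefixlen} differs from /{net.prefixlen}")
            if iface.ip in (net.network_address, net.broadcast_address):
                problems.append(f"{name}: {iface.ip} is the network or broadcast address")
            owners[iface.ip].append(name)
    # No single project's view reveals a duplicate held by another project,
    # so the comparison has to run over the merged inventory.
    for ip, names in owners.items():
        if len(names) > 1:
            problems.append(f"{ip} assigned more than once: {', '.join(sorted(names))}")
    return sorted(problems)


if __name__ == "__main__":
    for line in check_static_plan(SHARED_SUBNET, INVENTORY):
        print("PROBLEM:", line)
```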