A New Solution to an Old Problem?
Setting up OneGate to work with isolated VNETs has often presented challenges, requiring a fresh approach each time an OpenNebula environment is designed.
The new implementation of Transparent Proxies provides an effective solution. This feature allows the secure reuse of backbone networking within your data center for OneGate traffic without requiring complex design-stage decisions.
How It Works
Inside guest VMs, OneGate is consistently accessible via the link-local address 169.254.16.9, regardless of the number of VNETs in use. Hypervisor hosts automatically route guest requests through the proxy, leveraging the service network to connect to the actual OneGate endpoint. The process is seamless and efficient.
Getting Started
Transparent Proxies are not limited to OneGate traffic. They also allow for the definition of custom services. Here’s an example configuration.
Add the following to your “OpenNebulaNetwork.conf” file:
:tproxy:
# OneGate service.
- :service_port: 5030
  :remote_addr: 10.11.12.13 # OpenNebula Front-end VIP
  :remote_port: 5030
# Custom service.
- :service_port: 1234
  :remote_addr: 10.11.12.34
  :remote_port: 1234
To propagate the changes, simply run “onehost sync -f” as oneadmin, deploy your guests, and you’re ready to go!
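A pre-flight check for the ":tproxy:" section that can be run before "onehost sync -f" pushes it to every hypervisor. This is an added example, not OpenNebula's own code: lint_tproxy and its helpers are hypothetical names, and the rules it enforces (integer ports in 1..65535, a literal IP in remote_addr, no repeated service_port) are assumptions about a sane configuration rather than documented validation.

```ruby
require 'yaml'
require 'ipaddr'
# Constructed sample that mirrors the :tproxy: section shown above.
SAMPLE_CONF = <<~CONF
  :tproxy:
  - :service_port: 5030
    :remote_addr: 10.11.12.13 # OpenNebula Front-end VIP
    :remote_port: 5030
  - :service_port: 1234
    :remote_addr: 10.11.12.34
    :remote_port: 1234
CONF

def valid_port?(port)
  port.is_a?(Integer) && port.between?(1, 65_535)
end

# True only for a single host address (no hostname, no CIDR prefix).
def valid_ip?(value)
  text = value.to_s
  return false if text.empty? || text.include?('/')
  IPAddr.new(text)
  true
rescue IPAddr::Error
  false
end

# Hypothetical helper: returns a list of problems, empty when the section is clean.
def lint_tproxy(yaml_text)
  # safe_load with only Symbol permitted: the file uses Ruby symbol keys.
  conf = YAML.safe_load(yaml_text, permitted_classes: [Symbol]) || {}
  entries = conf.is_a?(Hash) ? conf[:tproxy] : nil
  return ['no :tproxy: section'] unless entries.is_a?(Array)
  seen = {}
  entries.each_with_index.flat_map do |entry, i|
    next ["entry #{i}: not a mapping (check indentation)"] unless entry.is_a?(Hash)
    found = []
    %i[service_port remote_port].each do |key|
      found << "entry #{i}: #{key} must be an integer in 1..65535" unless valid_port?(entry[key])
    end
    found << "entry #{i}: remote_addr is not an IP address" unless valid_ip?(entry[:remote_addr])
    port = entry[:service_port]
    found << "entry #{i}: service_port #{port} duplicates entry #{seen[port]}" if seen.key?(port)
    seen[port] ||= i if valid_port?(port)
    found
  end
end

problems = lint_tproxy(SAMPLE_CONF)
puts(problems.empty? ? 'tproxy section OK' : problems)
```

An entry whose ":remote_addr:" and ":remote_port:" lines have lost their indentation still parses as YAML, but the keys land outside the list item; the check reports that entry as incomplete.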
For more details, you can read further here. This feature will be available in the next maintenance release.