Commit bb248821 authored by Andrei Kirushchanka

Merge branch 'fip_doc' into 'master'

Add documentation for working with FIPs/jump host/sshuttle

See merge request cloud/documentation!16
parents 50b5fa12 baa43f14
Branches master
......@@ -25,3 +25,18 @@ OpenStack instances use 1442 bytes MTU (maximum transmission unit) instead of st
able to setup correct MTU with its counterpart via Path MTU Discovery. Docker needs MTU setup explicitly. Refer documentation for setting up
1442 MTU in [Docker](https://docs.docker.com/v17.09/engine/userguide/networking/default_network/custom-docker0/) or
[Kubernetes](https://docs.projectcalico.org/v3.5/usage/configuration/mtu).
## How many floating IPs does my group project need?
One floating IP per project should generally suffice. All OpenStack instances are deployed on top of internal OpenStack networks. These internal networks are not by default accessible from outside of OpenStack, but instances on top of same internal network can communicate with each other.
To access internet from an instance, or access instance from the internet, you could allocate floating public IP per instance. Since there are not many public IP addresses available and assigning public IP to every instance is not security best practise, both in public and private clouds these two concepts are used:
* **internet access is provided by virtual router** - all new OpenStack projects are created with *group-project-network* internal network connected to virtual router with public IP as a gateway. Every instance created with *group-project-network* can access internet through NAT provided by it's router by default.
* **accessing the instances:**
* **I need to access instances by myself** - best practice for accessing your instances is creating one server with floating IP called [jump host](https://en.wikipedia.org/wiki/Jump_server) and then access all other instances through this host. Simple setup:
1. Create instance with any Linux.
2. Associate floating IP with this instance.
3. Install [sshuttle](https://github.com/sshuttle/sshuttle) on your client.
4. `sshuttle -r root@jump_host_fip 192.168.0.1/24`. All your traffic to internal OpenStack network *192.168.0.1/24* is now tunneled through jump host.
* **I need to serve content (e.g. webservice) to other users** - public and private clouds provide LBaaS (Load-Balancer-as-a-Service) service, which proxies users traffic to instances. We are planning to deploy this functionality in 2020. Currently you can create LB manually by installing and configuring e.g. HAproxy on your jump host.
In case, that these options are not suitable for you usecase, you can still request multiple floating IPs.
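Review bot: step 4 of the jump host setup logs in as root (`sshuttle -r root@jump_host_fip 192.168.0.1/24`) on the one instance that carries a public floating IP. sshuttle does not need root on the remote side, so the example should use an unprivileged account with key-based SSH authentication, and the steps should say that the jump host's security group is expected to limit SSH to known source addresses. The CIDR is written as a host address: `192.168.0.1/24`, here and in the sentence that follows it, should be the network address `192.168.0.0/24`. The LBaaS bullet recommends running HAProxy on the jump host, which puts a public-facing service on the administrative entry point; consider recommending a separate instance for it. Wording in the added text: "it's router" should be "its router", "practise" should be "practice", and "you usecase" should be "your use case".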
......@@ -41,7 +41,7 @@ request a group project from User Support and provide the following basic inform
* __name of the project__,
* __purpose of the project__,
* __contact information__,
* __amount and type of requested resources__,
* __amount and type of requested resources__ _[(please read first)](/faq/#how-many-floating-ips-does-my-group-project-need)_,
* __impact would the service have on unavailability for 1h, 1d, 1w__,
* __estimated length of the project__,
* __access control information__ _[(info)](#get-access-control-information)_.
......
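Review bot: the new link on the "amount and type of requested resources" item uses a site-absolute path, `/faq/#how-many-floating-ips-does-my-group-project-need`, while the access control item in the same list uses a plain anchor (`#get-access-control-information`). The absolute form only resolves when the documentation is served from the site root, and the fragment has to match the slug generated from the new FAQ heading "How many floating IPs does my group project need?", so it is worth checking in a rendered build or switching to a relative link to the FAQ page. The link text "(please read first)" does not say what it points to; something like "(floating IP guidance)" would make the request form self-explanatory.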