The Open Telekom Cloud (OTC) offers a number of services to customer VMs that these can use without needing to have internet access.
While many of these are preconfigured in the public images from the OTC ImageFactory and thus will automatically be used, customers with private images will need to configure their images (and networks) to use these explicitly. Customers creating subnets via the API will also need to configure the name server (DNS) themselves.
We thus provide an overview of these services in this document.
There is a shorter description of images and public services available in our document center: Customer Documentation Public Images
Public service zone services
T-Systems operates the OTC public services in the public service zone `100.125.4/24` of the OTC provider network. These services cannot be reached from outside the OTC (unless you have a VPN tunnel); they are reachable by all VMs in OTC without the need for an external IP address (EIP / Floating-IP).
The following table gives an overview:
| Hostname | IP address | Type of Service | Notes |
|---|---|---|---|
| - | 100.125.4.25 | DNS | HA setup [1] |
| smt01-suse.otc-service.com | 100.125.4.20 | Repo (HTTP[S]) | openSUSE, SLES, CentOS [2] |
| debmirror01.otc-service.com | 100.125.4.30 | Repo (HTTP[S]) | Debian 8.x |
| rhui-cds01.otc-service.com | 100.125.4.34 | RHUI (HTTP[S]) | RedHat 6/7 Update Infra |
| winupdate.otc-service.com | 100.125.4.22 | WSUS | Windows updates (WSUS) |
Except for the DNS server, we recommend not using the IP addresses explicitly anywhere, as they are subject to change. The above IP addresses refer to the `eu-de` region and may differ (except for the DNS server) in other regions.
The hostnames are all in the `otc-service.com` domain; the region-independent domain has been used on purpose here. The region name can be prefixed to the domain name, though this is not recommended.
We explicitly recommend using the internal DNS server; not only does it provide better performance and avoid the need to allow outgoing traffic to the internet, it also provides internal addresses for the API endpoints, see below.
The DNS server is normally pushed to the VMs via a DHCP setting which is configured through the subnet configuration in OTC/OpenStack. The internal DNS server (`100.125.4.25`) is preconfigured in the subnet config in the Web Interface ("Service Console"). When creating a subnet via API, you need to specify the name server(s):

```
neutron subnet-create --dns-nameserver 100.125.4.25 --dns-nameserver 8.8.8.8 --name MYSUBNET MYNET MYCIDR
```

Here we have used the Google public nameserver (`8.8.8.8`) as secondary DNS -- feel free to use any server that suits your needs. Replace `MYSUBNET` with your desired name for the subnet, `MYNET` with the name of a configured network and `MYCIDR` with the network IP range in CIDR notation (e.g. `172.16.224/20`). Note that 8.8.8.8 will only work for VMs that have outgoing internet access (via an external IP address or SNAT).
While the correct time is injected from the host into a VM at boot time, the time can diverge and lose synchronicity over time; NTP is recommended in each VM. Our public images (except for Ubuntu [3]) have NTP configured; for Ubuntu and private images, we recommend setting up NTP via `user_data`:

```
#cloud-config
ntp:
  servers:
    - ntp01.otc-service.com
    - ntp02.otc-service.com
  #pools:
  #  - de.pool.ntp.org
```
In the future, we intend to use a DHCP extension to push NTP config to the VMs.
Linux repository mirrors
The free Linux distributions come with the public online repositories preconfigured in the images. These only work when the VM has outgoing internet access (be it via an EIP address or via SNAT). The commercial Linux distributions do not come with preconfigured update repositories.
If the image is booted without being set to bring your own license (BYOL) / bring your own subscription, a vendor_data script will configure the internal repository servers to provide maintenance updates from the Linux distribution / vendor. This way, we make it easy for customers to stay up to date with updates; we highly recommend installing at least security updates regularly and promptly -- it is the single most important activity to keep your VMs secure.
Important: Do not override bootcmd in user_data nor disable vendor_data if you need working update repositories in your VM created from public images in OTC!
For BYOL VMs, it is the customer's responsibility to ensure license compliance and to provide and configure working update repositories for the VMs. (When booting a VM from one of the ImageFactory free Linux images with BYOL set, the public internet repositories will remain configured as opposed to the mirrors in OTC.)
The repository mirrors are synced several times per day and should thus trail the upstream repositories by no more than a few hours.
Windows update service
The Windows Key Management Server (KMS) allows Windows images to be activated and be subscribed to the update server (WSUS) for updates.
The API endpoints of OTC are available to the public internet, well protected behind Web-Application Firewalls (WAF) and intrusion detection systems. For VMs inside OTC, there are also internal IP addresses available via the above DNS server. This shortens the internal network path and provides a more reliable and better performing service, so we explicitly recommend using the OTC APIs via VMs on OTC with the internal DNS server (100.125.4.25) resolving the endpoint names.
| Hostname | Internal IPv4 | External IPv4 | Service |
|---|---|---|---|
| iam.eu-de.otc.t-systems.com | 100.125.1.20 | 184.108.40.206 | keystone, nova, ... [4] |
| obs.eu-de.otc.t-systems.com | 100.125.80.80 | 220.127.116.11 | Object Storage (S3) |
| dms.eu-de.otc.t-systems.com | 100.125.80.130 | 18.104.22.168 | DMS, SMN, CTS [5] |
The hostnames here are in the `eu-de.otc.t-systems.com` domain and the listed IP addresses refer to the `eu-de` region. We again recommend not hardcoding the IP addresses, as we reserve the right to change them.
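The two recommendations above (put the internal DNS server first, and do not hardcode any service address other than the DNS server) can be checked on a private image before it is rolled out. The following Python check is an added example, not part of the OTC tooling; the function names and sample files are constructed, and the addresses are the eu-de values from the tables on this page.

```python
import ipaddress
import re

# Addresses from the tables on this page (eu-de region).
SERVICE_ZONE = ipaddress.ip_network("100.125.4.0/24")  # written 100.125.4/24 on the page
INTERNAL_DNS = ipaddress.ip_address("100.125.4.25")    # the one address meant to be literal
API_INTERNAL = tuple(map(ipaddress.ip_address, ("100.125.1.20", "100.125.80.80", "100.125.80.130")))
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")
# Constructed sample files; the repository paths are made up for illustration.
SAMPLE_SOURCES = """\
# /etc/apt/sources.list (constructed)
deb http://debmirror01.otc-service.com/debian jessie main
deb http://100.125.4.30/debian-security jessie/updates main
"""
SAMPLE_RESOLV = "nameserver 8.8.8.8\nnameserver 100.125.4.25\n"


def hardcoded_service_ips(text):
    """Return (line_no, ip) for literal OTC service addresses other than the DNS server."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        for match in IPV4.finditer(line):
            try:
                ip = ipaddress.ip_address(match.group())
            except ValueError:
                continue  # looks like an address but is not one, e.g. 999.1.1.1
            if ip != INTERNAL_DNS and (ip in SERVICE_ZONE or ip in API_INTERNAL):
                hits.append((no, str(ip)))
    return hits


def resolver_findings(resolv_conf):
    """Check nameserver order and flag resolvers that need internet egress."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(ipaddress.ip_address(fields[1]))
    findings = []
    if not servers or servers[0] != INTERNAL_DNS:
        findings.append("internal DNS 100.125.4.25 is not the first nameserver")
    findings += [f"{s} needs outgoing internet access" for s in servers if s.is_global]
    return findings


if __name__ == "__main__":
    print(hardcoded_service_ips(SAMPLE_SOURCES), resolver_findings(SAMPLE_RESOLV))
```

For other regions, replace the constants with the values published for that region; only the DNS server address is stated to be the same everywhere.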
The trademarks referenced in this document are property of their respective owners. This applies to, but is not limited to, Windows (Microsoft), RedHat, SUSE, Ubuntu (Canonical), Open Telekom Cloud (T-Systems).
[1] While DNS does provide application level fallback, a load balancing solution has been chosen for DNS to deal with higher loads and to allow customers to use an independent secondary name server.
[2] The SUSE repository mirror also hosts the repositories from Open Build Service and the vendor-data.
[3] Canonical does not allow images to be changed; this is the reason for the lack of preconfiguration in Ubuntu.
[4] Many other OTC API endpoints (nova, cinder, glance, neutron, etc.) are on the same IP address, as they are all routed through the same API gateway.
[5] These are the new OTC 2.0 services behind a new API gateway.