Brand Claim Brand Claim
by Kurt Garloff

Public Services in OTC

The Open Telekom Cloud (OTC) offers a number of services to customer VMs that these can use without needing to have internet access.

While many of these are preconfigured in the public images from the OTC ImageFactory and thus will automatically be used, customers with private images will need to configure their images (and networks) to use these explicitly. Customers creating subnets via the API will also need to configure the name server (DNS) themselves.

We thus provide an overview over the services in this document.

There is s shorter description of images and public services available in our document center: Customer Documentation Public Images

Public service zone services

T-Systems operates the OTC public services in the public service zone 100.125.4/24 of the OTC provider network. These services can not be reached from outside the OTC (unless you have a VPN tunnel); they are reachable by all VMs in OTC without the need for an external IP address (EIP / Floating-IP).

Find here the overview table:

Hostname IP address Type of Service Notes
- DNS HA setup 1 NTP AZ1 NTP AZ2 Repo (HTTP[S]) openSUSE, SLES, CentOS 2 Repo (HTTP[S]) dito Repo (HTTP[S]) Debian 8.x RHUI (HTTP[S]) RedHat 6/7 Update Infra RHUI (HTTP[S]) dito KMS Windows activation WSUS Windows updates (WSUS)

Except for the DNS server, we recommend not to use the IP addresses explicitly anywhere as they are subject to change. The above IP addresses refer to the eu-de region and may differ (except for DNS server) in other regions.

The hostnames are all in the domain; the region-independent domain has been used on purpose here. The region name can be prefixed to the domain name, though this is not recommended.


We explicitly recommend using the internal DNS server; not only does it provide better performance and avoids the need to allow outgoing traffic into the internet, it also provides internal addresses for the API endpoints, see below.

The DNS server is normally pushed to the VMs via a DHCP setting which is configured through the subnet configuration in OTC/OpenStack. The internal DNS server ( is preconfigured in the subnet config in the Web Interface ("Service Console"). When creating a subnet via API, you need to specify the name server(s):

neutron subnet-create --dns-nameserver --dns-nameserver --name MYSUBNET MYNET MYCIDR

Here we have used the google public nameserver ( as seoncdary DNS -- feel free to use any server that suits your needs. Replace MYSUBNET with you desired name for the subnet, MYNET with the name of a configured network and MYCIDR with the network IP range in CIDR notation (such as e.g. 172.16.224/20). Note that will only work for VMs that have outgoing internet access (via an external IP address or SNAT service.)


While the correct time is injected from the host into a VM at boot time, the time can diverge and lose synchronicity over time; NTP is recommended in each VM. Our public images (except for Ubuntu 3) have NTP configured; for Ubuntu and private images, we recommend setting up NTP via `user_data`:

    #    -

In the future, we intend to use a DHCP extension to push NTP config to the VMs.

Linux repository mirrors

The free Linux distributions come with the public online repositories preconfigured in the images. These only work, when the VM has outgoing internet access (be it via an EIP address or via SNAT). The commercial Linux distributions do not come with preconfigured update repositories.

If the image is booted without being set to bring you own license (BYOL) / bring your own subscription, a vendor_data script will configure the internal repository servers to provide maintenance updates from the Linux distribution / vendor. This way, we make it easy for customers to stay up to date with updates; we highly recommend installing at least security updates regularly and promptly -- it is the single most important activity to keep your VMs secure.

Important: Do not override bootcmd in user_data nor disable vendor_data if you need working update repositories in your VM created from public images in OTC!

For BYOL VMs, it is the customers responsibility to ensure license compliance and to provide and configure working update repositories for the VMs. (When booting a VM from one of the ImageFactory free Linux images with BYOL set, the public internet repositories will remain configured as opposed to the mirrors in OTC.)

The repository mirrors are synced several times per day and should thus trail the upstream repositories by no more than a few hours.

Windows update service

The Windows Key Management Server (KMS) allows Windows images to be activated and be subscribed to the update server (WSUS) for updates.

API endpoints

The API endpoints of OTC are available to the public internet, well protected behind Web-Application Firewalls (WAF) and intrusion detection systems. For VMs inside OTC, there are also internal IP addresses available via the above DNS server. This shortens the internal network path and provides a more reliable and better performing service, so we explicitly recommend using the OTC APIs via VMs on OTC with the internal DNS server ( resolving the endpoint names.

Hostname Internal IPv4 External IPv4 Service keystone, nova, ... 4 Object Storage (S3) DMS, SMN, CTS 5

The hostnames here are in domain and the listed IP addresses refer to the eu-de region. We again recommend to not hardcode the IP addresses as we do reserve the right to change them.


The trademarks referenced in this document are property of their respective owner. This applies but is not limited to Windows (Microsoft), RedHat, SUSE, Ubuntu (Canonical), Open Telekom Cloud (T-Systems).

  1. While DNS does provide application level fallback, a load balancing solution has been chosen for DNS to deal with higher loads and to allow customers to use an independent secondary name server. 

  2. The SUSE repository mirror also hosts the repositories from Open Build Service and the vendor-data. 

  3. Canonical does not allow to change images; this is the reason for lack of preconfiguration in Ubuntu. 

  4. Many other OTC API endpoints (nova, cinder, glance, neutron, etc.) are on the same IP address, as they are all routed through the same API gateway. 

  5. These are the new OTC 2.0 services behind a new API gateway.