Juju expects a public address for all machines maybe insecure

From Dimiter:
We still assume to have public IPs in most providers and have no way of not using them if the user doesn't want to (except for the use-floating-ips setting for openstack)

Removing 2.1 milestone as we will not addressing this issue in 2.1.

Status changed to 'Confirmed' because the bug affects multiple users.

Hi this is santhosh,

ran into same kind of issue. when i specify a particular vpc-id ( it is not default so i did vpc-id-force). it bootstraps controller in that vpc and was loosing/cannot connect to the api after that. BELOW IS THE BOOTSTRAP COMMAND I GAVE:

ubuntu@x86inst-1a:~$ juju bootstrap --config "vpc-id=vpc-08b1e3735cf3" --config "vpc-id-force=true" aws test

it gives the error as below:

ERROR unable to contact api server after 1 attempts: unable to connect to API: dial tcp 172.86.1.14:17070: connect: connection refused

*IF IT CAN REACH THE VPC AND CAN BOOTSTRAP CONTROLLER IN PARTICULAR VPC, WHY IS IT UNABLE TO REACH OR RUNNING INTO API ERROR(17070) AFTER BOOTSTRAP.
*WHY DID JUJU EXPECT IT TO BE PUBLIC, IF I GIVE VPC AS PARAMETER WHY CAN'T IT ACCEPT WHAT SHOULD I DO TO MAKE IT ACCEPT BUT NEED IT TO BE PRIVATE AS FOR THE SECURITY CONCERNS.

The main issue is that Juju controllers need to retrieve the binaries it runs from streams.canonical.com and that the client (typically running on an operator laptop outside the cloud) needs to be able to reach the controller API endpoints.

If you're getting an error during bootstrap about reaching port 17070 this is the Juju client you're running attempting to reach the controller machine that's come up. If it's a locked down VPC with no ingress from your client you'll get this issue.

I don't believe Juju expects public addresses for all machines. It *does* expect a public address for the controller, because you need external access to be able to connect for things like "juju status" from your machine.

I don't know how you would have been able to bootstrap and 'ssh' into the machine, but not be able to connect to port 17070. That sounds like you have a firewall in your own network that doesn't let you connect to remote hosts on ports that aren't SSH (22) or HTTP(s) (80/443).

For machines other than controllers, the requirement is that they be able to reach the controller, but not that they are accessible externally, or even accesible from the controller (all agents initiate the connection to the controller, the controller doesn't initiate to the agents).

Obviously if you want to "juju ssh unit/3" you need to have a route to that unit (either a VPN into the VPC or a public address on that machine).

This bug has not been updated in 2 years, so we're marking it Low importance. If you believe this is incorrect, please update the importance.