Connect a host behind NAT to Front-End?

Just dipping my toes into ON, I've set up a front-end on a VPS with a public IP. However, the bare-metal/onprem hosts I want to provision are in various locations behind NAT for their access to the internet, and I don't have control of the router to do port forwarding etc.

Can you have a host connect outbound to the front-end for the purpose of provisioning, or must the front-end be able to connect directly to the host through the internet? If the latter, does this mean I will likely need to implement some kind of VPN solution between the front-end and these hosts to provide that direct connectivity?

The connectivity requirement itself is described here. How you accomplish it doesn't really matter; the front-end just really needs to be able to run remote ssh commands on the KVM hosts as the oneadmin user without being asked for a password.

So, the answer is that yes, you need the front-end instance to be able to access the hosts using SSH (connections will be initiated from the front-end instance). Unfortunately, there is no pull-based architecture in the design where host instances call in to fetch the latest state. In your case I would consider having a VPN tunnel for this.
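A preflight check for the requirement stated in the two replies above (front-end initiates SSH to each KVM host as the oneadmin user, no password prompt), written as an added example rather than OpenNebula's own tooling. It assumes the user name and the `ONE_HOSTS` host list are placeholders you set yourself, and it distinguishes a host that is simply unreachable (the NAT case, where a VPN tunnel is the remedy) from one that is reachable but rejects the key.

```shell
#!/bin/sh
# Added preflight check (not OpenNebula's own tooling): verifies that this
# front-end can run a remote command on each KVM host as the oneadmin user
# without a password, which is the requirement described above.
# Assumptions: ONE_USER and ONE_HOSTS below are placeholders for your setup.

ONE_USER="${ONE_USER:-oneadmin}"

# Map an ssh exit status plus its stderr to one of: ok, unreachable, auth,
# hostkey, other. "unreachable" is what a host behind NAT with no inbound path
# looks like (a VPN or other tunnel is the fix); "auth" means the host answered
# but the oneadmin key is not installed or a password prompt would be needed.
classify_ssh_result() {
    rc="$1"
    err="$2"
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -eq 255 ]; then
        case "$err" in
            *"Connection timed out"*|*"No route to host"*|*"Connection refused"*|*"Could not resolve hostname"*)
                echo unreachable ;;
            *"Permission denied"*)
                echo auth ;;
            *"Host key verification failed"*)
                echo hostkey ;;
            *)
                echo other ;;
        esac
    else
        # ssh connected and ran the command, but the command itself failed
        echo other
    fi
}

# Run a harmless remote command; BatchMode makes ssh fail instead of prompting.
check_host() {
    host="$1"
    err=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$ONE_USER@$host" true 2>&1 >/dev/null) && rc=0 || rc=$?
    printf '%s\t%s\n' "$host" "$(classify_ssh_result "$rc" "$err")"
}

# Constructed placeholder: export ONE_HOSTS="host1 host2" with the KVM hosts to check.
if [ -n "$ONE_HOSTS" ]; then
    for h in $ONE_HOSTS; do
        check_host "$h"
    done
fi
```

Run it from the front-end as the same user OpenNebula uses for SSH so that the keys being tested are the ones provisioning will actually use.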