This is responsible for 10.x instance IPs being visible outside of the labnet hosts.
Use cases I can think of that are beneficial or necessary:
- NFS sessions for shared storage
- Labsdb use auditing and potentially policing
Use cases I'm not sure if they are intentional or a side-effect:
- All instance traffic to 220.127.116.11/22 public addresses are sourced from 10.x instance IPs. This is potentially awkward and I'm fairly certain I have seen spam/bot mitigation effort difficulty in accounting for this one special case where an rfc1918 address is valid from outside of production.
- 10.x address handling outside of the instance VLAN that is incidental to general 10/8 address allowances
My belief atm is this was intentional for labs-support use cases but that wouldn't necessarily explain the 18.104.22.168/22 NAT exemption. Potentially moving to a 172.16/12 address space will highlight the difficulties being addressed here. I'm not sure yet if Neutron has a native direct equivalent.