neutron VPC

The goal of this document is to provide an umbrella blueprint defining how to add support for VPC in Openstack.

A VPC is defined as an entity providing resources access boundaries with the goal of building a logically isolated infrastructure assigned to a tenant.

There are multiple options to implement this entity, either as a formal node in the openstack container hierarchy (domain, projects), or as a tag used to define access policies.

Contents

 [hide] 

• 1 Relationship with other blueprint
• 2 Use cases
• 3 Resource Model
• 4 Implementation options
  • 4.1 Project Based
  • 4.2 Hierarchical Container
  • 4.3 Policy Based
• 5 Resulting Blueprints

Relationship with other blueprint

• Hierarchical Multitenancy [1] defines a hierarchical model for resource ownership and containment. This blueprint can be used to implement the VPC concept by considering each VPC as a node in the hierarchy.
• AWS VPC API support [2] aims at providing an EC2 VPC equivalent API on openstack. This blueprint uses a special project to group the VPC resources, however, it doesn't address the needed changes in scoping of different resource to implement a true isolated VPC.
• Hierarchical Administrative Boundaries [5] defines a model similar to [1] and is focusing on defining administrative delegation.

Use cases

1 - The administrator of a domain can create a VPC composed of network resources. A generic VPC can look like:

Within the VPC, the administrator can :

1.1 - create a shared network. A shared network in the VPC is equivalent to a Neutron public network (it's a public network with a restricted scope).

1.2 - create a transit or external network that can be connected to a remote datacenter through, for MPLS or a VPN or to the internet.

1.3 - define specific flavors, images or other openstack resources restricted to be used within this VPC (e.g. DNS Zone, LB Resources, ...).

1.4 - define quota for resources available to a given VPC.

2 - The domain administrator can delegate the management of the VPC to a user or group of the domain

3 - A user of a domain, can create a project within a given VPC. Within this project, the user can

3.1. create a private network using the VPC external or shared network as the next hop. VMs can get a floating IP from the shared or external network

3.2 create a VM within a project attached to a shared network exposed by the VPC.

Resource Model

The above model is showing a relationship between VPC and Project assuming a containment relationship. However, as shown below, depending on the implementation, it could be a more loose relationship.

http://blog.csdn.net/quqi99/article/details/41829605

https://wiki.openstack.org/wiki/Blueprint-VPC