The goal of this document is to provide an umbrella blueprint defining how to add support for VPC in OpenStack.
A VPC is defined as an entity providing resources access boundaries with the goal of building a logically isolated infrastructure assigned to a tenant.
There are multiple options to implement this entity, either as a formal node in the OpenStack container hierarchy (domain, projects), or as a tag used to define access policies.
1 - The administrator of a domain can create a VPC composed of network resources. A generic VPC can look like:
Within the VPC, the administrator can:
1.1 - create a shared network. A shared network in the VPC is equivalent to a Neutron public network (it's a public network with a restricted scope).
1.2 - create a transit or external network that can be connected to a remote datacenter through, for example, MPLS or a VPN, or to the internet.
1.3 - define specific flavors, images or other OpenStack resources restricted to be used within this VPC (e.g. DNS Zone, LB Resources, …).
1.4 - define quotas for resources available to a given VPC.
2 - The domain administrator can delegate the management of the VPC to a user or group of the domain.
3 - A user of a domain can create a project within a given VPC. Within this project, the user can:
3.1 - create a private network using the VPC external or shared network as the next hop. VMs can get a floating IP from the shared or external network.
3.2 - create a VM within a project attached to a shared network exposed by the VPC.
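The access boundaries implied by use cases 1.1, 2, 3 and 3.2 can be written down as explicit checks. The sketch below is an added example, not part of the blueprint and not an OpenStack API: the `Cloud` and `VPC` classes, their method names and the error strings are hypothetical, and it assumes the containment reading in which each project belongs to exactly one VPC.

```python
from dataclasses import dataclass, field

class PolicyError(Exception):
    """Raised when a request crosses a domain or VPC boundary."""

@dataclass
class VPC:
    domain: str
    managers: set = field(default_factory=set)     # delegates (use case 2)
    shared_nets: set = field(default_factory=set)  # shared networks (1.1)
    projects: dict = field(default_factory=dict)   # project -> owner (3)

class Cloud:
    """Hypothetical in-memory model; none of this is an OpenStack API."""
    def __init__(self, domain_admins, users):
        self.domain_admins = domain_admins  # domain -> admin user
        self.users = users                  # user -> domain
        self.vpcs = {}                      # VPC name -> VPC

    def _require(self, ok, msg):
        if not ok:
            raise PolicyError(msg)

    def create_vpc(self, actor, domain, name):
        self._require(self.domain_admins.get(domain) == actor, "not domain admin")
        self.vpcs[name] = VPC(domain)

    def delegate(self, actor, name, user):
        vpc = self.vpcs[name]
        self._require(actor == self.domain_admins[vpc.domain], "not domain admin")
        self._require(self.users.get(user) == vpc.domain, "user outside domain")
        vpc.managers.add(user)

    def create_shared_network(self, actor, name, net):
        vpc = self.vpcs[name]
        manages = actor == self.domain_admins[vpc.domain] or actor in vpc.managers
        self._require(manages, "not a VPC manager")
        vpc.shared_nets.add(net)

    def create_project(self, actor, name, project):
        vpc = self.vpcs[name]
        self._require(self.users.get(actor) == vpc.domain, "user outside domain")
        vpc.projects[project] = actor

    def attach_vm(self, actor, name, project, net):
        vpc = self.vpcs[name]
        self._require(vpc.projects.get(project) == actor, "not project owner")
        self._require(net in vpc.shared_nets, "network not shared in this VPC")
        return (project, net)
```

With two VPCs in one domain, a project owner in the first VPC can attach a VM to that VPC's shared network, while a request naming the other VPC's shared network raises `PolicyError`; the same holds for a delegate trying to manage a VPC they were not delegated.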
The above model shows a relationship between VPC and Project that assumes containment. However, as shown below, depending on the implementation, it could be a looser relationship.