Another approach would be to use a single IP address per router
per compute
node. This avoids the multi-tenant issue mentioned above, at the
cost of
consuming more IP addresses, potentially one default SNAT IP
address for each
VM on the compute server (which is the case when every VM on the
compute node
is from a different tenant and/or using a different router). At
that point
you might as well give each VM a floating IP.
Hence the approach taken with the initial DVR implementation is to
keep
default SNAT as a centralized service.
In contrast to moving service to distributed CN, we should take care
of keeping them as centralized, especially FIP and FW. I know a lot of
customer prefer using some dedicated servers to act as network nodes,
which have more NICs(as external connection) than compute nodes, in
these cases FIP must be centralized instead of being distributed. As
for FW, if we want stateful ACL then DVR can do nothing, except that
we think security group is already some kind of FW.
+1, I had another email to discuss about FW (FWaaS) and DVR integration.
Traditionally, we run firewall with router so that firewall can use
route and NAT info from router. since DVR is asymmetric when handling
traffic, it is hard to run stateful firewall on top of DVR just like a
traditional firewall does . When the NAT is in the picture, the
situation can be even worse.
Yi
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev