Public bug reported:

This requirement came out during the Manila-Neutron integration discussion to provide a solution for a multi-tenant environment to work with the File Share store.

The way to solve it is as follows: A dedicated NAT-based network connection should be established between a tenant's private network (where his VMs reside) and a data center local storage network. Sticking to IP-based authorization, as used by Manila, the NAT-assigned floating IPs in the storage network are used to check authorization in the storage backend, as well as to deal with possible overlapping IP ranges in the private networks of different tenants. A dedicated NAT and not the public FIP is suggested since public FIPs are usually limited resources.

In order to be able to orchestrate the above use case, it should be possible to associate more than one subnet with 'FIP' range with the router (via router interface) and enable NAT based on the destination subnet. This behaviour was possible in Mitaka and worked for the MidoNet plugin, but due to https://bugs.launchpad.net/neutron/+bug/1556884 it won't be possible any more.
A related bug for a security use case that can benefit from the proposed behavior is described here: https://bugs.launchpad.net/neutron/+bug/1250105

** Affects: neutron
     Importance: Undecided
         Status: Confirmed

** Tags: rfe

** Tags added: rfe

https://bugs.launchpad.net/bugs/1566191

Title:
  Allow multiple networks with FIP range to be associated with Tenant router

Status in neutron:
  Confirmed
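
The addressing scheme the report proposes, as an added Python model that is not part of the original bug report and is not Neutron or Manila code: two tenants with the same private address reach the storage network through different storage-side floating IPs, and the backend's IP-based rule tells them apart. The class names `TenantRouter` and `ShareBackend`, the share name, and every address are constructed for illustration.

```python
import ipaddress

# Constructed sample addressing; none of these ranges come from the bug report.
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")    # public FIP range
STORAGE_NET = ipaddress.ip_network("192.168.50.0/24")  # data-center storage network

class TenantRouter:
    """Hypothetical model of a tenant router with more than one FIP-range network."""
    def __init__(self):
        self.nat = {}  # (FIP network, private IP) -> floating IP on that network

    def associate(self, fip_net, private_ip, floating_ip):
        fip = ipaddress.ip_address(floating_ip)
        if fip not in fip_net:
            raise ValueError(f"{fip} is not in {fip_net}")
        self.nat[(fip_net, ipaddress.ip_address(private_ip))] = fip

    def translate(self, src, dst):
        """Return the source address the destination sees, chosen by destination subnet."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Storage-bound traffic uses the dedicated NAT; everything else uses the public one.
        fip_net = STORAGE_NET if dst in STORAGE_NET else PUBLIC_NET
        return self.nat.get((fip_net, src))  # None: no mapping for that destination

class ShareBackend:
    """IP-based access rules, the authorization style the report attributes to Manila."""
    def __init__(self):
        self.rules = {}  # share name -> set of allowed source addresses

    def allow(self, share, ip):
        self.rules.setdefault(share, set()).add(ipaddress.ip_address(ip))

    def authorized(self, share, seen_src):
        return seen_src is not None and seen_src in self.rules.get(share, set())

def demo():
    a, b = TenantRouter(), TenantRouter()
    # Both tenants use the same private address: overlapping private ranges.
    a.associate(STORAGE_NET, "10.0.0.5", "192.168.50.11")
    b.associate(STORAGE_NET, "10.0.0.5", "192.168.50.12")
    a.associate(PUBLIC_NET, "10.0.0.5", "203.0.113.7")
    backend = ShareBackend()
    backend.allow("share-a", "192.168.50.11")  # the rule names tenant A's storage FIP
    filer = "192.168.50.2"  # constructed storage server address
    return (backend.authorized("share-a", a.translate("10.0.0.5", filer)),
            backend.authorized("share-a", b.translate("10.0.0.5", filer)),
            str(a.translate("10.0.0.5", "198.51.100.9")))
```

Because the rule is keyed on the storage-side floating IP rather than on `10.0.0.5`, tenant B's identical private address does not inherit tenant A's access, and tenant A's non-storage traffic still leaves through the public FIP.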