QuantumCloudpipe
Cloudpipe in Quantum
Summary:
Cloudpipe support in Quantum will let external users create a secure tunnel into a tenant network.
Note:
CloudPipe is a special use case of generalized L3 services. However, as a first step, we refactor the current cloudpipe effort into Quantum and obtain Nova parity. The design goal is to have a flexible mechanism for inserting this service.
Use Cases:
- Allow an external user to VPN into a network and get an internal (to the network she VPNs into) IP address for any network.
- Allow a TenantAdmin to create private network topologies and create VPN tunnels from the external network into these networks (which could be edges of a private topology).
- Allow a TenantUser to determine the tunnel details of every virtual network/edge (of the topology).
Target “Quantum:Admin” workflow:
- Allow CloudPipe/VPN access to this user.
Target “Quantum:TenantUser” workflow:
- Specify a cloudpipe image (it could be per network or a fixed cloudpipe image for the entire tenant).
- Retrieve credentials for the cloudpipe.
- Enable cloudpipe for a given network.
Implementation:
Changes to Quantum:
- API changes to Quantum would include adding attributes to a network upon creation for the cloudpipe. An alternative is to specify it separately (not during creation).
Changes to Nova:
- During creation of a VM, pass the handle to a network. This is required because the VM creation process would include a script injection with the parameters that are specific to the network, before the network is even attached by Quantum.
- Hence we need API changes for the above.