Heat/VPC Resources Support
OpenStack Networking was integrated in the Folsom release and, as there is a good fit between OpenStack Networking and Virtual Private Cloud, the Heat team decided to implement the AWS VPC resources during the Grizzly release.
The following table describes the current support of VPC in Heat, but be aware that it may be out of date as the Heat team is bridging the gaps :-)
|CloudFormation resource||Heat implementation||Comment|
|AWS::EC2::VPC||Partial||Creates a network and a router. The internal id of the network is used for the VpcId attribute. The CidrBlock attribute is accepted but unused. The InstanceTenancy attribute is not supported; it defines the tenancy mode of instances launched in the VPC: default (shared or dedicated hardware) or dedicated (only dedicated hardware).|
|AWS::EC2::Subnet||Partial||Creates a subnet and associates it with the network's router. No support in Networking for the AvailabilityZone attribute.|
|AWS::EC2::NetworkInterface||Partial||Creates a port. The GroupSet attribute maps to an existing security group in OpenStack Networking. No support in OpenStack Networking for the Description attribute. No support in OpenStack Networking for the SourceDestCheck attribute: by default, an EC2 instance doesn't receive traffic which isn't destined to one of its private IP addresses, and this flag must be turned off for NAT instances.|
|AWS::EC2::InternetGateway||Ok||Associates all routers of the network with an external network. The creation generates no additional Networking resource, but one (and only one) network with the attribute 'router:external' must exist first.|
|AWS::EC2::CustomerGateway||None||No equivalent yet.|
|AWS::EC2::VPNGateway||None||No equivalent yet.|
|AWS::EC2::VPNConnection||None||No equivalent yet.|
|AWS::EC2::VPCGatewayAttachment||Partial||Creation associates all routers of the VPC network with the external network. No support for the VpnGatewayId attribute yet.|
|AWS::EC2::RouteTable||Partial||Creates a new router which gets added to the Neutron network associated with the VpcId.|
|AWS::EC2::SubnetRouteTableAssociation||Partial||Associates the subnet (SubnetId attribute) with the given router (RouteTableId attribute).|
|AWS::EC2::Route||None||No equivalent yet.|
|AWS::EC2::DHCPOptions||None||Not supported, but subnets have a 'DNS nameservers' attribute.|
|AWS::EC2::VPCDHCPOptionsAssociation||None||There is a mismatch between OpenStack Networking (DHCP options apply to a subnet) and VPC (DHCP options apply to a network).|
|AWS::EC2::NetworkAcl||None||No equivalent yet.|
|AWS::EC2::NetworkAclEntry||None||No equivalent yet.|
|AWS::EC2::SubnetNetworkAclAssociation||None||No equivalent yet.|
|AWS::EC2::SecurityGroup||Partial||Maps to Nova security groups. Creates a security group if no group with the same name already exists. Should be updated to create/modify a Neutron security group when the VpcId attribute is passed (see https://blueprints.launchpad.net/heat/+spec/quantum-security-group).|
|AWS::EC2::SecurityGroupIngress||Partial||Resource wrapped inside the AWS::EC2::SecurityGroup resource. It should be a standalone resource for full support.|
|AWS::EC2::SecurityGroupEgress||None||No equivalent yet.|
|AWS::EC2::EIP||Partial||The creation of the floating IP address relies on Nova, which proxies the request to OpenStack Networking. The network from which floating IP addresses are allocated is defined by the default_floating_pool parameter in nova.conf (default value: "nova"). As for all AWS resources exposed in Heat, the Tags attribute is not supported; this is primarily a Nova and Networking limitation, and a blueprint exists to track the issue.|
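The mapping in the table is easy to get wrong when porting an existing CloudFormation template, because several attributes are accepted by Heat and then silently ignored, and some resource types have no equivalent at all. The following script is an added example, not code from the Heat project: it transcribes the table into a small audit that walks a template's Resources and reports unsupported types (flagging the filtering ones, NetworkAcl* and SecurityGroupEgress, separately), ignored properties including Tags, a NetworkInterface with SourceDestCheck set to false that Networking cannot honour, and the one-external-network precondition of the gateway resources. The template it runs on is constructed for illustration and the finding categories are the script's own names.

```python
"""Audit a CloudFormation-style Heat template against the VPC support table
on this page.  Added example, not Heat code; assumes the table is current."""
import json

# Heat status per resource type, transcribed from the table above.
SUPPORT = {
    "AWS::EC2::VPC": "Partial", "AWS::EC2::Subnet": "Partial",
    "AWS::EC2::NetworkInterface": "Partial", "AWS::EC2::InternetGateway": "Ok",
    "AWS::EC2::CustomerGateway": "None", "AWS::EC2::VPNGateway": "None",
    "AWS::EC2::VPNConnection": "None", "AWS::EC2::VPCGatewayAttachment": "Partial",
    "AWS::EC2::RouteTable": "Partial", "AWS::EC2::SubnetRouteTableAssociation": "Partial",
    "AWS::EC2::Route": "None", "AWS::EC2::DHCPOptions": "None",
    "AWS::EC2::VPCDHCPOptionsAssociation": "None", "AWS::EC2::NetworkAcl": "None",
    "AWS::EC2::NetworkAclEntry": "None", "AWS::EC2::SubnetNetworkAclAssociation": "None",
    "AWS::EC2::SecurityGroup": "Partial", "AWS::EC2::SecurityGroupIngress": "Partial",
    "AWS::EC2::SecurityGroupEgress": "None", "AWS::EC2::EIP": "Partial",
}
# Properties the table says Heat accepts but does not act on.
IGNORED_PROPERTIES = {
    "AWS::EC2::VPC": {"CidrBlock", "InstanceTenancy"},
    "AWS::EC2::Subnet": {"AvailabilityZone"},
    "AWS::EC2::NetworkInterface": {"Description", "SourceDestCheck"},
    "AWS::EC2::VPCGatewayAttachment": {"VpnGatewayId"},
}
# Unsupported types whose job is traffic filtering: losing them removes a control.
FILTERING_TYPES = {"AWS::EC2::NetworkAcl", "AWS::EC2::NetworkAclEntry",
                   "AWS::EC2::SubnetNetworkAclAssociation",
                   "AWS::EC2::SecurityGroupEgress"}
# Types that need one (and only one) router:external network to exist first.
EXTERNAL_NET_TYPES = {"AWS::EC2::InternetGateway", "AWS::EC2::VPCGatewayAttachment"}


def audit(template):
    """Return (resource name, category, detail) findings, in template order."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties") or {}
        if not rtype.startswith("AWS::"):
            continue  # OS::Neutron::* and other native resources: out of scope
        if "Tags" in props:  # unsupported on every AWS resource Heat exposes
            findings.append((name, "ignored-property", "Tags"))
        status = SUPPORT.get(rtype)
        if status is None:
            continue  # e.g. AWS::EC2::Instance: not a VPC resource
        if status == "None":
            cat = "filtering-gap" if rtype in FILTERING_TYPES else "unsupported"
            findings.append((name, cat, rtype))
            continue
        for prop in sorted(IGNORED_PROPERTIES.get(rtype, ())):
            if prop in props:
                findings.append((name, "ignored-property", prop))
        # A NAT instance needs SourceDestCheck off; Networking has no such
        # flag, so the NAT design in the template is not what gets built.
        if (rtype == "AWS::EC2::NetworkInterface"
                and str(props.get("SourceDestCheck", "true")).lower() == "false"):
            findings.append((name, "nat-design", "SourceDestCheck=false is unused"))
        if rtype in EXTERNAL_NET_TYPES:
            findings.append((name, "precondition",
                             "exactly one network with router:external must exist"))
    return findings


# Constructed CloudFormation-style template exercising most rows of the table.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "VPC": {"Type": "AWS::EC2::VPC",
            "Properties": {"CidrBlock": "10.0.0.0/16", "InstanceTenancy": "dedicated"}},
    "PublicSubnet": {"Type": "AWS::EC2::Subnet",
            "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.1.0/24",
                           "AvailabilityZone": "nova"}},
    "IGW": {"Type": "AWS::EC2::InternetGateway", "Properties": {}},
    "Attach": {"Type": "AWS::EC2::VPCGatewayAttachment",
            "Properties": {"VpcId": {"Ref": "VPC"}, "InternetGatewayId": {"Ref": "IGW"}}},
    "RT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
    "Assoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {"SubnetId": {"Ref": "PublicSubnet"}, "RouteTableId": {"Ref": "RT"}}},
    "WebSG": {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "web tier", "VpcId": {"Ref": "VPC"},
                           "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": "443",
                                                     "ToPort": "443", "CidrIp": "0.0.0.0/0"}],
                           "Tags": [{"Key": "tier", "Value": "web"}]}},
    "NatPort": {"Type": "AWS::EC2::NetworkInterface",
            "Properties": {"SubnetId": {"Ref": "PublicSubnet"}, "GroupSet": [{"Ref": "WebSG"}],
                           "SourceDestCheck": "false", "Description": "NAT instance port"}},
    "Acl": {"Type": "AWS::EC2::NetworkAcl", "Properties": {"VpcId": {"Ref": "VPC"}}},
    "DenyTelnet": {"Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {"NetworkAclId": {"Ref": "Acl"}, "RuleNumber": "100",
                           "Protocol": "6", "RuleAction": "deny", "Egress": "false",
                           "CidrBlock": "0.0.0.0/0", "PortRange": {"From": "23", "To": "23"}}},
    "NativeNet": {"Type": "OS::Neutron::Net", "Properties": {"name": "native"}}
  }
}""")

if __name__ == "__main__":
    for name, category, detail in audit(SAMPLE_TEMPLATE):
        print("%-12s %-17s %s" % (name, category, detail))
```

Run it as-is to see the findings for the constructed template; feed it your own template with `audit(json.load(open(path)))`. The RouteTable, association and native OS::Neutron::Net resources produce no findings, which is the point of the native namespace the page recommends at the end.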
Existing VPC/Heat gaps (Launchpad status in parentheses where known):
- Instance resource should implement the SubnetId property (Fix released)
- Instance resource should implement the SecurityGroupIds property (Fix released)
- Use quantum security groups when a VpcId is specified in AWS::EC2::SecurityGroup (Implemented)
- AWS::EC2::EIP resource should implement the InstanceId property (Fix released)
- AWS::EC2::EIPAssociation resource should implement the AllocationId attribute
- AWS::EC2::EIPAssociation resource should implement the NetworkInterfaceId attribute
- AWS::EC2::Subnet resource cannot reference an existing VPC (Fix released)
- AWS::EC2::NetworkInterface cannot reference an existing Subnet (Fix released)
- AWS::EC2::VPCGatewayAttachment cannot reference an existing VPC (Fix released)
- AWS::EC2::RouteTable cannot reference an existing VPC (Fix released)
- AWS::EC2::SubnetRouteTableAssociation cannot reference an existing Subnet (Fix released)
- The SecurityGroups property of an Instance resource doesn't get applied (Fix released)
- Stack deletion failed because the VPCGatewayAttachment resource cannot be deleted
- Creation of NetworkInterface resource failed because GroupSet attribute is invalid (Fix released)
Finally, remember that using AWS resources in Heat templates is not mandatory: you can also use the Networking resources directly (in the OS::Neutron::* namespace for now). If you don't need AWS CloudFormation compatibility, it is even recommended to stick with these native resources, as they map one-to-one onto the Neutron components and none of the attributes above get silently ignored.