This use case provides each tenant with one or more private networks that connect to the outside world through an OpenStack Networking router. When each tenant gets exactly one network, this architecture maps to the same logical topology as the VlanManager in Compute (although, of course, Networking does not require VLANs). Using the Networking API, the tenant can see only the private networks assigned to that tenant. The router object in the API is created and owned by the cloud administrator.
This model supports assigning public addresses to VMs by using floating IPs; the router maps public addresses from the external network to fixed IPs on private networks. Hosts without floating IPs can still create outbound connections to the external network because the provider router performs SNAT to the router's external IP. The IP address of the physical router is used as the gateway_ip of the external network subnet, so the provider has a default router for Internet traffic.
The router provides L3 connectivity among private networks. Tenants can reach instances of other tenants unless you use additional filtering, such as security groups. With a single router, tenant networks cannot use overlapping IPs. To resolve this issue, the administrator can create private networks on behalf of the tenants.
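
As an added example (not part of the original documentation), the following Python script checks a planned set of tenant subnets for the two risks described above: overlapping ranges on the single provider router, and ingress security-group rules whose source range covers another tenant's subnet. The subnets, rules and field names are constructed for illustration and are not Networking API output; it assumes the listed rules are the only ingress each tenant allows.

```python
import ipaddress
from itertools import combinations

# Constructed sample data (illustrative field names, not Networking API output):
# subnets attached to the single provider router, and per-tenant ingress rules.
SUBNETS = [
    {"tenant": "tenant-a", "cidr": "10.0.1.0/24"},
    {"tenant": "tenant-b", "cidr": "10.0.2.0/24"},
    {"tenant": "tenant-c", "cidr": "10.0.2.128/25"},
]
INGRESS_RULES = [
    {"tenant": "tenant-a", "remote_cidr": "10.0.1.0/24", "port": 22},
    {"tenant": "tenant-a", "remote_cidr": "10.0.0.0/16", "port": 3306},
    {"tenant": "tenant-b", "remote_cidr": "0.0.0.0/0", "port": 443},
]


def overlapping_subnets(subnets):
    """Return (tenant, cidr, tenant, cidr) for each pair of subnets that
    overlap and therefore cannot both hang off one router."""
    nets = [(s["tenant"], ipaddress.ip_network(s["cidr"])) for s in subnets]
    return [(ta, str(a), tb, str(b))
            for (ta, a), (tb, b) in combinations(nets, 2)
            if a.overlaps(b)]


def cross_tenant_exposure(subnets, rules):
    """Return (rule_owner, port, other_tenant) for each ingress rule whose
    source range covers another tenant's subnet. Because the shared router
    routes between private networks, such a rule admits that tenant."""
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["remote_cidr"])
        for s in subnets:
            if s["tenant"] == rule["tenant"]:
                continue  # a tenant reaching its own subnet is expected
            if src.overlaps(ipaddress.ip_network(s["cidr"])):
                findings.append((rule["tenant"], rule["port"], s["tenant"]))
    return findings


if __name__ == "__main__":
    for ta, a, tb, b in overlapping_subnets(SUBNETS):
        print(f"OVERLAP: {ta} {a} conflicts with {tb} {b}")
    for owner, port, other in cross_tenant_exposure(SUBNETS, INGRESS_RULES):
        print(f"EXPOSED: {owner} port {port} is reachable from {other}")
```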