On Thu, 09 Aug 2012 03:09:30 -0400, Hugo Trippaers
<htrippa...@schubergphilis.com> wrote:
> I think I have the clear picture now. I think there is a valid use case
> for having the option to create 'internal' networks (networks that have
> no outside connectivity so no SourceNat service)
You "think"? Do people here not have practical experience running a
real-world (non-)virtualized environment of any decent complexity? It's
done all the time! The router simply doesn't have an interface on said
VLAN; QED, non-routable and non-SNAT'able.
It might be clearer to use the term "isolated". It just means it cannot
see any other host that isn't on the same VLAN and can't leave the
VLAN. I can't see why every such VLAN couldn't pull from the same set of
subnets. This ought to work across zones too, so either we allocate the
same VLAN number in all zones on creation or we maintain an association
table: zoneA+vlanX == zoneB+vlanY. Naturally there'll have to be a layer-2
VPN between zones, and the subnets will have to be different on either end.
However, I'm pretty sure a VPN (e.g. GRE) tunnel won't work if there are
duplicate or differing combinations of left vs. right subnets, even if their
originating interface device names are different, since those decisions are
based on routes. So unfortunately these isolated subnets have to be unique
across all zones, or otherwise isolation can only be local to a zone.
Though if the virtual router (aka VPN endpoint) was unique to each
customer|Account (?domain?), that should let us do it.
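The constraint in the last two paragraphs of the message can be checked mechanically. The following is an added example, not code from the thread or from CloudStack: it models a virtual router that terminates the GRE tunnels for several isolated VLANs as one routing table, and reports every prefix that would have to point at two different interfaces in that table. Run with one endpoint per zone, two accounts that happened to pick the same subnets collide; run with one endpoint per (zone, account), the same tunnels are conflict-free. All zone, account and VLAN names, the `Tunnel` type, the `find_conflicts` helper and the sample subnets are constructed for this illustration.

```python
"""Route-table model for the cross-zone isolated-VLAN design discussed above.

Added example; not from the mailing-list thread or from CloudStack.
A router that terminates several layer-2/GRE tunnels has a single routing
table, so two tunnels (or a tunnel and a connected VLAN) that install the
same prefix toward different interfaces collide.  The endpoint scope decides
which tunnels share a table: one router per zone, or one per (zone, account).
All names, subnets and VLAN numbers below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Tunnel:
    """One layer-2/GRE tunnel between an isolated VLAN in `zone` and its peer."""
    zone: str
    account: str
    vlan: int
    local: IPv4Network    # subnet on this end's isolated VLAN
    remote: IPv4Network   # subnet reachable through the tunnel


def endpoint_of(t: Tunnel, scope: str):
    """Which router terminates the tunnel, depending on the deployment model."""
    if scope == "per-zone":
        return t.zone
    if scope == "per-account":
        return (t.zone, t.account)
    raise ValueError(f"unknown endpoint scope: {scope}")


def build_tables(tunnels, scope):
    """Routing table per endpoint: a list of (prefix, egress interface)."""
    tables = defaultdict(list)
    for t in tunnels:
        ep = endpoint_of(t, scope)
        # connected route for the VLAN itself ...
        tables[ep].append((t.local, f"vlan{t.vlan}"))
        # ... and a route to the far subnet via the tunnel interface
        tables[ep].append((t.remote, f"gre-{t.account}-{t.vlan}"))
    return tables


def find_conflicts(tunnels, scope):
    """Return {endpoint: [(prefix, iface_a, iface_b), ...]} for every prefix
    that would need two different next-hop interfaces in one table.
    An empty dict means the tunnel set is routable as given."""
    conflicts = defaultdict(list)
    for ep, routes in build_tables(tunnels, scope).items():
        first_iface = {}
        for prefix, iface in routes:
            other = first_iface.setdefault(prefix, iface)
            if other != iface:
                conflicts[ep].append((prefix, other, iface))
    return dict(conflicts)


# Constructed sample: two accounts that both chose the same subnets for
# their isolated VLANs, each VLAN stretched between zone A and zone B.
SAMPLE = [
    Tunnel("zoneA", "acme",   100, ip_network("10.10.0.0/24"), ip_network("10.10.1.0/24")),
    Tunnel("zoneB", "acme",   200, ip_network("10.10.1.0/24"), ip_network("10.10.0.0/24")),
    Tunnel("zoneA", "globex", 101, ip_network("10.10.0.0/24"), ip_network("10.10.1.0/24")),
    Tunnel("zoneB", "globex", 201, ip_network("10.10.1.0/24"), ip_network("10.10.0.0/24")),
]


def main():
    for scope in ("per-zone", "per-account"):
        found = find_conflicts(SAMPLE, scope)
        print(f"{scope}: {'no conflicts' if not found else found}")


if __name__ == "__main__":
    main()
```

The check only flags exact duplicate prefixes, which is the case that makes a route table ambiguous; prefixes that merely overlap are resolved by longest match and would need a separate policy decision, so they are deliberately left alone here.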