
[2] https://cwiki.apache.org/confluence/display/CLOUDSTACK/Region+level+VPC+and+guest+network+spanning+multiple+zones

[3] http://blog.scottlowe.org/2012/11/27/connecting-ovs-bridges-with-patch-ports/

Glossary & Conventions

Bridge: bridge in this document refers to an Open vSwitch bridge on XenServer/KVM

Host: host refers to hypervisor hosts and can be XenServer/KVM

Conceptual model 

This section describes conceptually how distributed routing and network ACLs are achieved in an example VPC deployment with three tiers and VMs spanning three hosts. Later sections build on the concepts and design principles introduced here to elaborate the architecture and design by which CloudStack and the OVS plug-in orchestrate setting up VPCs with distributed routing and network ACLs.

Here is an example VPC deployment with three tiers, with VMs spanning 3 hypervisor hosts. The VPC VR still needs to be deployed for north-south traffic. In this example the VPC VR is deployed on host 3. A logical router, which is nothing but an OVS bridge, is provisioned on the rest of the hosts that the VPC spans (excluding the host running the VPC VR). On the host on which the VPC VR is running there is no need for a logical router (bridge). Irrespective of whether a host has VMs belonging to a tier or not, a bridge is set up for each tier on all of the hosts that the VPC spans. For example, host 1 does not have any tier 2 VMs, yet a bridge is still created there and is in a full-mesh topology with the bridges created for tier 2 on hosts 2 and 3. Each logical router on a host is connected with patch ports [3] to the bridges corresponding to the tiers. This setup of the logical router is done to emulate a VPC VR with NICs connected to the bridges corresponding to each tier.
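The layout described above can be derived mechanically from the list of hosts, the list of tiers and the host running the VPC VR. The following is an added example, not code from CloudStack or the OVS plug-in; the bridge and port names (`br-lr`, `br-tier1`, `lr-tier1`, ...) are hypothetical, and it includes a check that reports tier links missing from the required full mesh.

```python
from itertools import combinations

# Bridge and port names are hypothetical; the page does not define a naming scheme.
LR = "br-lr"

def plan_vpc(hosts, tiers, vr_host):
    """Return (bridges, mesh, patches) for one VPC per the conceptual model."""
    # One bridge per tier on every host the VPC spans, even with no VMs of that tier.
    bridges = {h: [f"br-{t}" for t in tiers] for h in hosts}
    # Full mesh: each tier's bridges are linked between every pair of hosts.
    mesh = {(t, a, b) for t in tiers for a, b in combinations(sorted(hosts), 2)}
    # Logical router bridge on every host except the one running the VPC VR,
    # attached to each tier bridge by a pair of patch ports.
    patches = []
    for h in hosts:
        if h == vr_host:
            continue
        bridges[h].append(LR)
        patches += [(h, LR, f"lr-{t}", f"br-{t}", f"{t}-lr") for t in tiers]
    return bridges, mesh, patches

def patch_commands(patches):
    """Render ovs-vsctl commands creating both ends of each patch-port pair."""
    tmpl = "ovs-vsctl add-port {br} {port} -- set interface {port} type=patch options:peer={peer}"
    cmds = []
    for host, lr, lr_port, tier_br, tier_port in patches:
        cmds.append((host, tmpl.format(br=lr, port=lr_port, peer=tier_port)))
        cmds.append((host, tmpl.format(br=tier_br, port=tier_port, peer=lr_port)))
    return cmds

def missing_links(mesh, observed):
    """Tier links the model requires but that are absent from an observed set."""
    norm = {(t, *sorted((a, b))) for t, a, b in observed}
    return sorted(mesh - norm)

if __name__ == "__main__":
    hosts, tiers = ["host1", "host2", "host3"], ["tier1", "tier2", "tier3"]
    bridges, mesh, patches = plan_vpc(hosts, tiers, vr_host="host3")
    for host, names in bridges.items():
        print(host, names)
    for host, cmd in patch_commands(patches):
        print(f"[{host}] {cmd}")
    # Constructed observation: the tier2 link between host1 and host3 is absent.
    print(missing_links(mesh, mesh - {("tier2", "host1", "host3")}))
```

A missing link in a tier's mesh means traffic for that tier between those two hosts has no direct path, so the check is useful as a post-deployment audit against the links actually configured.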
