CloudVPS is currently using a locally modified code base to toggle NAT on outbound traffic over the default gateway (cloud-instance-transport1-b-codfw).
We'd like to prototype using Neutron address scopes to eliminate our custom code and bring the overall configuration more in line with upstream Neutron. To do this we'll need to create a second network and Neutron interface that will be dedicated to virtual machine traffic to our core services and RFC1918 addresses. Once this is in place, the existing cloud-instances-transport1-b-codfw network will remain in place but only for traffic behind the NAT.
This new network can be an exact mirror of cloud-instance-transport1-b-codfw's configuration on a different CIDR. It will only be used to route traffic between virtual machines and 10.0.0.0/8, 208.80.152.0/22 (with the same ACLs as cloud-instance-transport1-b-codfw).
I've done some local testing and I think this will provide us with the base requirements, in addition to easing the OpenStack configuration upgrade process. If it works well for everyone in CODFW we'll open a new ticket for EQIAD. Also, please note that this work is in parallel to the IPv6 and BGP CloudVPS tasks.