Galactic VPC - Phase 1 Scope #17

@scotwells

Description

This issue outlines the work required to integrate Galactic VPC into the Datum Cloud platform and bring it to consumers.

Dependencies (In Progress)

  • Machine Accounts - Non-human identity for connectors, gateways, and service components to authenticate to the platform
  • IPAM Platform Capability - Address pool allocation system
  • BGP Infrastructure - GoBGP deployment, route reflector topology

Control Plane & Routing

  • Migrate from MQTT to BGP VPNv6 - Replace galactic-router MQTT-based distribution with BGP route reflectors for scalable, standards-based route distribution
  • Deploy route reflector topology - HA route reflector cluster with peering to galactic-agents on each node
  • Implement BGP-based VPN signaling - Use MP-BGP for VPNv4/VPNv6 route exchange with RT/RD for VPC isolation
  • Network services integration - Connect to existing network services operator for programming VPC networks

Ingress & Gateways

  • Envoy Gateway VPC attachment - Attach Envoy Gateway pods to VPC networks for HTTP ingress from the internet
  • MASQUE gateway integration - Deploy MASQUE gateways as VPC ingress points for connector tunnels
  • Gateway API resource mapping - Map HTTPRoute/TCPRoute to VPC backend services

Egress & NAT

  • Egress gateway design - Architecture for outbound internet connectivity from private VPC networks
  • NAT gateway implementation - Source NAT for private VPC traffic with IPAM-allocated public IPs
  • Egress policy controls - Define what destinations VPC workloads can reach

Connectors & Client Access

  • Iroh + MASQUE client update - Update desktop app to use Iroh transport with MASQUE tunneling
  • Headless datum-connect - Server-deployable connector for private network integration
  • Connector authentication via Machine Accounts - Connectors authenticate to platform using machine identity
  • ConnectorAdvertisement registration - Register reachable networks through each connector instance
  • ConnectorAttachment for VPCs - Associate connectors with specific VPC networks

Security & Policy

  • Network Policy enforcement - VPC-level traffic control via galactic-agent (eBPF)
  • Security Groups - Stateful firewall rules per VPC attachment
  • IAM integration - Role-based access for VPC/attachment/route operations
  • Audit logging - Activity records for all VPC mutations (depends on Activity system)

IPAM Integration

  • VPC CIDR allocation - Allocate VPC network ranges from IPAM AddressPools
  • Subnet allocation - Subdivide VPC CIDRs into subnets via hierarchical IPAM
  • Public IP allocation - IPAM-managed public IPs for egress gateways and load balancers

User Interface

  • VPC management console - Create/manage VPCs, view topology and connectivity
  • Connector dashboard - Status, advertisements, tunnel health
  • Gateway management - HTTP routes, certificates, scaling configuration
  • Network visualization - Topology graph showing VPCs, routes, peering

Operational Maturity

  • Deployment automation - Kustomize manifests, FluxCD GitOps, multi-cluster rollout
  • Observability stack - Prometheus metrics, distributed tracing, log aggregation for all components
