[Openstack] [openstack-dev][neutron] Neutron firewall

Van Leeuwen, Robert rovanleeuwen at ebay.com
Tue Jan 31 16:08:18 UTC 2017


> We currently have a cloud infrastructure meeting our own requirements.
> Let's focus on some Networking features (firewall, instances isolation, spoofing control). We are thinking about moving to OpenStack and when we focus on these Networking features, Neutron comes into play
> We are currently using Vyattas for these networking features (firewall, instance isolation, spoofing control) and we would like to keep it as it is right now. 
Well, the spoofing and instance isolation is usually not done by the FWAAS but by the security groups.
This is applied directly at the instance level through iptables, so it does not even get onto your network, instead of being filtered at the edge (fwaas).

> Therefore, if we move to OpenStack we would like Neutron to orchestrate these Vyattas, but these Vyattas would be installed/configured in an outer layer, out of OpenStack
Slightly related: at my previous job we also used vyattas but as l3 agents
IIRC we used vlans in the neutron config, did not run an l3 agent but instead configured the vlans on the vyatta manually and made that the default gateway.
Not the nicest setup, but we did that in the early OpenStack days and the vyatta did take care of the HA for us (Neutron was still called Quantum at that time ;)

> A good comparison we find is Cinder. In Cinder you can configure your storage backend (this storage backend is an external "agent" to OpenStack) 
> and the idea with this networking features would be the same (being able to configure in Neutron our firewall backend).
I think the FWAAS is a neutron plugin so you should be able to write your own (but it has been a while since I looked at it)

Cheers,
Robert
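To make the "filtered at the instance level through iptables" point concrete, here is an added example (not part of Robert's message and not neutron's own code) that generates the kind of per-port ingress and anti-spoofing chains the neutron iptables firewall driver installs on the compute node. Chain names (sg-i/sg-s) and the tap naming are assumptions modelled loosely on neutron's; the instance IP, MAC and CIDR are constructed sample values. The script only prints the rules, it does not apply them, so it runs without root.

```shell
#!/bin/sh
# Added example: sketch of per-port security-group rules in iptables terms.
# Not neutron's real rule text; chain names and tap naming are assumptions.

# gen_port_rules PORT_ID INSTANCE_IP INSTANCE_MAC [ALLOWED_INGRESS_CIDR ...]
# Prints iptables rules (iptables-restore style) for one instance port.
gen_port_rules() {
    port="$1"; ip="$2"; mac="$3"; shift 3
    tap="tap$port"   # assumed tap device name for the port

    # Ingress chain: traffic heading to the instance.
    echo "-N sg-i$port"
    echo "-A sg-i$port -m state --state INVALID -j DROP"
    echo "-A sg-i$port -m state --state RELATED,ESTABLISHED -j RETURN"
    for cidr in "$@"; do
        # one allow rule per security-group ingress source
        echo "-A sg-i$port -s $cidr -j RETURN"
    done
    echo "-A sg-i$port -j DROP"   # default deny: no matching rule, no traffic

    # Egress chain: traffic leaving the instance. Anti-spoofing comes first:
    # only the assigned IP with the assigned MAC may source packets.
    echo "-N sg-s$port"
    echo "-A sg-s$port -s $ip/32 -m mac --mac-source $mac -j RETURN"
    echo "-A sg-s$port -j DROP"   # anything else is a spoofed source

    # Hook both chains on the bridged tap device, so the frame is filtered
    # on the hypervisor before it ever reaches the shared network.
    echo "-A FORWARD -m physdev --physdev-out $tap --physdev-is-bridged -j sg-i$port"
    echo "-A FORWARD -m physdev --physdev-in $tap --physdev-is-bridged -j sg-s$port"
}

# Constructed sample: one port allowing ingress from its own subnet only.
gen_port_rules abc123 10.0.0.5 fa:16:3e:00:00:01 10.0.0.0/24
```

Compare this with an edge firewall: the spoofing rule in sg-s lives on the same host as the VM, so a guest that forges its source address is dropped at the tap device rather than at the Vyatta several hops away.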


