add transit IPs to NIC create

david-crespo · david-crespo · commit c4b5fb4aa7cf · 2025-08-18T14:05:00.000-05:00
diff --git a/nexus/db-model/src/network_interface.rs b/nexus/db-model/src/network_interface.rs
@@ -321,6 +321,7 @@ pub struct IncompleteNetworkInterface {
     pub ip: Option<std::net::IpAddr>,
     pub mac: Option<external::MacAddr>,
     pub slot: Option<u8>,
+    pub transit_ips: Vec<IpNetwork>,
 }
 
 impl IncompleteNetworkInterface {
@@ -334,6 +335,7 @@ impl IncompleteNetworkInterface {
         ip: Option<std::net::IpAddr>,
         mac: Option<external::MacAddr>,
         slot: Option<u8>,
+        transit_ips: Vec<IpNetwork>,
     ) -> Result<Self, external::Error> {
         if let Some(ip) = ip {
             subnet.check_requestable_addr(ip)?;
@@ -380,6 +382,7 @@ impl IncompleteNetworkInterface {
             ip,
             mac,
             slot,
+            transit_ips,
         })
     }
 
@@ -389,6 +392,7 @@ impl IncompleteNetworkInterface {
         subnet: VpcSubnet,
         identity: external::IdentityMetadataCreateParams,
         ip: Option<std::net::IpAddr>,
+        transit_ips: Vec<IpNetwork>,
     ) -> Result<Self, external::Error> {
         Self::new(
             interface_id,
@@ -399,6 +403,7 @@ impl IncompleteNetworkInterface {
             ip,
             None,
             None,
+            transit_ips,
         )
     }
 
@@ -420,6 +425,7 @@ impl IncompleteNetworkInterface {
             Some(ip),
             Some(mac),
             Some(slot),
+            vec![], // Service interfaces don't use transit_ips
         )
     }
 
@@ -440,6 +446,7 @@ impl IncompleteNetworkInterface {
             ip,
             mac,
             None,
+            vec![], // Probe interfaces don't use transit_ips
         )
     }
 }
diff --git a/nexus/db-queries/src/db/datastore/vpc.rs b/nexus/db-queries/src/db/datastore/vpc.rs
@@ -4018,6 +4018,7 @@ mod tests {
                         description: "A NIC...".into(),
                     },
                     None,
+                    vec![],
                 )
                 .unwrap(),
             )
diff --git a/nexus/db-queries/src/db/queries/network_interface.rs b/nexus/db-queries/src/db/queries/network_interface.rs
@@ -1204,8 +1204,19 @@ impl QueryFragment<Pg> for InsertQuery {
         } else {
             select_from_cte(out.reborrow(), dsl::slot::NAME)?;
         }
+        out.push_sql(" AS ");
+        out.push_identifier(dsl::slot::NAME)?;
         out.push_sql(", ");
+
         select_from_cte(out.reborrow(), dsl::is_primary::NAME)?;
+        out.push_sql(", ");
+
+        // Add transit_ips field
+        out.push_bind_param::<sql_types::Array<sql_types::Inet>, Vec<IpNetwork>>(
+            &self.interface.transit_ips,
+        )?;
+        out.push_sql(" AS ");
+        out.push_identifier(dsl::transit_ips::NAME)?;
 
         Ok(())
     }
diff --git a/nexus/src/app/network_interface.rs b/nexus/src/app/network_interface.rs
@@ -93,6 +93,7 @@ impl super::Nexus {
             db_subnet,
             params.identity.clone(),
             params.ip,
+            params.transit_ips.iter().map(|ip| (*ip).into()).collect(),
         )?;
         self.db_datastore
             .instance_create_network_interface(
diff --git a/nexus/src/app/sagas/instance_create.rs b/nexus/src/app/sagas/instance_create.rs
@@ -610,6 +610,7 @@ async fn create_custom_network_interface(
         db_subnet.clone(),
         interface_params.identity.clone(),
         interface_params.ip,
+        interface_params.transit_ips.iter().map(|ip| (*ip).into()).collect(),
     )
     .map_err(ActionError::action_failed)?;
     datastore
@@ -682,6 +683,7 @@ async fn create_default_primary_network_interface(
         vpc_name: default_name.clone(),
         subnet_name: default_name.clone(),
         ip: None, // Request an IP address allocation
+        transit_ips: vec![], // Default interfaces don't use transit IPs
     };
 
     // Lookup authz objects, used in the call to actually create the NIC.
@@ -704,6 +706,7 @@ async fn create_default_primary_network_interface(
         db_subnet.clone(),
         interface_params.identity.clone(),
         interface_params.ip,
+        interface_params.transit_ips.iter().map(|ip| (*ip).into()).collect(),
     )
     .map_err(ActionError::action_failed)?;
     datastore
diff --git a/nexus/tests/integration_tests/endpoints.rs b/nexus/tests/integration_tests/endpoints.rs
@@ -709,6 +709,7 @@ pub static DEMO_INSTANCE_NIC_CREATE: LazyLock<
     vpc_name: DEMO_VPC_NAME.clone(),
     subnet_name: DEMO_VPC_SUBNET_NAME.clone(),
     ip: None,
+    transit_ips: vec![],
 });
 pub static DEMO_INSTANCE_NIC_PUT: LazyLock<
     params::InstanceNetworkInterfaceUpdate,
diff --git a/nexus/tests/integration_tests/instances.rs b/nexus/tests/integration_tests/instances.rs
@@ -2244,6 +2244,7 @@ async fn test_instance_create_saga_removes_instance_database_record(
         vpc_name: default_name.clone(),
         subnet_name: default_name.clone(),
         ip: Some(requested_address),
+        transit_ips: vec![],
     };
     let interface_params =
         params::InstanceNetworkInterfaceAttachment::Create(vec![
@@ -2325,6 +2326,7 @@ async fn test_instance_create_saga_removes_instance_database_record(
         vpc_name: default_name.clone(),
         subnet_name: default_name.clone(),
         ip: Some(requested_address),
+        transit_ips: vec![],
     };
     let interface_params =
         params::InstanceNetworkInterfaceAttachment::Create(vec![
@@ -2367,6 +2369,7 @@ async fn test_instance_with_single_explicit_ip_address(
         vpc_name: default_name.clone(),
         subnet_name: default_name.clone(),
         ip: Some(requested_address),
+        transit_ips: vec![],
     };
     let interface_params =
         params::InstanceNetworkInterfaceAttachment::Create(vec![
@@ -2476,6 +2479,7 @@ async fn test_instance_with_new_custom_network_interfaces(
         vpc_name: default_name.clone(),
         subnet_name: default_name.clone(),
         ip: None,
+        transit_ips: vec![],
     };
     let if1_params = params::InstanceNetworkInterfaceCreate {
         identity: IdentityMetadataCreateParams {
@@ -2485,6 +2489,7 @@ async fn test_instance_with_new_custom_network_interfaces(
         vpc_name: default_name.clone(),
         subnet_name: non_default_subnet_name.clone(),
         ip: None,
+        transit_ips: vec![],
     };
     let interface_params =
         params::InstanceNetworkInterfaceAttachment::Create(vec![
@@ -2665,6 +2670,7 @@ async fn test_instance_create_delete_network_interface(
             vpc_name: "default".parse().unwrap(),
             subnet_name: "default".parse().unwrap(),
             ip: Some("172.30.0.10".parse().unwrap()),
+            transit_ips: vec![],
         },
         params::InstanceNetworkInterfaceCreate {
             identity: IdentityMetadataCreateParams {
@@ -2674,6 +2680,7 @@ async fn test_instance_create_delete_network_interface(
             vpc_name: "default".parse().unwrap(),
             subnet_name: secondary_subnet.identity.name.clone(),
             ip: Some("172.31.0.11".parse().unwrap()),
+            transit_ips: vec![],
         },
     ];
 
@@ -2901,6 +2908,7 @@ async fn test_instance_update_network_interfaces(
             vpc_name: "default".parse().unwrap(),
             subnet_name: "default".parse().unwrap(),
             ip: Some("172.30.0.10".parse().unwrap()),
+            transit_ips: vec![],
         },
         params::InstanceNetworkInterfaceCreate {
             identity: IdentityMetadataCreateParams {
@@ -2910,6 +2918,7 @@ async fn test_instance_update_network_interfaces(
             vpc_name: "default".parse().unwrap(),
             subnet_name: secondary_subnet.identity.name.clone(),
             ip: Some("172.31.0.11".parse().unwrap()),
+            transit_ips: vec![],
         },
     ];
 
@@ -3472,6 +3481,7 @@ async fn test_instance_with_multiple_nics_unwinds_completely(
         vpc_name: default_name.clone(),
         subnet_name: default_name.clone(),
         ip: Some("172.30.0.6".parse().unwrap()),
+        transit_ips: vec![],
     };
     let if1_params = params::InstanceNetworkInterfaceCreate {
         identity: IdentityMetadataCreateParams {
@@ -3481,6 +3491,7 @@ async fn test_instance_with_multiple_nics_unwinds_completely(
         vpc_name: default_name.clone(),
         subnet_name: default_name.clone(),
         ip: Some("172.30.0.7".parse().unwrap()),
+        transit_ips: vec![],
     };
     let interface_params =
         params::InstanceNetworkInterfaceAttachment::Create(vec![
diff --git a/nexus/tests/integration_tests/internet_gateway.rs b/nexus/tests/integration_tests/internet_gateway.rs
@@ -373,6 +373,7 @@ async fn test_setup(c: &ClientTestContext) {
             ip: None,
             subnet_name: "default".parse().unwrap(),
             vpc_name: VPC_NAME.parse().unwrap(),
+            transit_ips: vec![],
         },
     ]);
     let _inst = create_instance_with(
diff --git a/nexus/tests/integration_tests/subnet_allocation.rs b/nexus/tests/integration_tests/subnet_allocation.rs
@@ -47,6 +47,7 @@ async fn create_instance_expect_failure(
                 vpc_name: "default".parse().unwrap(),
                 subnet_name: subnet_name.parse().unwrap(),
                 ip: None,
+                transit_ips: vec![],
             },
         ]);
     let new_instance = params::InstanceCreate {
@@ -134,6 +135,7 @@ async fn test_subnet_allocation(cptestctx: &ControlPlaneTestContext) {
             vpc_name: "default".parse().unwrap(),
             subnet_name: SUBNET_NAME.parse().unwrap(),
             ip: None,
+            transit_ips: vec![],
         },
     ]);
 
diff --git a/nexus/tests/integration_tests/vpc_routers.rs b/nexus/tests/integration_tests/vpc_routers.rs
@@ -510,6 +510,7 @@ async fn test_vpc_routers_custom_delivered_to_instance(
                     vpc_name: vpc.name().clone(),
                     subnet_name: subnet_name.parse().unwrap(),
                     ip: Some(format!("192.168.{i}.10").parse().unwrap()),
+                    transit_ips: vec![],
                 },
             ]),
             vec![],
diff --git a/nexus/types/src/external_api/params.rs b/nexus/types/src/external_api/params.rs
@@ -923,6 +923,10 @@ pub struct InstanceNetworkInterfaceCreate {
     pub subnet_name: Name,
     /// The IP address for the interface. One will be auto-assigned if not provided.
     pub ip: Option<IpAddr>,
+    /// A set of additional networks that this interface may send and
+    /// receive traffic on.
+    #[serde(default)]
+    pub transit_ips: Vec<IpNet>,
 }
 
 /// Parameters for updating an `InstanceNetworkInterface`
diff --git a/openapi/nexus.json b/openapi/nexus.json
@@ -20586,6 +20586,14 @@
               }
             ]
           },
+          "transit_ips": {
+            "description": "A set of additional networks that this interface may send and receive traffic on.",
+            "default": [],
+            "type": "array",
+            "items": {
+              "$ref": "#/components/schemas/IpNet"
+            }
+          },
           "vpc_name": {
             "description": "The VPC in which to create the interface.",
             "allOf": [

Original file line number	Diff line number	Diff line change
`@@ -321,6 +321,7 @@ pub struct IncompleteNetworkInterface {`
`321`	`321`	`pub ip: Option<std::net::IpAddr>,`
`322`	`322`	`pub mac: Option<external::MacAddr>,`
`323`	`323`	`pub slot: Option<u8>,`
	`324`	`+ pub transit_ips: Vec<IpNetwork>,`
`324`	`325`	`}`
`325`	`326`
`326`	`327`	`impl IncompleteNetworkInterface {`
`@@ -334,6 +335,7 @@ impl IncompleteNetworkInterface {`
`334`	`335`	`ip: Option<std::net::IpAddr>,`
`335`	`336`	`mac: Option<external::MacAddr>,`
`336`	`337`	`slot: Option<u8>,`
	`338`	`+ transit_ips: Vec<IpNetwork>,`
`337`	`339`	`) -> Result<Self, external::Error> {`
`338`	`340`	`if let Some(ip) = ip {`
`339`	`341`	`subnet.check_requestable_addr(ip)?;`
`@@ -380,6 +382,7 @@ impl IncompleteNetworkInterface {`
`380`	`382`	`ip,`
`381`	`383`	`mac,`
`382`	`384`	`slot,`
	`385`	`+ transit_ips,`
`383`	`386`	`})`
`384`	`387`	`}`
`385`	`388`
`@@ -389,6 +392,7 @@ impl IncompleteNetworkInterface {`
`389`	`392`	`subnet: VpcSubnet,`
`390`	`393`	`identity: external::IdentityMetadataCreateParams,`
`391`	`394`	`ip: Option<std::net::IpAddr>,`
	`395`	`+ transit_ips: Vec<IpNetwork>,`
`392`	`396`	`) -> Result<Self, external::Error> {`
`393`	`397`	`Self::new(`
`394`	`398`	`interface_id,`
`@@ -399,6 +403,7 @@ impl IncompleteNetworkInterface {`
`399`	`403`	`ip,`
`400`	`404`	`None,`
`401`	`405`	`None,`
	`406`	`+ transit_ips,`
`402`	`407`	`)`
`403`	`408`	`}`
`404`	`409`
`@@ -420,6 +425,7 @@ impl IncompleteNetworkInterface {`
`420`	`425`	`Some(ip),`
`421`	`426`	`Some(mac),`
`422`	`427`	`Some(slot),`
	`428`	`+ vec![], // Service interfaces don't use transit_ips`
`423`	`429`	`)`
`424`	`430`	`}`
`425`	`431`
`@@ -440,6 +446,7 @@ impl IncompleteNetworkInterface {`
`440`	`446`	`ip,`
`441`	`447`	`mac,`
`442`	`448`	`None,`
	`449`	`+ vec![], // Probe interfaces don't use transit_ips`
`443`	`450`	`)`
`444`	`451`	`}`
`445`	`452`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4018,6 +4018,7 @@ mod tests {`
`4018`	`4018`	`description: "A NIC...".into(),`
`4019`	`4019`	`},`
`4020`	`4020`	`None,`
	`4021`	`+ vec![],`
`4021`	`4022`	`)`
`4022`	`4023`	`.unwrap(),`
`4023`	`4024`	`)`