Currently we have two options to link two PODs, using VLAN Spanning (which allows secondary IP addresses to be created on servers to bypass VLAN separation on Vyatta), or using a VPN over public interface (which makes DDOS attacks possible).
I would like to propose that Transit VLAN spanning be developed, to allow spanning between all transit VLANs in the account. This would enable connection between Vyatta gateways, but all other servers would only be able to access other VLANs via the Vyatta managing the traffic. This should be possible to automate, as Bluemix Infrastructire already knows which VLANs are transit VLANs (can have only Vyatta gateways on them) and which are not (can have servers on them).
This would avoid diffcult questions with Enterprise customer security, who currently have to choose between ability for administrators to bypass security, or using public interfaces for communication. It is hard to ascertain how many users are impacted, as this affects instead whole accounts, and I've certainly had to have this conversation with a dozen or so accounts in the last year.
NOTICE TO EU RESIDENTS: per EU Data Protection Policy, if you wish to remove your personal information from the IBM ideas portal, please login to the ideas portal using your previously registered information then change your email to "firstname.lastname@example.org" and first name to "anonymous" and last name to "anonymous". This will ensure that IBM will not send any emails to you about all idea submissions