The Openstack reference implementation supports two forms of NAT. One is referred to as floating IPs or 1:1 NAT which VPP and associated config seems to support adequately. The other in (openstack documentation) is referred to as SNAT and outside of openstack is typically called NAPT. The functionality is that all traffic (from any VM) on an internal/tenant network destined to the internet/wan gets source NATed to an address on the external network that was created in openstack and attached to that Openstack router. The configuration in Openstack to enable this is: "neutron router-gateway-set". As part of this command an specific address on the external network could be specified or Openstack will auto-assign from the external network range.

The are two use cases for this functionality. One use case has a single router per external network and thus the BVI and SNAT outside address (on the external network) can be in the same VRF (and possibly the global in the degenerate case).
The other use case shares the external network across multiple tenants and thus would require the tenants BVI be in one VRF while the SNAT's outside addresses (on the external network) be in the global VRF.
If desired these two use cases can be split into two different tickets (but the API used to configure the two cases should be consistent).

It is required in all use cases that VPP should have a means to respond to ARP requests for these SNAT addresses.

Notes: Figure are available if need to depict this pictorially