Are you ready to provide services on VMware Cloud on AWS to smaller sized customers? VMware Cloud Director service’s Initial Availability launched on May 28, 2020, comes with offerings of asset-light VMware Cloud infrastructure to attract smaller customers. VMware Cloud Director service enables the provisioning of multiple Compute Gateways (CGW) in a single VMware Cloud on AWS SDDC instance. This capability allows the Cloud Director service to provide consistent, secure, isolated, and efficient multi-tenancy in VMC on AWS.
Achieving Multi-tenancy on VMware Cloud on AWS
Let’s review the Edge gateway types and networks, which creates network isolation for Cloud Director service within an SDDC instance and the workflows for actions you can perform to provide the tenant’s Edge gateway and its services. Then we’ll cover networking and security capabilities from the tenant portal of a VMware Cloud Director service instance.
Architecture
When you first deploy an SDDC instance on VMware Cloud on AWS, it comes with the following three gateways:
- Internet Gateway – The connectivity to AWS VPC, Internet, or Direct Connect passes through the internet gateway backed by an NSX-T Tier-0 Gateway.
- Management Gateway (MGW) – This gateway provides north-south connectivity for the management appliances running in the SDDC (such as vCenter Server, NSX, HCX, vRealize operations). These management appliances are connected through the management network.
- Compute Gateway (CGW) – The default Compute Gateway provides north-south connectivity for the workload virtual machines that are running in the provider infrastructure in SDDC. The network used to provide this connectivity is called the compute network.
Cloud Director service can deploy a new type of gateway in an SDDC instance called a Tier1 gateway. You can provision a unique Tier1 gateway from the VMware Cloud Director’s provider portal for each customer.
- Tier1 Gateway – These are the Edge Gateways in CDs provisioned by a provider enabling network isolation for the tenants. Each Tier1 gateway creates a separate routing domain for each tenant, thereby allowing Cloud Providers to host customers having overlapping IP subnets in the same SDDC instance. It assumes the role of the Edge gateway in the VMware Cloud Director’s provider portal.
FIGURE 1: Multi-gateway feature in VMware Cloud on AWS
From a management perspective, you can manage the internet, compute, and management gateways from the SDDC’s Networking and Security services page in the VMware Cloud on the AWS console. You can manage the Edge gateway from the Cloud Director service’s VCD provider portal.
FIGURE 2: VMware Cloud Director service architecture diagram for multi-tenancy
The customer creates and manages the organization VDC network (network 172.28.8.0/24 for Tenant A in the diagram) via the networking section in the tenant portal.
The customer can also create a DHCP service or define Static IP pools for an Organization VDC network. Edge gateway NAT (SNAT and DNAT) rules can be created to map external network IPs to Organization VDC network IPs. Edge firewall rules allow or block north-south traffic. Figure 2 and Figure 3 exemplifies each service with IP addresses.
FIGURE 3: Provider and Customer workflows in Cloud Director service
Another service the tenant can configure is the DNS forwarding service. When this is enabled, a DNS listener IP is assigned to the internal network segment of the Edge gateway. The tenant can use this IP as a DNS server IP address. An additional SNAT rule in the Tier1 gateway’s NAT table is created with an internal IP as DNS server IP and upstream server IP as an external IP address.
Ready to learn more about multi-tenant networking in VMware Cloud Director service? Download the white paper here.
To find out more information please head over to https://cloud.vmware.com/cloud-provider-hub/cloud-director-service
