Updated Feb, 2021
With the release of vRealize Automation (vRA) 8.1, we are offering support for dedicated infrastructure multitenancy. This capability is enabled as a separate process in vRealize Suite Lifecycle Manager (LCM) once vRA is installed and configured. There is no requirement to enable tenancy. If tenancy is disabled, vRA 8.1 operates exactly as 8.0 did in terms of access and authorization. Organizations can choose whether or not to enable tenancy based on their need for the logical isolation that multitenancy provides.
Enabling tenancy creates a new Provider (default) organization. The Provider Admin creates new tenants, adds tenant admins, sets up directory synchronization, and adds users. Tenant admins can also control directory synchronization for their own tenant and grant users access to services within it. Additionally, tenant admins configure Policies, Governance, Cloud Zones, Profiles, and access to content and provisioned resources, all scoped to their tenant. A single shared SDDC or separate SDDCs can be used among tenants depending on available resources. In addition to their other privileges, Provider Admins can also act as Tenant Admins in any tenant.
Before enabling tenancy, there are a number of prerequisites covered in the product documentation. Once the prerequisites are out of the way, you enable tenancy in LCM. Be aware that creating the initial Provider (default) Organization changes the URL you use to access VMware Identity Manager (aka vIDM and VMware Workspace One Access), so plan for that before you start. The process to enable tenancy in vIDM and vRA takes about 30 minutes.
Once tenancy is enabled, you can add tenants, and so logical separation within vRA, from the Tenant Management portion of LCM. Clicking Add Tenant starts the tenant creation wizard. The tenant creation process includes naming the tenant, adding a tenant admin, and optionally syncing users from an external directory. Each tenant has its own unique configuration, including its tenant admin and, potentially, the directory DN to sync users from. Once the tenants are added, you can navigate back to Tenant Management and manage the configurations as shown in the screenshot below.
Clicking the Tenant Name opens the tenant management screen. Here you will have the option to add tenant admins either locally from the system directory or from an external directory such as Microsoft Active Directory. You can control product associations as well, although only vRA is supported currently.
As mentioned previously, tenancy allows admins to provide unique configurations on a per tenant basis. In the example below, different Projects have been created in each tenant to highlight the logical isolation available on a single installed vRA instance.
Provider administrators have the ability to share infrastructure by creating Virtual Private Zones (VPZs) and assigning them to Tenant Organizations. VPZs can be used in a single-tenant Organization as well, though today Cloud Zones and tags remain the preferred method for carving up capacity, allocating resources, and provisioning in a single-tenant Org. Logging in as the Provider Administrator, two options are present on the interface: Tenant Management and Virtual Private Zones. Think of a VPZ as a container of infrastructure capacity and services that is defined once and then allocated to a Tenant. The settings in each VPZ can only be changed by the Provider administrator; tenant admins consume a VPZ but cannot alter what it contains. In the screenshot, we can see what is included within the VPZ. You can add unique or shared cloud accounts, with associated compute, storage, networking, and tags, to each VPZ. Each component offers the same configuration options you would see for a standalone configuration. If you are familiar with setting up cloud zones and profiles in a typical vRA Organization, the experience is the same.
Clicking Tenant Management brings up a list of Tenant Organizations. Each Tenant can have one or more VPZs allocated.
Choosing a tenant displays its allocated VPZs and allows you to allocate additional ones. An allocated VPZ can be disabled, which prevents any further provisioning against it in that Tenant. Only once a VPZ is disabled can it be de-allocated and removed from the Tenant.
Once a VPZ is allocated to a Tenant, the Tenant Administrator can add that VPZ to Projects within their Tenant, and only to Projects within their Tenant. At this point, the VPZ behaves in a similar manner to a Cloud Zone. You can even set resource limits on it just as you would with a Cloud Zone.
The VPZ appears in the list of zones that have been configured and will be subject to the configurations and user permissions that are set within a Project.
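As an added illustration of the roles and rules described in the VPZ section above, the following Python model encodes them as explicit checks: only the Provider Admin can create, allocate, disable or de-allocate a VPZ; a Tenant Admin can only attach a VPZ that is allocated to their own tenant, and only to a Project in that tenant; provisioning requires the zone to be enabled, allocated to the requesting tenant, and present in the Project; and de-allocation is refused until the VPZ has been disabled. This is example code written for this page, not vRA's implementation. The class and method names, the error messages, and the assumption that a VPZ is allocated to at most one tenant at a time are all assumptions made for the model.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PROVIDER = "provider"  # the Provider (default) organization


class AuthorizationError(Exception):
    """Raised when an actor attempts an action outside their role or tenant."""


@dataclass
class VPZ:
    """Infrastructure capacity defined by the provider (model of a Virtual Private Zone)."""
    name: str
    cloud_account: str
    enabled: bool = True
    tenant: Optional[str] = None  # tenant it is allocated to; None if unallocated


@dataclass
class Project:
    tenant: str
    name: str
    zones: Set[str] = field(default_factory=set)  # VPZ names attached to the project


class TenancyModel:
    """Assumed reference model of the provider/tenant/VPZ authorization rules."""

    def __init__(self) -> None:
        self.admins: Dict[str, Set[str]] = {PROVIDER: set()}  # org -> admin users
        self.vpzs: Dict[str, VPZ] = {}
        self.projects: Dict[Tuple[str, str], Project] = {}  # (tenant, name) -> Project

    def _require_provider_admin(self, actor: str) -> None:
        if actor not in self.admins[PROVIDER]:
            raise AuthorizationError(f"{actor} is not a Provider Admin")

    def _require_tenant_admin(self, actor: str, tenant: str) -> None:
        if actor in self.admins[PROVIDER]:
            return  # Provider Admins can also act as Tenant Admins
        if actor not in self.admins.get(tenant, set()):
            raise AuthorizationError(f"{actor} is not a Tenant Admin of {tenant}")

    # Provider Admin operations: VPZ settings and allocation are provider-only.
    def add_provider_admin(self, user: str) -> None:
        self.admins[PROVIDER].add(user)

    def add_tenant(self, actor: str, tenant: str, tenant_admin: str) -> None:
        self._require_provider_admin(actor)
        self.admins.setdefault(tenant, set()).add(tenant_admin)

    def create_vpz(self, actor: str, name: str, cloud_account: str) -> None:
        self._require_provider_admin(actor)
        self.vpzs[name] = VPZ(name, cloud_account)

    def allocate_vpz(self, actor: str, vpz: str, tenant: str) -> None:
        self._require_provider_admin(actor)
        zone = self.vpzs[vpz]
        if zone.tenant not in (None, tenant):  # assumption: one tenant per VPZ
            raise AuthorizationError(f"{vpz} is already allocated to {zone.tenant}")
        zone.tenant = tenant

    def disable_vpz(self, actor: str, vpz: str) -> None:
        self._require_provider_admin(actor)
        self.vpzs[vpz].enabled = False  # blocks provisioning, keeps the allocation

    def deallocate_vpz(self, actor: str, vpz: str) -> None:
        self._require_provider_admin(actor)
        zone = self.vpzs[vpz]
        if zone.enabled:
            raise AuthorizationError(f"disable {vpz} before de-allocating it")
        for project in self.projects.values():  # remove it from the former tenant
            if project.tenant == zone.tenant:
                project.zones.discard(vpz)
        zone.tenant = None

    # Tenant Admin operations: scoped to the admin's own tenant.
    def create_project(self, actor: str, tenant: str, name: str) -> None:
        self._require_tenant_admin(actor, tenant)
        self.projects[(tenant, name)] = Project(tenant, name)

    def add_vpz_to_project(self, actor: str, tenant: str, project: str, vpz: str) -> None:
        self._require_tenant_admin(actor, tenant)
        if self.vpzs[vpz].tenant != tenant:
            raise AuthorizationError(f"{vpz} is not allocated to {tenant}")
        self.projects[(tenant, project)].zones.add(vpz)

    def can_provision(self, tenant: str, project: str, vpz: str) -> bool:
        zone = self.vpzs.get(vpz)
        proj = self.projects.get((tenant, project))
        return bool(zone and proj and zone.enabled and zone.tenant == tenant and vpz in proj.zones)


def demo() -> Dict[str, bool]:
    """Walk through the scenario from the text with constructed tenant and VPZ names."""
    m = TenancyModel()
    m.add_provider_admin("provider-admin")
    m.add_tenant("provider-admin", "tenant-a", "alice")
    m.add_tenant("provider-admin", "tenant-b", "bob")
    m.create_vpz("provider-admin", "vpz-west", "vcenter-01")
    m.allocate_vpz("provider-admin", "vpz-west", "tenant-a")
    m.create_project("alice", "tenant-a", "web")
    m.create_project("bob", "tenant-b", "web")
    m.add_vpz_to_project("alice", "tenant-a", "web", "vpz-west")
    results = {"tenant_a_ok": m.can_provision("tenant-a", "web", "vpz-west")}
    try:  # bob's tenant was never allocated vpz-west
        m.add_vpz_to_project("bob", "tenant-b", "web", "vpz-west")
        results["cross_tenant_blocked"] = False
    except AuthorizationError:
        results["cross_tenant_blocked"] = True
    try:  # de-allocation before disabling is refused
        m.deallocate_vpz("provider-admin", "vpz-west")
        results["deallocate_requires_disable"] = False
    except AuthorizationError:
        results["deallocate_requires_disable"] = True
    m.disable_vpz("provider-admin", "vpz-west")
    results["disabled_blocks_provisioning"] = not m.can_provision("tenant-a", "web", "vpz-west")
    m.deallocate_vpz("provider-admin", "vpz-west")
    results["removed_from_project"] = "vpz-west" not in m.projects[("tenant-a", "web")].zones
    return results


if __name__ == "__main__":
    print(demo())
```

The model makes one design point visible: the tenant boundary is enforced at allocation time by the Provider Admin, and the Tenant Admin's only lever is which of the already-allocated VPZs a Project may use. Any check a practitioner writes against a real deployment should verify the same two things, that a zone attached to a tenant's Project is allocated to that tenant and nothing else, and that a disabled zone cannot be provisioned against.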
Feb, 2021 Update
With vRA Cloud and vRA 8.3, Image and Flavor mappings are decoupled from the VPZ and allocated independently to Tenants under Tenant Management. If you have existing VPZs configured, the previous method of adding Images and Flavors still works. The new configuration options allow the Provider Admin to assign Images and Flavors to a single Tenant or to all Tenants, and tenant admins can then use those constructs for deployments within their Tenants. The setup of Images and Flavors within Tenant Management mirrors the setup of Images and Flavors under Infrastructure in vRA; the main functional difference between the two locations is that Tenant Management controls the allocation among tenants.
Summary
Tenancy offers the ability to create an additional layer of governance and isolation beyond what Projects have provided since the 8.0 release. The multitenancy capabilities in vRA 8.1 offer the flexibility and control organizations require, while maintaining the same user experience. With vRA 8.2, Provider Administrators can also share infrastructure with Tenant Admins through VPZs, providing a further level of logical isolation and control. For a deeper dive on how to install and configure multitenancy, check out this blog from VMware SE Maher AlAsfar.