As CSPs expand their physical footprint, the total cost of ownership of the physical infrastructure they manage rises, which makes sharing resources such as compute, storage and networks a primary requirement. A multi-tenant solution lets CSPs maximize resource efficiency while enhancing security. This blog explores how CSPs can use multi-tenancy in VMware Telco Cloud Platform Advanced to address the multifaceted requirements of a telecommunications network.
VMware Telco Cloud Platform Advanced lets CSPs provision dedicated services for each customer on the same physical infrastructure through multi-tenancy. This allows for:
- Flexible resource provisioning – Resources are allocated to and scaled for each tenant as requirements change, maintaining application availability.
- Improved resource utilization – Because several tenants share the same physical infrastructure, CSPs use their physical resources more efficiently, which helps reduce CapEx.
- Enhanced security posture – Each tenant is logically separated, and separate users per tenant with Role-Based Access Control (RBAC) restrict each user to their own tenant; the rest of this post shows where that separation is enforced at the networking and virtual data center layers.
VMware Telco Cloud Platform Advanced delivers modular, multi-vendor, multi-domain, and hybrid execution environments, together with orchestration of the deployment, management, and operation of network functions and services. Two of the platform components that deliver multi-tenancy are VMware Telco Cloud Automation, the platform’s orchestrator, and VMware Cloud Director, the platform’s virtual infrastructure manager.
By using logical constructs called “Tenants” in VMware Telco Cloud Automation and “Organizations” in VMware Cloud Director, a CSP ensures logical isolation between different customers’ network functions or, in some cases, between different customers.
The use case considered for this blog is two customers, A and B, who consume the CSP’s platform service to host their network functions. The CSP starts by creating the networking constructs required for each customer in VMware NSX, then creates “Organizations” in VMware Cloud Director. This is followed by creating “Tenants” in Telco Cloud Automation and finally onboarding and instantiating a 3-tier application as the network function, in the form of Virtual Network Functions (VNFs) and Cloud-Native Network Functions (CNFs). Figures 1 and 2 show the multi-tenancy architecture used in this example.
Figure 1: CNF Multi-Tenancy using VMware Telco Cloud Automation
Figure 2: VNF Multi-Tenancy using VMware Telco Cloud Automation and VMware Cloud Director
Procedure
We assume that the following has already been completed for this demo:
- Two VMware vSphere clusters of ESXi hosts with vSAN enabled have been set up; they serve as the infrastructure layer for hosting network functions.
- VMware NSX, VMware Cloud Director and VMware Telco Cloud Automation have been installed.
- VMware vCenter has been registered with VMware NSX, and the basic NSX setup (preparing the ESXi clusters, creating transport zones, edge nodes, edge clusters and the required segments) is complete.
- RabbitMQ has been installed and registered with VMware Cloud Director as its AMQP broker, which VMware Telco Cloud Automation requires in order to integrate with VMware Cloud Director.
- VMware vSphere has been onboarded as a Virtual Infrastructure Manager (VIM) in VMware Telco Cloud Automation, and a VMware Tanzu Kubernetes Grid management cluster is in place.
Figure 3 below shows the topology used to complete the VMware NSX and VMware Cloud Director multi-tenancy configuration for customers A and B.
Figure 3: VMware Cloud Director and VMware NSX Multi-Tenancy
Networking setup
The VMware NSX configuration required for a multi-tenant setup is as follows:
- Once the basic setup is ready, the CSP logs in to VMware NSX and creates a common Tier-0 gateway. Navigate to Networking > Tier-0 Gateways > Add Gateway > Tier-0, enter a name, select the edge cluster and click Save.
Figure 4: Create common Tier-0 Gateway
- The Tier-0 gateway is then edited to add two External and Service Interfaces (one per customer), each on a VLAN segment with an IP address from that VLAN. These are the addresses used as next hops by the connected Tier-1 gateways and by the external network when routing traffic to and from the network functions.
Figure 5: Add service interfaces to Tier-0 gateway
- Next, a VRF Tier-0 gateway is created for each customer so that customer-specific traffic gets its own routing table while still sharing the common Tier-0 gateway. Navigate to Add Gateway > VRF, enter a name and select the common Tier-0 gateway as the parent.
Figure 6: Create VRF Gateway
- The CSP then creates the external interfaces on each VRF gateway on a VLAN segment, making sure the VLANs used by the VRF gateway interfaces do not overlap with those used by the common Tier-0 gateway interfaces. A unique VLAN per VRF gateway keeps each customer’s north-south traffic on its own VLAN segment.
Figure 7: Add service interfaces to VRF Gateway
- A static route for outbound traffic is added on each VRF gateway; its next hop must be an IP address reachable from the VRF gateway’s external interface, so that traffic leaving the VRF follows that customer’s own path.
Figure 8: Static route for outbound traffic
The above steps are performed once for customer A and once for customer B, as shown in Figure 9. Optionally, NAT can be configured on the VRF gateways, depending on the networking setup of the environment.
Figure 9: Tier-0 Gateway UI showcasing 1 T0 and 2 VRF Gateways
- The CSP then creates two Tier-1 gateways, which isolate East-West traffic so that one customer’s traffic stays within its own Tier-1 gateway domain. Navigate to Networking > Tier-1 Gateways > Add Tier-1 Gateway, enter a name, select that customer’s VRF Tier-0 gateway and the edge cluster, and enable route advertisement so that the network functions’ routes are populated upstream. Note that separate VRFs and Tier-1 gateways separate routing domains; they do not inspect or filter traffic, so any per-tenant firewall policy still has to be configured separately.
Figure 10: Create Tier-1 Gateway for each customer
Figure 11: Tier-1 Gateway UI showing 2 Tier-1 Gateways
- The CSP creates a segment for each customer; the segment is later attached to that customer’s network functions to give them network connectivity. Navigate to Networking > Segments > NSX > Add Segment, enter a name, connect the segment to the specific customer’s Tier-1 gateway, select the overlay transport zone and provide an internal subnet. Optionally, DHCP can be configured, depending on the network function requirements.
Figure 12: Create Segment for each customer
Figure 13: Segment UI showing Overlay Segments created for each customer
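The UI steps above create, per customer, the same handful of NSX objects in a fixed order: VLAN segments for the gateway interfaces, an interface on the common Tier-0, a VRF gateway with its external interface and static route, a Tier-1 gateway, and an overlay segment. The script below is an added example (not code from the original post) that emits those objects as NSX Policy API requests and checks the two isolation rules the steps rely on: no VLAN shared between Tier-0 and VRF interfaces, and a static-route next hop that is actually reachable from the VRF’s external interface. It also flags overlapping overlay subnets between customers, since this design gives each customer a distinct internal subnet. Object IDs, VLAN numbers, addresses and the edge-cluster, edge-node and transport-zone paths are placeholder assumptions; the URL paths and body fields follow the NSX Policy API object model (Tier0 with vrf_config, Tier0Interface, StaticRoutes, Tier1, Segment) and should be confirmed against the API reference for the NSX version in use before the output is replayed with an HTTP client.

```python
"""Per-tenant NSX Policy API objects for the multi-tenant networking steps.

Added example, not code from the original post. All IDs, VLANs, addresses and
the <...> path components are placeholders to be replaced for a real environment.
"""
import ipaddress
import itertools
import json
from dataclasses import dataclass

BASE = "/policy/api/v1/infra"
COMMON_T0 = "common-t0"
SITE = "/infra/sites/default/enforcement-points/default"
EDGE_CLUSTER = f"{SITE}/edge-clusters/<edge-cluster-uuid>"
EDGE_NODE = f"{EDGE_CLUSTER}/edge-nodes/<edge-node-index>"
OVERLAY_TZ = f"{SITE}/transport-zones/<overlay-tz-uuid>"
VLAN_TZ = f"{SITE}/transport-zones/<vlan-tz-uuid>"


@dataclass(frozen=True)
class Tenant:
    name: str
    t0_vlan: int       # VLAN of this customer's interface on the common Tier-0 (Figure 5)
    t0_if_ip: str      # address of that interface, CIDR form
    vrf_vlan: int      # VLAN of the VRF gateway's external interface (Figure 7)
    vrf_if_ip: str     # address of that interface, CIDR form
    next_hop: str      # next hop of the VRF's outbound static route (Figure 8)
    segment_cidr: str  # overlay subnet handed to the network functions (Figure 12)


def _subnets(ip_cidr: str) -> list:
    """Tier0Interface 'subnets' entry for an address given in CIDR form."""
    addr = ipaddress.ip_interface(ip_cidr)
    return [{"ip_addresses": [str(addr.ip)], "prefix_len": addr.network.prefixlen}]


def tenant_objects(t: Tenant) -> list:
    """(method, url, body) triples for one customer, in the order they are applied."""
    vrf, t1 = f"vrf-{t.name}", f"t1-{t.name}"
    net = ipaddress.ip_network(t.segment_cidr)
    gateway = f"{next(net.hosts())}/{net.prefixlen}"  # first host is the segment gateway
    return [
        ("PUT", f"{BASE}/segments/vlan-t0-{t.name}",
         {"resource_type": "Segment", "transport_zone_path": VLAN_TZ, "vlan_ids": [str(t.t0_vlan)]}),
        ("PUT", f"{BASE}/tier-0s/{COMMON_T0}/locale-services/default/interfaces/if-{t.name}",
         {"resource_type": "Tier0Interface", "type": "EXTERNAL", "edge_path": EDGE_NODE,
          "segment_path": f"/infra/segments/vlan-t0-{t.name}", "subnets": _subnets(t.t0_if_ip)}),
        ("PUT", f"{BASE}/tier-0s/{vrf}",  # VRF gateway parented to the common Tier-0
         {"resource_type": "Tier0", "display_name": vrf,
          "vrf_config": {"tier0_path": f"/infra/tier-0s/{COMMON_T0}"}}),
        ("PUT", f"{BASE}/tier-0s/{vrf}/locale-services/default",  # edge cluster inherited from parent
         {"resource_type": "LocaleServices"}),
        ("PUT", f"{BASE}/segments/vlan-vrf-{t.name}",
         {"resource_type": "Segment", "transport_zone_path": VLAN_TZ, "vlan_ids": [str(t.vrf_vlan)]}),
        ("PUT", f"{BASE}/tier-0s/{vrf}/locale-services/default/interfaces/ext",
         {"resource_type": "Tier0Interface", "type": "EXTERNAL", "edge_path": EDGE_NODE,
          "segment_path": f"/infra/segments/vlan-vrf-{t.name}", "subnets": _subnets(t.vrf_if_ip)}),
        ("PUT", f"{BASE}/tier-0s/{vrf}/static-routes/default",
         {"resource_type": "StaticRoutes", "network": "0.0.0.0/0",
          "next_hops": [{"ip_address": t.next_hop, "admin_distance": 1}]}),
        ("PUT", f"{BASE}/tier-1s/{t1}",  # advertises connected segments into the VRF
         {"resource_type": "Tier1", "display_name": t1, "tier0_path": f"/infra/tier-0s/{vrf}",
          "route_advertisement_types": ["TIER1_CONNECTED"]}),
        ("PUT", f"{BASE}/tier-1s/{t1}/locale-services/default",
         {"resource_type": "LocaleServices", "edge_cluster_path": EDGE_CLUSTER}),
        ("PUT", f"{BASE}/segments/seg-{t.name}",
         {"resource_type": "Segment", "transport_zone_path": OVERLAY_TZ,
          "connectivity_path": f"/infra/tier-1s/{t1}", "subnets": [{"gateway_address": gateway}]}),
    ]


def check_isolation(tenants: list) -> list:
    """Violations of the isolation rules stated in the steps; an empty list means clean."""
    problems, seen_vlans = [], {}
    for t in tenants:
        for role, vlan in (("common Tier-0 interface", t.t0_vlan), ("VRF interface", t.vrf_vlan)):
            owner = seen_vlans.setdefault(vlan, f"{t.name} {role}")
            if owner != f"{t.name} {role}":
                problems.append(f"VLAN {vlan} is used by both {owner} and {t.name} {role}")
        # the default route only works if its next hop sits on the VRF's external subnet
        if ipaddress.ip_address(t.next_hop) not in ipaddress.ip_interface(t.vrf_if_ip).network:
            problems.append(f"{t.name}: next hop {t.next_hop} is not on the VRF interface subnet {t.vrf_if_ip}")
    for a, b in itertools.combinations(tenants, 2):
        if ipaddress.ip_network(a.segment_cidr).overlaps(ipaddress.ip_network(b.segment_cidr)):
            problems.append(f"overlay subnets of {a.name} and {b.name} overlap")
    return problems


# Constructed sample data for customers A and B (placeholder VLANs and documentation prefixes).
TENANTS = [
    Tenant("a", 101, "192.0.2.2/29", 201, "198.51.100.2/29", "198.51.100.1", "10.10.0.0/24"),
    Tenant("b", 102, "192.0.2.10/29", 202, "198.51.100.10/29", "198.51.100.9", "10.20.0.0/24"),
]

if __name__ == "__main__":
    for problem in check_isolation(TENANTS):
        print("ISOLATION:", problem)
    for method, url, body in (o for t in TENANTS for o in tenant_objects(t)):
        print(method, url)
        print(json.dumps(body, indent=2))
```

Running the script prints the request list for both customers; run `check_isolation` before applying anything, since a reused VLAN or an unreachable next hop silently collapses the per-customer separation the rest of the post builds on.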
Configure VMware Cloud Director
VMware Cloud Director aggregates physical data center resources and presents them as multiple logical data centers to customers. This allows a CSP to serve each of these logical data centers as a stand-alone environment for their customers and allocate the resources on demand.
VMware Cloud Director provides multi-tenancy using a logical construct called “Organization” that allows creating logical separation for each customer and provides them with access to physical resources either using separate resource pools within the same physical cluster or using separate clusters. For this demo, we assume that VMware vCenter and VMware NSX have already been integrated with VMware Cloud Director.
- The CSP starts by logging in to VMware Cloud Director and creating a Geneve-backed network pool for the provider VDC (Virtual Data Center). Navigate to Resources > Cloud Resources > Network Pools > New, select the integrated NSX Manager and the overlay transport zone.
Figure 14: Creating a new Network Pool in VMware Cloud Director
- This is followed by creating a provider VDC for each customer, each backed by a separate vSphere cluster, so that each customer’s network functions run on their own physical cluster.
A provider VDC is a virtual data center built from the physical resources of a single vCenter resource pool together with the storage of one or more datastores attached to that resource pool. The CSP creates provider VDCs as the sources of physical resources for the different customers.
This can be achieved by navigating to Resources > Cloud Resources > Provider VDCs > New and providing the name, selecting the vCenter server that provides the physical resources, the available resource pool, the storage policy for the provider VDC followed by the network pool created in the previous step.
Figure 15: Create a new provider VDC
Figure 16: Provider VDC UI showing a provider VDC for each customer
While provider VDCs are the pools from which the service provider allocates resources, organizations in VMware Cloud Director are the logical tenants that isolate network functions, and organization VDCs are the virtual data centers allocated to those organizations.
- The CSP creates an organization for each customer by navigating to Resources > Cloud Resources > Organizations > New.
Figure 17: Create a new Organization
Figure 18: Organizations UI showing an Organization created for each customer
The next step is to create an organization VDC. An organization VDC is a slice of a provider VDC’s resources carved out and allocated to an organization for its use.
- The organization VDC is created by navigating to Resources > Cloud Resources > Organization VDCs > New, entering a name, associating the organization and the provider VDC created for that customer, selecting the allocation model along with the allocated and guaranteed resource levels, and selecting the storage policy and the network pool.
Figure 19: Create a new organization VDC
Figure 20: Organization VDCs UI showing an Org VDC created for each customer
- The overlay segment created for each customer in VMware NSX is then imported into that customer’s organization VDC so that Virtual Network Functions (VNFs) can use it for network connectivity. Navigate into the specific organization, then to Networking > Networks > New; select the current organization VDC as the scope, set the network type to Imported > NSX-T logical switch, select the overlay segment created for that customer, and provide a static IP pool from which the network functions are assigned addresses.
Figure 21: Import VMware NSX Segment into VMware Cloud Director Organization
This step is performed for each organization so that both customer organizations have a segment to use for their network functions. Importing only the customer’s own segment is what keeps the organization’s network attached to that customer’s Tier-1 gateway and VRF.
- Each customer then creates a catalog in their organization to store the VNF template OVA files that VMware Telco Cloud Automation uses when instantiating VNFs. Log in to the organization, navigate to Libraries > Catalogs > New and enter a name for the catalog. Catalogs are scoped to the organization; leave them unshared and unpublished so that one customer’s templates are not visible to another.
Figure 22: Create new catalog
- Each customer then uploads their VNF OVA files to their catalog, as shown in Figure 23.
Figure 23: VNF OVA files uploaded to VMware Cloud Director catalog
- Finally, a user is created in each organization by navigating to Administration > Users > New, entering the required details and selecting “Organization Administrator” as the role. This account’s rights stop at the organization boundary, which is what provides the per-tenant RBAC mentioned earlier; provider-level (System Administrator) credentials are never handed to a tenant.
Figure 24: Create a user in organization VDC for the customer
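The Cloud Director steps and the earlier NSX steps only give tenant isolation when they line up: each organization VDC must sit on its own cluster, must import only the segment whose Tier-1 gateway is parented to that customer’s VRF, and must have its own Organization Administrator. Nothing in either UI enforces that cross-layer consistency, so the following added example (not code from the original post) audits it. The two dictionaries are constructed to mirror what the steps above create, with placeholder names; in practice they would be filled from the NSX and Cloud Director inventories.

```python
"""Cross-check the Cloud Director tenant layout against the NSX topology.

Added example, not code from the original post. NSX and VCD below are
constructed inventories with placeholder names that mirror the steps in the post.
"""
from collections import defaultdict

# NSX side: which Tier-1 each overlay segment connects to, and which VRF each Tier-1 is parented to.
NSX = {
    "tier1_parent": {"t1-a": "vrf-a", "t1-b": "vrf-b"},
    "segment_tier1": {"seg-a": "t1-a", "seg-b": "t1-b"},
}

# Cloud Director side: tenant-to-VRF mapping, provider VDC backing clusters, org VDCs and users.
VCD = {
    "tenant_vrf": {"org-a": "vrf-a", "org-b": "vrf-b"},
    "provider_vdc_cluster": {"pvdc-a": "cluster-01", "pvdc-b": "cluster-02"},
    "org_vdcs": {
        "ovdc-a": {"org": "org-a", "pvdc": "pvdc-a", "imported": ["seg-a"]},
        "ovdc-b": {"org": "org-b", "pvdc": "pvdc-b", "imported": ["seg-b"]},
    },
    "users": [
        {"name": "a-admin", "org": "org-a", "role": "Organization Administrator"},
        {"name": "b-admin", "org": "org-b", "role": "Organization Administrator"},
    ],
}


def segment_owner(nsx: dict, segment: str):
    """VRF that an overlay segment ultimately hangs off, or None if it is unattached."""
    t1 = nsx["segment_tier1"].get(segment)
    return nsx["tier1_parent"].get(t1) if t1 else None


def audit(nsx: dict, vcd: dict) -> list:
    """Findings that break tenant isolation; an empty list means the layout is consistent."""
    findings = []
    orgs_on_cluster = defaultdict(set)
    admins = defaultdict(int)

    for ovdc, spec in vcd["org_vdcs"].items():
        org = spec["org"]
        orgs_on_cluster[vcd["provider_vdc_cluster"][spec["pvdc"]]].add(org)
        for seg in spec["imported"]:
            owner = segment_owner(nsx, seg)
            if owner != vcd["tenant_vrf"].get(org):
                findings.append(f"{ovdc} ({org}) imports {seg}, routed by {owner}, not by {org}'s VRF")

    # one physical cluster per customer, as in the provider VDC step
    for cluster, orgs in orgs_on_cluster.items():
        if len(orgs) > 1:
            findings.append(f"cluster {cluster} backs org VDCs of several tenants: {sorted(orgs)}")

    # every tenant needs its own org-scoped administrator
    for user in vcd["users"]:
        if user["role"] == "Organization Administrator":
            admins[user["org"]] += 1
    for org in vcd["tenant_vrf"]:
        if admins[org] == 0:
            findings.append(f"{org} has no Organization Administrator")
    return findings


if __name__ == "__main__":
    for finding in audit(NSX, VCD) or ["tenant layout is consistent"]:
        print(finding)
```

The audit is cheap enough to run after every onboarding; the segment check is the one most worth keeping, because importing the wrong segment into an organization quietly puts a tenant’s workloads behind another tenant’s Tier-1 gateway without any error in either UI.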
Conclusion
In this post, we described the process of setting up a multi-tenant environment using VMware NSX and VMware Cloud Director, with the emphasis on “Organizations” in VMware Cloud Director for VNF lifecycle management in a multi-tenant setup. This allows a CSP to give each customer isolated physical resources and an isolated routing domain, which improves both security and resource availability.
In the next part of this blog series, we intend to showcase the process of using VMware Cloud Director with VMware Telco Cloud Automation for a multi-tenant VNF and CNF lifecycle management setup. We will onboard and instantiate a sample VNF and CNF in the isolated environments of multiple customers and showcase the power of multi-tenancy through VMware Telco Cloud Platform.