Home > Blogs > VMware Telco Cloud Blog


Multi-Tenancy with vCloud Director and NSX-T

This blog post walks through the steps on how to achieve secure multi-tenancy with vCloud Director and NSX-T.  The below reference topology is used to show the network resource isolation. For example, as shown below we will create 2 Tenants, Tenant A with two VMs and Tenant B with one VM.

Network isolation is achieved with the advanced networking capabilities of NSX-T Data Center that provides a fully-isolated and secure traffic paths across workloads and tenant switch and routing fabric. As described in Multi-Tenancy Design Objectives, NSX-T Data Center introduces a two-tiered routing architecture enabling the management of networks at the provider (Tier-0) and tenant (Tier-1) tiers. As shown in reference topology above, a provider routing tier is attached to the physical network for North-South traffic, while the tenant routing context can connect to the provider Tier-0 and manage East-West communications. In vCloud Director, each Organization VDC will have a single Tier-1 distributed router that provides the intra-tenant routing capabilities.

 

Step1: From vCloud Director Admin Portal create two Organizations one for each Tenant, Tenant A and Tenant B.

Step 2: Create two Organization VDCs one for each Tenant, Tenant A and Tenant B using the wizard as follows:

Step 3: Create two Logical switches using overlay networks and two uplink logical switches using VLAN on NSX-T one for each Tenants, Tenant A and Tenant B.

Step 4: Create two Tier-0 routers on NSX-T one for each Tenants, Tenant A (High-availability Mode as Active-Active) and Tenant B (High-availability Mode as Active-Standby).

 

Step 5: Create two Tier-1 routers on NSX-T one for each Tenants, Tenant A & Tenant B.

Step 6: Create uplink router ports on NSX-T for each of the Tier-0 routers, for both Tenants, Tenant A and Tenant B virtual machines to connect using the uplink logical switches created earlier.

Step 7:  Enable Route-Redistribution and create a new redistribution-criteria to allow the T0 & T1 sources for each of the Tier-0 routers, for both Tenants, Tenant A and Tenant B.

Step 8: Create downlink ports for each of the Tier-1 routers which will be used as gateway for both Tenants, Tenant A and Tenant B virtual machines using the logical switches created earlier.

Step 9: From the vCloud Director Tenant portals of each Tenants import the logical networks corresponding to each Tenant created in NSX-T and add static IP Pools in that subnet.

Step 10: Create a new vApp for Tenant A by adding two virtual machines for each Tenants as per reference topology.

Step 11: Add the networks imported from NSX-T into vApp.

Step 12: For each VM in vApp, edit the Network settings for VM-1 in Tenant A to select the newly added network and Static IP pool we created earlier.

Step 13: Power on the vApp and repeat steps 9 -12 for Tenant B.

Step 14: Now verify the connectivity between virtual machines in Tenant-A. Results show a successful ping between VM-1 and VM-2 in Tenant-A.

Step 15: Now verify the connectivity between virtual machines in Tenant-A and Tenant-B. Results show that ping between VMs in Tenant-A and VM in Tenant-B fails confirming secure multi-tenancy between the Tenants.

Detailed step by step demos can be found on the Telco YouTube channel:

 

Leave a Reply

Your email address will not be published. Required fields are marked *