Multi-Tenancy with vCloud Director and NSX-T

This blog post walks through the steps to achieve secure multi-tenancy with vCloud Director and
NSX-T. The reference topology below is used to show the network resource isolation. For example, as
shown below, we will create two tenants: Tenant A with two VMs and Tenant B with one VM.

Network isolation is achieved with the advanced networking capabilities of NSX-T Data Center, which provides
fully isolated and secure traffic paths across workloads and the tenant switch and routing fabric. As described
in Multi-Tenancy Design Objectives, NSX-T Data Center introduces a two-tiered routing architecture that enables
the management of networks at the provider (Tier-0) and tenant (Tier-1) tiers. As shown in the reference topology
above, a provider routing tier is attached to the physical network for North-South traffic, while the tenant
routing context can connect to the provider Tier-0 and manage East-West communications. In vCloud
Director, each Organization VDC has a single Tier-1 distributed router that provides the intra-tenant
routing capabilities.

 
Step 1: From the vCloud Director Admin Portal, create two Organizations, one for each tenant, Tenant A and
Tenant B.

Step 2: Create two Organization VDCs, one for each tenant, Tenant A and Tenant B, using the wizard as
follows:

Step 3: Create two logical switches using overlay networks and two uplink logical switches using VLAN on
NSX-T, one for each tenant, Tenant A and Tenant B.

Step 4: Create two Tier-0 routers on NSX-T, one for each tenant, Tenant A (High-availability Mode as
Active-Active) and Tenant B (High-availability Mode as Active-Standby).

Step 5: Create two Tier-1 routers on NSX-T, one for each tenant, Tenant A and Tenant B.

Step 6: Create uplink router ports on NSX-T for each of the Tier-0 routers, so that the virtual machines of
both tenants, Tenant A and Tenant B, connect using the uplink logical switches created earlier.

Step 7: Enable Route-Redistribution and create a new redistribution criteria to allow the T0 and T1 sources
for each of the Tier-0 routers, for both tenants, Tenant A and Tenant B.

Step 8: Create downlink ports for each of the Tier-1 routers, which will be used as the gateway for the
virtual machines of both tenants, Tenant A and Tenant B, using the logical switches created earlier.

Step 9: From the vCloud Director Tenant portal of each tenant, import the logical networks corresponding to
that tenant created in NSX-T and add static IP pools in that subnet.

Step 10: Create a new vApp for Tenant A by adding its two virtual machines, as per the reference
topology.

Step 11: Add the networks imported from NSX-T into the vApp.

Step 12: For each VM in the vApp (for example, VM-1 in Tenant A), edit the network settings to select the
newly added network and the static IP pool we created earlier.

Step 13: Power on the vApp and repeat steps 9-12 for Tenant B.

Step 14: Now verify the connectivity between virtual machines in Tenant-A. Results show a successful ping
between VM-1 and VM-2 in Tenant-A.

Step 15: Now verify the connectivity between virtual machines in Tenant-A and Tenant-B. Results show that
the ping between the VMs in Tenant-A and the VM in Tenant-B fails, confirming secure multi-tenancy between
the tenants.
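
The checks in Steps 14 and 15 can be compared against the intended design with a small model of the attachments built in Steps 3 to 12. This is an added example, not code from the original post: all object names and the observed ping results are constructed, and the model covers only the NSX-T fabric, not the physical network beyond the uplink switches.

```python
from collections import defaultdict

# Constructed inventory mirroring the reference topology; every name is hypothetical.
# Each pair is an attachment: VM -> overlay switch -> Tier-1 -> Tier-0 -> VLAN uplink switch.
LINKS = [
    ("tenantA/VM-1", "ls-a"), ("tenantA/VM-2", "ls-a"), ("tenantB/VM-1", "ls-b"),
    ("ls-a", "t1-a"), ("ls-b", "t1-b"),
    ("t1-a", "t0-a"), ("t1-b", "t0-b"),
    ("t0-a", "uplink-a"), ("t0-b", "uplink-b"),
]

def reachable(links, start):
    """All nodes connected to `start` inside the modelled NSX-T fabric."""
    graph = defaultdict(set)
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    seen, stack = {start}, [start]
    while stack:
        for nxt in graph[stack.pop()] - seen:
            seen.add(nxt)
            stack.append(nxt)
    return seen

def vms(links):
    return sorted({n for pair in links for n in pair if "/" in n})

def expected_matrix(links):
    """{(src, dst): True if a ping should succeed} for every ordered VM pair."""
    return {(s, d): d in reachable(links, s)
            for s in vms(links) for d in vms(links) if s != d}

def cross_tenant_paths(links):
    """VM pairs from different tenants that share a path: isolation violations."""
    return sorted((s, d) for (s, d), ok in expected_matrix(links).items()
                  if ok and s.split("/")[0] != d.split("/")[0])

def mismatches(links, observed):
    """Observed ping results (Steps 14-15) that disagree with the design."""
    want = expected_matrix(links)
    return sorted(pair for pair, ok in observed.items() if want[pair] != ok)

if __name__ == "__main__":
    # Constructed results matching Steps 14 and 15 of the post.
    observed = {("tenantA/VM-1", "tenantA/VM-2"): True,
                ("tenantA/VM-1", "tenantB/VM-1"): False,
                ("tenantA/VM-2", "tenantB/VM-1"): False}
    print("cross-tenant paths:", cross_tenant_paths(LINKS))
    print("mismatches:", mismatches(LINKS, observed))
    # Misconfiguration: Tenant B's Tier-1 attached to Tenant A's Tier-0.
    bad = [l for l in LINKS if l != ("t1-b", "t0-b")] + [("t1-b", "t0-a")]
    print("after mis-attachment:", cross_tenant_paths(bad))
```

With the per-tenant Tier-0 and Tier-1 routers in place the model reports no cross-tenant path; attaching Tenant B's Tier-1 to Tenant A's Tier-0 makes every cross-tenant VM pair reachable.
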

Detailed step-by-step demos can be found on the Telco YouTube channel:

This entry was posted in NFV Deployments, Telco, Telco NFV, VMware vCloud NFV on May 15, 2020 by mmahmoodi.
