Table of Contents
Welcome to part-5 of the multi-tenancy series. The last post of this series discussed distributed security in NSX Projects and how to implement DFW rules to allow inbound/outbound connection for the project workloads. In this post, I will discuss NSX Virtual Private Clouds (VPCs).
If you are not following along, you can read the earlier parts of this series from the below links:
1: NSX Multitenancy Introduction
4: Distributed Security in NSX Project
NSX Virtual Private Clouds (VPCs)
NSX VPC is an abstraction layer that makes it easier to create self-contained virtual private cloud networks within an NSX Project so that networking and security services may be used in a self-service model.
This feature allows each tenant to define its own subnets, networking services, and firewall rules (DFW/Gateway). This simplifies network and security management, giving users a self-service model similar to public cloud environments. NSX VPCs implement strict workload separation and RBAC settings, thus, allowing the safe adoption of a self-service consumption model.
NSX VPC Benefits
NSX VPC is a robust solution for isolating, protecting, and controlling network resources in a private cloud environment and provides the following benefits:
- Simplified Network Consumption: Remove complex physical network settings. Virtual private clouds (VPCs) make it easier to deploy and configure virtual networks.
- Self-Service Model: Empower application owners with self-service network provisioning capabilities, allowing network administrators to focus on more strategic duties.
- Network Isolation: VPCs provide strong isolation between tenants, resulting in secure and independent network environments.
- Enhanced Security: Application owners gain the ability to create DFW rules for their applications only and enforce strict security by implementing micro-segmentation policies.
- Operational Efficiency: NSX Enterprise Admin enforces networking and security controls and monitors all VPCs from a centralized location. They also control networking resources through quotas for various projects or tenants.
NSX VPC Architecture
VPC adds a second level of tenancy to an NSX project, allowing for the creation of a hierarchical tenancy model. Multiple apps can be deployed and assigned to separate VPCs inside a project, allowing application owners to access infrastructure as needed.
NSX Multi-tenancy uses a two-tier data model under the hood: Infra and Org
- Infra-Tier: It is referred to as the Default space. This is a provider-controlled space that contains objects such as the tier-0 gateway, services, etc.
- Org Tier: Serves as a space for multi-tenancy objects. Tenants provision their resources in this tier.
To implement multi-tenancy, the NSX Enterprise Admin creates NSX Projects and Projects Admin initially. The Project Admins then in turn create VPCs and other networking objects (subnets/gateways etc). To administer VPCs, the Project Admin creates VPC Admins and maps the admins to their respective VPCs.
The below diagram taken from official Broadcom docs shows the high-level architecture of NSX VPC
Why Introduce VPCs in the NSX Multi-tenancy Framework?
The key to success in infrastructure delivery is the ability to automate the components required to deliver an application quickly and securely to cater to the demands of a fast-paced modern day business. NSX VPC solves this challenge by enabling application owners to deploy networking, security, and services in a self-service manner as per the architecture and policies established by the infrastructure team.
The simplified NSX VPC management approach enables easier onboarding to the platform for a wider range of users, allowing them to fully experience the private cloud environment. For example, an application owner can now have a significant impact on the networking and security of his or her application by managing subnets, external connectivity, and both East-West and North-South protection.
Relationship Between NSX Project & VPC
NSX Project & VPC share a very tight relationship. The NSX Project serves as a container for resources and services, whereas VPCs are hierarchical object models that consist of child objects of projects. A VPC is a virtual environment that provides a safe and isolated place for workloads to run. A Project can contain one or more VPCs and the resources within a Project can be shared amongst several VPCs.
Note: A Project can also contain zero VPC and still run workloads.
The following diagram taken from official Broadcom docs shows two projects in the org. Project 1 contains 4 VPCs whereas Project 2 contains no VPCs.
And that’s it for this post. In the next post of this series, I will discuss VPC networking. Stay tuned!!!
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.