Welcome to part-5 of the multi-tenancy series. The last post of this series discussed distributed security in NSX Projects and how to implement DFW rules to allow inbound/outbound connection for the project workloads. In this post, I will discuss NSX Virtual Private Clouds (VPCs).

If you are not following along, you can read the earlier parts of this series from the below links:

1: NSX Multitenancy Introduction

2: Multitenancy Design Models

3: Creating NSX Projects

4: Distributed Security in NSX Project

NSX Virtual Private Clouds (VPCs)

NSX VPC is an abstraction layer that makes it easier to create self-contained virtual private cloud networks within an NSX Project so that networking and security services may be used in a self-service model.

This feature allows each tenant to define its own subnets, networking services, and firewall rules (DFW/Gateway). This simplifies network and security management, giving users a self-service model similar to public cloud environments. NSX VPCs implement strict workload separation and RBAC settings, thus, allowing the safe adoption of a self-service consumption model.

NSX VPC Benefits

NSX VPC is a robust solution for isolating, protecting, and controlling network resources in a private cloud environment and provides the following benefits:

• Simplified Network Consumption: Remove complex physical network settings. Virtual private clouds (VPCs) make it easier to deploy and configure virtual networks.
• Self-Service Model: Empower application owners with self-service network provisioning capabilities, allowing network administrators to focus on more strategic duties.
• Network Isolation: VPCs provide strong isolation between tenants, resulting in secure and independent network environments.
• Enhanced Security: Application owners gain the ability to create DFW rules for their applications only and enforce strict security by implementing micro-segmentation policies.
• Operational Efficiency: NSX Enterprise Admin enforces networking and security controls and monitors all VPCs from a centralized location. They also control networking resources through quotas for various projects or tenants.

NSX VPC Architecture

VPC adds a second level of tenancy to an NSX project, allowing for the creation of a hierarchical tenancy model. Multiple apps can be deployed and assigned to separate VPCs inside a project, allowing application owners to access infrastructure as needed.

NSX Multi-tenancy uses a two-tier data model under the hood: Infra and Org

• Infra-Tier: It is referred to as the Default space. This is a provider-controlled space that contains objects such as the tier-0 gateway, services, etc. 
• Org Tier:  Serves as a space for multi-tenancy objects. Tenants provision their resources in this tier. 

To implement multi-tenancy, the NSX Enterprise Admin creates NSX Projects and Projects Admin initially. The Project Admins then in turn create VPCs and other networking objects (subnets/gateways etc). To administer VPCs, the Project Admin creates VPC Admins and maps the admins to their respective VPCs. 

The below diagram taken from official Broadcom docs shows the high-level architecture of NSX VPC

Why Introduce VPCs in the NSX Multi-tenancy Framework?

The key to success in infrastructure delivery is the ability to automate the components required to deliver an application quickly and securely to cater to the demands of a fast-paced modern day business. NSX VPC solves this challenge by enabling application owners to deploy networking, security, and services in a self-service manner as per the architecture and policies established by the infrastructure team. 

The simplified NSX VPC management approach enables easier onboarding to the platform for a wider range of users, allowing them to fully experience the private cloud environment. For example, an application owner can now have a significant impact on the networking and security of his or her application by managing subnets, external connectivity, and both East-West and North-South protection.

Relationship Between NSX Project & VPC

NSX Project & VPC share a very tight relationship. The NSX Project serves as a container for resources and services, whereas VPCs are hierarchical object models that consist of child objects of projects. A VPC is a virtual environment that provides a safe and isolated place for workloads to run. A Project can contain one or more VPCs and the resources within a Project can be shared amongst several VPCs. 

Note: A Project can also contain zero VPC and still run workloads. 

The following diagram taken from official Broadcom docs shows two projects in the org. Project 1 contains 4 VPCs whereas Project 2 contains no VPCs.

 

And that’s it for this post. In the next post of this series, I will discuss VPC networking. Stay tuned!!!

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.