Saravanan V is a consultant at VMware, serving the Telco industry and focusing on Kubernetes and VMware solutions. He has 11 years of experience in multiple technologies, including NFV, Virtualization/Cloud, and SDN. In those 11 years, Saravanan has held several different roles: system administration, technical support, and Telco consultant.
What is Multi Tenancy?
When multiple customers request multiple services, each customer is treated as a tenant, and multi-tenant concepts evolved to serve these customers. It is all about sharing the infrastructure in the data center. To be more specific, tenants can be different customers, or different teams in the same organization (Sales team, HR team, Development team, Production team, etc.).
A multi-tenant architecture is based on central administration, and involves a common code application, operating common instance(s) of applications for multiple tenants. It also secures the private data of each tenant from the others.
Why Multi Tenancy?
Multi-tenancy comes into the picture when we want to share resources between different parties. These resources can be infrastructure such as hardware (servers, storage, and networks), software, services, etc. in the data center.
What happens if we don't follow a multi-tenant approach? The obvious result is having to maintain multiple infrastructure locations, which leads to complexity in maintenance and to spending too much for each party (customer/team/..).
How Multi Tenancy?
As a simple illustration, in the picture below a server is virtualized with a hypervisor so that its CPU and memory are shared among multiple customers. Virtual machines (VMs) from different customers are deployed on the hypervisor with proper orchestration. In this way, we achieve optimum utilization of the server resources (CPU/RAM), which helps reduce cost and benefits the CAPEX and OPEX of the organization.
Multi Tenancy for VMware Telco Customers:
Telco providers demand resource isolation when it comes to network functions from different vendors. Service providers need a solution to isolate the resources in a shared environment.
In the example below, let's say Nokia and Huawei are sharing the resources while, at the same time, no two tenants can access each other by default.
In the above scenario, the respective customer will use its VNF-Manager to deploy the network functions without the intervention of the data center admin.
In another instance, let's say a single customer wants to isolate the resources between the network functions as per the demand of the network functions. In this case, the Telco vendor can go with tenant creation as per the requirements.
Multi tenancy with VMware VCD [vCloud Director]:
vCloud Director (vCD) provides multitenancy with the entity called “Organization”, which represents a single logical security unit. A vCD organization typically maps to a Vendor or a VNF. Organizations can use local accounts or distributed directory service accounts for user authentication via LDAP.
In the above scenario, the physical resources are configured with two different clusters (one for each vendor) and the cluster settings are applied based on vendor requirements. Each cluster is prepared with VCD's pVDC (Provider Virtual Data Center) and each pVDC is associated with respective tenants.
The VCD Organization manages authentication and authorization, along with roles, for the tenant users. So the users will access their tenant portal during NF life cycle management.
An organization can consist of one or more OrgVDCs (Organization Virtual Data Centers). The resources for an OrgVDC are allocated from the pVDC, and the respective resource pool is created on vCenter.
Multi tenancy with VIO:
VMware Integrated OpenStack (VIO) provides multi tenancy with the entity called “Projects”. Projects in OpenStack are equal to tenants in Telco Cloud Infrastructure. A project is an administrative container where telco workloads are deployed and managed.
Tenant VDCs (VIO):
A Tenant VDC allows creation of virtual data centers for tenants under different compute nodes that offer specific SLA levels for each telco workload. While quotas on projects set limits on the OpenStack resources, Tenant VDCs allow providing resource guarantees for tenants and avoid noisy neighbour scenarios in a multitenant environment.
The above diagram illustrates how a fully integrated VMware Integrated OpenStack Compute Zone, Project and Tenant vDC, NSX-T segments, and Tier-1 gateways can be leveraged to provide a multitenant environment for deploying VNF in VIO.
Multi tenancy with NSX-T:
Customers/tenants are more concerned about network security and network resource utilization. NSX-T provides proper isolation for SDN (Software Defined Networking) solutions. East-West tenant traffic is isolated using the T1 routers in NSX-T, and North-South tenant traffic can be isolated with T0 routers including VRF-Lite.
VRF-Lite provides multiple VRF gateways and each tenant can use the dedicated VRF. Below are a few more benefits of VRF-Lite.
- Isolation of tenants with a single Tier-0
- Overcome network overlapping
In the above example, Tenant Nokia will send East-West traffic through the Edge Gateway [EGW] of VCD, which is connected to the T1 (Blue) of NSX-T. Similarly, the other T1 router (Purple) will be used for the Huawei Tenant.
North-South traffic will be handled a bit differently. T0 has the capability to host multiple VRF instances using the VRF-Lite feature in NSX-T. Each VRF-Lite is dedicated to a tenant. In this way, a single T0 can be used for multiple tenants to provide traffic isolation in North–South scenarios.
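The two VRF-Lite benefits listed above, as an added example (not from the original article or from VMware): a small Python audit over a constructed segment inventory that flags a Tier-1 or VRF shared by more than one tenant, and prefixes that overlap inside one routing table. The gateway names (`t1-blue`, `vrf-nokia`, ...), the CIDRs and the inventory layout are assumptions for illustration, not NSX-T API output.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory (not exported from a real NSX-T manager): each segment
# records its tenant, the Tier-1 it attaches to, and the Tier-0 VRF it uses.
SEGMENTS = [
    {"name": "nokia-oam",   "tenant": "Nokia",  "t1": "t1-blue",   "vrf": "vrf-nokia",  "cidr": "10.10.0.0/24"},
    {"name": "nokia-sig",   "tenant": "Nokia",  "t1": "t1-blue",   "vrf": "vrf-nokia",  "cidr": "10.10.1.0/24"},
    {"name": "huawei-oam",  "tenant": "Huawei", "t1": "t1-purple", "vrf": "vrf-huawei", "cidr": "10.10.0.0/24"},
    {"name": "huawei-data", "tenant": "Huawei", "t1": "t1-purple", "vrf": "vrf-huawei", "cidr": "10.20.0.0/16"},
]

def audit(segments):
    """Return a sorted list of isolation findings as (kind, detail) tuples."""
    findings = []
    # 1. A Tier-1 or VRF used by more than one tenant breaks the isolation boundary.
    for key in ("t1", "vrf"):
        owners = defaultdict(set)
        for s in segments:
            owners[s[key]].add(s["tenant"])
        for gw, tenants in owners.items():
            if len(tenants) > 1:
                findings.append((f"shared-{key}", f"{gw}: {', '.join(sorted(tenants))}"))
    # 2. Overlapping prefixes are fine across VRFs, ambiguous inside one VRF.
    by_vrf = defaultdict(list)
    for s in segments:
        by_vrf[s["vrf"]].append(s)
    for vrf, segs in by_vrf.items():
        for i, a in enumerate(segs):
            for b in segs[i + 1:]:
                na, nb = ipaddress.ip_network(a["cidr"]), ipaddress.ip_network(b["cidr"])
                if na.overlaps(nb):
                    findings.append(("overlap", f"{vrf}: {a['name']} vs {b['name']}"))
    return sorted(findings)

def collapse_to_single_vrf(segments, vrf="default"):
    """Model the same tenants behind one Tier-0 routing table (no VRF-Lite)."""
    return [dict(s, vrf=vrf) for s in segments]

if __name__ == "__main__":
    print("with VRF-Lite:   ", audit(SEGMENTS))
    print("without VRF-Lite:", audit(collapse_to_single_vrf(SEGMENTS)))
```

With one VRF per tenant the audit is clean even though both tenants use 10.10.0.0/24; collapsing them into one routing table reports both the shared gateway and the prefix collision.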
Multi tenancy with VCD & TCA:
The virtual infrastructure is the key component in TCA to achieve multi-tenancy. The VCD with multiple tenants will be integrated with the control plane of TCA, and a virtual infrastructure will be created for each tenant in TCA-Manager.
As the above diagram illustrates, the VCD (vCloud Director) is integrated with TCA-CP (Telco Cloud Automation - Control Plane) using the system administrator account, and each tenant (VCD Organization) is prepared as a Virtual Infrastructure in TCA Manager using an Organization Administrator account.
The user accounts for the NF operator are created in the SSO of TCA, and the roles are assigned to their respective virtual endpoint (e.g. VCD-Nokia & VCD-Huawei).
In this scenario, each tenant user will access the TCA-Manager and execute NF life cycle operations (Onboard, Instantiate, Scale & Terminate) within their virtual infrastructure (e.g. VCD-Nokia & VCD-Huawei), and TCA will perform the action (vApp creation, modification & deletion) on vCloud Director (VCD).