Option Analysis in Multi Tenant Cloud Environment

While designing a multi-tenant virtual data center where network, security, storage and compute elements are shared across customers, we came across a unique use case:

 

Two customers have same IP addresses on their servers and cannot change them. Now on the network side, till layer 3, we have managed to segregate the data from the two customers using VRF. But few questions arrived from different people in this whole process and we have answered them very carefully.

 

1. Consider we are using blade servers, say HP C7000. How can we run two virtual machines with same ip addresses on same ESX host and route that traffic to upstream layer 3 switch where it can be channeled to respective VRF channels?

2. Is there any configuration that can be done on blade switch that can allow us to do that?

3. Is it also possible to run two blades with same ip addresses on same enclosure with the help of some config settings on the blade switch?

 

My answers are in line as below:

1 & 2. Well, we can use vShield Edge to provide that functionality for the VMs.  Or, we can logically separate them down to individual VLANs, so we separate out the broadcast domains, and have them go to different physical upstream switches.

3. As long as the hosts are in two different VLAN’s, sure.  But if they are on the same VLAN, we will have issue. Assuming we have blade 1 having vm1 and vm2 having the same ip address(say 10.10.10.1/24) but belong to different customers(customer1 and customer2), We can assign VLAN 10 to customer1 and VLAN20 to customer2 at our physical switch/router layer and use VRF to have two 10.10.10.0/24. One is under VLAN 10 which belongs to vrf customer1 and the other is under VLAN 20 which belongs to vrf customer2.

 

At virtual connect level, HP really don’t care about IP address. As long as there are two distinct VLANs for 2 customers(VLAN 10 and VLAN 20), In VC, we just config vnet-10-a/vnet-10-b and vnet-20-a/vnet-20-b (for VC active/active design) normally. Then VC will separate traffic from these two VLANs.

So, in a nutshell as long as we put two blades (I’m assuming they are for different customers) into two different VLANs, VC won’t mix the traffic between these two blades. Any layer 2 switch (including VC) doesn’t care what’s your layer 3 ip address. They only care about VLAN separation.

 

So if we have 2 customers, as long as we assign 2 different VLANs to them, each customer will have its broadcast domain inside its own VLAN. We can define same or different IP addressing for these two VLANs. When it reaches layer 3, vrf is the way to separate two ip networks if we don’t want two VLANs to talk with each other.

 

About Prasenjit Sarkar

Prasenjit Sarkar is a Product Manager at Oracle for their Public Cloud with primary focus on Cloud Strategy, Oracle Openstack, PaaS, Cloud Native Applications and API Platform. His primary focus is driving Oracle’s Cloud Computing business with commercial and public sector customers; helping to shape and deliver on a strategy to build broad use of Oracle’s Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings such as Compute, Storage, Java as a Service, and Database as a Service. He is also responsible for developing public/private cloud integration strategies, customer’s Cloud Computing architecture vision, future state architectures, and implementable architecture roadmaps in the context of the public, private, and hybrid cloud computing solutions Oracle can offer.