When I provision VMs in a secure multi-tenant environment where layer network isolation is required between tenants, does this mean that each tenant needs their own DNS domain? If lookups and forwarding and so on need to happen between DNS servers, then I have to create a dedicated DNS infrastructure for every tenant. What is the standard way of approaching this issue that is both manageable and enforces isolation? Are there special DNS infrastructure solutions that are especially virtualization/cloud/multitenant friendly?
Hello,
I would set up a DNS zone per tenant and let the tenant manipulate the zone as necessary. This is what most organizations do. DNS is fairly robust as it is, and you can lock zone updates within DNS to specific zones or even systems. Do not overthink this one too much; use what is built into DNS.
Some tenants will want their own DNS server, controlled by them, that forwards to your main DNS, but for those who need you to manage their DNS, DNS is pretty capable already.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2015
Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
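As an added example (not part of the reply above, and not VMware or vendor code), here is one way to keep a zone-per-tenant setup manageable: generate the server configuration from a tenant inventory and refuse to emit it if two tenants' zones or client networks overlap. It assumes BIND 9 as the DNS server, which the thread does not name, and that tenants use non-overlapping client networks; the tenant names, zones, networks, key names and file paths are constructed.

```python
import ipaddress

# Constructed tenant inventory (names, zones and networks are illustrative).
TENANTS = [
    {"name": "tenant-a", "zone": "tenant-a.cloud.example", "net": "10.10.0.0/16"},
    {"name": "tenant-b", "zone": "tenant-b.cloud.example", "net": "10.20.0.0/16"},
]

def isolation_errors(tenants):
    """Return problems that would let one tenant see or update another's zone."""
    errors = []
    for i, a in enumerate(tenants):
        for b in tenants[i + 1:]:
            na, nb = ipaddress.ip_network(a["net"]), ipaddress.ip_network(b["net"])
            if na.overlaps(nb):
                errors.append(f"{a['name']}/{b['name']}: client networks overlap")
            za, zb = a["zone"].lower().rstrip("."), b["zone"].lower().rstrip(".")
            # Identical zones, or one zone nested inside the other.
            if za == zb or za.endswith("." + zb) or zb.endswith("." + za):
                errors.append(f"{a['name']}/{b['name']}: zones overlap")
    return errors

def render_tenant(t):
    """Render one BIND view: only this tenant's network is served, and only
    this tenant's TSIG key may send dynamic updates, to this zone alone."""
    key = f"{t['name']}-update"
    return (
        # The secret is a placeholder; generate a real one per tenant.
        f'key "{key}" {{ algorithm hmac-sha256; secret "REPLACE_WITH_GENERATED_SECRET"; }};\n'
        f'view "{t["name"]}" {{\n'
        f'    match-clients {{ {t["net"]}; }};\n'
        f'    zone "{t["zone"]}" {{\n'
        f'        type master;\n'
        f'        file "tenants/{t["zone"]}.db";\n'
        f'        update-policy {{ grant {key} zonesub ANY; }};\n'
        f'    }};\n'
        f'}};\n'
    )

def render_config(tenants):
    """Emit the per-tenant views only if the inventory passes the isolation checks."""
    errors = isolation_errors(tenants)
    if errors:
        raise ValueError("; ".join(errors))
    return "\n".join(render_tenant(t) for t in tenants)

if __name__ == "__main__":
    print(render_config(TENANTS))
```

Run the output through `named-checkconf` before loading it; tenants that run their own forwarding DNS server would be handled outside this generated file.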
I think you should check the vShield solution: http://www.vmware.com/pdf/vshield_55_admin.pdf. It's available as part of vCloud Suite 5.5, if I'm correct.
ok great thanks