VMware Cloud Community
TheVMinator
Expert

DNS and multitenancy

When I provision VMs in a secure multi-tenant environment where layer network isolation is required between tenants, does this mean that each tenant needs their own DNS domain? If lookups and forwarding and so on need to happen between DNS servers, then I have to create a dedicated DNS infrastructure for every tenant. What is the standard way of approaching this issue that is both manageable and enforces isolation? Are there special DNS infrastructure solutions that are especially virtualization/cloud/multitenant friendly?


Accepted Solutions
Texiwill
Leadership

Hello,

I would set up a DNS Zone per tenant and let the tenant manipulate the zone as necessary. This is what most organizations do. DNS is fairly robust as it is and you can lock zone updates within DNS to specific zones or even systems. Do not overthink this one too much; use what is built into DNS.

Some tenants will want their own DNS server, controlled by them, that forwards to your main DNS, but for those who need you to manage their DNS, DNS is pretty capable already.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2015

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
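
One way to express "a zone per tenant, with updates locked to specific zones or even systems", as an added example that is not part of the original post: a BIND 9 `named.conf` fragment. BIND is an assumption (the thread names no DNS server), and every tenant name, zone name, file path, key name and secret below is a hypothetical placeholder.

```conf
// Added example (not from the thread): per-tenant zones on a shared BIND 9 server.
// Names, paths and secrets are placeholders; generate real secrets with
//   tsig-keygen -a hmac-sha256 <key-name>

// One TSIG key per tenant, handed only to that tenant.
key "tenant-a-ddns" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_A";
};
key "tenant-b-ddns" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_B";
};
// A key issued to one system inside tenant B.
key "web01-tenant-b" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_WEB01";
};

zone "tenant-a.cloud.example" {
    type master;
    file "dynamic/tenant-a.cloud.example.db";
    // Tenant A's key may change records at or below this zone only.
    update-policy { grant tenant-a-ddns zonesub ANY; };
    // No zone transfers, so one tenant cannot enumerate another's records.
    allow-transfer { none; };
};

zone "tenant-b.cloud.example" {
    type master;
    file "dynamic/tenant-b.cloud.example.db";
    update-policy {
        // Tenant B's key manages the whole zone.
        grant tenant-b-ddns zonesub ANY;
        // This system's key may update only its own address records.
        grant web01-tenant-b name web01.tenant-b.cloud.example. A AAAA;
    };
    allow-transfer { none; };
};
```

After replacing the placeholders, `named-checkconf` validates the syntax. An update signed with tenant A's key against tenant B's zone is refused because no `grant` rule in that zone matches it.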

Netwrix
Enthusiast

I think you should check the vShield solution: http://www.vmware.com/pdf/vshield_55_admin.pdf. It's available as part of vCloud Suite 5.5, if I'm correct.

TheVMinator
Expert

OK, great, thanks.
