Background - A service provider hosts per-client web service instances which are accessed remotely through a private link. Incoming traffic traverses a firewall and connects to a client-specific load balancer VIP. The load balancer distributes the web traffic across client-specific VMs. Each web service VM communicates with a backend client-specific database listener. Each web service VM may also need to communicate with additional client-specific application services, or with application services that are shared across all clients' VMs. Firewall rules are in place to allow only the required traffic between subnets. However, for simplicity and ease of scale, every client's servers of a given role reside in the same "service shared" network segment (no east/west segmentation).
Network segments:
Load Balancer Segment: 10.1.0.0/23
Web Server Segment: 10.10.0.0/22
Database Segment: 10.20.0.0/23
Client Specific Application Service Segment: 10.30.0.0/23
Client Shared Application Service Segment: 10.40.0.0/24

First client:
LB VIP IP: 10.1.0.1
Web Servers: 10.10.0.1, 10.10.0.2, 10.10.0.3
Database Listener: 10.20.0.1
Client Specific App: 10.30.0.1, 10.30.0.2
Client Shared App: 10.40.0.1, 10.40.0.2

Second client:
LB VIP IP: 10.1.0.10
Web Servers: 10.10.0.4, 10.10.0.5, 10.10.0.6
Database Listener: 10.20.0.2
Client Specific App: 10.30.0.3, 10.30.0.4
Client Shared App: 10.40.0.1, 10.40.0.2, 10.40.0.3
Goal: Provide additional network security by implementing east/west segmentation.
Assumptions: Existing hardware firewall and load balancer will not be replaced by NSX.
Some database servers may be physical; every other server in the environment is a VM.
New subnets will be defined to replace the existing ones; new build-outs will be staged on the NSX platform, and existing installs will be migrated over time.
There are 2 ESXi clusters: a legacy cluster without NSX and a new cluster with NSX.
Most "multi-tenant" NSX design documentation I have reviewed suggests carving out small tenant-specific subnets; that makes sense since you will need to route the traffic in and out via the appropriate path. I was wondering if it's even possible to use a shared subnet layout like the one above? I suppose it could be accomplished by using /32 routes on both the VM guests and the NSX layer, but that would get very messy. The reason I ask is that the additional work of allocating client-specific subnets will change the service provider's provisioning process and add more work they were not anticipating. Also, just to note, the "multi-tenancy" is slightly different here in the sense that clients can only access their web services; they are not, for example, provisioning their own machines or IP addresses - this is all done by the service provider.
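To make the east/west gap in the layout above concrete, here is an added example (not part of the original post, and not an NSX or firewall configuration) that models the two policy styles in Python: the current subnet-to-subnet rules, and the same required flows scoped to each client's own hosts, which is what east/west segmentation on NSX (e.g. distributed firewall rules keyed on per-client groups) would enforce. The addresses and segments are the ones listed in the post; the client labels, the role-based flow list and the absence of ports are constructed assumptions. The `audit` function enumerates every host pair whose owners differ and reports which of them a policy still permits.

```python
"""Compare subnet-level firewall rules with per-client east/west rules.

Added example: addresses and segments are taken from the post; client
labels, the role-based flow list and the omission of ports are assumptions.
"""
import ipaddress

# Network segments as listed in the post.
SEGMENTS = {
    "lb":     ipaddress.ip_network("10.1.0.0/23"),
    "web":    ipaddress.ip_network("10.10.0.0/22"),
    "db":     ipaddress.ip_network("10.20.0.0/23"),
    "app":    ipaddress.ip_network("10.30.0.0/23"),
    "shared": ipaddress.ip_network("10.40.0.0/24"),
}

# Per-client inventory from the post; "client1"/"client2" are constructed labels.
CLIENTS = {
    "client1": {
        "lb":  ["10.1.0.1"],
        "web": ["10.10.0.1", "10.10.0.2", "10.10.0.3"],
        "db":  ["10.20.0.1"],
        "app": ["10.30.0.1", "10.30.0.2"],
    },
    "client2": {
        "lb":  ["10.1.0.10"],
        "web": ["10.10.0.4", "10.10.0.5", "10.10.0.6"],
        "db":  ["10.20.0.2"],
        "app": ["10.30.0.3", "10.30.0.4"],
    },
}
SHARED_APP = ["10.40.0.1", "10.40.0.2", "10.40.0.3"]

# Required flows by role, mirroring the post: LB -> web, web -> DB listener,
# web -> client-specific app, web -> shared app.  Ports are deliberately omitted.
REQUIRED_FLOWS = {("lb", "web"), ("web", "db"), ("web", "app"), ("web", "shared")}


def segment_of(ip):
    """Name of the segment containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def owner_of(ip):
    """Client owning ip, 'shared' for the shared app hosts, None if unknown."""
    if ip in SHARED_APP:
        return "shared"
    for client, roles in CLIENTS.items():
        for hosts in roles.values():
            if ip in hosts:
                return client
    return None


def allowed_subnet_policy(src, dst):
    """Today's model: rules between segments only, no east/west segmentation."""
    return (segment_of(src), segment_of(dst)) in REQUIRED_FLOWS


def allowed_client_policy(src, dst):
    """Segmented model: the same role flows, but only between one client's own
    hosts.  Shared app hosts stay reachable from every client's web tier."""
    if (segment_of(src), segment_of(dst)) not in REQUIRED_FLOWS:
        return False
    src_owner, dst_owner = owner_of(src), owner_of(dst)
    if dst_owner == "shared":
        return src_owner in CLIENTS
    return src_owner is not None and src_owner == dst_owner


def audit(policy):
    """Return every (src, dst) pair between different clients' hosts that the
    given policy allows.  An empty list means no cross-tenant east/west path."""
    all_hosts = [h for roles in CLIENTS.values() for hosts in roles.values() for h in hosts]
    return [
        (src, dst)
        for src in all_hosts
        for dst in all_hosts
        if owner_of(src) != owner_of(dst) and policy(src, dst)
    ]


if __name__ == "__main__":
    for name, policy in (("subnet-level", allowed_subnet_policy),
                         ("per-client", allowed_client_policy)):
        leaks = audit(policy)
        print(f"{name}: {len(leaks)} cross-client paths allowed")
        for src, dst in leaks[:5]:
            print(f"  {src} -> {dst}")
```

Running it shows the subnet-level policy still permits every client's web servers to reach the other client's database listener and application servers, because both clients share each role segment; the per-client policy permits the identical set of required flows while reporting no cross-client path. The same host-to-client mapping is what the NSX-side groups would need to carry if the shared subnets are kept, which is the bookkeeping the /32-route idea in the question would otherwise have to do by hand.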