VMware Cloud Community
scale21
Enthusiast

Design question about Multi-Tenant customers

I have a solution I want our web team to provide to separate customers from vCloud.

The tenant/customer may or may not ever login to vcloud to manage these provided servers. To start it would just be me and my web team managing it for the customers.

I am reading the VMware vCloud Director for Service Providers document here.

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/vcloud/vmware-vcd-architecture-ove...

I have created my Organization for this solution as "Web Team". Where I am stuck is: should I be creating 1 VDC and putting all my customers in it? I notice I can have many edge gateways deployed off of one VDC. This is good, as I want each customer to have its own ESG.

Organization VDCs get put under the organization. This makes sense. I want our web team to be an organization providing its "service" to all tenants under it.

The guide states:

An Organization Virtual Datacenter (Org vDC) is a subgrouping of compute and storage resources allocated from a provider VDC and assigned to a single organization. An organization VDC is provisioned resources using vCloud Director resource allocation models. These are represented in vSphere by “resource pools,” defined in Table 2.

Does that verbiage mean then I should be creating a single VDC with 100s of customers / vApps and an ESG for each customer attached to this one VDC... or should I create a VDC for each customer/tenant and put their vApps in it... and attach a single edge to each VDC for each customer?

I think the second option of a VDC per tenant sounds the most correct for my use case, but I could be thinking about this wrong.

1 Reply
jonathanw
Enthusiast

Typically in vCD-SP you create an Organization for each tenant/customer and then 1 or more VDCs for each Organization to provide their resources.

In your use case, where tenants may or may not need to log in, there are a number of ways you could achieve this, the main ones being:

1) Single Organization / 1 VDC - shared by every tenant

2) Single Organization / VDC for each tenant

3) Organization per tenant / 1 (or more) VDCs each

Worth noting that:

- Storage is allocated per VDC, so if you split each tenant into its own Org/VDC you'll need to administer storage allocations for each separately.

- OrgVDC networks can only be shared between VDCs inside a single Organization, so if you need the hosted VMs to share an internal network they need to be in the same Organization.

- External networks can be used by multiple tenants/Organizations (e.g. the 'uplink' interface on your Edges).

You may have issues allowing a customer to administer 'just their own' Edge Gateway in 1) and 2) since the edge gateway roles assignment in the security model will apply to ALL edges in the VDC.

I would also strongly advise you not to do 2): setting security permissions in this scenario will be awkward, since the 'Organization Administrator' role will see all Org VDCs and you will need to create custom roles to limit scope to a single VDC.

It sounds like the 'best' fit for your requirement would be option 3, if your web team are 'system' level administrators they will automatically be able to see and administer all the tenant Organizations and VDCs, but tenants will only ever see their own resources (VMs and Edge Gateway). Doing it this way also allows your tenants to federate access back to their own directory service (e.g. ADFS) if they want to.
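The scoping rules in the reply above (the Organization Administrator role sees every Org VDC in its Organization; an edge-gateway role covers every Edge Gateway in its VDC) are what decide which of the three layouts actually isolates tenants. The following is an added illustration, not vCloud Director code or its API: a small constructed model that places one vApp and one Edge Gateway per sample tenant under each layout and computes what a tenant-scoped administrator could reach outside their own tenant. Tenant names, Organization and VDC names are made up for the example.

```python
"""Toy model of the three vCloud Director tenancy layouts discussed above.

Constructed illustration only; it is not vCD code and does not call the vCD
API. It encodes two scoping rules from the reply and checks which layout keeps
tenants from seeing or administering each other's resources:
  - the Organization Administrator role is scoped to the whole Organization,
    so it sees every Org VDC (and every vApp) in that Organization;
  - the edge-gateway administration role is scoped per VDC, so it covers every
    Edge Gateway deployed from that VDC.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    kind: str      # "vapp" or "edge"
    tenant: str    # tenant the resource belongs to
    org: str       # Organization it lives in
    vdc: str       # Org VDC it lives in

    @property
    def name(self) -> str:
        return f"{self.kind}:{self.tenant}"


TENANTS = ("acme", "globex", "initech")  # constructed sample tenants


def build(layout: str) -> list[Resource]:
    """Place one vApp and one Edge Gateway per tenant according to the layout.

    layout "1": one Organization, one VDC shared by every tenant
    layout "2": one Organization, one VDC per tenant
    layout "3": one Organization per tenant, one VDC each
    """
    resources = []
    for t in TENANTS:
        if layout == "1":
            org, vdc = "WebTeam", "WebTeam-VDC"
        elif layout == "2":
            org, vdc = "WebTeam", f"VDC-{t}"
        elif layout == "3":
            org, vdc = f"Org-{t}", f"VDC-{t}"
        else:
            raise ValueError(f"unknown layout {layout!r}")
        resources.append(Resource("vapp", t, org, vdc))
        resources.append(Resource("edge", t, org, vdc))
    return resources


def org_admin_sees(resources: list[Resource], tenant: str) -> set[str]:
    """Everything an Org Admin role granted to `tenant` can see: the whole Org."""
    own_orgs = {r.org for r in resources if r.tenant == tenant}
    return {r.name for r in resources if r.org in own_orgs}


def edge_admin_covers(resources: list[Resource], tenant: str) -> set[str]:
    """Edges an edge-gateway role granted to `tenant` can administer:
    every Edge Gateway in the VDC(s) that hold the tenant's own edge."""
    own_vdcs = {r.vdc for r in resources if r.tenant == tenant and r.kind == "edge"}
    return {r.name for r in resources if r.kind == "edge" and r.vdc in own_vdcs}


def cross_tenant_exposure(layout: str) -> dict[str, set[str]]:
    """Foreign resources each tenant could see or administer under the layout."""
    resources = build(layout)
    exposure = {}
    for t in TENANTS:
        reachable = org_admin_sees(resources, t) | edge_admin_covers(resources, t)
        exposure[t] = {n for n in reachable if not n.endswith(f":{t}")}
    return exposure


def isolates_tenants(layout: str) -> bool:
    """True when no tenant can reach another tenant's vApp or Edge Gateway."""
    return all(not foreign for foreign in cross_tenant_exposure(layout).values())


if __name__ == "__main__":
    for layout in ("1", "2", "3"):
        print(f"layout {layout}: isolates tenants = {isolates_tenants(layout)}")
        for tenant, foreign in cross_tenant_exposure(layout).items():
            if foreign:
                print(f"  {tenant} can reach {sorted(foreign)}")
```

Running it shows layout 3 as the only one with no cross-tenant reach; in layout 2 the per-VDC edge role is already tenant-scoped, but Org Admin visibility still spans every tenant's VDC, which is exactly why the reply says custom roles would be needed there.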