There are multiple ways to create isolation within the Avi Load Balancer. This section discusses the difference between tenants and SE groups and their relationship to data plane isolation and control plane isolation.
Isolation |
Tenant: Provider Context |
Tenant: Tenant Context |
SE Group |
---|---|---|---|
Control Plane |
Yes |
Yes |
No |
Data Plane |
No |
Yes |
Yes |
Service Engine Groups
SE groups are an inherent method of grouping SEs to provide data plane isolation. A single tenant can have one or more SE groups. Multiple tenants can also point to one or more SE Groups. Only one SE group can serve a virtual service. If one of its SEs fails, another SE can take over within the same SE group. SEs in other SE groups cannot be pulled in to provide capacity for another SE group. This ensures data plane isolation.
Example 1:
An administrator manages an application in both test and production environments. The virtual service of each application must be deployed on a different SE group. For ease of management, both applications can be in the same tenant (tenant 2 in the diagram), though arguments can be made for separating these different environments into two separated tenants (such as tenant 1 and 3 in the diagram).
Example 2:
A cloud service provider manages multiple customer applications. Each customer is assigned to a unique tenant, ensuring complete configuration isolation. The service provider can allow all tenants to have isolated SEs, or they can choose to place multiple tenants in the same SE group to reduce idle resources.