There are multiple ways to create isolation within NSX Advanced Load Balancer. This article explores the difference between tenants and SE groups and their relationship to data plane isolation and control plane isolation.

| Isolation | Tenant: Provider Context | Tenant: Tenant Context | SE Group |
|---|---|---|---|
| Control Plane | Yes | Yes | No |
| Data Plane | No | Yes | Yes |

Service Engine Groups

SE groups are an inherent method of grouping Service Engines to provide data plane isolation. A single tenant can have one or more SE groups. Multiple tenants may also point to one or more SE groups. Only one SE group can serve a virtual service. If one of its SEs fails, another SE within the same SE group can take over. SEs in other SE groups cannot be pulled in to provide capacity for another SE group. This ensures data plane isolation.

Example 1:



An administrator manages an application in both test and production environments. The virtual service of each application should be deployed on a different SE group. For ease of management, both applications can be in the same tenant (tenant 2 in the image), though arguments could be made for separating these different environments into two separate tenants (such as tenant 1 and 3 in the image).

Example 2:



A cloud service provider manages multiple customers' applications. Placing each customer in a unique tenant guarantees there will be complete configuration isolation. The service provider may choose to allow all tenants to have isolated Service Engines, or they may choose to place multiple tenants on the same SE group's SEs to reduce idle resources.
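The following audit sketch is an added example, not part of the original article or of the NSX Advanced Load Balancer API. It models the two layouts above on a constructed inventory and reports which SE groups are shared across tenants (control plane isolated, data plane shared) and which SEs can take over a virtual service, given that failover stays inside its own SE group. All tenant, SE group, SE and virtual service names are hypothetical.

```python
from collections import defaultdict

# Constructed inventory: (virtual service, tenant, SE group). Names are hypothetical.
VIRTUAL_SERVICES = [
    ("vs-shop-prod", "tenant-2", "seg-prod"),    # Example 1: one tenant,
    ("vs-shop-test", "tenant-2", "seg-test"),    # two SE groups
    ("vs-cust-a", "tenant-1", "seg-shared"),     # Example 2: two tenants
    ("vs-cust-b", "tenant-3", "seg-shared"),     # placed on one SE group
]
# Constructed SE membership per SE group.
SE_GROUPS = {
    "seg-prod": ["se-1", "se-2"],
    "seg-test": ["se-3"],
    "seg-shared": ["se-4", "se-5"],
}

def shared_data_planes(virtual_services):
    """Return {se_group: sorted tenants} for SE groups serving more than one tenant."""
    tenants = defaultdict(set)
    for _vs, tenant, seg in virtual_services:
        tenants[seg].add(tenant)
    return {seg: sorted(t) for seg, t in tenants.items() if len(t) > 1}

def tenants_spanning_groups(virtual_services):
    """Return {tenant: sorted SE groups} for tenants using several SE groups."""
    groups = defaultdict(set)
    for _vs, tenant, seg in virtual_services:
        groups[tenant].add(seg)
    return {t: sorted(g) for t, g in groups.items() if len(g) > 1}

def failover_candidates(vs_name, failed_se, virtual_services, se_groups):
    """SEs that can take over a virtual service: only peers in its own SE group."""
    seg = next(s for name, _t, s in virtual_services if name == vs_name)
    return [se for se in se_groups[seg] if se != failed_se]

if __name__ == "__main__":
    print("SE groups shared across tenants:", shared_data_planes(VIRTUAL_SERVICES))
    print("Tenants using several SE groups:", tenants_spanning_groups(VIRTUAL_SERVICES))
    for vs, se in (("vs-shop-prod", "se-1"), ("vs-shop-test", "se-3")):
        spare = failover_candidates(vs, se, VIRTUAL_SERVICES, SE_GROUPS)
        print(f"{vs}: {se} fails, candidates = {spare or 'none in this SE group'}")
```

The single-SE test group shows the cost of the isolation boundary: when its only SE fails there is no candidate, because SEs from other SE groups are never pulled in.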