The management plane architecture establishes a trusted foundation for isolating management functions from the rest of the Operator’s network. When the management plane is architected to enhance security, it is segmented into discrete zones, prevents lateral movement across the plane, and restricts access to and exfiltration of network data. Management functions are critical security functions that require additional security controls. Operators must scan the management network to detect anomalies in configurations and operations.

With the VMware telco stack, you can manage the higher-level virtualization fabric through VMware Telco Cloud Automation (a central orchestration tool) that is integrated with VMware Telco Cloud Infrastructure. You can manage lower-level aspects of the management plane using a VIM from VMware and the management interface for vSphere.

VMware architectures for CSPs isolate the management plane. The components and resources of the management plane, including vCenter Server and NSX Manager, are isolated from the virtualization plane. vCenter Server provides the infrastructure for fine-grained allocation and partitioning of compute and storage resources.

VMware Telco Cloud Infrastructure also provides abstraction layers for multi-tenancy. The concept of tenancy introduces shared administrative ownership. A CSP administrator can allocate a resource pool and overlay networking for a tenant. With a VIM from VMware, multiple tenants can be defined with assigned RBAC privileges to manage resources and VNF onboarding.

The networking model of NSX isolates traffic paths across workloads and the tenant switching and routing fabric. Advanced security policies and rules can be applied at the VM boundary to further control access to the management plane. NSX Data Center uses a two-tiered routing architecture that manages networks at the provider (Tier-0) and tenant (Tier-1) tiers. The provider routing tier is attached to the physical network for north-south traffic, while the tenant routing can connect to the provider Tier-0 and manage east-west communications.

Tier-0 provides traffic termination to the cloud physical gateways and existing CSP underlay networks for inter-cloud traffic communication. Each organization in a virtual data center has a single Tier-1 distributed router that provides intra-tenant routing capabilities. The router can also deliver stateful services such as firewall and NAT. VMs belonging to a tenant can be connected to multiple logical interfaces for layer 2 and layer 3 connectivity.

By using these and other constructs of NSX such as firewalls, micro-segmentation, and VLANs, you can segregate the management plane by device type and function. For example, VNF element managers can be separated with micro-segmentation and blocked from communicating with one another and with elements that they do not manage to prevent man-in-the-middle attacks.
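The following Python example is added here to make the element-manager segregation concrete; it is not VMware or NSX code. It models the intent described above (each VNF element manager may reach only the elements it manages, element managers are blocked from one another, and everything else in the management plane is denied) as an ordered, first-match rule set with a default deny, evaluates sample flows against it, and audits a rule set for configuration drift away from that intent, in the spirit of the anomaly scanning called for earlier. The group names, subnets, element-manager relationships and management ports are constructed placeholders.

```python
"""Micro-segmentation model for a telco management plane.

Added example, not VMware's or NSX's code: derives a default-deny rule set
from the element-manager (EM) to VNF relationships, evaluates flows against
it with first-match semantics, and audits a rule set for violations of the
segregation intent. All names, subnets and ports are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import permutations

ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset       # group names; ANY matches every address
    destinations: frozenset
    ports: frozenset         # TCP ports; empty set means any port
    action: str              # "ALLOW" or "DROP"


# Constructed inventory: group name -> member subnets (placeholders).
GROUPS = {
    "EM-vRAN":  ["10.10.1.0/24"],
    "EM-vEPC":  ["10.10.2.0/24"],
    "VNF-vRAN": ["10.20.1.0/24"],
    "VNF-vEPC": ["10.20.2.0/24"],
}
# Which element manager manages which VNF group (constructed).
MANAGES = {"EM-vRAN": ["VNF-vRAN"], "EM-vEPC": ["VNF-vEPC"]}
MGMT_PORTS = frozenset({22, 443})  # assumed management protocols


def build_policy(manages, ports=MGMT_PORTS):
    """Derive the rule set from the management relationships."""
    rules = []
    # Block element managers from one another first, so a later allow rule
    # can never accidentally permit EM-to-EM traffic.
    ems = frozenset(manages)
    rules.append(Rule("deny-em-to-em", ems, ems, frozenset(), "DROP"))
    # Each EM may reach only its own managed elements on management ports.
    for em, elems in manages.items():
        rules.append(Rule(f"allow-{em}", frozenset({em}), frozenset(elems), ports, "ALLOW"))
    # Default deny closes every other path within the management plane.
    rules.append(Rule("default-deny", frozenset({ANY}), frozenset({ANY}), frozenset(), "DROP"))
    return rules


def groups_of(ip, groups):
    """All groups whose subnets contain ip, plus ANY."""
    addr = ip_address(ip)
    members = {g for g, nets in groups.items() if any(addr in ip_network(n) for n in nets)}
    return members | {ANY}


def evaluate(rules, groups, src_ip, dst_ip, port):
    """First-match evaluation, the way a distributed firewall applies rules."""
    src, dst = groups_of(src_ip, groups), groups_of(dst_ip, groups)
    for r in rules:
        if r.sources & src and r.destinations & dst and (not r.ports or port in r.ports):
            return r.action, r.name
    return "DROP", "implicit-deny"


def audit(rules, groups, manages, ports=MGMT_PORTS):
    """Check a rule set against the segregation intent; return violations.

    The first host of each group's first subnet stands in for the group,
    which is exact here because rules match on whole groups.
    """
    rep = {g: str(next(ip_network(nets[0]).hosts())) for g, nets in groups.items()}
    violations = []
    # No element manager may reach another element manager on any management port.
    for a, b in permutations(manages, 2):
        for port in ports:
            action, name = evaluate(rules, groups, rep[a], rep[b], port)
            if action == "ALLOW":
                violations.append(f"{a} -> {b}:{port} allowed by {name}")
    # Each EM must reach its own elements and no other managed element.
    for em in manages:
        for target in [g for g in groups if g not in manages]:
            expected = "ALLOW" if target in manages[em] else "DROP"
            for port in ports:
                action, name = evaluate(rules, groups, rep[em], rep[target], port)
                if action != expected:
                    violations.append(f"{em} -> {target}:{port} {action} by {name}, expected {expected}")
    return violations


if __name__ == "__main__":
    policy = build_policy(MANAGES)
    print(evaluate(policy, GROUPS, "10.10.1.5", "10.20.1.7", 443))  # EM to its own VNF
    print(evaluate(policy, GROUPS, "10.10.1.5", "10.10.2.5", 443))  # EM to another EM
    print(evaluate(policy, GROUPS, "10.10.1.5", "10.20.2.7", 443))  # EM to a VNF it does not manage
    print(audit(policy, GROUPS, MANAGES))  # empty list when the policy matches intent
    # A broad allow rule inserted ahead of the policy is caught by the audit.
    drifted = [Rule("oops-any", frozenset({"EM-vRAN"}), frozenset({ANY}), frozenset(), "ALLOW")] + policy
    print(audit(drifted, GROUPS, MANAGES))
```

The deny rule between element managers is placed ahead of the allow rules deliberately: with first-match semantics, rule order is part of the policy, and the audit exists precisely because a later edit (such as the `oops-any` rule in the usage block) can silently widen access without touching the rules that express the original intent.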

VMware provides a reference architecture for building, isolating, and protecting the management plane. For more information, see the management pod and three-pod deployment sections in the VMware Telco Cloud Reference Architecture Guide.