vCenter Server, NSX Manager, and the VIM form a secure multi-tenant platform.

  • vCenter Server lets you allocate and partition compute and storage resources precisely.

  • NSX creates the network virtualization layer with vSphere. The network virtualization layer is an abstraction between physical and virtual networks. NSX provides logical switches, firewalls, load balancers, and VPNs to isolate and secure network resources and services.

  • VIM lets you create additional abstraction layers by distributing pooled resources among tenants. These abstraction layers provide a secure multi-tenant environment to deploy and run VNFs.

Physical compute, storage, and network resources are mapped to NFVI virtual resources such as clusters for compute resources, datastores for storage resources, and virtual switches for network resources. The VIM lets you map the virtual resources to a provider data center, which is a logical construct that pools the NFVI virtual resources for consumption by tenants. You can then reserve and allocate resources for tenants by using an organizational-level virtual data center (VDC).

Every organizational VDC maps to an underlying resource pool within the parent provider cluster. The VIM manages the resource pool according to the allocation settings of the organizational VDC and sets aside resources without exceeding the resource limits.

Tenant edge devices that are deployed from the VIM use a dedicated resource pool nested within the provider resource pool. VNFs are deployed in a separate and dedicated resource pool nested within the organizational VDC. This separation of edge devices and VNF workloads prevents resource exhaustion.
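The nesting rules above can be checked against an exported inventory. The following is an added example, not VMware code: the `Pool` model, the pool names, and the single CPU reservation and limit per pool are simplifying assumptions, and the inventory is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pool:
    name: str
    kind: str                # "provider", "org_vdc", "edge" or "vnf"
    parent: Optional[str]    # name of the enclosing pool
    reservation_mhz: int
    limit_mhz: int
    workloads: tuple = ()    # (vm_name, "edge" | "vnf") pairs

# Parent kind required for each pool kind, per the nesting described above.
EXPECTED_PARENT = {"provider": None, "org_vdc": "provider",
                   "edge": "provider", "vnf": "org_vdc"}

def audit(pools):
    """Return a list of findings for a resource pool inventory."""
    by_name = {p.name: p for p in pools}
    findings = []
    for p in pools:
        parent = by_name.get(p.parent)
        parent_kind = parent.kind if parent else None
        if parent_kind != EXPECTED_PARENT[p.kind]:
            findings.append(f"{p.name}: nested under {parent_kind}, "
                            f"expected {EXPECTED_PARENT[p.kind]}")
        # Edge devices and VNFs each belong only in their own dedicated pool.
        for vm, role in p.workloads:
            if role != p.kind:
                findings.append(f"{p.name}: {role} workload {vm} in {p.kind} pool")
        # Reservations of nested pools must fit within this pool's limit.
        reserved = sum(c.reservation_mhz for c in pools if c.parent == p.name)
        if reserved > p.limit_mhz:
            findings.append(f"{p.name}: nested reservations {reserved} MHz "
                            f"exceed limit {p.limit_mhz} MHz")
    return findings

# Constructed inventory with three deliberate faults.
SAMPLE = [
    Pool("provider-rp", "provider", None, 0, 20000),
    Pool("tenant-a-vdc", "org_vdc", "provider-rp", 8000, 8000),
    Pool("tenant-a-edges", "edge", "provider-rp", 2000, 2000, (("esg-a-01", "edge"),)),
    Pool("tenant-a-vnfs", "vnf", "tenant-a-vdc", 6000, 8000,
         (("vnf-fw-01", "vnf"), ("esg-a-02", "edge"))),
    Pool("tenant-b-vdc", "org_vdc", "provider-rp", 12000, 12000),
    Pool("tenant-b-vnfs", "vnf", "provider-rp", 4000, 4000, (("vnf-epc-01", "vnf"),)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
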

Separation of network access between NFVI tenants is important for secure multi-tenancy on a horizontally shared platform. The VIM integrates with vCenter Server and NSX to manage the creation and consumption of isolated Layer 2 networks.

Connectivity to external networks, such as the CSP Multiprotocol Label Switching (MPLS) network, must be set up manually during the VNF onboarding process. Networks that are internal to an NFVI tenant or a VNF instance can be created using the VIM’s user interface or API. BGP routing, ESG firewall rules, and additional services can be configured by the tenant administrator within the organizational VDC.