Together, the vCenter Server, NSX Manager, and vCloud Director form the secure multitenant platform of the vCloud NFV design. vCenter Server provides the infrastructure for fine-grained allocation and partitioning of compute and storage resources, while NSX for vSphere creates the network virtualization layer. The network virtualization layer is an abstraction between physical and virtual networks. NSX for vSphere provides logical switches, firewalls, load balancers, and VPNs.

vCloud Director provides an additional abstraction layer, dividing pooled resources among tenants. This section describes how the vCloud Director abstraction layers, PvDC and OvDC, are leveraged to provide a secure multitenant environment to deploy and run VNFs.

Figure 1. vCloud Director Multitenant Networking in a Two-Pod Design

Physical compute, storage, and network resources are first mapped to NFVI virtual resources: clusters for compute resources, datastores for storage resources, and virtual switches for network resources. The CSP then maps these to vCloud Director by creating a PvDC. A PvDC is the logical construct that pools the NFVI virtual resources for consumption by tenants.

The CSP allocates and reserves resources for tenants using OvDCs. Every OvDC maps to an underlying resource pool within the parent PvDC cluster. The resource settings of the resource pool are managed from vCloud Director according to the allocation settings of the OvDC. This ensures that every OvDC is allocated the resources to which it is entitled, while not exceeding its resource limits.

Figure 2. vCloud Director Resource Partitioning in a Two-Pod Design

Tenant edge devices that are deployed from vCloud Director use a dedicated resource pool nested within the PvDC resource pool. VNFs are deployed in a separate and dedicated resource pool nested within the OvDC. This separation of edge devices and VNF workload resources prevents one from starving the other.
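The partitioning described above (PvDC pool, a dedicated sibling pool for tenant edge devices, one pool per OvDC, and a VNF pool nested inside each OvDC) can be modelled as a tree of resource pools with reservation and limit admission checks. The following is an added illustration, not vCloud Director's or vSphere's own code or API; the pool names, capacity figures and the `ResourcePool`/`Capacity` types are constructed for the example. It shows the property the text relies on: an OvDC whose reservation would exceed the PvDC's unreserved capacity is refused, so no tenant (and no edge pool) can starve another.

```python
"""Toy model of vCloud NFV resource partitioning (constructed example).

PvDC root pool
├── tenant-edges   (dedicated pool for tenant edge gateways)
├── tenant-a       (OvDC pool)  └── tenant-a-vnf (VNF workload pool)
└── tenant-b       (OvDC pool)  └── tenant-b-vnf (VNF workload pool)
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Capacity:
    cpu_mhz: int
    mem_mb: int

    def fits_in(self, other: "Capacity") -> bool:
        return self.cpu_mhz <= other.cpu_mhz and self.mem_mb <= other.mem_mb

    def __add__(self, other: "Capacity") -> "Capacity":
        return Capacity(self.cpu_mhz + other.cpu_mhz, self.mem_mb + other.mem_mb)

    def __sub__(self, other: "Capacity") -> "Capacity":
        return Capacity(self.cpu_mhz - other.cpu_mhz, self.mem_mb - other.mem_mb)


@dataclass
class ResourcePool:
    name: str
    reservation: Capacity  # guaranteed to this pool and its descendants
    limit: Capacity        # hard ceiling the pool can never exceed
    children: List["ResourcePool"] = field(default_factory=list)

    def reserved_by_children(self) -> Capacity:
        total = Capacity(0, 0)
        for child in self.children:
            total = total + child.reservation
        return total

    def unreserved(self) -> Capacity:
        """Guaranteed capacity not yet handed to any nested pool."""
        return self.reservation - self.reserved_by_children()

    def reject_reason(self, child: "ResourcePool") -> Optional[str]:
        """Admission check; None means the child may be nested here."""
        if not child.reservation.fits_in(child.limit):
            return f"{child.name}: reservation exceeds its own limit"
        if not child.reservation.fits_in(self.unreserved()):
            return f"{child.name}: reservation exceeds unreserved capacity of {self.name}"
        if not child.limit.fits_in(self.limit):
            return f"{child.name}: limit exceeds limit of {self.name}"
        return None

    def admits(self, child: "ResourcePool") -> bool:
        return self.reject_reason(child) is None

    def nest(self, child: "ResourcePool") -> "ResourcePool":
        reason = self.reject_reason(child)
        if reason is not None:
            raise ValueError(reason)
        self.children.append(child)
        return child


def create_pvdc(name: str, physical: Capacity) -> ResourcePool:
    # The PvDC root pool reserves exactly the physical capacity mapped into it.
    return ResourcePool(name, reservation=physical, limit=physical)


def create_ovdc(pvdc: ResourcePool, name: str, reservation: Capacity, limit: Capacity) -> ResourcePool:
    # OvDC pool nested in the PvDC; the VNF workloads get their own pool
    # nested inside the OvDC so they never compete with the edge pool.
    ovdc = pvdc.nest(ResourcePool(name, reservation, limit))
    ovdc.nest(ResourcePool(f"{name}-vnf", reservation, limit))
    return ovdc


def build_example() -> ResourcePool:
    """Constructed two-tenant layout; figures are illustrative only."""
    pvdc = create_pvdc("pvdc-resource-pod", Capacity(cpu_mhz=100_000, mem_mb=512_000))
    # Dedicated edge pool, a sibling of the OvDC pools under the PvDC.
    pvdc.nest(ResourcePool("tenant-edges", Capacity(10_000, 32_000), Capacity(20_000, 64_000)))
    create_ovdc(pvdc, "tenant-a", Capacity(40_000, 200_000), Capacity(50_000, 256_000))
    create_ovdc(pvdc, "tenant-b", Capacity(40_000, 200_000), Capacity(50_000, 256_000))
    return pvdc


if __name__ == "__main__":
    root = build_example()
    print("unreserved in PvDC:", root.unreserved())
    oversized = ResourcePool("tenant-c", Capacity(20_000, 50_000), Capacity(20_000, 50_000))
    print("tenant-c admitted?", root.admits(oversized), "|", root.reject_reason(oversized))
```

The check is deliberately performed against the parent's guaranteed reservation rather than its limit: a tenant's entitlement is only meaningful if the sum of sibling reservations can never exceed what the PvDC actually holds.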

Separation of network access between NFVI tenants is important for supporting secure multitenancy on a horizontally shared platform. vCloud Director integrates with vCenter Server and NSX for vSphere to manage the creation and consumption of isolated Layer 2 networks. Connectivity to external networks, such as the CSP MPLS network, must be set manually during the VNF onboarding process. Networks that are internal to an NFVI tenant, or to a VNF instance, can be created using the vCloud Director user interface or API. As described in the Virtual Networking Design Using VMware NSX Manager section of this document, BGP routing, ESG firewall rules, and additional services can be configured by the tenant administrator from within the OvDC.