Networking
The networking behind this architecture is designed to provide fully isolated tenant environments, each with public and private networks and dedicated compute and storage resources. The architecture is designed with high availability in mind through the deployment of a cluster for tenant workloads. There are some differences from what would be implemented in a production environment, mainly that production would use multiple clusters: one for backup, one for tenant workloads and another for the provider workloads.
The reference implementation uses inter-VLAN routing to provide isolated networking for each tenant. A Cisco router handles all routing between VLANs through a router-on-a-stick configuration, with a sub-interface defined for each network segment. A Cisco switch trunks all VLANs to the router, and the required VLANs to each Proxmox node. Within Proxmox, Software Defined Networking (SDN) VLAN zones provide a network bridge for each tenant's public and private network, allowing virtual machines and containers to be attached to the required networks easily.
Access control to each tenant's private network is implemented through SDN firewall rules in Proxmox directly. Since the management network is not added as an SDN network like the tenant networks are, the ACL rules that restrict access to the management network are applied on the router instead.
To see the router and switch configuration for each tenant, please refer to - Router Configuration File and Switch Configuration File
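As an added illustration (not the project's Router Configuration File), the fragment below shows the router-on-a-stick pattern described above for the management VLAN and Tenant A, together with an ACL that stops tenant VLANs from reaching the management network; the physical interface name GigabitEthernet0/0 and the .1 gateway addresses are assumptions.

```cisco
! Physical trunk port towards the switch; all tagged sub-interfaces hang off it
interface GigabitEthernet0/0
 description Trunk to core switch
 no shutdown
!
! Management VLAN (10.0.0.0/24, VLAN 5) - not an SDN network, so it is protected here
interface GigabitEthernet0/0.5
 description Hardware/Infrastructure Management
 encapsulation dot1Q 5
 ip address 10.0.0.1 255.255.255.0
!
! Tenant A (Adatum) public and private segments; Tenants B and C follow the same
! pattern on VLANs 200/201 (10.2.x.0/24) and 300/301 (10.3.x.0/24)
interface GigabitEthernet0/0.100
 description Tenant A - Public - Adatum
 encapsulation dot1Q 100
 ip address 10.1.0.1 255.255.255.0
 ip access-group DENY-TO-MGMT in
!
interface GigabitEthernet0/0.101
 description Tenant A - Private - Adatum
 encapsulation dot1Q 101
 ip address 10.1.1.1 255.255.255.0
 ip access-group DENY-TO-MGMT in
!
! Applied inbound on every tenant sub-interface: tenants may never initiate
! traffic into 10.0.0.0/24. Tenant-to-tenant routing is left permitted here
! because that isolation is enforced by the Proxmox SDN firewall rules.
ip access-list extended DENY-TO-MGMT
 remark Return traffic for TCP sessions started from the management side
 remark (stateless check on the ACK/RST bits; a zone-based firewall is stricter)
 permit tcp any 10.0.0.0 0.0.0.255 established
 remark If tenants depend on a service hosted in management (e.g. DNS),
 remark add a narrow permit for that host and port above the deny line
 deny   ip any 10.0.0.0 0.0.0.255 log
 permit ip any any
```

This ACL only sees traffic that crosses the router: hosts in the same VLAN reach each other through the switch and the Proxmox bridge directly, so intra-VLAN controls must live in the SDN firewall rules. `show ip access-lists DENY-TO-MGMT` reports hit counts on the deny line, which is a quick way to notice a tenant host probing the management network.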
Network Assignments
Below is the assigned network and VLAN for each tenant / use case.
| Tenant / Use | Network | CIDR | VLAN | DHCP Range |
|---|---|---|---|---|
| Hardware/Infrastructure Management | 10.0.0.0 | /24 | 5 | N/A |
| FMJ Systems Public | 10.0.1.0 | /24 | 10 | .51 - .254 |
| FMJ Systems Private | 10.0.2.0 | /24 | 20 | .51 - .254 |
| Shared Tenant Services | 10.0.9.0 | /24 | 90 | .51 - .254 |
| Tenant A - Public - Adatum | 10.1.0.0 | /24 | 100 | .51 - .254 |
| Tenant A - Private - Adatum | 10.1.1.0 | /24 | 101 | .51 - .254 |
| Tenant B - Public - Contoso | 10.2.0.0 | /24 | 200 | .51 - .254 |
| Tenant B - Private - Contoso | 10.2.1.0 | /24 | 201 | .51 - .254 |
| Tenant C - Public - Fabrikam | 10.3.0.0 | /24 | 300 | .51 - .254 |
| Tenant C - Private - Fabrikam | 10.3.1.0 | /24 | 301 | .51 - .254 |
| Simulated Internet | 10.99.99.0 | /24 | 99 | .51 - .254 |
Note - for a full look at the addressing scheme for all networks, please refer to - Addressing Scheme
Topology
For a better look at the topology, please refer to - private cloud.drawio.png
This topology diagram provides a comprehensive overview of the network, including the core networking equipment, Proxmox cluster nodes, resource pools, replication and HA failover.
Due to the resource limitations for this capstone, I wasn't able to implement some things I was intending to, one of them being a cluster for FMJ Systems and their workloads, as well as a backup cluster. I touch on this more in Limitations and Considerations.
In a full production environment, the previously mentioned additions would be made, along with multiple locations to offer availability across regions and a proper web portal for clients to provision resources within agreed limits in a self-service model. Off-site backups could be hosted across multiple regions, or encrypted and hosted in a public cloud.
