Services and Infrastructure

This page covers the services that are implemented for each tenant as well as the shared services for all tenants to use. Tenants are welcome to provision their own software on the virtual machines and containers that are provided by FMJ Systems.

Provisioned Tenant Environments

Web Server

Each tenant is provisioned with an Nginx web server that they can customize to suit their web presence, together with an account on npm.fmjsystems.com (Nginx Proxy Manager) for managing how requests for their domain are forwarded to that server.

Ports 80 and 443 are forwarded from the simulated internet interface on the router to Nginx Proxy Manager, giving HTTP and HTTPS access to tenant web servers from the simulated internet network. TLS is terminated at the reverse proxy, which presents wildcard certificates issued by the simulated internet Certificate Authority (Certzone).

Note: to establish a trusted HTTPS connection, the Certzone root CA certificate must be installed in the trusted certificate store of the connecting machine. Without it, browsers and tools such as curl reject the proxy's certificate as issued by an unknown CA, exactly as they would for any private CA.
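As an added example (not part of the original page or the FMJ Systems lab), the following script builds a throwaway root CA standing in for Certzone, issues a wildcard certificate for *.adatum.com like the one the reverse proxy presents, and shows how verification behaves with and without that root in the trust store, including the one-label limit of wildcard matching. All names, key sizes, lifetimes and paths are assumptions for the demo; only openssl is required and it runs offline.

```shell
#!/bin/sh
# Added example (not part of the FMJ Systems lab): a throwaway root CA standing in
# for Certzone, a wildcard certificate for *.adatum.com as the reverse proxy would
# hold it, and the checks a connecting client performs. Needs only openssl and
# runs offline in a temp directory. Key sizes, lifetimes, names and paths are
# assumptions made for the demo.
set -eu

WORK="$(mktemp -d)"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Certzone Root CA (demo)
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Stand-in for the Certzone root (in the lab this role is played by the StepCA at ca.certzone.com).
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Wildcard leaf for one tenant domain, signed by the demo root. The SAN carries
# both *.domain and the apex, because a wildcard does not cover the apex itself.
make_wildcard_cert() {
    domain="$1"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=*.${domain}" \
        -keyout "$WORK/${domain}.key" -out "$WORK/${domain}.csr" 2>/dev/null
    printf 'subjectAltName=DNS:*.%s,DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$domain" "$domain" > "$WORK/${domain}.ext"
    openssl x509 -req -in "$WORK/${domain}.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/${domain}.ext" -out "$WORK/${domain}.crt" 2>/dev/null
}

# verify_host LEAF HOSTNAME [CAFILE]: succeeds only if the chain ends at a trusted
# root AND the hostname matches the certificate (wildcard rules apply), which is what
# a browser or curl checks. Without CAFILE only the system store is consulted, and
# that store does not contain the demo root.
verify_host() {
    leaf="$1"; host="$2"; cafile="${3:-}"
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" -verify_hostname "$host" "$leaf" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -verify_hostname "$host" "$leaf" >/dev/null 2>&1
    fi
}

# How the root would be installed system-wide on a Debian/Ubuntu client (needs root
# privileges, not run here): drop it in the local CA directory and rebuild the bundle.
install_root_debian() {
    cp "$WORK/root.crt" /usr/local/share/ca-certificates/certzone-root.crt
    update-ca-certificates
}

# Demo run: issue for adatum.com and show the cases a client hits.
make_root_ca
make_wildcard_cert adatum.com
LEAF="$WORK/adatum.com.crt"
if verify_host "$LEAF" www.adatum.com; then
    echo "unexpected: trusted without the root"
else
    echo "www.adatum.com: rejected, Certzone root is not trusted"
fi
if verify_host "$LEAF" www.adatum.com "$WORK/root.crt"; then
    echo "www.adatum.com: trusted once the root is in the CA file"
fi
if verify_host "$LEAF" a.b.adatum.com "$WORK/root.crt"; then
    echo "unexpected: deep subdomain matched"
else
    echo "a.b.adatum.com: rejected, a wildcard matches exactly one label"
fi
```

The same check against the real lab, once the Certzone root has been exported, is `openssl s_client -connect adatum.com:443 -servername adatum.com -CAfile root.crt` (or `curl --cacert root.crt https://adatum.com`); installing the root system-wide as in `install_root_debian` removes the need to pass it on every call.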

VPN

Tenants are provisioned with a WireGuard VPN. It connects the tenant to their public subnet and, from there, lets them reach resources in their private subnet remotely. The VPN is configured through a web dashboard at vpn.tenant.com, for example vpn.adatum.com. Credentials for the VPN dashboard follow the same format as the other tenant services: username TenantAdmin, password P@ssw0rd. These are default lab credentials for the reference implementation and are not suitable for a real deployment.

Active Directory

An Active Directory environment has been created for each tenant, with a basic staff setup across several departments: HR, IT, IT-Admin, Admin, and Sales. The Active Directory environments are integrated with Proxmox authentication so that tenants can sign in to the admin portal. When an AD environment is linked to Proxmox, only the IT-Admin group and its members are added, so users in the other departments have no Proxmox login.

Shared Services

Reverse Proxy

The shared reverse proxy is Nginx Proxy Manager (NPM), running inside a Docker container hosted in an LXC container on the shared services network. NPM handles all inbound HTTP and HTTPS traffic for tenant and FMJ Systems domains, routing requests to the appropriate backend based on the requested hostname.

NPM is reachable at npm.fmjsystems.com.

Ports 80 and 443 are forwarded from the simulated internet interface on the router to the reverse proxy, enabling HTTP and HTTPS access to tenant web servers from the simulated internet network.

Tenant accounts are provisioned with scoped access, restricting each tenant to the proxy host entries created under their own account. Tenants use these accounts to manage forwarding rules for their hosted web services. Accounts follow the format [email protected].

Access to the Proxmox web interface at admin.fmjsystems.com is load balanced across all three nodes in the tenant cluster, providing redundancy in the event that a node becomes unavailable.

DNS Server

The shared services DNS server is a BIND9 instance at 10.0.9.10, reachable for management at dns.fmjsystems.com. All tenant networks are configured to use this server as their DNS resolver. It sits in the middle of a three-tier DNS hierarchy:

1. Simulated Internet DNS (10.99.99.5) — Authoritative for public tenant domains
2. Shared Services DNS (10.0.9.10) — Recursive resolver, internal records, logging
3. Tenant AD DC — Authoritative for internal.tenant.com

FMJ Systems has full administrative control over this DNS server. Tenants do not have access to manage or modify any records on the shared services DNS.

Simulated Internet

The simulated internet is an isolated network (10.99.99.0/24, VLAN 99) that acts as a stand-in for the public internet. Since I was unsure of the network connectivity at the IT Expo, the environment has no real internet connectivity. The simulated internet provides the two things that would normally come from the public internet: authoritative DNS resolution for tenant domains and a trusted Certificate Authority for issuing HTTPS certificates.

In a production implementation of this architecture, the simulated internet would not be included; an authoritative public DNS provider and a publicly trusted certificate authority would be used instead.

DNS Server

The simulated internet DNS is a BIND9 instance hosted at 10.99.99.5, managed through Webmin at 10.99.99.5:10000. It acts as the authoritative name server for all public tenant domains, functioning similarly to a public DNS provider like Cloudflare.

The following zones are hosted on the simulated internet DNS:
adatum.com
contoso.com
fabrikam.com
fmjsystems.com

These zones contain records that point tenant domains at the simulated internet default gateway. The gateway forwards ports 80 and 443 to the Nginx Proxy Manager reverse proxy, which routes each request to the appropriate backend by hostname. This is what allows a machine on the simulated internet network to browse to adatum.com and reach Adatum's web server.
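The following added example (not the lab's own configuration) renders the BIND9 pieces that wire the three tiers together: the shared services resolver configuration from the DNS hierarchy section above (recursion, conditional forwarding of internal.tenant.com to each tenant DC, forwarding of everything else to the simulated internet DNS, query logging) and an authoritative zone file of the kind the simulated internet DNS hosts for each public tenant domain. The tenant DC addresses (10.10.x.10), the simulated internet gateway address (10.99.99.1), the allow-recursion range and the use of forwarding from tier 2 to tier 1 are assumptions; the page does not state them.

```shell
#!/bin/sh
# Added example, not the lab's actual configuration: generate the BIND9 files that
# connect the three DNS tiers. Values the page does not state are assumptions and
# marked as such below.
set -eu

OUT="$(mktemp -d)"
SIM_DNS="10.99.99.5"       # tier 1, from the page
SHARED_DNS="10.0.9.10"     # tier 2, from the page
SIM_GATEWAY="10.99.99.1"   # assumed: simulated internet default gateway, port-forwards 80/443 to NPM

# Tier 2 global options: recursive for the internal ranges, forwards everything it
# is not authoritative for to tier 1 (there is no real internet, so root hints would
# never resolve), and logs every query.
render_shared_options() {
    cat <<EOF
options {
    directory "/var/cache/bind";
    listen-on { ${SHARED_DNS}; };
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   // assumed tenant/shared ranges; tighten to the real subnets
    allow-query { 10.0.0.0/8; };
    forward only;
    forwarders { ${SIM_DNS}; };
    dnssec-validation no;              // assumed: the simulated zones are not signed
};
logging {
    channel query_log {
        file "/var/log/named/query.log" versions 5 size 20m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category queries { query_log; };
};
EOF
}

# Tier 3 hand-off: one conditional forward zone per tenant, pointing at that tenant's DC.
render_tenant_forward_zone() {
    tenant="$1"; dc_ip="$2"
    cat <<EOF
zone "internal.${tenant}.com" {
    type forward;
    forward only;
    forwarders { ${dc_ip}; };
};
EOF
}

# Tier 1: an authoritative zone for a tenant's "public" domain. Every public name
# resolves to the simulated internet gateway; NPM then picks the backend by hostname.
render_public_zone() {
    domain="$1"
    cat <<EOF
\$TTL 300
@       IN SOA  ns1.${domain}. hostmaster.${domain}. ( 2024010101 3600 900 604800 300 )
        IN NS   ns1.${domain}.
ns1     IN A    ${SIM_DNS}
@       IN A    ${SIM_GATEWAY}
www     IN A    ${SIM_GATEWAY}
*       IN A    ${SIM_GATEWAY}
EOF
}

# Write everything out and, when the BIND tools are installed, validate the syntax.
# Prints the output directory.
build_dns_configs() {
    {
        render_shared_options
        render_tenant_forward_zone adatum   10.10.1.10    # assumed DC addresses
        render_tenant_forward_zone contoso  10.10.2.10
        render_tenant_forward_zone fabrikam 10.10.3.10
    } > "$OUT/named.conf.shared"
    for d in adatum.com contoso.com fabrikam.com fmjsystems.com; do
        render_public_zone "$d" > "$OUT/db.$d"
    done
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$OUT/named.conf.shared"
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        for d in adatum.com contoso.com fabrikam.com fmjsystems.com; do
            named-checkzone "$d" "$OUT/db.$d" >/dev/null
        done
    fi
    echo "$OUT"
}

build_dns_configs
```

named.conf.shared belongs on the shared services server and the db.* files on the simulated internet DNS; after loading them, `dig @10.0.9.10 internal.adatum.com` should show the answer coming from the tenant DC and `dig @10.0.9.10 www.adatum.com` should return the gateway address via tier 1, with both queries appearing in /var/log/named/query.log on the shared resolver. The allow-recursion ACL is the control that keeps the shared resolver from being an open resolver for whatever else can reach VLAN 99, so it should list only the tenant and shared services subnets.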

Certificate Authority

The simulated internet Certificate Authority is a StepCA instance hosted at 10.99.99.6, operating under the fictional public CA name Certzone. Its hostname is ca.certzone.com. The purpose of this CA is to simulate a public Certificate Authority like Let's Encrypt, enabling realistic HTTPS certificate issuance across all tenant domains without requiring real internet connectivity.

StepCA was chosen as the certificate authority because it is self-hosted and is sufficient for issuing web certificates in this reference implementation. In a production environment, a publicly trusted CA such as Let's Encrypt would be used.