http://github.com/dylang/node-rsssite-lib/media/favicon.pngWebpage HTML Export plugin for ObsidianTue, 19 May 2026 23:18:32 GMTTue, 19 May 2026 23:18:22 GMT60 Welcome to the FMJ Systems Capstone Documentation. For my capstone project, I was tasked to create a fictional business and business case for a deployment of IT Infrastructure. I decided to build a Multi-Tenant Private Cloud Reference Implementation under the banner of FMJ Systems, an IT consulting company specializing in private cloud deployments. The idea is to showcase the capabilities of a private cloud to offer implementation services to potential clients and customers. The reference implementation is modeled after a Managed Service Provider offering isolated cloud environments to clients. Each tenant is provisioned with dedicated compute, networking and storage resources. The reference implementation contains a management node for FMJ Systems and a 3-node tenant cluster to provide isolated environments for clients. In a full production deployment, this would include a dedicated storage and backup cluster, redundant networking hardware, and multiple datacenters across the country to provide availability zones across regions and is adaptable to a range of deployment contexts including academic institutions, government agencies, and enterprise environments. FMJ systems believes companies data is the most important thing to them, so it should be on hardware they own and manage. Utilizing the Private Cloud Reference Implementation, FMJ Systems plans on demonstrating how a private cloud could benefit a wide range of different organizations. FMJ Systems offers companies private cloud deployments where FMJ Systems works with the client to scope out their needs and builds an implementation. FMJ Systems would plan the building out and managing of the private cloud infrastructure for the client for a fixed monthly cost, depending on the size of the organization and private cloud requirements. the client is also welcome to manage their infrastructure themselves, post deployment. An overview on how FMJ Systems would be structured as a Managed Service Provider with this reference architecture. Covers the division of responsibilities for FMJ Systems and the tenants, a basic overview of how billing would be structured in a production deployment, as well as what is required for tenants to be onboardedThe architecture and design of the private cloud reference implementation. An overview of the topology, design, scope and adaptability of the architecture to other deployment contexts such as academic institutions or government agencies The networking implementation of the architecture. Overview of the addressing scheme, isolated network design, and a detailed topology of the reference implementationThe implementation of tenant isolation through RBAC, Resource Pools, Networking and Storage configuration, and Access Control List rules to enforce private subnet restrictionsDocumentation for deployed shared services and simulated internet deployment such as: DNS, Reverse Proxy, VPN, Web Servers, and Simulated Internet Certificate AuthorityThis is only a reference implementation, this architecture can be adapted for different use cases to provide benefits to different styles of organizationsThis document covers my reflection on the implementation for this capstone and looks at the limitations and considerations of turning this architecture into a production deploymentThis document covers how to connect to the environment to connect to resources such as what URLs and credentials to use, and the method of administering cloud resources as a clientThis document covers my reflection on implementing this capstone, presenting at the IT expo as well as navigating design and implementation choices.]]>main-page.htmlMain Page.mdTue, 19 May 2026 23:17:05 GMT<figure><img src="."></figure>NetworkingEach tenant is provided with a dedicated ZFS dataset created on the appropriate cluster node, with a storage quota to prevent any single tenant from consuming disproportionate resources. These datasets are registered in Proxmox as separate storage pools scoped to the tenant's resource pool, meaning a tenant's disk images are physically separated on the underlying storage from other tenants.zfs create LocalZFS/Adatum zfs set quota=100G LocalZFS/Adatum To isolate access to resources on the tenant cluster, each tenant has been provisioned with a resource pool that contains their VMs, Containers, and Storage. Permissions have been set for the tenant to use the allocated VMs and CTs. In the Shared Services isolated environment, there is a reverse proxy running Nginx Proxy Manager. there are user accounts set up for each tenant in the reverse proxy with scoped access to only items that are created by the respective tenants. Nginx Proxy Manager does not allow for integration with Active Directory unfortunately so tenants are required to use Nginx Proxy Manager accounts setup under ITAdmin@Tenant.comeach tenant is provided with a web server and VPN located in their public subnet, as well as a Active Directory Domain Controller in the private subnet for AD authentication. In the implementation of this reference architecture, the AD DC is only for authentication with Proxmox, in a production deployment of an architecture like this, existing AD or other identity providers can be used for authentication with Proxmox and a standard DNS server can be deployed in place.]]>tenant-isolation-and-environment.htmlTenant Isolation and Environment.mdTue, 19 May 2026 23:15:44 GMTRouter Configuration File and Switch Configuration Filebelow is the assigned network and VLAN for each tenant / use case
Note - for a full look at the addressing scheme for all networks, please refer to - Addressing Scheme

For a better look at the topology, please refer to - private cloud.drawio.pngThis topology diagram provides a comprehensive overview of the network topology, including the core networking equipment, Proxmox cluster nodes, resource pools, replication and HA failover overview
Due to the resource limitations for this capstone, I wasn't able to implement some things I was intending to, one of them is a cluster for FMJ Systems and their workloads as well as a backup cluster, I touch on this more in Limitations and ConsiderationsIn a full production environment, the previously mentioned additions would be made as well as multiple locations to offer availability across regions and a proper web portal for clients to provision resources within agreed limitations in a self-service model. Off site backups could be hosted across multiple regions or encrypted and hosted in a public cloud. ]]>networking.htmlNetworking.mdTue, 19 May 2026 23:15:27 GMT<figure><img src="."></figure>limitations-and-considerations.htmlLimitations and Considerations.mdTue, 19 May 2026 23:14:30 GMTadaptations-of-the-architecture.htmlAdaptations of the Architecture.mdTue, 19 May 2026 23:14:00 GMTUnder Datacenter > SDN > Zones create a VLAN zone for the tenant
Under Datacenter > SDN > VNets create a VNet for the tenants public and private subnet and add the respective network in the respective VNet.
Under Datacenter > Permissions > Users create a Admin User for the tenant in the PVE realm. Admin user is created in case there is an issue with their identity provider
Under Datacenter > Permissions > Groups create a group for the tenant. Add the tenant admin user created previously
Under Datacenter > Permissions > Pools create a resource pool for the tenant
Under Datacenter > Permissions create permissions for the tenants resource pool. the permissions that tenants require are:/pool/tenant - PVEVMUser /sdn/zones/tenant - PVESDNUser Virtual machines and Containers that are required by the tenant can be created at this point. when the VMs and CTs are being created, the storage must be places in the tenants storage as well as the VM/CT must be placed in the respective tenants resource poolUnder Datacenter > Permissions > Realms add the tenants Active Directory, LDAP, or OpenID Connect Server to authenticate against the tenants identity provider. Tenant may chose to host Active Directory in their private subnet or utilize pre existing identity infrastructure and have a DNS server in their private subnet insteadon npm.fmjsystems.com a tenant account needs to be made with permissions set so they are only to see items that are created by their account. this is one of the options that can be set when the account is made. Once the base environment for the tenant is created, listings for the created services need to be made for example, the web server and the VPN]]>tenant-onboarding-process.htmlTenant Onboarding Process.mdTue, 19 May 2026 23:13:22 GMT<figure><img src="."></figure>services-and-infrastructure.htmlServices and Infrastructure.mdTue, 19 May 2026 23:13:10 GMTTenant Onboarding ProcessIn a production deployment, the process of onboarding tenants would be automated through the Proxmox REST API, allowing FMJ Systems to onboard new clients quickly and consistently without manual configuration steps. the API supports full control over VM and container creation, resource pool management, SDN Zone creation, and permission assignments. Router and switch configuration can be achieved through an SSH based scripting. Tenant networks could also be implemented through Proxmox Software Defined Networking to eliminate the need for SSH based scripting for the router and switch, as tenant networking would all be handled through Proxmox.Billing implemented with a fixed monthly charge is well suited to a reference implementation, but a production implementation would benefit from usage based billing. The Proxmox REST API exposes CPU, RAM, and network utilization on a per VM basis. Implementing a way to poll the API for resource usage per VM then aggregating the data by tenant resource pool could be used to track usage for billing purposes. this would enable FMJ systems to bill customers based on usage rather than a fixed monthly cost, which would be more practical at scale For the demonstration of this architecture, I have only implemented the base environment for each tenant with isolated compute, networking and storage on the tenant cluster. This includes a web server and VPN in their public subnet, and an Active Directory environment for Proxmox authentication located in their private subnet. The active directory environment can be swapped out to use the tenants existing identity provider for authentication, and a DNS server can be put in place. These are the names of the 3 tenants I have implemented Adatum Contoso Fabrikam ]]>fmj-systems-and-the-msp-model.htmlFMJ Systems and the MSP Model.mdTue, 19 May 2026 23:11:14 GMTreflection.htmlReflection.mdTue, 19 May 2026 23:05:16 GMT]]>assets/capstone-image-solo-1.htmlAssets/Capstone Image SOLO 1.pngSat, 09 May 2026 21:34:09 GMT<figure><img src="."></figure>configuration-files/router-configuration-file.htmlConfiguration Files/Router Configuration File.mdThu, 02 Apr 2026 18:53:47 GMTFMJ Systems and the MSP ModelThe reference implementation consists of FMJ Systems management infrastructure, that is hosted on its own dedicated node, and a tenant cluster that hosts all tenant workloads as well as the shared services isolated environment. the simulated internet isolated environment is also hosted on the tenant cluster, but this would not be included in a production environment at all, the simulated internet environment is only to provide a certificate authority and external DNS since the environment is not connected to the internet. Tenant isolation is enforced at multiple layers such as networking, storage, and access control, ensuring that no tenant can access or interfere with another tenants resources. Each Tenant is provisioned with a dedicated publica and private subnet, isolated ZFS storage datasets, and Proxmox access restricted to only their resources pool The inclusion of shared services serves a DNS server that forwards DNS requests for internal.tenant.com to each tenants AD DC and to sere internal DNS records as well as a reverse proxy for web connections to FMJ Systems and tenants.The reference implementation consists of the following physical hardware:Tenant Environments - Each of the three tenants (Adatum, Contoso, Fabrikam) is provisioned with a dedicated public and private subnet, isolated storage, scoped Proxmox access, and their own web server, Active Directory environment, and WireGuard VPN that is reachable from the simulated internet network.Shared Services - A shared services network hosts infrastructure that all tenants consume, including the Nginx Proxy Manager reverse proxy and the BIND9 recursive DNS resolver. The Nginx Proxy Manager has user accounts for scoped tenant management, the DNS server is fully managed by FMJ Systems.FMJ Systems Infrastructure — The FMJ node hosts anything related to FMJ Systems, including the FMJ Systems web server, Active Directory Environment, VPN and Management VPN. This is logically and physically separated from the tenant cluster.Simulated Internet — An isolated VLAN (10.99.99.0/24) simulates a public internet environment for the purposes of the demo. It hosts an authoritative BIND9 DNS server and a StepCA Certificate Authority operating as a fictional public CA called Certzone, enabling realistic HTTPS certificate issuance and public DNS resolution without requiring actual internet connectivity.
This simplified topology shows a high level representation of what has been implemented for the reference architecture for the demonstration. It includes the Proxmox cluster, FMJ Systems node, router, switch and demo PC. Tenant workloads are hosted on the Proxmox cluster and any FMJ Systems required infrastructure is hosted on the FMJ Systems node. the demo computer is typically accessing either VLAN 5 (management) or VLAN 99 (Simulated Internet) to demonstrate connectivity to resources depending on network connectivity.
Note - For a more detailed look at the topology, see - Networking
For more information on how tenants are isolated, see - Tenant Isolation and Environment
In a full production deployment, the architecture would expand to include: A dedicated storage cluster for tenant and provider data and backups Offsite backups Redundant networking hardware Multiple Availability Zones across geographic regions The reference implementation consolidates all of these roles into available hardware while maintaining the same logical separation that a production deployment would enforce. While this implementation is modeled after a MSP offering, the architecture is adaptable to other deployment contexts, with targeted modifications: Academic Institutions - Resource pools can be scoped per student or per course. Standardized environments can be made for different courses or labs and deployed to student resource pools Government Agencies - Can benefit from self hosting all services and data to ensure data sovereignty. Audit logging and more strict RBAC policies can be layered on top to provide more security Enterprise IT - Departments can be isolated the same way tenants are and the clusters can scale to support shared IT requirements. Integration into existing identity providers can also be utilized
Note - For more information on how the architecture could be adapted to other contexts, see - Adaptations of the Architecture]]>architecture-and-design.htmlArchitecture and Design.mdWed, 01 Apr 2026 19:43:28 GMT<figure><img src="."></figure>]]>assets/simplified-intended-topo.drawio.htmlAssets/Simplified INTENDED Topo.drawio.pngWed, 01 Apr 2026 04:02:05 GMT<figure><img src="."></figure>accessing-resources-for-demonstration.htmlAccessing Resources for Demonstration.mdTue, 31 Mar 2026 22:02:20 GMT]]>assets/private-cloud.drawio.htmlAssets/private cloud.drawio.pngSat, 28 Mar 2026 16:09:54 GMT<figure><img src="."></figure>addressing-scheme.htmlAddressing Scheme.mdTue, 17 Mar 2026 23:13:47 GMT]]>assets/pasted-image-20260316134737.htmlAssets/Pasted image 20260316134737.pngMon, 16 Mar 2026 17:47:37 GMT<figure><img src="."></figure>]]>assets/pasted-image-20260316134655.htmlAssets/Pasted image 20260316134655.pngMon, 16 Mar 2026 17:46:55 GMT<figure><img src="."></figure>]]>assets/pasted-image-20260316133722.htmlAssets/Pasted image 20260316133722.pngMon, 16 Mar 2026 17:37:22 GMT<figure><img src="."></figure>]]>assets/pasted-image-20260316133411.htmlAssets/Pasted image 20260316133411.pngMon, 16 Mar 2026 17:34:11 GMT<figure><img src="."></figure>]]>assets/pasted-image-20260316133133.htmlAssets/Pasted image 20260316133133.pngMon, 16 Mar 2026 17:31:33 GMT<figure><img src="."></figure>]]>assets/pasted-image-20260316132115.htmlAssets/Pasted image 20260316132115.pngMon, 16 Mar 2026 17:21:15 GMT<figure><img src="."></figure>configuration-files/switch-configuration-file.htmlConfiguration Files/Switch Configuration File.mdSun, 15 Mar 2026 00:21:10 GMT]]>assets/simplified-topo.drawio.htmlAssets/Simplified Topo.drawio.pngSat, 14 Mar 2026 23:46:54 GMT<figure><img src="."></figure>