Tenant Isolation and Environment
Tenant Isolation
Tenant isolation in this architecture is achieved through dedicated compute, storage and networking resources. Each tenant is allocated a public subnet that is reachable from the internet, as well as a private subnet that is not reachable from the internet and is only accessible from the respective tenant's public subnet. Role-Based Access Controls have been implemented in Proxmox to restrict each tenant's access to only their own resources in Proxmox.
Network Isolation
Each tenant is provisioned with a dedicated public and private subnet, backed by a VLAN-tagged SDN zone in Proxmox. The public subnet is reachable from the simulated internet through NAT and port forwarding configured on the router. The private subnet is not directly reachable from the internet, and is restricted by SDN VNet Firewall rules that only permit traffic originating from the management network or the tenant's own public subnet.
For full VLAN and addressing details, see Networking.
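An added example, not part of the original page or the project's configuration: a Python check that a set of firewall rules honours the private-subnet policy stated above. The subnets, the second tenant (Contoso) and the simplified rule tuples are constructed for illustration; real rules would first have to be exported into this shape.

```python
from ipaddress import ip_network

# Constructed addressing plan (the real one is on the Networking page).
MGMT = ip_network("10.0.0.0/24")
TENANTS = {
    "Adatum":  {"public": ip_network("10.10.1.0/24"), "private": ip_network("10.10.2.0/24")},
    "Contoso": {"public": ip_network("10.20.1.0/24"), "private": ip_network("10.20.2.0/24")},
}

# Constructed inbound rules in a simplified form: (action, source, dest).
RULES = [
    ("ACCEPT", "10.0.0.0/24",   "10.10.2.0/24"),  # management -> Adatum private
    ("ACCEPT", "10.10.1.0/24",  "10.10.2.0/24"),  # Adatum public -> Adatum private
    ("ACCEPT", "10.20.1.0/24",  "10.10.2.0/24"),  # Contoso public -> Adatum private
    ("ACCEPT", "0.0.0.0/0",     "10.20.2.0/24"),  # any -> Contoso private
    ("DROP",   "0.0.0.0/0",     "10.10.2.0/24"),  # default deny, not an allow rule
    ("ACCEPT", "10.20.1.10/32", "10.20.2.5/32"),  # host-to-host inside Contoso
]

def audit(rules, tenants=TENANTS, mgmt=MGMT):
    """Return (tenant, source, dest) for every ACCEPT rule that lets a source
    outside the management network or the tenant's own public subnet reach
    that tenant's private subnet."""
    findings = []
    for action, src, dst in rules:
        if action.upper() != "ACCEPT":
            continue
        src_net, dst_net = ip_network(src), ip_network(dst)
        for name, nets in tenants.items():
            # Only rules whose destination touches this tenant's private subnet matter.
            if not dst_net.overlaps(nets["private"]):
                continue
            allowed = (mgmt, nets["public"])
            # The source must sit entirely inside an allowed network; a broader
            # CIDR that merely contains an allowed network is still a violation.
            if not any(src_net.subnet_of(a) for a in allowed):
                findings.append((name, src, dst))
    return findings

if __name__ == "__main__":
    for tenant, src, dst in audit(RULES):
        print(f"VIOLATION: {src} may reach the {tenant} private subnet via {dst}")
```
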
Storage Isolation
Each tenant is provided with a dedicated ZFS dataset created on the appropriate cluster node, with a storage quota to prevent any single tenant from consuming disproportionate resources. These datasets are registered in Proxmox as separate storage pools scoped to the tenant's resource pool, meaning a tenant's disk images are physically separated on the underlying storage from other tenants.
zfs create LocalZFS/Adatum
zfs set quota=100G LocalZFS/Adatum
Proxmox RBAC and Resource Pools
To isolate access to resources on the tenant cluster, each tenant has been provisioned with a resource pool that contains their VMs, Containers, and Storage. Permissions have been set for the tenant to use the allocated VMs and CTs.
In the Shared Services isolated environment, there is a reverse proxy running Nginx Proxy Manager. User accounts are set up for each tenant in the reverse proxy, with access scoped to only the items created by the respective tenant. Unfortunately, Nginx Proxy Manager does not allow for integration with Active Directory, so tenants are required to use Nginx Proxy Manager accounts set up under [email protected]
Tenant Environments
Each tenant is provided with a web server and VPN located in their public subnet, as well as an Active Directory Domain Controller in the private subnet for AD authentication. In the implementation of this reference architecture, the AD DC is only for authentication with Proxmox. In a production deployment of an architecture like this, existing AD or other identity providers can be used for authentication with Proxmox, and a standard DNS server can be deployed in its place.