vCenter Server Cloud Provider Use Cases and Architectures : VMware NSX
VMware NSX
VMware NSX provides security and networking solutions for virtual data centers and cloud environments. NSX strengthens application and data security and, in the shared vCenter Server model, improves visibility and control and accelerates IT compliance efforts across the tenants’ organizations. A service provider can therefore use NSX to build a multitenant topology: segmenting networks, isolating network resources per tenant, and providing logical routing, network security policies, firewalling, and advanced load balancing.
As illustrated in the following figure, through appropriate design, high-scale multitenancy is enabled with multiple tiers of VMware NSX Edge™ devices interconnected through VxLAN transit uplinks. Two tiers of NSX Edge devices support the required scaling, while maintaining a level of administrative control, with top-tier NSX Edge devices acting as a provider edge managed by the service provider administrator, and a second tier of NSX Edge devices provisioned and managed by the tenants.
The provider edge can scale up to 8 ECMP edges for scalable routing. Depending on the tenants’ requirements, the tenant edges can be ECMP or stateful. In addition, as discussed in the next section, this architecture supports overlapping IP addresses between tenants connected to different first-tier NSX Edge devices, and NSX distributed firewall (DFW) rules in a multitenancy environment.
Figure 14. Multitenant vCenter Server NSX Architecture
As the preceding figure shows, in this example each tenant’s virtual network consists of VxLAN logical switches, an NSX distributed logical router (DLR), and an NSX Edge services gateway.
The per-tenant DLR is predominantly employed to improve the efficiency of east-west routing within the tenant’s segments (web and DB segments in this example). Each tenant employs an edge services gateway (ESG) for north-south routing and for the tenant to leverage other network services such as NAT, firewall, and load balancers.
The provider edge uses a “trunk” interface so that many sub-interfaces can be created on a single NSX Edge device, and it establishes a routing peering with a separate DLR instance on each sub-interface.
The aggregation (provider) edge gateways must apply route import policies so that only the appropriate routes advertised by each tenant edge gateway are accepted; a tenant edge must not be able to inject prefixes belonging to another tenant or to the provider.
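The following is an added example, not VMware’s code and not an NSX API: it models what a per-sub-interface route import policy on the provider edge enforces. The sub-interface names, the tenant prefix assignments, and the three checks (no default route, no prefix more specific than an assumed /24, and only prefixes inside the tenant’s assigned space) are assumptions chosen for illustration. In a real deployment the equivalent policy is expressed as a prefix list or route map on the provider edge’s BGP or OSPF peering for that sub-interface.

```python
import ipaddress

# Constructed assignment of address space to each provider-edge sub-interface
# (illustrative names and prefixes; not from the page or any real deployment).
TENANT_PREFIXES = {
    "vnic10-tenant-a": ["10.1.0.0/16"],
    "vnic11-tenant-b": ["10.2.0.0/16"],
}


def make_import_policy(allowed_prefixes, longest_prefix=24):
    """Build the import policy for one sub-interface.

    Returns a callable that, given an advertised prefix string, returns
    (accepted: bool, reason: str). Assumed rules: reject a default route,
    reject anything more specific than /longest_prefix (a more-specific
    prefix would win longest-match and could hijack traffic), and accept
    only prefixes that fall inside the tenant's assigned address space.
    """
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]

    def decide(route):
        try:
            net = ipaddress.ip_network(route, strict=True)
        except ValueError:
            return False, "malformed prefix"
        if net.prefixlen == 0:
            return False, "default route not accepted from tenant"
        if net.prefixlen > longest_prefix:
            return False, "more specific than /%d" % longest_prefix
        same_family = [a for a in allowed if a.version == net.version]
        if not any(net.subnet_of(a) for a in same_family):
            return False, "outside tenant's assigned address space"
        return True, "accepted"

    return decide


def filter_updates(sub_interface, advertised_routes, assignments=TENANT_PREFIXES):
    """Apply the sub-interface's import policy to the routes a tenant edge advertises.

    Returns (accepted, rejected): a list of accepted prefixes and a dict
    mapping each rejected prefix to the reason it was dropped. Rejections
    are what an operator would expect to see logged on the provider edge.
    """
    policy = make_import_policy(assignments[sub_interface])
    accepted, rejected = [], {}
    for route in advertised_routes:
        ok, reason = policy(route)
        if ok:
            accepted.append(route)
        else:
            rejected[route] = reason
    return accepted, rejected


if __name__ == "__main__":
    # Constructed advertisement from tenant A's edge, including three routes
    # a correctly configured tenant would never send.
    tenant_a_update = [
        "10.1.10.0/24",     # inside tenant A's space: accepted
        "10.1.0.0/16",      # the whole assignment: accepted
        "10.2.5.0/24",      # tenant B's space: rejected
        "0.0.0.0/0",        # default route: rejected
        "10.1.10.128/25",   # more specific than /24: rejected
    ]
    ok, dropped = filter_updates("vnic10-tenant-a", tenant_a_update)
    print("accepted:", ok)
    for prefix, why in dropped.items():
        print("rejected %-16s %s" % (prefix, why))
```

Because the policy is built per sub-interface, the same prefix is judged differently depending on which tenant peering it arrives on, which is exactly the isolation the trunk-and-sub-interface design is meant to give.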