4.4.1 Per-Customer Partial Mesh-Access
If a provider offers customers the ability to choose any combination of service locations, the provider must provide the customer a bespoke “global” access capability, or have the customer manually select one of the sites in which they have service for their initial login. If a provider chooses the manual selection option, after the user is logged in to their chosen site, vCloud Director multisite associations allow them to switch between the other provider sites in which they have associated organizations. This option does not represent a poor user experience, and remains the most straightforward to implement, requiring only service design effort to make sure each customer knows which sites their users can log into.
An alternative choice is to embed intelligence into the global access model to identify the appropriate sites in which the user’s organization is present. Unfortunately, because the user’s identity is not known until they attempt to log in, this method is limited to organization-level validation. This approach only works with the traffic-based method described earlier, because the full URL is available to the site selection server. In this model, the global site selection logic is enhanced to examine the full URL, including the tenant/organization name elements, when the connection is received. The following figure shows the sequence of events in this process.
Figure 25. Per-Tenant Global Site Selection
 
1. The full URL is passed to the global site selection system.
2. The tenant is identified from the organization name at the end of the URL, and this is matched in a site lookup table.
3. The sites which are valid for that tenant/organization are returned.
4. The site selection logic chooses a vCloud Director instance from within the returned set, using the appropriate business logic.
While it is not possible to employ this approach in the exact manner of the DNS-based site selection model, you can combine the two approaches. Because the DNS query contains only the FQDN, the organization name is not available to the intelligent DNS server, so it cannot identify the tenant or the sites at which that tenant has organizations. However, depending on the technology deployed, it might be possible to use the local site load balancer, which does receive the full URL, to identify the tenant in question and issue a redirection to a valid site if it determines that the user does not have an organization configured at the local site. This represents a distributed version of the traffic load sharing model and imposes the need to distribute an updated list of tenants (organizations) and their associated sites whenever there are changes.
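The four steps above and the local load balancer redirect variant can be sketched as follows. This is an added example, not VMware code: the lookup table, hostnames, `/tenant/<org>` path shape, allowed name characters, and "first listed site" business logic are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed lookup table: organization name -> sites where it has an organization.
SITE_TABLE = {"acme": ["site-a", "site-c"], "globex": ["site-b"]}
# Constructed site -> vCloud Director endpoint map (hypothetical hostnames).
SITE_ENDPOINTS = {
    "site-a": "vcd-a.example.com",
    "site-b": "vcd-b.example.com",
    "site-c": "vcd-c.example.com",
}
# Assumed character set for organization names; anything else is rejected.
ORG_NAME = re.compile(r"[A-Za-z0-9_.-]{1,128}")


def path_segments(url):
    """Step 1: split the path of the full URL into non-empty segments."""
    return [s for s in urlsplit(url).path.split("/") if s]


def tenant_from_url(url):
    """Step 2: the organization name is the last path segment of the URL."""
    segments = path_segments(url)
    if segments and ORG_NAME.fullmatch(segments[-1]):
        return segments[-1]
    return None


def valid_sites(url):
    """Step 3: sites valid for the tenant; empty for unknown or malformed names."""
    sites = SITE_TABLE.get(tenant_from_url(url), [])
    return [s for s in sites if s in SITE_ENDPOINTS]


def select_site(url, local_site=None):
    """Step 4: return (site, redirect_url). redirect_url is None when the local
    site can serve the tenant; both are None when no valid site exists."""
    sites = valid_sites(url)
    if not sites:
        return None, None  # unknown and malformed names look the same to the caller
    if local_site in sites:
        return local_site, None
    site = sites[0]  # placeholder business logic: first listed site
    # The redirect host comes only from the provider's table, never from the request.
    path = "/" + "/".join(path_segments(url))
    return site, "https://" + SITE_ENDPOINTS[site] + path
```

Calling `select_site` without `local_site` models the global site selection system; passing `local_site` models a local load balancer deciding whether to serve the request or redirect it.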