Configure Multitenancy
For supported software information, see Supported Software Information at the end of this article.
Multitenancy is a mode of software operation in which multiple independent instances of one or multiple applications operate in a shared environment. The instances, which are called tenants, are logically completely isolated, but they are physically located on the same device. The Versa Operating System™ (VOS™) software support of multitenancy allows a tenant or a tenant organization to share common access to the software instance, with each tenant having its own specific privileges. An example is system resources that are shared among tenants but that still retain their own independent configuration.
VOS software multitenancy provides each tenant a dedicated share of resources based on the license and services to which the tenant is subscribed.
Multitenancy allows service providers to optimize the utilization of the networking assets, provide cost-effective solutions, and achieve economies of scale. VOS multitenancy provides complete isolation among the tenants on a device.
For Versa SD-Security, multitenancy secures traffic from multiple tenants, as illustrated in the following figure. You can create multiple service definitions, with a unique device group and template for each service definition per tenant.
Multitenancy allows resources and costs to be shared across tenants, which provides the following benefits:
- Resource optimization—You can centralize infrastructure in locations with lower costs for things such as real estate, electricity, and infrastructure.
- Ease of management—You can increase peak load capacity without having to engineer and pay extra for the resources and equipment to achieve peak load levels.
- Improved device utilization—Service providers can increase efficiency and reduce capital expenditure (capex).
To configure multitenancy on VOS devices, first, you configure the individual tenants, and then you associate tenants with a parent organization.
Note that in the VOS software, the terms organization and tenant are often used interchangeably. However, the term organization is generally used to describe a service provider or other type of parent tenant that owns and is responsible for subtenants, which are just called tenants and which can be branch or other types of devices. A distinction is made between a parent organization and the tenants, or subtenants. The parent organization can view all VRFs and other parameters of its subtenants, while subtenants can view only the VRFs, routing tables, and ports that belong to their organization. Note that only one parent organization can be present on a device.
On VOS devices, you can configure multiple tenants on a single system in any form-factor deployment. For Releases 21.1.4 and later releases of Release 21.1, and for Releases 21.2.2 and later, you can configure up to 1024 tenants per Versa Director and 256 tenants on any VOS device.
For each tenant, you can enable or disable multiple capabilities separately. For example, a single VM or bare-metal deployment could support the following:
- Stateful firewall for Tenant 1
- NGFW for Tenant 2
- Unified threat management (UTM) for Tenant 3
Note that NGFW and stateful firewall services are mutually exclusive, so you can enable only one of them.
You can automatically configure multitenancy on any device using the template workflow. To do this, in Director view, select the Workflows tab, and then select Template > Templates in the left menu bar.
Configure Tenants
Note: While you can configure tenants manually, as described in this section, it is recommended that you configure them using VOS workflows. To do this, in Director view, select the Workflows tab in the top menu bar, and then select Template in the left menu bar. For more information, see Create and Manage Staging and Post-Staging Templates.
To configure tenants manually:
- In Director view, select the Administration tab in the top menu bar.
- Select Organizations in the left menu bar.
- In the main pane, click the Add icon.
- In the Confirm Add Organization popup window, click OK.
- In the Add Organization popup window, enter information for the following fields.
Name: Enter a name for the tenant organization.
Description: Enter a text description for the tenant organization.
Tags: Enter a keyword or phrase that allows you to filter tenants. This is useful when you have many tenants and want to view those that are tagged with a particular keyword.
Global Organization ID: Autopopulated with the next available global organization ID. The global organization ID uniquely identifies an organization in the network. You can change this ID to another available value between 1 and 255.
Organization Label: Enter a label to identify the organization. This label is used for mapping organizations.
Parent Organization: Select the parent organization for the tenant. The parent organization can be either a provider or a customer. Note that for a provider organization, this field is blank.
Subscription Profile: Select the subscription plan. A subscription plan is a way to measure/price the networking services. It contains a list of service node groups (SNGs), Versa service node (VSN) types, and elasticity settings (minimum and maximum number of VSNs available for VOS devices). The selected subscription plan becomes the superset for the tenant.
- Default-ADC-Plan—Include an ADC.
- Default-ADC-SFW-Plan—Include an ADC for a stateful firewall.
- Default-All-Services-Plan—Include all services, such as ADC, CGNAT, IPsec, and firewall.
- Default-CGNAT-Plan—Include CGNAT.
- Default-CGNAT-SFW-Plan—Include stateful firewall and CGNAT.
- Default-IPSEC-Plan—Include IPsec.
- Default-NextGen-FW-Plan—Include next-generation firewall (NGFW).
- Default-NextGenFW-CGNAT-Plan—Include NGFW and CGNAT.
- Default-SFW-IPSEC-CGNAT-Plan—Include stateful firewall, IPsec, and CGNAT.
- Default-SFW-IPSEC-Plan—Include stateful firewall and IPsec.
- Default-Stateful-FW-Plan—Include stateful firewall.
- Default-DPI-Plan—Include deep packet inspection.
- Default NextGenFW NextGenVPN Plan—Include NGFW and next-generation VPN.
- Default NextGenVPN-Plan—Include next-generation VPN.
- Default StatefulFW NextGenVPN Plan—Include stateful firewall and next-generation VPN.
CPE Deployment Type: Select the CPE deployment type:
- SD-WAN—Use for the Prime SD-WAN, Prime Secure, Premier Secure, and Premier Elite SD-WAN solution tiers.
- vCPE—Use for routing tiers (ProNet, Net Pro, Advanced Routing) or security tiers (NGFW, UTM).
Shared Control Plane: Click to share this control plane across the organization.
IDP Connector: Select the name of the IDP connector for Versa Director single sign-on (SSO).
Secure Access Portal: For users provisioned in the local database, enter the FQDN to include in email notifications for newly provisioned users.
Inactivity Interval: Enter how long to wait, in hours, to remove the configuration of an inactive tenant from SD-WAN branches. Default: 48 hours
Block Inter-Region Routing: For tenants in geographically isolated regions, block routing between regions.
Authentication (Tab):
  - Authentication Connector: Select the authentication connector to use to connect to external servers hosting users who connect with the Versa Director. You can select the authentication type created either for the organization or for the provider. You can select an LDAP or a RADIUS directory server. You can define the desired authentication type for each organization.
  - CPE Authentication (Group of Fields): Select the authentication type:
    - PKI—Use IKE public key infrastructure.
    - PSK—Use a preshared key.
  - Staging CA Agent: Enter the certificate authority to use during the organization's staging stage.
  - Post-Staging CA Agent: Enter the certificate authority to use during the organization's post-staging stage.
CMS Connector (Tab): For a virtual organization, select an AWS or Azure connector configured for the organization.
CMS Organization (Tab): Select the Controller node to associate with the organization from the Available pane, and click it to add it to the Selected pane.
Analytics Cluster (Tab): Select the Versa Analytics cluster to associate with the organization.
Supported User Roles (Tab): Select the roles for the provider or tenant. For more information, see Configure AAA.
- Click OK.
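Before entering tenants in Director, a tenant plan can be checked against the limits this article states: a global organization ID between 1 and 255 that is not reused, NGFW and stateful firewall not enabled together, no more than 256 tenants on a VOS device, and one parent organization per device. The following is an added example, not Versa code; the record fields (name, global_id, parent, services, device) and the service keys ngfw and sfw are assumptions, not a Director schema or API.

```python
from collections import defaultdict

# Limits quoted from this article; the record layout is hypothetical,
# not a Versa Director schema or API.
MAX_TENANTS_PER_DEVICE = 256       # Releases 21.1.4+ of 21.1, and 21.2.2+
GLOBAL_ID_RANGE = range(1, 256)    # "between 1 and 255"
EXCLUSIVE = {"ngfw", "sfw"}        # NGFW and stateful firewall are mutually exclusive


def lint_tenant_plan(placements):
    """placements: one dict per (organization, device) pair.
    Returns a sorted list of findings; an empty list means the plan passes."""
    findings = set()
    names_by_id = defaultdict(set)
    orgs_by_device = defaultdict(set)
    parent_of = {}
    for p in placements:
        names_by_id[p["global_id"]].add(p["name"])
        orgs_by_device[p["device"]].add(p["name"])
        parent_of[p["name"]] = p.get("parent")
        if p["global_id"] not in GLOBAL_ID_RANGE:
            findings.add(f"{p['name']}: global organization ID {p['global_id']} is outside 1-255")
        if EXCLUSIVE <= set(p["services"]):
            findings.add(f"{p['name']}: NGFW and stateful firewall are both enabled")
    for gid, names in names_by_id.items():
        if len(names) > 1:
            findings.add(f"global organization ID {gid} is reused by {', '.join(sorted(names))}")
    for device, orgs in orgs_by_device.items():
        # Assumption: the per-device limit counts every organization on the device.
        if len(orgs) > MAX_TENANTS_PER_DEVICE:
            findings.add(f"{device}: {len(orgs)} tenants exceed the limit of {MAX_TENANTS_PER_DEVICE}")
        # Assumption: two-level hierarchy, so an org's root is its parent or itself.
        roots = {parent_of[o] or o for o in orgs}
        if len(roots) > 1:
            findings.add(f"{device}: more than one parent organization ({', '.join(sorted(roots))})")
    return sorted(findings)


# Constructed sample plan (names, IDs and devices are made up for illustration).
SAMPLE = [
    {"name": "Provider-A", "global_id": 1, "parent": None, "services": ["sfw"], "device": "branch-1"},
    {"name": "Tenant-1", "global_id": 2, "parent": "Provider-A", "services": ["sfw"], "device": "branch-1"},
    {"name": "Tenant-2", "global_id": 2, "parent": "Provider-A", "services": ["ngfw", "sfw"], "device": "branch-1"},
    {"name": "Tenant-3", "global_id": 300, "parent": "Provider-B", "services": ["ngfw"], "device": "branch-1"},
]

if __name__ == "__main__":
    for finding in lint_tenant_plan(SAMPLE):
        print(finding)
```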
Supported Software Information
Releases 20.2 and later support all content described in this article, except:
- For Releases 21.1.4 and later releases of Release 21.1, and for Releases 21.2.2 and later, you can configure up to 1024 tenants per Versa Director and 256 tenants on any VOS device.
Additional Information
Configure AAA
Configure Basic Features
Create and Manage Staging and Post-Staging Templates