IBM Cloud Orchestrator, Version 2.5

Network isolation

The segregation of tenants also requires the isolation of tenant networks.

IBM® Cloud Orchestrator supports the following technologies to manage the networks within the cloud:

Details of the services can be found in the OpenStack documentation.

From a multitenancy perspective, the Neutron service provides the best capabilities, because it allows tenants to manage their network topology in separate namespaces. This includes overlapping IP scenarios, where two tenants can have two separate networks that each use the same overlapping IP subrange. The isolation and separation are handled by the Neutron service.
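As an added example (not part of the IBM documentation), the following script audits a list of subnet records for CIDR overlap. Overlap between different projects is accepted, because Neutron keeps each project's networks in their own namespace; overlap inside one project is reported, because a Neutron router cannot attach two overlapping subnets. The JSON layout mimics `openstack subnet list -f json`, but the field names and project IDs are constructed assumptions.

```python
"""Audit Neutron subnet records for CIDR overlap across and within projects."""
import ipaddress
import json

# Constructed sample resembling `openstack subnet list -f json` output.
# Field names and project IDs are assumptions, not real tenant data.
SAMPLE_SUBNETS = json.dumps([
    {"Name": "app-a", "Project": "proj-a", "Subnet": "10.0.0.0/24"},
    {"Name": "db-a",  "Project": "proj-a", "Subnet": "10.0.1.0/24"},
    # Same range as proj-a's app-a: acceptable, separate namespaces.
    {"Name": "app-b", "Project": "proj-b", "Subnet": "10.0.0.0/24"},
    # Overlaps app-b inside the same project: a misconfiguration.
    {"Name": "bad-b", "Project": "proj-b", "Subnet": "10.0.0.128/25"},
])


def audit_subnets(records_json):
    """Return (cross_project_overlaps, intra_project_overlaps).

    Each entry is a (subnet_name, subnet_name) pair. Cross-project overlap
    is expected under Neutron isolation; intra-project overlap is flagged.
    """
    recs = json.loads(records_json)
    nets = [(r["Project"], r["Name"], ipaddress.ip_network(r["Subnet"]))
            for r in recs]
    cross, intra = [], []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            proj_a, name_a, cidr_a = nets[i]
            proj_b, name_b, cidr_b = nets[j]
            if cidr_a.overlaps(cidr_b):
                (intra if proj_a == proj_b else cross).append((name_a, name_b))
    return cross, intra


if __name__ == "__main__":
    cross, intra = audit_subnets(SAMPLE_SUBNETS)
    print("cross-project overlaps (OK):", cross)
    print("intra-project overlaps (FIX):", intra)
```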

The Cloud Administrator is responsible for managing the network topology. It is the responsibility of the service provider and the Cloud Administrator to provide external connectivity to the tenants.

In IBM Cloud Orchestrator, network isolation happens on the project layer, not on the domain layer. A network is typically owned by a project, and a project can have multiple networks.

The Domain Administrator can create private networks for projects within its domain.

The End User, who requests virtual machines on behalf of the current project, can add one or more network interfaces. This ensures connectivity to one or more networks of the project.

This means that a tenant can manage their internal connectivity and can define a multitier application environment with different networks for database and application traffic.

However, the external connectivity must be ensured by the Cloud Administrator.