Per group/VDC private networks with vxlan

I’m trying to give users their own private RFC1918 (vxlan) networks on VMs by default, with the option for them to add a NIC if they want a public address (or better yet, use vrouter etc). It seems impossible to hide these networks from users in unrelated groups and VDCs if they share the same cluster, though - is this something that can be done, and if so, how?

More generally I wonder if anyone else is using a pattern like this, to avoid users in different groups having to share RFC1918 ranges so they can establish VPNs etc with simple routing. Is this sensible, or is there a better way?

It’s a pretty old thread, so don’t know if you’ve found a solution, but I decided to share my experience.

Besides internal service networks I have one public network (Internet connected) and create a vxlan vnet for every customer. This vnet has Ethernet type leases, I put 65500 hosts to every one. Each customer has its own group which has deleted from Default VDC, and its own VDC. This dedicated VDC has all hosts, two vnets (public and the customer’s one), all datastores and no connected clusters.

So each customer has its own internal dedicated network he can use in a way he wants (for example, he can just set ip addresses manually or use a virtual router).

Thanks for responding! I eventually reached the same conclusion as you: I’m going to have a bridged, public network that is shared, and a per-tenant VXLAN.

I hadn’t considered the approach of having no clusters connected to the VDC - that might solve my issue with having vnets appearing in accounts I didn’t want them in. Is there a way to keep the host list up to date automatically doing it that way?


yes, it definitely solves your problem with all networks listed for all customers, because this was the reason I came to this solution :slight_smile:

And you can have ‘All’ checkbox marked, this mean that all current hosts and all feature hosts you will add to the same zone later be joined to the VDC (check the hint on the question mark on the right of this checkbox). But I believe this approach will not work properly if you’d want to assign different host sets (for ex., with different host types) to different customers.


For fine tunning, you should use ACL, which are generated after group/vdc creation…so sometimes you need to remove some ACL and create new more strict one

1 Like

Is there no way to specify ACLs for a resource created in a call? If not, consider this a feature request :sunglasses: