Overview
Private Network Support for Virtual Machines
Virtual Machine as a Service (VMaaS) is a cloud-based offering that enables Cloud Service Providers (CSPs) to provision and manage virtual machines (VMs) on demand. The reference architecture provides a standardized framework to implement VMaaS, ensuring consistent operations, scalability, and tenant isolation.
VMaaS includes support for creating private virtual networks on a per-tenant basis. This enables enterprises to operate in isolated network environments with dedicated resources and increased control over connectivity and security. Each tenant is allocated a unique VLAN/VxLAN and a dedicated Virtual Routing and Forwarding (VRF) instance, providing logical separation and customized routing and firewall capabilities.
Key Capabilities
- Virtual Private Networks (VPCs): Organizations can create one or more VPCs within their tenant. Each VPC operates in an isolated network space with its own CIDR range, enabling the reuse of CIDR blocks across different tenants or VPCs without conflict. Isolation is enforced through a dedicated VRF for each VPC.
- Subnets: Subnets can be defined within a VPC to support logical network segmentation. Each subnet is mapped to a specific VLAN ID on the underlying infrastructure, providing traffic isolation and improved IP address management.
- DHCP Support: Dynamic host configuration is integrated for automated IP address assignment and management within each VPC.
- Source NAT Rules: Outbound traffic from a VPC is routed through a tenant-specific IP gateway using Source Network Address Translation.
- Destination NAT Rules: Inbound traffic can be controlled using Destination NAT rules to expose selected resources to external systems.
- Firewall Rules: Custom firewall rules can be configured to control traffic flow within and across VPCs, supporting granular access policies.
- DNS Configuration: DNS traffic is forwarded to a default DNS server defined at the platform level. Optionally, tenants can configure their own private DNS zones if custom resolution is required.
- Load Balancer Support: Layer 4 and Layer 7 load balancing is available to distribute traffic efficiently and improve application availability.
This network model provides a flexible, secure foundation for hosting virtual machines in isolated environments, supporting both development and production workloads.
Architecture Overview
The following diagram illustrates the high-level architecture of the platform. It showcases how tenants operate within isolated virtual machines and interact with key platform services such as VM-as-a-Service (VMaaS), PaaS, Inventory, and Monitoring. These services are managed by the Rafay Controller and run on an underlying infrastructure layer composed of servers, networking, and storage.
Platform Setup
The platform team is responsible for the initial configuration and setup of the VM as a Service template. This setup includes defining the system template, configuring network parameters (such as VPC, subnets, and VRF), and sharing it with specific projects to enable end users to provision virtual machines securely within isolated networks.
The diagram below illustrates a typical network architecture for VM provisioning, including worker hosts, VRF host, bridges, and the virtual routing components used for secure connectivity and isolation.
The sequence diagram below outlines the high-level flow of how the platform team enables VM as a Service for end users.
```mermaid
sequenceDiagram
    participant Admin as NCP-Admin
    participant Infra as Infrastructure
    participant Rafay as Rafay Platform
    Admin->>Infra: Provision Physical Server Nodes and Install Linux OS
    Admin->>Infra: Configure Initial Networking and Setup Storage Clusters (e.g., Ceph)
    Admin->>Rafay: Provide VLAN and Public IP Pools
    Rafay-->>Admin: Initialize Tenant-Facing Network Resource Pools
    Admin->>Rafay: Setup Dedicated VMaaS Network Nodes
    Rafay->>Infra: Reserve Servers, Install Network Tools, Perform Resource Discovery
    Admin->>Rafay: Trigger Hypervisor Onboarding
    Rafay->>Infra: Reserve Servers for Hypervisors, Install Tools, Discover Resources, Download OS Images
    Admin->>Infra: Configure Hypervisor Uplink Interfaces for VLAN Trunking
    Admin->>Rafay: Manage Hypervisor Node Lifecycle (Init/Add/Remove)
    Rafay-->>Infra: Ensure Inventory Sync and Integration
```
Partner Onboarding Requirements
As part of the partner onboarding process for VM as a Service, specific network infrastructure requirements must be met. These configurations ensure that tenant workloads can be securely deployed, managed, and connected through isolated virtual networks.
This section outlines the expectations for the partner's environment, including network configuration for both NFV (Network Function Virtualization) hosts and workload hosts.
NFV Host Requirements
NFV hosts are responsible for managing per-tenant virtual networks, including DHCP, NAT, firewall, and routing functions.
- VLAN Trunking: All VLANs assigned to tenant workloads must be allowed on the trunk port connected to the bonded NICs on the host.
- Internet Bridge: Enables outbound traffic from tenant VMs. This can be configured via:
    - A dedicated interface connected to a public IP subnet, or
    - A designated VLAN carrying public IPs, which must also be allowed on the trunk port.
- Management Bridge: Used for platform control plane access. Can be backed by:
    - A dedicated access port, or
    - A designated management VLAN, which must also be trunked and mapped to the bridge interface.
Note: In environments lacking routable management subnets, non-routable static IPs (e.g., 169.254.x.x) may be used for the management interface. These subnets can differ between interfaces.
Workload Host Requirements
Workload hosts run the actual tenant virtual machines. These hosts must be configured to allow traffic segmentation and management.
- VLAN Trunking: All tenant VLANs must be allowed on the trunk port connected to the host's bonded network interface.
- Management Interface: Required for operational visibility and monitoring. This can be configured via:
    - A dedicated access port, or
    - A designated management VLAN, which must also be allowed on the trunk port and attached to the management interface.
Network Configuration Inputs
The following network inputs must be provided by the partner to support VM provisioning and management:
- VLAN Ranges: Each tenant subnet is mapped to a VLAN. One or more VLAN ranges must be configured using the NCP (Network Control Plane) VLAN Range API. The specified ranges must be allowed on trunk ports for all NFV (Network Function Virtualization) and workload hosts.
- Public IP CIDR(s): Public IP CIDRs must be configured via the NCP IPAM API to enable dynamic allocation of public IPs for tenant VMs and VRFs (Virtual Routing and Forwarding).
    - Public IPs are assigned to the north-south (N-S) interface of each VRF for SNAT and port forwarding.
    - Public IPs can also be assigned to VMs that request static public IPs.
    - Optionally, a subset of the CIDR can be specified using Start IP and Stop IP.
- Management IP CIDR: A static management IP CIDR must be configured via the NCP IPAM (IP Address Management) API. These addresses are used for the management interface of each VRF, enabling platform-level control and monitoring.
ℹ️ Note: These configurations must be in place before VM provisioning can begin. Contact the support representative for detailed setup or validation instructions.
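A preflight check that ties the host requirements above to the network inputs in this section: it verifies that every tenant VLAN range (plus the management VLAN, and the public-IP VLAN on NFV hosts) is allowed on each host's bonded trunk, that the Start/Stop IPs fall inside the public CIDR, and that the management CIDR does not overlap it. This is an added example, not Rafay tooling or the NCP API; the host names, VLAN IDs and CIDRs are constructed placeholders.

```python
# Preflight check of partner network inputs; added example, not Rafay tooling.
# Every host, VLAN and CIDR below is constructed for illustration.
import ipaddress
TENANT_VLAN_RANGES = [(100, 199), (300, 349)]  # as given to the NCP VLAN Range API
MANAGEMENT_VLAN, PUBLIC_VLAN = 50, 60           # management VLAN; VLAN carrying public IPs
PUBLIC_CIDR, PUBLIC_START, PUBLIC_STOP = "203.0.113.0/24", "203.0.113.10", "203.0.113.200"
MANAGEMENT_CIDR = "192.168.250.0/24"
HOSTS = {  # allowed VLAN list on each host's bonded trunk port, as read from the switch
    "nfv-1": {"role": "nfv", "trunk": "50,60,100-199,300-349"},
    "worker-1": {"role": "workload", "trunk": "50,100-199,300-349"},
    "worker-2": {"role": "workload", "trunk": "100-150,300-349"},  # incomplete trunk
}

def parse_vlan_list(spec):
    """Expand a switch-style allowed list such as '50,100-199' into a set of VLAN IDs."""
    vlans = set()
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def required_vlans(role):
    """Tenant VLANs plus the management VLAN; NFV hosts also need the public-IP VLAN."""
    req = {v for lo, hi in TENANT_VLAN_RANGES for v in range(lo, hi + 1)}
    req.add(MANAGEMENT_VLAN)
    if role == "nfv":
        req.add(PUBLIC_VLAN)
    return req

def check_hosts(hosts):
    """Return {host: sorted missing VLAN IDs} for every trunk that is not fully allowed."""
    findings = {}
    for name, host in hosts.items():
        missing = required_vlans(host["role"]) - parse_vlan_list(host["trunk"])
        if missing:
            findings[name] = sorted(missing)
    return findings

def check_ip_inputs(public_cidr, start, stop, mgmt_cidr):
    """Validate the Start/Stop sub-range and keep management space out of the public CIDR."""
    public, mgmt = ipaddress.ip_network(public_cidr), ipaddress.ip_network(mgmt_cidr)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(stop)
    problems = []
    if first not in public or last not in public:
        problems.append("Start/Stop IP outside public CIDR")
    if first > last:
        problems.append("Start IP is after Stop IP")
    if public.overlaps(mgmt):
        problems.append("management CIDR overlaps public CIDR")
    return problems
```

Run `check_hosts(HOSTS)` and `check_ip_inputs(PUBLIC_CIDR, PUBLIC_START, PUBLIC_STOP, MANAGEMENT_CIDR)` against real switch output and IPAM values before opening the support ticket mentioned above; an empty result from both means the trunk and CIDR prerequisites are satisfied.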