Tenants
A tenant is a logical container for application policies that enables you to exercise domain-based access control by isolating resources such as applications, databases, web servers, network-attached storage, virtual machines, firewalls, Layer 4 to Layer 7 services, and so on. Tenants can represent a customer in a service provider setting, an organization or domain in an enterprise setting, or just a convenient grouping of policies.
A fabric can contain anywhere from one tenant, which may be useful for a small commercial environment, to 64,000+ tenants for a cloud service provider, in which case you assign each company its own tenant. Another use case is to have a Dev tenant and a Production tenant. In this case, you create network constructs, EPGs, and policies in the Dev tenant first and then copy them to the Production tenant. This ensures that Dev and Production are exactly the same and removes the human error that comes with manually copying these objects.
Note: Configure a tenant before you can deploy any Layer 4 to Layer 7 services.
Tenant Types
The system provides the following four kinds of tenants:
- User tenant—Defined by the administrator according to the needs of users. It contains policies that govern the operation of resources such as applications, databases, web servers, network-attached storage, virtual machines, and so on.
- Common tenant—Provided by the system but can be configured by the fabric administrator. It contains policies that govern the operation of resources accessible to all tenants, such as firewalls, load balancers, Layer 4 to Layer 7 services, intrusion detection appliances, and so on.
- Infrastructure tenant—It contains policies that govern the operation of infrastructure resources such as the fabric VXLAN overlay.
- Management tenant—It contains policies that govern the operation of fabric management functions used for in-band and out-of-band configuration of fabric nodes.
Tenant Features
- Tenants can be isolated from one another or can share resources.
- Tenants do not represent a private network.
- Entities in the tenant inherit its policies.
- The primary elements that the tenant contains are filters, contracts, outside networks, bridge domains, Virtual Routing and Forwarding (VRF) instances, and application profiles that contain endpoint groups (EPGs).
Note: In the APIC GUI under the tenant navigation path, a VRF (context) is called a private network.
Setting up a Tenant
This procedure provides an overview of how to set up a tenant for an APIC account in Cisco UCS Director. You can also use the workflows provided in Cisco UCS Director Orchestration to complete a guided setup of tenants for various use cases. For more information, see the Cisco UCS Director Orchestration Guide.
This procedure assumes that you have already completed the following prior to creating tenants:
- The Day 0 setup of ACI fabric.
- The nodes in ACI fabric are connected and discovered.
- The APIC controller cluster has been configured.
- Cisco UCS Director is configured and the ACI pod has been set up.
Procedure
Step 1: Create a Tenant. See Creating a Tenant.
Step 2: Create a Virtual Routing and Forwarding (VRF) (also known as Private Network). See Creating a VRF.
Step 3: Add Bridge Domain to the VRF.
Step 4: Create Application Profiles.
Step 5: Create EPGs. See Adding an EPG.
Step 6: Add domain to EPGs.
Step 7: Add Static path to EPGs.
Step 8: Create Contracts. See Creating Contracts.
Step 9: Add contracts to EPGs.
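The following added example (not part of the Cisco documentation or of Cisco UCS Director) audits a tenant configuration tree for setup steps that were left incomplete, such as a bridge domain with no VRF or an EPG that references a contract the tenant does not define. It assumes the tenant is available as JSON in the APIC object-tree shape; the class names (fvTenant, fvCtx, fvBD, fvAp, fvAEPg, vzBrCP and the fvRs* relations) are APIC object classes that do not appear on this page, and the sample tenant is constructed.

```python
# Added example: names below are APIC object classes; the data is constructed.
def mo(cls, attrs, children=()):
    return {cls: {"attributes": attrs, "children": list(children)}}

SAMPLE_TENANT = mo("fvTenant", {"name": "Dev"}, [
    mo("fvCtx", {"name": "vrf1"}),
    mo("fvBD", {"name": "bd1"}, [mo("fvRsCtx", {"tnFvCtxName": "vrf1"})]),
    mo("fvBD", {"name": "bd2"}),  # bridge domain never added to a VRF
    mo("vzBrCP", {"name": "web-to-db"}),
    mo("fvAp", {"name": "shop"}, [
        mo("fvAEPg", {"name": "web"}, [
            mo("fvRsBd", {"tnFvBDName": "bd1"}),
            mo("fvRsDomAtt", {"tDn": "uni/phys-dom1"}),
            mo("fvRsPathAtt", {"tDn": "topology/pod-1/paths-101/pathep-[eth1/1]",
                               "encap": "vlan-10"}),
            mo("fvRsProv", {"tnVzBrCPName": "web-to-db"})]),
        mo("fvAEPg", {"name": "db"}, [
            mo("fvRsBd", {"tnFvBDName": "bd2"}),
            mo("fvRsCons", {"tnVzBrCPName": "db-backup"})])])])  # undefined contract

def kids(children, cls):
    """(attributes, children) for each object of class cls in a child list."""
    return [(c[cls].get("attributes", {}), c[cls].get("children", []))
            for c in children if cls in c]

def audit_tenant(tenant):
    """Return findings for setup steps left incomplete inside one tenant."""
    top = tenant["fvTenant"].get("children", [])
    vrfs = {a["name"] for a, _ in kids(top, "fvCtx")}
    contracts = {a["name"] for a, _ in kids(top, "vzBrCP")}
    bds, out = set(), []
    for a, ch in kids(top, "fvBD"):
        bds.add(a["name"])
        if not any(r["tnFvCtxName"] in vrfs for r, _ in kids(ch, "fvRsCtx")):
            out.append(f"BD {a['name']}: no VRF from this tenant (step 3)")
    for ap, ap_ch in kids(top, "fvAp"):
        for e, ch in kids(ap_ch, "fvAEPg"):
            epg = f"EPG {ap['name']}/{e['name']}"
            if not any(r["tnFvBDName"] in bds for r, _ in kids(ch, "fvRsBd")):
                out.append(f"{epg}: no bridge domain from this tenant")
            if not kids(ch, "fvRsDomAtt"):
                out.append(f"{epg}: no domain (step 6)")
            if not kids(ch, "fvRsPathAtt"):
                out.append(f"{epg}: no static path (step 7)")
            refs = [r["tnVzBrCPName"] for c in ("fvRsProv", "fvRsCons")
                    for r, _ in kids(ch, c)]
            out += [f"{epg}: contract {n} not defined in this tenant (step 8)"
                    for n in refs if n not in contracts]
            if not refs:
                out.append(f"{epg}: no contract attached (step 9)")
    return out
```

A finding of "not defined in this tenant" is a prompt to check whether the object is meant to come from the common tenant, which holds resources shared by all tenants.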
Creating a Tenant
Before you begin
Verify that Tags, monitoring policy, and security domains for the objects in the APIC account are configured before adding a tenant.
Create users in ACI and assign a security domain to the users or user groups. See the User Access, Authentication, and Accounting chapter in the Cisco APIC Basic Configuration Guide.
Procedure
Step 1: Choose .
Step 2: On the Network page, choose the account under Multi-Domain Managers.
Step 3: Click the row with the APIC account and click View Details.
Step 4: Click Tenant(s).
Step 5: Click Add.
Step 6: On the Add APIC Tenant screen, complete the fields, including the following:
What to do next
Viewing Tenants
You can view a list of the tenants that are onboarded in Cisco UCS Director, along with their details.
Procedure
Step 1: Choose .
Step 2: On the Resource Groups page, click Tenant.
Step 3: Click the row with the tenant for which you want to view details.
Step 4: Click View Details to view the service offerings of the tenant.
Step 5: Click the row with the service offering and click View details to view the resource groups of a tenant.
Step 6: Click the row with the resource group and click View details to view the following information: