To simplify managing firewall rules for FITS Classic networking for our tenants, we split the MPLS network manually into pieces (network list as shown in the original, column order as extracted):

```
mpls-nbg-w8101-a   MPLS Network for nbg-w8101   nbg-w8101   true   100.127.130.0/24   ●
mpls-nbg-w8101-b   MPLS Network for nbg-w8101   nbg-w8101   true   100.127.131.0/24   ●
mpls-nbg-w8101-c   MPLS Network for nbg-w8101   nbg-w8101   true   100.127.129.0/24   ●
FI-TS
mpls-nbg-w8101-d   MPLS Network for nbg-w8101   nbg-w8101   true   100.127.132.0/28   ●
```
This is quite a static approach, and it is to be expected that it will become hard for us to manage. For example, we have to prevent tenant A from starting firewalls in tenant B's network. But how can we decide this when no projects are related to these networks? (Only static config mappings come to my mind to achieve this.)

The idea is to use the existing IPAM child prefix acquisition to enable users to dynamically carve out subnetworks of the MPLS network. These subnetworks would be smaller and would belong to a project, so we could decide whether acquiring IPs in such a network is allowed or not.
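To make the proposal concrete, here is an added example (not code from metal-stack or this issue) of what the dynamic variant looks like: a parent MPLS prefix from which projects carve child prefixes first-fit, and an IP acquisition that is only granted to the project owning the child network. The undivided parent has no project, so acquiring an IP there is refused; that is exactly the decision the static split cannot make. The parent prefix `100.127.128.0/21`, the project names and the `Network`/`IPAM` types are assumptions for the example, not the metal-api data model; the child IDs reuse the letter-suffix naming from the list above.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Network is an assumed stand-in for a network entry: a prefix, the project
// that owns it (empty for the undivided MPLS parent) and the IPs handed out.
type Network struct {
	ID      string
	Prefix  netip.Prefix
	Project string
	Parent  string
	used    map[netip.Addr]bool
}

// IPAM holds one parent (super) network and the children carved out of it.
type IPAM struct {
	Parent   Network
	Children []*Network
}

var (
	ErrNoSpace   = errors.New("no free child prefix of that length")
	ErrNoIP      = errors.New("no free IP in network")
	ErrNotFound  = errors.New("network not found")
	ErrNoProject = errors.New("network belongs to no project; acquire a child prefix first")
	ErrForbidden = errors.New("project does not own this network")
)

// NewIPAM registers the parent network. IPv4 only, to keep the arithmetic short.
func NewIPAM(id, cidr string) (*IPAM, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil, err
	}
	if !p.Addr().Is4() {
		return nil, errors.New("example handles IPv4 only")
	}
	return &IPAM{Parent: Network{ID: id, Prefix: p.Masked()}}, nil
}

// blockAfter returns the first address after the /bits block that starts at a.
func blockAfter(a netip.Addr, bits int) (netip.Addr, bool) {
	b := a.As4()
	v := uint64(b[0])<<24 | uint64(b[1])<<16 | uint64(b[2])<<8 | uint64(b[3])
	v += 1 << uint(32-bits)
	if v > 0xFFFFFFFF {
		return netip.Addr{}, false
	}
	return netip.AddrFrom4([4]byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)}), true
}

func overlaps(a, b netip.Prefix) bool {
	return a.Contains(b.Addr()) || b.Contains(a.Addr())
}

// AcquireChildPrefix carves the first free /bits block out of the parent
// (first fit, as with IPAM child prefix acquisition) and ties it to a project.
func (m *IPAM) AcquireChildPrefix(project string, bits int) (*Network, error) {
	if project == "" {
		return nil, errors.New("a child prefix must belong to a project")
	}
	if bits <= m.Parent.Prefix.Bits() || bits > 32 {
		return nil, fmt.Errorf("child length /%d must be longer than parent /%d", bits, m.Parent.Prefix.Bits())
	}
	for addr, ok := m.Parent.Prefix.Addr(), true; ok && m.Parent.Prefix.Contains(addr); addr, ok = blockAfter(addr, bits) {
		cand := netip.PrefixFrom(addr, bits)
		busy := false
		for _, c := range m.Children {
			if overlaps(c.Prefix, cand) {
				busy = true
				break
			}
		}
		if busy {
			continue
		}
		child := &Network{
			ID:      fmt.Sprintf("%s-%c", m.Parent.ID, 'a'+rune(len(m.Children))), // letter suffix as in the list
			Prefix:  cand,
			Project: project,
			Parent:  m.Parent.ID,
			used:    map[netip.Addr]bool{},
		}
		m.Children = append(m.Children, child)
		return child, nil
	}
	return nil, ErrNoSpace
}

// AcquireIP hands out the next free host address of a network, but only to the
// project that owns it. The parent has no owner, so the request is refused there.
func (m *IPAM) AcquireIP(networkID, project string) (netip.Addr, error) {
	var n *Network
	if networkID == m.Parent.ID {
		n = &m.Parent
	} else {
		for _, c := range m.Children {
			if c.ID == networkID {
				n = c
				break
			}
		}
	}
	if n == nil {
		return netip.Addr{}, ErrNotFound
	}
	if n.Project == "" {
		return netip.Addr{}, ErrNoProject
	}
	if n.Project != project {
		return netip.Addr{}, ErrForbidden
	}
	hosts := (1 << uint(32-n.Prefix.Bits())) - 2 // skip network and broadcast address
	addr := n.Prefix.Addr().Next()
	for i := 0; i < hosts; i++ {
		if !n.used[addr] {
			n.used[addr] = true
			return addr, nil
		}
		addr = addr.Next()
	}
	return netip.Addr{}, ErrNoIP
}

func main() {
	// Constructed input: the parent prefix and project names are assumptions.
	m, _ := NewIPAM("mpls-nbg-w8101", "100.127.128.0/21")
	a, _ := m.AcquireChildPrefix("tenant-a", 24)
	b, _ := m.AcquireChildPrefix("tenant-b", 24)
	fmt.Println(a.ID, a.Prefix, "|", b.ID, b.Prefix)
	ip, err := m.AcquireIP(a.ID, "tenant-a")
	fmt.Println(ip, err)
	_, err = m.AcquireIP(a.ID, "tenant-b")
	fmt.Println(err) // project does not own this network
	_, err = m.AcquireIP(m.Parent.ID, "tenant-a")
	fmt.Println(err) // network belongs to no project; acquire a child prefix first
}
```

The authorization check sits on the network object, not in a static mapping: whoever asks for an IP (or starts a firewall) in `mpls-nbg-w8101-a` must be the project that acquired that child prefix, and nothing can be allocated from the undivided parent at all. First-fit carving also means a /28 placed after two /24s blocks the third /24 slot, so a later /24 request lands one block further on; whether the IPAM should prefer aligned placement for mixed sizes is a separate decision.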