Antoine, I hope you get your design right. I'm sure I would not help a lot
except for confusing things, but let me try:

You could install a dedicated set of resources (zone/pods/clusters/hosts)
per department/institution and assign resource admin role to a local guru
to instantiate networks.
You could create VPCs for lower level organisational units and let people
organise themselves in tiers/guestnetworks.
Installing an IPv6 environment will be your way forward, but this is not
yet supported by all parts of CloudStack.

Please let us know if you succeed in designing something acceptable and let
us know if there are any features you need/miss.

On Wed, Jan 19, 2022 at 7:09 PM Antoine Boucher <[email protected]>
wrote:

> Hello,
>
> We have been slowly migrating our various customer VMs to ACS configured
> with Advanced Networking (without Security Group enabled) configured with
> multiple KVM and XCP-NG clusters with great success.  After experimenting
> with Open Nebula and Open Stack for most of last year we are impressed with
> ACS.
>
> In addition to our traditional enterprise customers, we also have
> education institutions using our infrastructure for classes and training.
> What would be the best way to support a domain with 200+ accounts with
> their respective isolated network and some shared networks in ACS?
>
> We can assign new hosts, external gateways, vlan, vxlan, etc., but one
> public ipv4 per account would be undesirable.
>
> With our current knowledge, the out-of-the-box networking scalability seems
> to be a limiting factor for us. We have been experimenting with different
> permutations for a few weeks.
>
> We've also tried using hardware routers for gateway and VPN termination.
> As such, we dedicated a router for VPNs with 200 predefined VLANs and
> subnets. 200 L2 networks are then defined with each VLAN-id and assigned to
> an account as their "isolated" network (with Source NAT). A domain shared
> network is also defined for intra-account communication. However, the root
> admin can only do the network definition and association to the account.
> Ideally, the use case would be for the domain admin to define and assign or
> the account to create the "isolated" network.
>
> We could always deploy a new zone with different networking configuration
> if it would help.
>
> Any suggestion would be appreciated.
>
> Regards,
> Antoine
>
>

-- 
Daan
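An added example, not part of this thread and not CloudStack's own tooling, that puts the reply's suggestion into code: a Python script that plans the CloudStack API calls for carving out one department (a child domain, a local admin account in it, a VPC, and one tier per sub-unit, each tier getting its own /24 out of the VPC CIDR) and signs each call with the HMAC-SHA1 request-signing scheme the CloudStack API uses. The endpoint, API keys, zone, offering and role ids are constructed placeholders; in a real run the role id comes from listRoles and the domain and VPC ids from the createDomain and createVPC responses.

```python
"""Plan and sign CloudStack API calls for one department's domain, admin, VPC and tiers.
All credentials, ids and the endpoint below are constructed placeholders."""
import base64
import hashlib
import hmac
import ipaddress
from urllib.parse import quote_plus

ENDPOINT = "https://cloudstack.example.org/client/api"  # placeholder endpoint
API_KEY = "EXAMPLE-API-KEY"        # constructed; real keys belong in a secrets store
SECRET_KEY = "EXAMPLE-SECRET-KEY"  # constructed
ZONE_ID = "zone-uuid-placeholder"
VPC_OFFERING_ID = "vpc-offering-uuid-placeholder"
TIER_OFFERING_ID = "tier-offering-uuid-placeholder"  # a network offering with forvpc=true
LOCAL_ADMIN_ROLE_ID = "role-uuid-placeholder"        # assumed: looked up via listRoles


def sign_request(params, api_key=API_KEY, secret_key=SECRET_KEY):
    """Return (query, signature) per the CloudStack signing scheme: add apiKey,
    sort parameters case-insensitively, URL-encode values with spaces as %20,
    lowercase the whole query, HMAC-SHA1 it with the secret key, base64-encode."""
    full = dict(params, apiKey=api_key)
    query = "&".join(
        f"{k}={quote_plus(str(v)).replace('+', '%20')}"
        for k, v in sorted(full.items(), key=lambda kv: kv[0].lower())
    )
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    return query, base64.b64encode(digest).decode()


def signed_url(params):
    """Full GET URL for one call; the signature value is itself URL-encoded."""
    query, signature = sign_request(params)
    return f"{ENDPOINT}?{query}&signature={quote_plus(signature)}"


def plan_tiers(vpc_cidr, tier_names, prefix=24):
    """Give each tier its own /prefix out of the VPC CIDR; gateway is the first host."""
    subnets = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    plan = [
        {"name": name, "gateway": str(net.network_address + 1), "netmask": str(net.netmask)}
        for name, net in zip(tier_names, subnets)
    ]
    if len(plan) != len(tier_names):  # zip stopped early: the CIDR is too small
        raise ValueError(f"{vpc_cidr} does not hold {len(tier_names)} /{prefix} tiers")
    return plan


def department_calls(department, domain_id, vpc_id, vpc_cidr, tier_names):
    """Ordered parameter sets for one department. domain_id and vpc_id are the
    ids returned by createDomain and createVPC, so they are passed in here."""
    admin = f"{department}-admin"
    calls = [
        {"command": "createDomain", "name": f"dept-{department}"},
        {"command": "createAccount", "username": admin, "password": "CHANGE-ME",
         "email": f"{admin}@example.org", "firstname": department.title(),
         "lastname": "Admin", "roleid": LOCAL_ADMIN_ROLE_ID, "domainid": domain_id},
        {"command": "createVPC", "name": f"vpc-{department}",
         "displaytext": f"{department} VPC", "cidr": vpc_cidr,
         "vpcofferingid": VPC_OFFERING_ID, "zoneid": ZONE_ID,
         "domainid": domain_id, "account": admin},
    ]
    for tier in plan_tiers(vpc_cidr, tier_names):
        calls.append({"command": "createNetwork", "name": f"{department}-{tier['name']}",
                      "displaytext": f"{department} {tier['name']} tier",
                      "networkofferingid": TIER_OFFERING_ID, "zoneid": ZONE_ID,
                      "vpcid": vpc_id, "gateway": tier["gateway"], "netmask": tier["netmask"],
                      "domainid": domain_id, "account": admin})
    for call in calls:
        call["response"] = "json"
    return calls


if __name__ == "__main__":
    # Constructed sample: one department, three tiers out of a /16.
    for call in department_calls("physics", "DOMAIN-ID", "VPC-ID",
                                 "10.20.0.0/16", ["students", "staff", "labs"]):
        print(call["command"], signed_url(call))
```

The local admin owns everything below the department domain, so the root admin only has to run the first three calls once per institution; the tiers can then be created by that admin, which is the division of labour the thread asks for.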
