Proper VM isolation for multitenancy

bogesman
Aug 7, 2015
First: is there a best practice to achieve this?
I can't find any good source to read on the matter.

What I'm trying to achieve is to have network1, network2, etc. being on the same bridge, but isolated from each other. I know that I can achieve that if I create a different bridge for each network, but that would also require different VLANs on the switches. So I'm trying to avoid that. I'm trying to get things configured in a way that creating a new VM would require only a pm API call. I hope I'm explaining it well.

What I tried to do is create an OVS bridge and put each VM within its own VLAN there. So far it works, but only within the same physical switch. So I'm wondering if my approach is correct or there is a better way.

Here is my OVS config. I'm using VLAN 20 for transport. Each VM tags its packets for the network it's assigned to. So for all VMs from network 1 I would put VLAN tag 100 in its options. For VMs from network 2, VLAN tag 101, etc.

Code:
# OVS bridge for the VMs. Its only uplink is the VLAN 20 subinterface
# of enp2s0, so every frame leaving the bridge gets outer tag 20 and
# the per-VM tag (100, 101, ...) stays inside it.
auto vmbr20
allow-ovs vmbr20
iface vmbr20 inet manual
        ovs_type OVSBridge
        ovs_ports enp2s0.20

# Linux 802.1Q subinterface carrying the transport VLAN,
# attached to the bridge as an OVS port.
auto enp2s0.20
allow-vmbr20 enp2s0.20
iface enp2s0.20 inet manual
        ovs_bridge vmbr20
        ovs_type OVSPort
 
What you want to do, if I understand correctly, is VLAN stacking (QinQ). I'm not sure, but I think your physical switches need to support it.

Your configuration seems to be OK.
(I've never tried it with OVS, but it should be OK with a Linux bridge.)

Also, some older switches support 802.1Q VLAN stacked with 802.1Q VLAN, and newer switches use the standard 802.1Q VLAN (VM VLAN) stacked with 802.1ad VLAN (transport VLAN).
In this case, 802.1ad needs to be configured in OVS. I don't know the syntax; maybe look in the Proxmox forum about QinQ.
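As an added worked example (not code from either poster, and not something Proxmox or OVS ships), here is what the setup above puts on the wire, built and parsed in Python so the two stackings the reply mentions can be compared side by side: legacy 802.1Q-in-802.1Q (both TPIDs 0x8100) and standard 802.1ad, where the outer transport tag uses TPID 0x88a8. The transport VLAN 20 and the tenant tags 100/101 are taken from the thread; the MAC addresses and payload are constructed, and the strict receive-side check in `tenant_for_frame` (drop anything that does not carry a valid inner tag under the expected outer tag) is a design choice assumed here, not a behaviour of any switch or of OVS.

```python
"""Build and parse stacked-VLAN (QinQ) Ethernet frames: an outer transport
tag (VLAN 20) wrapped around each tenant's own 802.1Q tag (100 for
network1, 101 for network2).  Constructed example; not captured traffic."""
import struct

TPID_8021Q = 0x8100    # customer (C-) tag, IEEE 802.1Q
TPID_8021AD = 0x88A8   # service (S-) tag, IEEE 802.1ad
ETHERTYPE_IPV4 = 0x0800

TRANSPORT_VID = 20                                       # "vlan 20 for transport"
TENANT_BY_INNER_VID = {100: "network1", 101: "network2"}  # tenant tag -> network


def build_frame(dst, src, tags, ethertype, payload):
    """Return an Ethernet frame carrying the given tag stack.

    tags is a list of (tpid, vid) pairs, outermost first, in the order they
    sit in the frame right after the source MAC.
    """
    frame = bytes(dst) + bytes(src)
    for tpid, vid in tags:
        if not 0 <= vid <= 4095:
            raise ValueError("VLAN id out of range: %d" % vid)
        frame += struct.pack("!HH", tpid, vid)  # PCP=0, DEI=0, VID in low 12 bits
    return frame + struct.pack("!H", ethertype) + bytes(payload)


def parse_tags(frame):
    """Walk the tag stack: return (tags outermost first, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return tags, tpid, frame[off + 2:]
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((tpid, tci & 0x0FFF))
        off += 4


def tenant_for_frame(frame, outer_tpid):
    """Map a frame received over the transport VLAN to a tenant network,
    or None if it must be dropped.  outer_tpid selects the stacking the
    transport switches use: TPID_8021Q (legacy) or TPID_8021AD (QinQ).
    Assumed policy: never let a frame without a tenant tag fall through."""
    tags, _, _ = parse_tags(frame)
    if len(tags) < 2:
        return None                       # no inner tag: no owner
    (o_tpid, o_vid), (i_tpid, i_vid) = tags[0], tags[1]
    if o_tpid != outer_tpid or o_vid != TRANSPORT_VID:
        return None                       # wrong transport tag or wrong stacking
    if i_tpid != TPID_8021Q:
        return None                       # inner tag must be a plain C-tag
    return TENANT_BY_INNER_VID.get(i_vid)


def example_frames():
    """Constructed sample frames (not captured traffic), by description."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0242ac110002")   # made-up source MAC
    payload = b"\x45" + b"\x00" * 19      # stand-in for an IPv4 header
    mk = lambda tags: build_frame(dst, src, tags, ETHERTYPE_IPV4, payload)
    return {
        "qinq_network1":   mk([(TPID_8021AD, TRANSPORT_VID), (TPID_8021Q, 100)]),
        "legacy_network2": mk([(TPID_8021Q, TRANSPORT_VID), (TPID_8021Q, 101)]),
        "transport_only":  mk([(TPID_8021AD, TRANSPORT_VID)]),
        "unknown_tenant":  mk([(TPID_8021AD, TRANSPORT_VID), (TPID_8021Q, 102)]),
    }


if __name__ == "__main__":
    for name, frame in example_frames().items():
        tags, ethertype, _ = parse_tags(frame)
        print(name, ["%#06x/%d" % t for t in tags], hex(ethertype),
              tenant_for_frame(frame, TPID_8021AD))
```

Run as a script it prints each frame's tag stack and the tenant it resolves to under the 802.1ad stacking. The thing to take from `tenant_for_frame` is that isolation between network1 and network2 rests entirely on the inner tag surviving the trip under the expected outer tag: a frame that shows up on VLAN 20 with no inner tag has no owner and must not be handed to a default tenant, and a switch that only understands 0x8100 will typically not treat the 0x88a8 S-tag as a VLAN tag at all, which is why the reply says the switches have to support the stacking you use.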