From VMware to Private Cloud Director: Mastering Multi-Tenancy with Identity and Domains

For VMware administrators, managing multiple teams, departments, or customers in a private cloud has always required careful planning and extra licensing. The challenge is finding a balance between isolation and flexibility without adding operational complexity or costs.

vSphere has no native equivalent for true multi-tenancy. Folders and resource pools provide organizational grouping, but they don’t enforce quotas across compute, storage, and networking together, and they don’t provide self-service portals. Getting that level of tenant isolation and governance in VMware required Aria Automation (formerly vRealize Automation) and additional licensing.

Wondering how to streamline your VMware to Private Cloud Migration while managing multi-tenancy and identity? Let’s understand it step by step.

Platform9: Multi-Tenancy by Design

Private Cloud Director builds upon these familiar logical constructs while introducing a cloud-native, multi-tenant approach that aligns with more modern infrastructure patterns. The key constructs are:

  • Domains: The highest level of organizational isolation. A domain owns its own infrastructure (hosts, clusters, networks) and users. Most single-organization deployments operate entirely within the default domain. Additional domains are for true organizational isolation where infrastructure, tenants, and users must be completely separate, such as MSPs serving multiple customers or large enterprises with autonomous business units.
  • Regions: Represent physical locations (data centers) where compute resources are located. Regions are deployed during onboarding; adding regions requires working with Platform9.
  • Tenants: The base unit of ownership and resource governance within a domain. Tenants define who can use resources and how much they can consume, with enforced quotas across compute, storage, and networking. Administrators can create tenants from the UI.
  • Clusters: Virtualized clusters are groupings of hypervisor hosts within a region. Each cluster presents its CPU, memory, and GPU resources as a single pool and provides cluster-level features like VM High Availability (VM HA) and Dynamic Resource Rebalancing (DRR). Multiple clusters can exist within a single region.

An important relationship to understand: tenants and regions are parallel constructs under a domain, not nested. A tenant is not “inside” a region. A tenant can operate across all regions within its domain. Regions define where infrastructure lives; tenants define who can use it and how much.

Private Cloud Director brings these capabilities into a unified private cloud platform that delivers the multi-tenancy VMware users have been asking for without requiring third-party extensions or additional licensing costs.

Multi-Tenancy in Private Cloud Director

Private Cloud Director enforces multi-tenancy through three core identity constructs:

  1. Domains: The root organizational boundary. Each domain has its own infrastructure, authentication policies, and security boundaries. Hosts, clusters, and networks in one domain are invisible to other domains. Tenants don’t cross domain boundaries. A new deployment comes with a single “default” domain, which is sufficient for most organizations.
  2. Tenants: Isolated resource boundaries within a domain. Each tenant has its own quotas (compute, storage, networking), users, and RBAC policies. Tenants are self-service: administrators create them directly from the Private Cloud Director UI. Think of tenants as the construct you’ll use to separate departments, teams, or application environments.
  3. Regions: Physical data center locations within a domain. A tenant can deploy workloads in any region available to its domain. Regions are set up during onboarding; adding regions requires contacting Platform9.
  4. Clusters: Within each region, one or more virtualized clusters group hypervisor hosts together. Clusters are the fault domain and resource boundary for features like VM HA and DRR. You might create separate clusters for different hardware types (GPU-enabled hosts, high-memory hosts) or to isolate workloads at the infrastructure level.

You have flexibility with how you choose to define your tenants. A well-structured multi-tenancy model helps you ensure:

  • Clear separation of workloads – Prevents cross-tenant data exposure and accidental access.
  • Resource efficiency – Enables fair distribution and prevents performance bottlenecks.
  • Compliance alignment – Supports industry regulations requiring strict tenant separation.

Private Cloud Director allows administrators to implement strict RBAC policies while maintaining the flexibility that you’ve grown used to in a VMware environment.

Private Cloud Director Identity Service: Access & Control

At the core of Private Cloud Director’s multi-tenancy capabilities is its Identity Service. This service manages users, groups, roles, and tenants, and handles authentication and authorization.

Authentication Methods Supported by Private Cloud Director

  • Local User Accounts – Built-in authentication managed within Private Cloud Director.
  • Enterprise Single Sign-On (SSO) via SAML 2.0 – Seamlessly integrates with corporate identity providers such as Okta and Microsoft Entra ID.
  • Multi-Factor Authentication (MFA) – Adds an additional layer of security to user authentication.

Role-Based Access Control (RBAC)

Private Cloud Director enforces least-privilege access using predefined roles:

  • Administrator – Full control over domains, tenants, and infrastructure.
  • Self-Service User – Permissions are limited to what has been granted in the tenant.
  • Read Only User – Can view configurations but cannot make changes.

Example: Assigning Role-Based Access in Private Cloud Director

A DevOps engineer needs access to both the Development and QA tenants. To assign scoped permissions:

  1. From the Private Cloud Director dashboard, click the Settings icon, and then choose Tenants and Users.
  2. Select and edit the user, then assign the necessary tenant roles.
  3. Verify that the assigned permissions prevent unauthorized access.
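
One way to carry out the verification in step 3, shown as an added example that is not Platform9 code: compare the role assignments you observe against the access you intended and list every deviation. The record layout, user names, and policy are constructed for illustration, and the assignments are assumed to be transcribed by hand from the Tenants and Users page.

```python
# Added example: offline review of tenant role assignments against an intended policy.
# The record layout is hypothetical, not a Private Cloud Director export format.
from collections import defaultdict

# Predefined roles named in the article.
ROLES = {"Administrator", "Self-Service User", "Read Only User"}

# Intended access: user -> {tenant: role}. Constructed sample policy.
INTENDED = {
    "devops.engineer": {"Development": "Self-Service User", "QA": "Self-Service User"},
    "hr.analyst": {"HR": "Self-Service User"},
    "auditor": {"HR": "Read Only User", "Finance": "Read Only User"},
}

# Observed (user, tenant, role) assignments. Constructed sample data.
OBSERVED = [
    ("devops.engineer", "Development", "Self-Service User"),
    ("devops.engineer", "QA", "Administrator"),            # broader than intended
    ("devops.engineer", "Finance", "Self-Service User"),   # tenant not in policy
    ("hr.analyst", "HR", "Self-Service User"),
    ("auditor", "HR", "Read Only User"),                   # Finance grant missing
    ("contractor", "Engineering", "Self-Service User"),    # user not in policy
]

def review(intended, observed):
    """Return sorted (user, tenant, finding) tuples for every deviation from policy."""
    findings = []
    seen = defaultdict(dict)
    for user, tenant, role in observed:
        seen[user][tenant] = role
        if role not in ROLES:
            findings.append((user, tenant, f"unknown role {role!r}"))
            continue
        want = intended.get(user, {}).get(tenant)
        if user not in intended:
            findings.append((user, tenant, "user not in policy"))
        elif want is None:
            findings.append((user, tenant, "unexpected tenant access"))
        elif want != role:
            findings.append((user, tenant, f"role {role!r}, expected {want!r}"))
    # Grants the policy expects but the observed data lacks.
    for user, tenants in intended.items():
        for tenant in tenants:
            if tenant not in seen[user]:
                findings.append((user, tenant, "intended grant missing"))
    return sorted(findings)

if __name__ == "__main__":
    for user, tenant, finding in review(INTENDED, OBSERVED):
        print(f"{user:16} {tenant:12} {finding}")
```

An empty result means the observed assignments match the policy exactly; any row is either excess access to remove or an intended grant that was never made.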

We designed Private Cloud Director identity management to be intuitive while making sure that you get the comprehensive access control you need. It’s about making every part of the workflow smoother to reduce the friction of getting applications deployed.

Multi-Tenancy Use Case: Enterprise Departmental Cloud

Let’s run through a quick scenario. You are the administrator for a global enterprise that needs to isolate workloads across HR, Finance, and Engineering. All three departments are part of the same organization, so they operate within the default domain. The isolation happens at the tenant level.

Private Cloud Director provides a straightforward way for you to get the logical isolation and organization you need.

Step 1: Define Tenants

  • HR Tenant – Restricted to HR personnel, ensuring employee data remains secure.
  • Finance Tenant – Dedicated to financial applications, preventing unauthorized access.
  • Engineering Tenant – A sandbox for developers to test and deploy without impacting production.

Each tenant gets its own quotas for compute (cores, RAM, VMs), storage (volumes, capacity), and networking (networks, routers, floating IPs). This prevents any single department from consuming more than its share of resources.

If the enterprise also operates in multiple data center locations, those would be represented as regions. Each tenant can deploy workloads in any available region, so the Engineering tenant could have VMs in both US-East and US-West without needing separate configuration.

Step 2: Assign Users & Teams with Role-Based Access

  • HR, Finance, and Engineering teams have Self-Service access within their respective tenants, with access to OS images and networks as defined by an administrator.
  • The Engineering tenant has increased quotas and a VM lease policy enabled, allowing a larger number of workloads but restricting their lifecycles through a lease.

Step 3: Enforce Security & Compliance Policies

  • RBAC – Ensures users can only access assigned tenants with built-in and customizable roles.
  • SAML 2.0 SSO – Strengthens authentication consistency and integrates with your enterprise directory service.
  • Network Segmentation – Prevents unauthorized cross-tenant traffic and maintains logical separation of resources.

Identity Service provides you with a cloud tenancy model with enterprise authentication integration so you can scale your private cloud while maintaining compliance, security, and control.

Additional Private Cloud Director Identity Capabilities

Beyond tenant isolation, Private Cloud Director offers granular controls to enhance security and governance. Some of the key capabilities that you gain include:

  • Federated Authentication (SAML 2.0) – Integrates with enterprise identity providers like Okta and Microsoft Entra ID.
  • Multi-Factor Authentication (MFA) – Adds a second factor to user login.
  • Built-in Network Segmentation – Ensures strict tenant traffic isolation.
  • Quotas & Limits – Prevents resource monopolization by any single tenant, with enforcement across compute, storage, and networking.
  • VM Leases – Automatically delete VMs after a configurable time period, useful for dev/test environments.
  • Audit Logging – Tracks API events across Identity, Compute, and Networking services for compliance and troubleshooting.

Unlocking Multi-Tenancy for VMware Users

Private Cloud Director was built to provide a simple, flexible, and cost-effective private cloud. The goal is to extend capabilities while also providing a familiar experience for folks who are coming from VMware. There are also many features you’ve not had before with VMware vSphere and vCenter, like true cloud-native multi-tenancy with enforced quotas, self-service portals, and built-in identity management.

  • Domains for organizational isolation, tenants for team-level resource governance
  • Enterprise-ready identity and access management with SSO, MFA, and RBAC
  • Enforced quotas across compute, storage, and networking per tenant
  • Seamless tenant isolation and workload segmentation without additional licensing

Private Cloud Director empowers IT teams to modernize their infrastructure while maintaining the control and efficiency they expect.

Want to experience the benefits of multi-tenancy with Private Cloud Director? Start your journey today

Author

  • Damian Karlson

    Damian leads technical product marketing and community engagement for Private Cloud Director & vJailbreak. Prior to joining Platform9, he had many years at VMware, EMC, and Dell focused on delivering powerful cloud solutions & services.
