Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

  1. Blog
  2. Article

Brent Clements
on 26 July 2016

What is and Why Micro-Segmentation for multi-tenant big software?

Working with enterprises particularly those in health, financial services and government sectors who are required to be serious about security and who need to meet regulatory compliance requirements,  micro-segmentation has emerged as a hot security topic. It is currently the preferred method for securing big software deployments in multi-tenant environments through the use of security functionality implemented in SDN (Software Defined Networking) solutions. Let’s delve down into what micro-segmentation is, who it will benefit, and finally some examples of how it can be implemented within your organization to secure your OpenStack private cloud.

For those unfamiliar, this boils down to one thing: micro-segmentation is an automated way to apply tighter controls on who has access to what.

What is it?

Security requires a defense-in-depth approach that starts with network segmentation. As seen below, this can be done with hardware-based firewalls and at the switch layer using traditional VLANs today.

Unfortunately, this limits you to security which requires access to the physical layer and implementation at the data link layer (layers 1 and 2). This increases management complexity when dealing with multi-tenant big software systems running in cloud environments.  In multi-tenant cloud environments, there is a requirement for deploying and enforcing much more granular security policies at OSI levels 3 to 7, from data routing to individual virtual machines to workloads, and even the applications themselves. When big software is involved, the number and variety of bare metal servers, virtual machines and containers increase dramatically, as well as the sizes of the workloads and the complexity of segmenting them.

One Canonical partner with whom I and others work with regularly, PLUMgrid, explains that micro-segmentation provides:1

  • workload isolation both at the virtual and physical level (whether for compliance or simple separation of environments like Dev/Test)
  • segmentation of portions of the same logical tenant infrastructure (e.g web, app, DB tier) without having to rely on external security appliances
  • automation of definition of security segments and enforcement of policies

Who benefits from using Micro-Segmentation?

Most, if not all enterprises, will benefit from micro-segmentation; especially those that deal with PCI, SOX, HIPAA, FIPS 140-2, and other regulatory compliance requirements. Micro-segmentation allows enterprises to meet compliance & audit mandates, reduce infrastructure costs for applications, and avoid routine, expensive firewall upgrades. Ultimately, the business value of micro-segmentation is newly realized income from reduction of Capex and Opex expenditures as well as improved productivity due to controls compliance automation.

Implementing Micro-Segmentation within an OpenStack-based Cloud 

One of the nice things to me as an architect is that micro-segmentation gives us the ability to deploy security policies directly into virtualized environments without having to deploy a hardware-based firewall.  Security can be applied to all network layers (1-7) and the security policies can move with a big software stack in case of migration or changes to the network. These features work great due to the openness of OpenStack’s neutron API and integration of third-party SDN solutions.

OpenStack provides micro-segmentation functionality by way of Neutron security groups and ACL controls.  Unfortunately, this functionality is very limited thus third party solutions have provided complete micro-segmentation for big software workloads. One such solution is the PLUMgrid ONS SDN solution for OpenStack. PLUMgrid has built a rock-solid micro-segmentation solution for securing multi-tenant workloads.

PLUMgrid ONS micro-segmentation2 is based on a fully distributed solution that enforces security at the ingress and egress of the cloud infrastructure (e.g. in the kernel of each hypervisor).

  • Isolation is intrinsic to the Virtual Domain creation and onboarding of VMs into it. Isolation is implicit within the Virtual Domain as well as between tenants.
  • Packets are never punted to user space slow path nor to a central network node to enforce security. The security VNF is entirely in the dataplane in the kernel IO Visor and fully distributed.
  • Security policies are not IP, nor topology based and follow the VMs throughout a mobility event.
  • The solution is based on IO Visor, not on IP tables (which leads to better scalability properties).
    • Other solutions end up “compiling” security policies into ACL or flow-based entries. State explodes very quickly.
    • With IO Visor there is no rule compilation, no new flow redirects, no flow setup overhead.
  • PLUMgrid provides the ability to also establish and enforce security policies at the Service Virtual Domain level.

The first thing you will want to do is build your cloud with Canonical Cloud Tools. Using Juju and MAAS or Autopilot, you can easily deploy OpenStack and other big software bundles with ease.  To quickly get a cloud up and running with the PLUMgridONS platform, simply follow the instructions at

Note: I am assuming MAAS and Juju have been previously deployed and are working.

Once you have deployed the PLUMgrid ONS platform you can begin to create your tenants and secure your workloads by segmenting your network traffic.

More information on using PLUMgridONS to secure your projects can be found at


  1. Micro-segmentation for OpenStack Clouds [Abstract]. (n.d.). Micro-segmentation for OpenStack Clouds, Pg. 1. Retrieved July 21, 2016, from
  2.  Micro-segmentation for OpenStack Clouds [Abstract]. (n.d.). Micro-segmentation for OpenStack Clouds, Pg. 6. Retrieved July 21, 2016, from

Original article

Related posts

Andre Ruiz
17 May 2023

A brief history of MicroStack

Cloud and server OpenStack

OpenStack is no doubt a wonderful and successful piece of software. It allows you to create your own cloud infrastructure, and thanks to its open-source nature, it’s free to use for everyone. But as with many giant software projects, all that power comes with a challenge: it is reasonably complex to install and configure. A ...

Tytus Kurek
3 April 2024

OpenStack with Sunbeam as an on-prem extension of the OpenStack public cloud

Cloud and server OpenStack

One of the biggest challenges that cloud service providers (CSPs) face these days is to deliver an extension of the public cloud they host to a small-scale piece of infrastructure that runs on customers’ premises. While the world’s tech giants, such as Amazon or Azure, have developed their own solutions for this purpose, many smaller, ...

Michael C. Jaeger
23 February 2024

What is a Kubernetes operator?

Charms Article

Kubernetes is the open source, industry-standard platform for deploying, managing and scaling containerized applications – and applications on Kubernetes are easier with operators. ...