
Building Multi‑Tenant VPC Container Networks with Kube‑OVN on Edge Computing

This article explains why multi‑tenant VPC networks are essential for modern cloud‑native environments, outlines typical use cases such as public‑cloud container services, virtual‑machine workloads and finance, discusses the challenges of implementing tenant isolation in Kubernetes, and describes how the Kube‑OVN‑based solution was enhanced and deployed on edge‑computing platforms to provide strong VPC isolation, flexible IP management, and integrated load‑balancing services.

Cloud Native Technology Community

The presentation introduces the need for multi‑tenant VPC container networks, noting that early public‑cloud networks used a shared L2 model which exhausted address space and offered limited isolation, leading providers to adopt VPCs for better logical separation and address flexibility.

Key use cases driving multi‑tenant networking include public‑cloud container services that require isolated address spaces, enterprises delivering virtual‑machine workloads on Kubernetes, and financial scenarios demanding fine‑grained security, traffic control, and compliance.

Core tenant requirements are overlapping IP address spaces, independent network services per tenant (LB, NAT, EIP, DNS), and granular QoS, bandwidth, and billing controls.

Kubernetes faces several challenges for multi‑tenant networking: lack of a definitive multi‑tenant design in upstream SIGs, IP uniqueness checks, host‑to‑container communication issues with overlapping IPs, limitations of ClusterIP allocation, and the need to isolate tenant‑level services such as LB, DNS, and ACL.

In the edge‑computing context, resources are limited and a single‑cluster, hyper‑converged architecture is required. The team selected Kube‑OVN, an OVN‑based CNI, for its rich feature set and SDN capabilities, and extended it to support custom VPCs, each with its own independent Layer 3 routing, for strong tenant isolation.

Network isolation is enforced using Kubernetes NetworkPolicy for ACLs, while Ingress handles L7 traffic and MetalLB provides L4 load‑balancing with per‑tenant public IPs, though MetalLB cannot reuse the same IP for outbound traffic.
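As an added illustration (not a manifest from the presentation or from the Kube‑OVN project itself), the resources below put two tenants into separate Kube‑OVN VPCs that both use 10.0.1.0/24, which is only possible because each custom VPC gets its own logical router, and pair one tenant with a NetworkPolicy that admits ingress solely from its own namespace. Tenant, VPC and subnet names are placeholders, and the manifests assume a Kube‑OVN installation with custom VPC support enabled.

```yaml
# Tenant A: its own VPC (own logical router) and a subnet inside it.
apiVersion: kubeovn.io/v1
kind: Vpc
metadata:
  name: tenant-a-vpc
spec:
  namespaces: [tenant-a]
---
apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
  name: tenant-a-subnet
spec:
  vpc: tenant-a-vpc
  cidrBlock: 10.0.1.0/24
  protocol: IPv4
  namespaces: [tenant-a]
---
# Tenant B: separate VPC, deliberately reusing the same CIDR as tenant A.
apiVersion: kubeovn.io/v1
kind: Vpc
metadata:
  name: tenant-b-vpc
spec:
  namespaces: [tenant-b]
---
apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
  name: tenant-b-subnet
spec:
  vpc: tenant-b-vpc
  cidrBlock: 10.0.1.0/24   # overlaps tenant A; no collision across VPCs
  protocol: IPv4
  namespaces: [tenant-b]
---
# ACL baseline for tenant A: drop all ingress except from pods in tenant-a.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only
  namespace: tenant-a
spec:
  podSelector: {}          # applies to every pod in the namespace
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}  # podSelector without namespaceSelector = same namespace
```

Applying a matching policy in tenant‑b gives both tenants the same default‑deny posture; cross‑tenant reachability then has to be granted explicitly rather than existing by default.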

The enhanced solution adds VPC‑level routing, custom VPC creation, and containerized implementations of gateway, SLB, VPN, and dedicated IP services, enabling seamless migration of public‑cloud network capabilities to edge environments.

Overall, the Kube‑OVN‑based multi‑tenant VPC implementation demonstrates how cloud‑native networking can be adapted for edge scenarios, delivering strong isolation, flexible address management, and integrated load‑balancing while contributing improvements back to the open‑source project.

Tags: Cloud Native, edge computing, Kubernetes, multi-tenant, network isolation, VPC, Kube-OVN
Written by

Cloud Native Technology Community

The Cloud Native Technology Community, part of the CNBPA Cloud Native Technology Practice Alliance, focuses on evangelizing cutting‑edge cloud‑native technologies and practical implementations. It shares in‑depth content, case studies, and event/meetup information on containers, Kubernetes, DevOps, Service Mesh, and other cloud‑native tech, along with updates from the CNBPA alliance.
