Maintaining Network Isolation While Enabling Access
- Last Updated: August 6, 2025
- Progress Connection Manager for ObjectScale
Nearly every organization’s network topology consists of multiple VLANs and subnets to support some level of network isolation. These boundaries are typically determined by tenant, business unit, location, or security compliance policies. Regardless of the reason for network isolation, the end goal is typically to keep assets and users in one network zone isolated from those in others. The challenge arises when common network resources such as storage must be accessed from across these boundaries.
An application load balancer (a common requirement for ObjectScale deployments) can provide the required access to the storage while still maintaining the highest level of security. Using the Connection Manager’s multi-interface or multi-VLAN capabilities, applications on isolated network segments can access the ObjectScale storage through a dedicated Virtual IP Address (VIP) that is local to each network, without creating additional routes or compromising security posture at the firewall level. Essentially, as long as the Connection Manager has a network interface created in each client application subnet, a local published endpoint can be created that points to the same backend pool of ObjectScale resources. As shown in the diagram below, two Virtual Service endpoints for ObjectScale have been created on different networks on a single Connection Manager, both pointing to the same backend ObjectScale pool.
As a basic Layer 4 firewall, the Connection Manager is designed to deny all connections and only permit explicitly allowed traffic to defined resources. Since it serves as a proxy and termination endpoint in most deployment scenarios, network routing between the client applications and the backend ObjectScale nodes is also not required where security policies do not allow it.
Additional security measures such as blocklisting and allowlisting can also be leveraged on deployed Connection Managers to further support a segmentation strategy.

With the use of multiple VIPs, each subnet will terminate storage connections locally to access the shared storage environment residing on a remote network segment. Each VIP or Virtual Service can be independently configured to allow for different configuration options. Some highly secure networks may require end-to-end encryption, while other less secure networks allow for TLS offloading.
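
A design-review check for the layout described above, as an added example (not Progress code and not the Connection Manager's configuration format). The inventory fields, addresses, segment names, and the `reencrypt`/`offload` labels are constructed assumptions.

```python
import ipaddress

# Constructed inventory; field names are hypothetical, not a product schema.
INTERFACES = ["10.10.1.2/24", "10.20.1.2/24"]   # Connection Manager interfaces
BACKEND_NODES = ["172.16.50.11", "172.16.50.12"]  # ObjectScale nodes, remote segment
CLIENT_SEGMENTS = {
    "finance": {"subnet": "10.10.1.0/24", "require_e2e_tls": True},
    "lab":     {"subnet": "10.20.1.0/24", "require_e2e_tls": False},
    "hr":      {"subnet": "10.30.1.0/24", "require_e2e_tls": True},
}
VIRTUAL_SERVICES = [
    {"vip": "10.10.1.100", "pool": "objectscale", "tls": "reencrypt"},
    {"vip": "10.20.1.100", "pool": "objectscale", "tls": "offload"},
]

def audit(segments, interfaces, services, backend_nodes):
    """Return a list of findings; an empty list means the design holds."""
    findings = []
    ifaces = [ipaddress.ip_interface(i) for i in interfaces]
    # Every Virtual Service should front the same backend pool.
    pools = {s["pool"] for s in services}
    if len(pools) > 1:
        findings.append(f"virtual services use different pools: {sorted(pools)}")
    for name, seg in segments.items():
        net = ipaddress.ip_network(seg["subnet"])
        # Backend storage must stay outside client segments.
        if any(ipaddress.ip_address(n) in net for n in backend_nodes):
            findings.append(f"{name}: backend node sits inside client subnet")
        # A local VIP needs a Connection Manager interface in that subnet.
        if not any(i.network == net for i in ifaces):
            findings.append(f"{name}: no Connection Manager interface in {net}")
        local = [s for s in services if ipaddress.ip_address(s["vip"]) in net]
        if not local:
            findings.append(f"{name}: no local VIP, clients would need a route")
        # Per-VIP TLS mode must match the segment's policy.
        for s in local:
            if seg["require_e2e_tls"] and s["tls"] != "reencrypt":
                findings.append(f"{name}: VIP {s['vip']} offloads TLS")
    return findings

if __name__ == "__main__":
    for finding in audit(CLIENT_SEGMENTS, INTERFACES, VIRTUAL_SERVICES, BACKEND_NODES):
        print(finding)
```
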