MicrosoftDocs
diff --git a/‎articles/operator-nexus/TOC.yml
Lines changed: 13 additions & 2 deletions b/‎articles/operator-nexus/TOC.yml
Lines changed: 13 additions & 2 deletions
diff --git a/‎articles/operator-nexus/concepts-isolation-domain.md
Lines changed: 50 additions & 0 deletions b/‎articles/operator-nexus/concepts-isolation-domain.md
Lines changed: 50 additions & 0 deletions
diff --git a/‎articles/operator-nexus/media/isolation-domain-multidomain-tenant-networking.png
116 KB b/‎articles/operator-nexus/media/isolation-domain-multidomain-tenant-networking.png
116 KB
diff --git a/‎articles/operator-nexus/reference-isolation-domain-configuration-examples.md
Lines changed: 257 additions & 0 deletions b/‎articles/operator-nexus/reference-isolation-domain-configuration-examples.md
Lines changed: 257 additions & 0 deletions
@@ -22,8 +22,17 @@
           href: concepts-network-fabric-controller.md
         - name: Network Fabric Services
           href: concepts-network-fabric-services.md
-        - name: Access Control Lists
-          href: concepts-access-control-lists.md
+    - name: Isolation Domains
+      expanded: false
+      items:
+        - name: Isolation Domains overview
+          href: concepts-isolation-domain.md
+        - name: Isolation Domain configuration
+          href: reference-isolation-domain-configuration.md
+        - name: Technical requirements for Isolation Domains
+          href: reference-isolation-domain-technical-requirements.md
+    - name: Access Control Lists
+      href: concepts-access-control-lists.md
     - name: Nexus Kubernetes
       href: concepts-nexus-kubernetes-cluster.md
     - name: Observability
@@ -101,6 +110,8 @@
           items:
             - name: Isolation Domain
               href: howto-configure-isolation-domain.md
+            - name: Isolation Domain Configuration Examples
+              href: reference-isolation-domain-configuration-examples.md
             - name: Network Fabric Route Policy
               href: how-to-route-policy.md
             - name: Network Packet Broker
 
@@ -0,0 +1,50 @@
+---
+title: Azure Operator Nexus Isolation Domains
+description: Overview of Isolation Domains for Azure Operator Nexus.
+author: joemarshallmsft
+ms.author: joemarshall
+ms.reviewer: jdasari
+ms.date: 01/29/2024
+ms.service: azure-operator-nexus
+ms.topic: conceptual
+---
+
+# Isolation Domain Overview
+
+An Isolation Domain resource enables the creation of layer-2 and layer-3 networks that your network functions can connect to. This enables inter-rack and intra-rack communication between the network functions. The Operator Nexus Network Fabric (NNF) Service enables three types of isolation domain:
+
+-   **Layer-2 isolation domain** - provides layer-2 networking capabilities within and across the racks for workloads running on servers. Workloads can take advantage of the isolated layer-2 network to establish direct connectivity among themselves at layer 2 and above.
+
+-   **Layer-3 isolation domain with Internal Networks** - provides workloads the ability to connect across a layer 3 (IP) network.
+
+-   **Layer-3 isolation domain with External Network** - provides workloads the ability to connect across a layer 3 network, and provides connectivity to the operator's network outside of the Operator Nexus network fabric.
+
+An isolation domain offers:
+
+-   Unified network capabilities with full integration with your compute resources, enabling connectivity between your Operator Nexus platform workloads.
+
+-   Northbound connectivity with customer routers using BGP peering sessions between the Operator Nexus network fabric and the operator's external network.
+
+-   Southbound connectivity with telco workloads using internal networks.
+
+-   API driven unified layer 2 and layer 3 configuration for North-South and East-West traffic.
+
+- Full isolation between isolation domains - packets from one domain aren't sent to workloads in another isolation domain on the same Operator Nexus Network Fabric. Services in one domain are invisible to services in another.
+
+- The ability to create flexible network topologies by adding or removing workloads to an isolation domain as needed.
+
+## Layer 2 Isolation Domains
+
+A layer 2 isolation domain provides L2 networking capabilities between workloads within across racks. Workloads can use the isolated layer-2 network to establish direct connectivity among themselves.
+
+The NNF enables operators to provision and manage layer 2 isolation domains below resource level. Each layer-2 isolation domain has an associated VLAN ID. If a workload needs connectivity to multiple VLANs, multiple layer-2 isolation domains must be created. A separate NIC resource is required for each layer-2 domain that the workload connects to.
+
+## Layer 3 Isolation Domains
+
+A layer 3 isolation domain provides workloads with the ability to exchange layer-3 routing information through the Operator Nexus network fabric and with external networks.
+
+Layer-3 isolation domains can provide two types of network:
+
+-   **Internal Network** - a Layer 3 Isolation Domain Internal Network enables east-west layer 3 communication between workloads on the Operator Nexus Network fabric. An internal network is a complete solution for layer-3 inter and intra-rack communication for compute workloads. Each workload can connect to multiple internal networks.
+
+-   **External Network** - a Layer 3 Isolation Domain External Network enables workloads to communicate with external services via the operator network. An external network creates a communication channel between Operator Nexus workloads and services hosted outside of the Operator Nexus network fabric. Each Layer 3 isolation domain supports one external network.
@@ -0,0 +1,257 @@
+---
+title: Azure Operator Nexus Isolation Domain configuration examples
+description: Isolation domain configuration examples.
+author: joemarshallmsft
+ms.author: joemarshall
+ms.reviewer: jdasari
+ms.date: 02/02/2024
+ms.service: azure-operator-nexus
+ms.topic: reference
+---
+
+# Configuration examples for creating an isolation domain
+
+This article gives examples of how to configure isolation domains in various scenarios.
+
+## Create an L2 isolation domain
+
+In this example, we create a layer 2 isolation domain with the following properties:
+
+- Name: `l2domain1`
+- Resource group: `rg1`
+- Location: `eastus`
+- Network fabric ID: `nf1`
+- VLAN ID: 600
+
+**Command**:
+
+```azurecli
+az networkfabric l2domain create \
+--resource-group rg1 \
+--name l2domain1 \
+--location eastus \
+--network-fabric-id nf1 \
+--vlan-id 600
+```
+
+**Expected output:**
+
+```
+{
+"administrativeState": "Enabled",
+"id": "/subscriptions/xxxxxx-xxxxxx-xxxx-xxxx-xxxxxx/resourceGroups/rg1/providers/Microsoft.ManagedNetworkFabric/l2IsolationDomains/l2domain1",
+"name": "l2domain1",
+"networkFabricId": "/subscriptions/xxxxxx-xxxxxx-xxxx-xxxx-xxxxxx/resourceGroups/NFResourceGroupName/providers/Microsoft.ManagedNetworkFabric/NetworkFabrics/nf1",
+"provisioningState": "Succeeded",
+"resourceGroup": "rg1",
+"systemData": {
+"createdAt": "2023-XX-XXT12:34:56.789012+00:00",
+"createdBy": "[email protected]",
+"createdByType": "User",
+"lastModifiedAt": "2023-XX-XXT12:34:56.789012+00:00",
+"lastModifiedBy": "[email protected]",
+"lastModifiedByType": "User"
+},
+"type": "microsoft.managednetworkfabric/l2isolationdomains",[^2^][2]
+"vlanId": 600
+}
+```
+
+## Create an L3 isolation domain.
+
+To create an L3 isolation domain, you can follow these steps:
+
+-   Use the `az networkfabric l3domain create` command to create an L3 isolation domain. You must specify the required parameters:
+
+    - Resource group
+    - Resource name
+    - Location
+    - Network fabric ID.
+
+    You can also specify optional parameters, such as:
+    - Redistribute connected subnets
+    - Redistribute static routes
+    - Aggregate route configuration
+    - Connected subnet route policy.
+
+-   Use the `az networkfabric internalnetwork create` command to create one or more internal networks for the L3 isolation domain. You need to provide:
+
+    - The VLAN ID
+    - Connected IPv4 or IPv6 subnets
+    - BGP configuration for each internal network.
+
+    You can also specify optional parameters, such as:
+
+    - MTU
+    - Static route configuration
+    - Extension.
+
+-   Use the `az networkfabric externalnetwork create` command to create an external network for the L3 isolation domain. You need to choose the peering option (Option A or Option B) and provide the corresponding properties, such as peer ASN, VLAN ID, primary and secondary IPv4 or IPv6 prefixes, and route targets.
+
+-   Use the `az networkfabric l3domain update-admin-state` command to enable the L3 isolation domain. You must enable the isolation domain to push the configuration to the network fabric devices.
+
+**Example** :
+
+In this example, we create an L3 isolation domain with the following properties:
+
+- Name: `example-l3domain`
+- Network fabric ID `/subscriptions/xxxxxx-xxxxxx-xxxx-xxxx-xxxxxx/resourceGroups/NFResourceGroupName/providers/Microsoft.ManagedNetworkFabric/NetworkFabrics/NFName`.
+
+**Command:**
+
+```azurecli
+az networkfabric l3domain create \
+--resource-group "ResourceGroupName" \
+--resource-name "example-l3domain" \
+--location "eastus" \
+--nf-id "/subscriptions/xxxxxx-xxxxxx-xxxx-xxxx-xxxxxx/resourceGroups/NFResourceGroupName/providers/Microsoft.ManagedNetworkFabric/NetworkFabrics/NFName"
+```
+
+## Create an Internal Network
+
+In this example, we create an internal network with the following properties:
+
+- VLAN ID: 1001
+- IPv4 subnet: 10.0.0.0/24
+- L3 isolation domain name: `example-l3domain`
+
+**Command:**
+
+```azurecli
+az networkfabric internalnetwork create \
+--resource-group "ResourceGroupName" \
+--l3-isolation-domain-name "example-l3domain" \
+--resource-name "example-internalnetwork" \
+--vlan-id 1001 \
+--connected-ipv4-subnets '[{"prefix":"10.0.0.0/24"}]' \
+--mtu 1500
+```
+
+This similar example uses an IPv6 address instead of IPv4:
+
+```azurecli
+az networkfabric internalnetwork create \
+--resource-group "ResourceGroupName" \
+--l3-isolation-domain-name "example-l3domain" \
+--resource-name "example-internalnetwork" \
+--vlan-id 1002 \
+--connected-ipv6-subnets '[{"prefix":"10:101:1::0/64"}]' \
+--mtu 1500
+```
+
+In this example, we add BGP configuration:
+
+```azurecli
+az networkfabric internalnetwork create \
+--resource-group "ResourceGroupName" \
+--l3-isolation-domain-name "example-l3domain" \
+--resource-name "example-internalnetwork" \
+--vlan-id 1003 \
+--connected-ipv4-subnets '[{"prefix":"10.1.2.0/24"}]' \
+--mtu 1500 \
+--bgp-configuration '{"defaultRouteOriginate": "True", "allowAS": 2, "allowASOverride": "Enable", "PeerASN": 65535, "ipv4ListenRangePrefixes": ["10.1.2.0/28"]}'
+```
+
+## Creating External Networks
+
+This example creates an external network using Option B with IPv4 and IPv6 route targets
+
+**Command:**
+
+```azurecli
+az networkfabric externalnetwork create \
+--resource-group "ResourceGroupName" \
+--l3domain "example-l3domain" \
+--resource-name "example-externalnetwork" \
+--peering-option "OptionB" \
+--option-b-properties "{routeTargets:{exportIpv4RouteTargets:['65045:2001'],importIpv4RouteTargets:['65045:2001'],exportIpv6RouteTargets:['65045:2002'],importIpv6RouteTargets:['65045:2002']}}"
+```
+
+**Expected output:**
+
+```
+{
+"administrativeState": "Enabled",
+"id": "/subscriptions/xxxxxx-xxxxxx-xxxx-xxxx-xxxxxx/resourceGroups/NFResourceGroupName/providers/Microsoft.ManagedNetworkFabric/l3IsolationDomains/example-l3domain/externalNetworks/example-externalnetwork",
+"name": "example-externalnetwork",
+"optionBProperties": {
+"exportRouteTargets": [
+"65045:2001",
+"65045:2002"
+],
+"importRouteTargets": [
+"65045:2001",
+"65045:2002"
+],
+"routeTargets": {
+"exportIpv4RouteTargets": [
+"65045:2001"
+],
+"importIpv4RouteTargets": [
+"65045:2001"
+],
+"exportIpv6RouteTargets": [
+"65045:2002"
+\,
+"importIpv6RouteTargets": [
+"65045:2002"
+]
+}
+},
+"peeringOption": "OptionB",
+"provisioningState": "Succeeded",
+"resourceGroup": "ResourceGroupName",
+"systemData": {
+"createdAt": "2023-XX-XXT15:45:31.938216+00:00",
+"createdBy": "[email protected]",
+"createdByType": "User",
+"lastModifiedAt": "2023-XX-XXT15:45:31.938216+00:00",
+"lastModifiedBy": "[email protected]",
+"lastModifiedByType": "User"
+},
+"type": "microsoft.managednetworkfabric/l3isolationdomains/externalnetworks"
+}
+```
+
+This example creates an external network using Option A with IPv4 and IPv6 prefixes:
+
+```azurecli
+az networkfabric externalnetwork create \
+--resource-group "ResourceGroupName" \
+--l3domain "example-l3domain" \
+--resource-name "example-externalnetwork" \
+--peering-option "OptionA" \
+--option-a-properties '{"peerASN": 65026,"vlanId": 2423, "mtu": 1500, "primaryIpv4Prefix": "10.18.0.148/30", "secondaryIpv4Prefix": "10.18.0.152/30", "primaryIpv6Prefix": "fda0:d59c:da16::/127", "secondaryIpv6Prefix": "fda0:d59c:da17::/127"}'
+```
+
+**Expected output:**
+
+```
+{
+"administrativeState": "Enabled",
+"id": "/subscriptions/xxxxxx-xxxxxx-xxxx-xxxx-xxxxxx/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/l3IsolationDomains/example-l3domain/externalNetworks/example-externalnetwork",
+"name": "example-externalnetwork",
+"optionAProperties": {
+"fabricASN": 65050,
+"mtu": 1500,
+"peerASN": 65026,
+"primaryIpv4Prefix": "10.18.0.148/30",
+"secondaryIpv4Prefix": "10.18.0.152/30",
+"primaryIpv6Prefix": "fda0:d59c:da16::/127",
+"secondaryIpv6Prefix": "fda0:d59c:da17::/127",
+"vlanId": 2423
+},
+"peeringOption": "OptionA",
+"provisioningState": "Succeeded",
+"resourceGroup": "ResourceGroupName",
+"systemData": {
+"createdAt": "2023-XX-XXT09:54:00.4244793Z",
+"createdAt": "2023-XX-XXT07:23:54.396679+00:00",
+"createdBy": "[email protected]",
+"lastModifiedAt": "2023-XX-XX1T07:23:54.396679+00:00",
+"lastModifiedBy": "[email protected]",
+"lastModifiedByType": "User"
+},
+"type": "microsoft.managednetworkfabric/l3isolationdomains/externalnetworks"
+}
+```