Q: How does OpenMetal separate network traffic between infrastructure, storage, and tenant workloads?

OpenMetal architecturally separates three classes of network traffic: infrastructure and control-plane communication, Ceph storage replication, and tenant workload traffic.

Each class operates on dedicated paths within the cluster, preventing any one traffic type from saturating the bandwidth used by another. This separation is a function of the dedicated bare-metal architecture: because nodes are not shared with other customers, traffic paths can be physically isolated rather than logically partitioned on a shared fabric.

The Ceph storage cluster, which provides block and object storage for all OpenMetal clouds, runs its replication and recovery traffic independently of the network used by virtual machine workloads. OpenStack control-plane communication (API calls, scheduler traffic, heartbeats between services) similarly travels on its own path. Tenant VMs and containers interact with the network through OpenStack Neutron, which governs VLAN assignment, security group rules, and routing exclusively for workload traffic.

From a security standpoint, tenant workloads cannot observe or interfere with storage replication traffic or infrastructure communication. This architecture is particularly relevant for compliance-conscious workloads and regulated industries where network traffic segregation is a hard requirement, not just a best practice. The isolation is structural, enforced by how the platform is built, rather than a policy overlay applied after the fact.