Versa Networks supports a multi-tenant architecture, enabling a parent organization to manage multiple sub-tenants, each with its own set of firewall, traffic steering, QoS, and other policy configurations. Under normal circumstances, each sub-tenant deploys unique service templates tailored to its operational requirements.


In scenarios where multiple sub-tenants require identical configurations, creating separate but identical templates introduces unnecessary duplication and management overhead.


Shared Service Templates
To streamline operations and improve maintainability, Versa provides Shared Service Templates. These templates are defined at the top-level (parent) organization and can be assigned to a device template by any sub-tenant. This approach reduces configuration redundancy, ensures consistency across tenants, and simplifies policy updates.


This document describes the procedure to configure and verify a Shared Service Template in Versa Director.


Lab Setup


The lab setup below has a top-level organization called FRB (First Retail Branch), along with two sub-tenants, Tenant1 and Tenant2.  Although not shown, Tenant1 has a configuration and device template both named Tenant1. Likewise, Tenant2 also has a configuration and device template named Tenant2.

 

 

A screenshot of a computer AI-generated content may be incorrect.


Configuration

Worksteps:

 

Step 1) Under the top-level FRB (First Retail Branch) organization Shared Service Template tab, create a service template.  Name the template, select the template type, and click the cog symbol to parameterize the Organization.

In this example, a Stateful Firewall template is created and named SHARED-TENANT1-TENANT2


 

 

Step2) Configure the SHARED-TENANT1-TENANT2 shared service stateful firewall template with a custom ruleset.

A screenshot of a computer AI-generated content may be incorrect.

 

 

Step 3) Even though the SHARED-TENANT1-TENANT2 service template was created in the top-level FRB (First Retail Branch) organization, it is available through the Tenant1 Device Group, which is part of the Tenant1 organization.


A screenshot of a computer AI-generated content may be incorrect.

 

Step 4) The SHARED-TENANT1-TENANT2 service template is also able to be attached to device group Tenant2, which is part of the Tenant2 organization.


A screenshot of a computer AI-generated content may be incorrect.

 

As seen from above, Shared Service template created at the top-level organization are available for use in suborganizations.

 

Handling Zones in a Shared Service Template

To use zones in a Shared Service Template, just add the zone but make sure it has the same name as the zone in the top-level or sub-tenant.  Below a zone is added to the Shared Service Template with the same name as the LAN zone in the Tenant1 device template.  This is just a placeholder name.  Note only the name field is selected.


A screenshot of a computer AI-generated content may be incorrect.

 

 

Add all the zones needed for the Shared Service Template FW rule set.   


A screenshot of a computer AI-generated content may be incorrect.

 


The zones are available to use in the policy: