The journey from traditional VMware vSphere environments to cloud-native OpenShift Virtualization reaches its culmination when we tackle advanced networking scenarios. To me, the real test comes when deploying complex multi-tier applications that require sophisticated network architectures, security policies, and performance optimization.
Red Hat OpenShift on IBM Cloud (ROKS) now supports the OpenShift Virtualization operator, so you can run virtual machine (VM) workloads on ROKS. See Installing the OpenShift Virtualization Operator on Red Hat OpenShift on IBM Cloud clusters.
ROKS on VPC provides a managed Kubernetes platform with integrated Red Hat OpenShift tooling. VPC-based clusters offer enhanced network isolation, multi-zone high availability, scalable infrastructure, and secure workload environments. This makes VPC an ideal foundation for running OpenShift Virtualization (Virt), which enables VM workloads alongside containers.
In this blog it is time to get hands-on: we build a ROKS cluster and then deploy a three-tier application so we can see how all the networking works. The scripts are published on GitHub so you can read the code.
This is the fourth and final blog in our series covering OpenShift Virtualization from a VMware administrator's perspective:
- Storage - Understanding persistent volumes and OpenShift Data Foundation
- Networking - Basic connectivity and network policies
- Migration - Moving workloads with Migration Toolkit for Virtualization
- Advanced Networking - Complex networking scenarios (this blog)
This blog leverages two GitHub repositories:
- The Demo 3-Tier App on ROKS contains files and scripts for deploying a complete solution consisting of a Red Hat OpenShift Kubernetes Service (ROKS) deployment on IBM Cloud and a 3-tier VM-hosted application on OpenShift Virtualization (OCP-V). The project provides end-to-end automation for both the ROKS infrastructure deployment and the three-tier application deployment, with proper network segmentation, security policies, and automated backup capabilities.
- The application VMs deployed by the scripts in the repo above use the Three-Tier Java Web Application, which contains a Java web application that demonstrates a complete three-tier architecture pattern. The application is specifically designed for deployment on IBM Cloud Red Hat OpenShift Kubernetes Service (ROKS) with OpenShift Virtualization.
These repositories provide a comprehensive reference implementation that teams can adapt for their specific networking requirements, creating a foundation for successful OpenShift Virtualization adoption in complex enterprise environments.
Building the Foundation: ROKS Deployment for Advanced Networking
Before diving into advanced networking concepts, we need a robust OpenShift environment that can support complex networking requirements. The ROKS deployment scripts provide an automated approach to building a test environment for this blog, and with a few tweaks, you could provision a production-ready environment optimized for OpenShift Virtualization workloads by deploying bare metal workers.
Infrastructure Prerequisites for Advanced Networking
The deploy_roks.sh script creates a comprehensive infrastructure foundation that goes far beyond basic OpenShift deployment. For advanced networking scenarios, this automated deployment establishes:
- VPC Network Architecture: The script provisions a Virtual Private Cloud with multiple subnets designed for multi-zone clusters.
- OpenShift Data Foundation Integration: Advanced networking often requires high-performance storage for database workloads and persistent connections. The automated ODF installation ensures that network-intensive applications have access to high-IOPS storage that won't become a bottleneck in multi-tier architectures.
- OpenShift Virtualization Enablement: The script automatically installs and configures the OpenShift Virtualization operator.
Deploying the Three-Tier Application: Advanced Networking in Action
Once the ROKS foundation is established, the real networking complexity emerges when deploying multi-tier applications. The deploy_vms.sh script from the GitHub repository demonstrates how advanced networking concepts translate into practical deployments.
Network Architecture Planning
The three-tier application deployment showcases network architecture planning that VMware administrators will recognize but need to reimagine for OpenShift environments:
- Traditional VMware Approach: In vSphere, you would typically create separate port groups for web, application, and database tiers, configure VLAN tagging, and implement security policies through distributed firewall rules or physical network ACLs.
- OpenShift Virtualization Approach: The deployment script creates a network architecture using Kubernetes-native constructs. Instead of VLANs, we use namespaces and network policies. Instead of port groups, we use services and network attachment definitions. The result is more granular control with greater automation capabilities.
Automated Network Segmentation
The deploy_vms.sh script implements sophisticated network segmentation automatically. As the script executes, it creates:
- Namespace Isolation: The deployment begins by creating a dedicated namespace that provides the first layer of network isolation. This is equivalent to creating a new cluster or resource pool in VMware, but with built-in network boundaries.
- Tier-Based Policies: The script automatically implements network policies that control east-west traffic between application tiers. Unlike VMware's distributed firewall which requires manual rule creation, these policies are declared as code and automatically enforced.
- Service Discovery Configuration: Perhaps most impressive for VMware administrators is how the script configures automatic service discovery. Instead of relying on static IP addresses or manual DNS entries, the deployment creates services that provide stable network endpoints regardless of underlying VM migrations or restarts.
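One way to express the tier-based policies described above, as an added example rather than the repo's own manifests; the namespace, the tier labels, and the ports 80, 8080 and 5432 are assumptions:

```yaml
# Added example, not from the repo: NetworkPolicies that enforce the tier
# boundaries of the three-tier VM app. Assumes each VirtualMachine template
# carries tier=web|app|db (OpenShift Virtualization copies these labels onto the
# VM's virt-launcher pod, so the policy applies to VM traffic) and the assumed
# ports 80 (web), 8080 (app) and 5432 (database).
# Apply with: oc apply -n <app-namespace> -f tier-policies.yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: web-allow-from-ingress}
spec:
  podSelector: {matchLabels: {tier: web}}
  policyTypes: [Ingress]
  ingress:
  - from:
    # Default label on OpenShift's openshift-ingress namespace, so the router
    # serving the Route can reach the web VM (assumes the default label is unchanged).
    - namespaceSelector:
        matchLabels: {policy-group.network.openshift.io/ingress: ""}
    ports:
    - {protocol: TCP, port: 80}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: app-allow-from-web}
spec:
  podSelector: {matchLabels: {tier: app}}
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector: {matchLabels: {tier: web}}   # same namespace only
    ports:
    - {protocol: TCP, port: 8080}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: db-allow-from-app}
spec:
  podSelector: {matchLabels: {tier: db}}
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector: {matchLabels: {tier: app}}   # web VMs cannot reach the DB directly
    ports:
    - {protocol: TCP, port: 5432}
```

Because each tier is selected by a policy, any ingress not listed (for example web to db, or another namespace to app) is dropped; verify with `oc describe networkpolicy -n <app-namespace>` and a connection test from a VM in the wrong tier. These policies govern only the default pod network: a VM interface attached through a network attachment definition (a secondary network) is not filtered by NetworkPolicy and needs its own controls.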
External Connectivity: Beyond Basic Ingress
One of the most significant differences between VMware and OpenShift Virtualization networking emerges in external connectivity patterns. The deployment scripts demonstrate two sophisticated approaches that provide flexibility for different enterprise requirements:
- Route-Based External Access.
- LoadBalancer Service Integration.
Route-Based External Access
The script configures OpenShift Routes that provide hostname-based external access with automatic SSL termination. For VMware administrators, this represents a significant improvement over traditional load balancer configuration:
- Automatic Certificate Management: Unlike VMware environments where SSL certificates require manual installation and renewal on load balancer appliances, OpenShift Routes integrate with Let's Encrypt or enterprise certificate authorities for automatic certificate lifecycle management.
- Path-Based Routing: The route configuration enables sophisticated traffic routing based on URL paths, headers, or other HTTP attributes—capabilities that would require expensive application delivery controllers in traditional VMware environments.
LoadBalancer Service Integration
For applications requiring direct IP access or non-HTTP protocols, the script also configures LoadBalancer services that integrate with IBM Cloud's VPC Load Balancer. This dual approach provides:
- Protocol Flexibility: While Routes excel at HTTP/HTTPS traffic, LoadBalancer services support any TCP protocol, making them ideal for database connections, messaging systems, or legacy applications with specific network requirements.
- Enterprise Integration: LoadBalancer services can integrate with existing enterprise load balancing infrastructure, providing migration paths for applications that depend on specific IP addresses or network configurations.
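The two external-access paths described above, as an added example that is not the repo's own manifests; the namespace, Service and Route names, hostname and ports are assumptions, and the IBM Cloud annotation used here selects a private VPC load balancer:

```yaml
# Added example, not from the repo: Route-based access for the web tier and a
# LoadBalancer Service for the database tier. Namespace three-tier-app, the
# hostname, Service names and ports are assumptions.
---
apiVersion: v1
kind: Service
metadata: {name: web, namespace: three-tier-app}
spec:
  selector: {tier: web}                  # matches the web VM's virt-launcher pod
  ports:
  - {name: http, port: 80, targetPort: 80}
---
apiVersion: route.openshift.io/v1
kind: Route
metadata: {name: web, namespace: three-tier-app}
spec:
  host: web.example.com                  # assumed hostname
  to: {kind: Service, name: web}
  port: {targetPort: http}
  tls:
    termination: edge                    # router terminates TLS; uses the ingress
                                         # controller's default certificate unless
                                         # spec.tls.certificate/key are supplied
    insecureEdgeTerminationPolicy: Redirect   # plain HTTP is redirected, never served
---
apiVersion: v1
kind: Service
metadata:
  name: db-external
  namespace: three-tier-app
  annotations:
    # IBM Cloud VPC: provision a private load balancer, reachable from the VPC
    # (and connected networks) but not from the internet
    service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: private
spec:
  type: LoadBalancer
  selector: {tier: db}
  ports:
  - {name: postgres, port: 5432, targetPort: 5432}
```

If the database tier is already selected by a NetworkPolicy that only admits the app tier, traffic arriving through the load balancer is dropped until that policy also allows the client source; check the assigned address with `oc get svc db-external -n three-tier-app` before troubleshooting the policy.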
Summary
Networking in OpenShift Virtualization represents a fundamental shift from traditional VMware paradigms, but the practical deployment example driven by the automated script is an ideal learning opportunity. Teams need time to adapt to Kubernetes-native networking concepts and troubleshooting approaches.
The script shows:
- Automation-First Approach: Infrastructure-as-code deployment eliminates configuration drift and provides consistent, repeatable network architectures.
- Integrated Security: Network policies provide fine-grained security controls that are automatically enforced and easily audited.
- Operational Simplicity: Declarative configurations and built-in monitoring reduce operational complexity while improving troubleshooting capabilities.
The combination of ROKS automated deployment and sophisticated VM networking provides enterprise-ready networking capabilities that match or exceed traditional VMware environments while offering cloud-native benefits like automatic scaling, integrated security, and infrastructure-as-code management.
For VMware administrators ready to embrace advanced networking in OpenShift Virtualization, this blog provides a practical starting point that demonstrates enterprise-grade networking patterns while reducing the complexity of initial implementations. The investment in learning these new paradigms pays dividends in operational efficiency, security posture, and application scalability that traditional virtualization platforms struggle to match.