
Copyright © 2026, NVIDIA Corporation.


Network Isolation

NICo enforces separation between tenants across all network planes. This isolation is established automatically during instance provisioning — operators do not need to configure isolation manually.

Ethernet (North-South)

BlueField DPUs running HBN (Host-Based Networking with Containerized Cumulus) enforce L3 VXLAN/EVPN boundaries. Each VPC gets its own VRF (Virtual Routing and Forwarding instance) on every DPU that hosts an instance in that VPC. Traffic between VPCs is isolated at the network layer without requiring any leaf switch configuration changes.

Key properties:

  • Per-VPC VRF with dedicated VNI (VXLAN Network Identifier) from the site’s VNI pool
  • Route targets control which VRFs can exchange routes
  • deny_prefixes ACLs block tenant traffic from reaching management networks
  • Network Security Groups provide per-subnet firewall rules

For the full networking architecture, see VPC Network Virtualization.
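
The per-VPC VNI, route-target and deny_prefixes properties listed above can be checked mechanically. The following audit is an added example, not NICo code or NICo's data model: the record fields, route-target values and prefix lists are constructed sample data, and peering is assumed to be an explicit allow-list of VPC pairs.

```python
import ipaddress
from itertools import combinations

# Constructed sample data (hypothetical field names, not a NICo schema):
# one VRF per VPC, each with its own VNI and import/export route targets.
VRFS = [
    {"vpc": "a-prod", "tenant": "tenant-a", "vni": 10010,
     "import_rt": {"65000:10010"}, "export_rt": {"65000:10010"}},
    {"vpc": "a-dev", "tenant": "tenant-a", "vni": 10011,
     "import_rt": {"65000:10011"}, "export_rt": {"65000:10011"}},
    # Misconfigured on purpose: also imports a-prod's route target.
    {"vpc": "b-prod", "tenant": "tenant-b", "vni": 10020,
     "import_rt": {"65000:10020", "65000:10010"}, "export_rt": {"65000:10020"}},
]
PEERED = set()  # assumption: intended peerings as frozenset({vpc, vpc})
MGMT_NETS = ["10.0.0.0/16", "192.168.100.0/24"]  # constructed
DENY_PREFIXES = ["10.0.0.0/16"]                  # constructed


def route_leaks(vrfs, peered):
    """(importer, exporter) VPC pairs that exchange routes without peering."""
    leaks = []
    for a, b in combinations(vrfs, 2):
        if frozenset((a["vpc"], b["vpc"])) in peered:
            continue
        for imp, exp in ((a, b), (b, a)):
            # A VRF installs a route when one of the route's RTs is in its import set.
            if imp["import_rt"] & exp["export_rt"]:
                leaks.append((imp["vpc"], exp["vpc"]))
    return leaks


def duplicate_vnis(vrfs):
    """VNIs assigned to more than one VPC (each VPC needs a dedicated VNI)."""
    by_vni = {}
    for v in vrfs:
        by_vni.setdefault(v["vni"], []).append(v["vpc"])
    return {vni: vpcs for vni, vpcs in by_vni.items() if len(vpcs) > 1}


def uncovered_mgmt(mgmt_nets, deny_prefixes):
    """Management networks not fully contained in any deny prefix."""
    deny = [ipaddress.ip_network(p) for p in deny_prefixes]
    out = []
    for m in mgmt_nets:
        net = ipaddress.ip_network(m)
        if not any(net.version == d.version and net.subnet_of(d) for d in deny):
            out.append(m)
    return out
```

On the sample data, the audit reports that `b-prod` imports routes exported by `a-prod` and that `192.168.100.0/24` is not covered by any deny prefix.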

InfiniBand (East-West)

UFM assigns P_Key partitions to each tenant’s IB ports. Only hosts sharing a P_Key partition can communicate over InfiniBand, enforcing tenant isolation on the high-performance fabric.

View IB partition assignments:

nicocli tui
> infiniband-partition list
> infiniband-partition get

NVLink

NMX-M APIs configure NVLink partition assignments, ensuring that NVLink domains are dedicated to a single tenant. For GB200 NVL72 systems, NICo gates instance allocation on NVLink cluster readiness — if the fabric is not healthy, provisioning is blocked.

View NVLink partition state:

nicocli tui
> nvlink-logical-partition list
> nvlink-logical-partition get

What a Tenant Can and Cannot Access

| Resource | Tenant Can Access | Tenant Cannot Access |
|---|---|---|
| Instances | Own instances in own VPCs | Other tenants’ instances |
| Network | Traffic within own VPCs and subnets | Management networks, other tenants’ VPCs (unless peered) |
| Storage | NVMe on assigned machines | Storage on unassigned machines |
| InfiniBand | P_Key partitions assigned to their instances | Other tenants’ IB partitions |
| NVLink | NVLink domains allocated to their instances | Other tenants’ NVLink domains |
| BMC/UEFI | No access (managed by NICo) | All BMC and UEFI interfaces |