{"slug": "one-click-multi-tenant-security-with-nvidia-quantum-infiniband", "title": "One-Click Multi-Tenant Security with NVIDIA Quantum InfiniBand", "summary": "NVIDIA introduced intent-based security profiles in its Unified Fabric Manager for Quantum InfiniBand, enabling network administrators to configure multi-tenant fabric security with a single click. The three profiles — General, Bare Metal Cloud, and Secured Bare Metal Cloud — automate partition key isolation, management datagram key protection, and GUID-based access control, reducing deployment time from hours or days to minutes. This allows cloud providers to enforce hardware-based tenant isolation across tens of thousands of GPUs without manual Subnet Manager configuration, addressing critical security needs in AI and hyperscale computing environments.", "body_md": "[NVIDIA Quantum InfiniBand](https://www.nvidia.com/en-us/networking/products/infiniband/) now offers intent-based security profiles in Unified Fabric Manager (UFM) that enable multi-tenant fabric security in a single click.\n\nNVIDIA Quantum InfiniBand supports three profiles: General, Bare Metal Cloud, and Secured Bare Metal Cloud. Network administrators can now auto-configure:\n\n- Partition Key (PKey) isolation\n- Management Datagram (MAD) key protection\n- Global Unique Identifier (GUID)-based access control\n- Continuous validation\n\nThis cuts deployment time to minutes from hours or days, letting cloud providers run hardware-enforced tenant isolation across tens of thousands of GPUs without manual Subnet Manager (SM) configuration.\n\nWith the exponential growth of AI, HPC, and hyperscale cloud computing, the integrity of the network fabric is more critical than ever, yet many networks treat security as an afterthought.\n\nInfiniBand takes the opposite approach: security extends across every layer of the fabric. 
While InfiniBand is best known for ultra-low latency, high throughput, and massive scalability, its [multilayered security architecture](https://docs.nvidia.com/networking/display/nvidiainfinibandsecurityoverviewandguidelines) is equally robust.\n\nThis post explains how intent-based profiles make it easy to deploy.\n\n## Why traditional networks fall short on multi-tenant security\n\nInfiniBand is a software-defined, centrally managed fabric. In traditional networking, endpoints often operate independently, making their own routing, resource, and policy decisions. This lack of centralized oversight can lead to misconfigurations, inconsistent policies, and security vulnerabilities. NVIDIA Quantum InfiniBand avoids this by centralizing control in UFM, which enforces global policies, optimizes routes, monitors health, and proactively secures the fabric.\n\nDespite NVIDIA providing robust solutions such as integrity mechanisms and hardware-enforced tenant isolation, such features remain underutilized because Quantum InfiniBand isn’t as widely understood as Ethernet.\n\nThere is currently a critical need to bridge the gap between InfiniBand’s advanced security capabilities and the user’s ability to easily implement them without deep domain expertise. In agentic AI environments that are connecting tens of thousands of GPUs with thousands of switches, even a minor configuration error in tenant isolation can compromise sensitive proprietary data or disrupt massive distributed workloads. Security features must be scalable and easy to deploy to make customers’ work easier and their clusters more secure.\n\nTo address these issues, NVIDIA presents a one-click solution for enabling InfiniBand security features.\n\n## What are intent-based security profiles for NVIDIA Quantum InfiniBand?\n\nNVIDIA is introducing intent-based security profiles to simplify and standardize security configuration across different deployment models. 
Instead of manually configuring multiple parameters, users can select a predefined profile, and UFM will automatically orchestrate all underlying security settings.\n\nThe following are key benefits of intent-based profiles:\n\n- **Fewer errors**: Profiles implement and deploy security features as NVIDIA engineering intends, protecting against misunderstandings or missing documentation.\n- **Configuration time reduction**: Transitioning from manual, multi-step UFM/SM configurations to pre-configured, intent-based profiles can reduce the time spent on learning, adapting configurations, deployment, and testing to minutes from hours or days.\n- **Zero-touch scaling**: Hundreds of nodes can be added to a multi-tenant environment without a linear increase in security management overhead.\n- **No security downtime**: When a new security feature is added, it is added to the relevant profile configurations, removing the transition phase between releasing a new feature and enabling it in deployment.\n\nThe General profile is designed for single-tenant environments with a basic out-of-the-box configuration.\n\nBare Metal Cloud is tailored for multi-tenant cloud environments and Secured Bare Metal Cloud is a hardened profile for highly secure multi-tenant environments.\n\nThe following sections will go into more detail about the Bare Metal Cloud and Secured Bare Metal Cloud profile types.\n\n### The Bare Metal Cloud profile\n\nThe Bare Metal Cloud profile enables [PKey-based isolation](https://docs.nvidia.com/networking/display/winof2v31052010lts/infiniband+network#src-132450561_InfiniBandNetwork-PKeysDefaultandnon-defaultPKeys), providing tenant separation within cloud environments over the InfiniBand management network.\n\nAnalogous to Ethernet VLANs, InfiniBand partitioning with PKeys defines which nodes or ports can access network resources, using hardware mechanisms to prevent ports in one partition from accessing another.\n\nWhat makes this mechanism particularly well-suited to multi-tenant 
deployments is that partition assignment is controlled entirely by the SM: Nodes can’t determine their own partitions, and applications can’t specify which partition to use; they can only reference partitions already assigned to their port.\n\nPort attributes are stored in hardware and are accessible only via the Management Key (MKey), which is known exclusively to the SM and the InfiniBand silicon. This architecture gives cloud service providers and data center operators a strong isolation guarantee. Tenants sharing the same physical InfiniBand fabric are cryptographically and logically separated at the hardware level, with no reliance on host-side software enforcement that a tenant with elevated privileges could circumvent.\n\n### The Secured Bare Metal Cloud profile\n\nThe Secured Bare Metal Cloud profile builds on PKey isolation and enables a comprehensive set of security features required for secure multi-tenant cloud environments:\n\n- Full MAD key protection with randomized seeds, including: MKEY, VSKEY, PMKEY, CCKEY, Class C key (N2N), AM and job keys, SMKEY, and SAKEY\n- GUID-based access control using the `allowed_guid_list` feature\n- Service-level authentication via `service_key` (e.g., for AM services)\n- Enhanced SA trust model applied to all commands\n- MAD rate limiting (MAD Limiter) to protect against abuse and congestion\n- DoS/DDoS Protection: Automatically identifies and limits excessive packet rates from individual nodes to protect the management node.\n- Source-Based Rate Limiting: Operates by monitoring and controlling traffic based on the source LID address of each node.\n\nThis approach reduces complexity, minimizes configuration errors, and ensures consistent security enforcement across deployments, allowing users to align infrastructure behavior with their intended operational model.\n\n## How to validate NVIDIA Quantum InfiniBand security posture with CSV\n\nAnother feature supported for NVIDIA Quantum InfiniBand deployments is 
Continuous Security Verification (CSV). This is a new UFM diagnostic capability that performs static analysis and log-based auditing. It provides users with a “Security Health Score” as well as specific, automated remediation steps for any detected vulnerabilities.\n\nCombined with intent-based profiles, this proactive diagnostic tool is critical for ensuring efficient and secure network operations.\n\nIn Figure 1, below, the screenshots show the flow for generating the security report.\n\nIn the System Health tab, users select Security from the top menu.\n\nNext, users select the desired verbosity level (Errors, Errors and Warnings, and Info), as well as the option to test PKeys settings, and then run the report. See Figure 2, below:\n\nOnce the report is completed, the results will display a list of errors, warnings, and information messages based on the selected verbosity level. See Figure 3, below:\n\n## Going further\n\nFor more information about guidelines and best practices for translating complex fabric security features into actionable deployment, learn more by reading the [NVIDIA Quantum InfiniBand security white paper](https://docs.nvidia.com/networking/display/nvidiainfinibandsecurityoverviewandguidelines).", "url": "https://wpnews.pro/news/one-click-multi-tenant-security-with-nvidia-quantum-infiniband", "canonical_source": "https://developer.nvidia.com/blog/one-click-multi-tenant-security-with-nvidia-quantum-infiniband/", "published_at": "2026-06-11 19:52:37+00:00", "updated_at": "2026-06-11 21:10:40.144705+00:00", "lang": "en", "topics": ["ai-infrastructure", "ai-chips", "artificial-intelligence", "machine-learning", "ai-products"], "entities": ["NVIDIA", "Quantum InfiniBand", "Unified Fabric Manager", "UFM", "InfiniBand", "Subnet Manager", "SM", "Bare Metal Cloud"], "alternates": {"html": "https://wpnews.pro/news/one-click-multi-tenant-security-with-nvidia-quantum-infiniband", "markdown": 
"https://wpnews.pro/news/one-click-multi-tenant-security-with-nvidia-quantum-infiniband.md", "text": "https://wpnews.pro/news/one-click-multi-tenant-security-with-nvidia-quantum-infiniband.txt", "jsonld": "https://wpnews.pro/news/one-click-multi-tenant-security-with-nvidia-quantum-infiniband.jsonld"}}