Rkaczor
Cadet

One license, two environments, and network-isolated controllers—possible?

Hey folks,

I’m planning a deployment of Red Hat Ansible Automation Platform across two separate environments but under a single license, and I’m trying to figure out the cleanest architecture to keep things network-isolated while still centrally manageable.

What I’m aiming for:

  • Two Automation Controller hosts, each confined to its own network, managing their own local Execution Hosts.

  • Ideally, a hub-and-spoke model: one primary (parent) controller that can communicate with several secondary (child) controllers.

    • The parent should be able to talk to each child.

    • Children must not be able to communicate with each other.

  • Strong multi-tenancy boundaries so that admins on one child controller (or “tenant”) cannot see or touch resources owned by admins on another child/controller.

  • If possible, use a “tenant-like” separation (orgs/projects/inventories/credentials/etc.) so teams remain blind to each other’s assets.

Questions:

  1. Is there a supported way to deploy AAP to achieve this parent/child controller model with strict east-west isolation between children?

  2. Any recommended patterns for controller-to-controller network flows (ports, directionality) that keep child controllers isolated from each other but reachable from the parent?

  3. Would you implement this with organizations/teams/RBAC only, or is a multi-controller topology preferable for hard network boundaries?

  4. For Execution Hosts in each network: better to keep them attached only to the local child controller, or is there a safe way to register them up to the parent without breaking isolation?

  5. Any licensing gotchas when running multiple controllers/execution nodes across two environments under one license?

  6. If you’ve done this in practice, do you have reference architectures, gotchas, or hard-won lessons (failover, mesh connectivity, credential isolation, logging, etc.)?

Constraints & nice-to-haves:

  • One license spanning both environments.

  • Parent can see/manage children; children can’t see each other.

  • Clear administrative isolation so that Child A admins can’t view resources from Child B.

  • Prefer minimal cross-network openings—only the flows that are absolutely required.

Thanks in advance for any guidance, docs, or war stories!
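The "tenant-like" separation asked about above (organizations, teams, RBAC) can be expressed as controller configuration. The playbook below is an added example, not code from the original post or from Red Hat; it assumes the `awx.awx` collection (the supported `ansible.controller` collection exposes the same module names for AAP) and controller credentials supplied through the `CONTROLLER_HOST`, `CONTROLLER_USERNAME` and `CONTROLLER_PASSWORD` environment variables. The tenant, team and inventory names are constructed placeholders.

```yaml
# Added example (not from the original post): one organization per tenant, each
# with an admin team whose admin role is scoped to its own organization only.
# Assumes the awx.awx collection and CONTROLLER_HOST/USERNAME/PASSWORD in the
# environment; tenant names below are constructed placeholders.
- name: Tenant isolation via organization-scoped RBAC
  hosts: localhost
  gather_facts: false
  vars:
    tenants:
      - name: tenant-a
        admin_team: tenant-a-admins
      - name: tenant-b
        admin_team: tenant-b-admins
  tasks:
    - name: Create one organization per tenant
      awx.awx.organization:
        name: "{{ item.name }}"
        state: present
      loop: "{{ tenants }}"

    - name: Create an admin team inside each tenant organization
      awx.awx.team:
        name: "{{ item.admin_team }}"
        organization: "{{ item.name }}"
        state: present
      loop: "{{ tenants }}"

    - name: Grant each team the admin role on its own organization only
      # No role is granted on the other tenant's organization, so its
      # projects, inventories and credentials stay invisible to this team.
      awx.awx.role:
        team: "{{ item.admin_team }}"
        organization: "{{ item.name }}"
        role: admin
        state: present
      loop: "{{ tenants }}"

    - name: Keep tenant resources inside the tenant organization
      # Inventories (and likewise projects and credentials) are owned by the
      # organization, so organization-scoped RBAC governs who can see them.
      awx.awx.inventory:
        name: "{{ item.name }}-inventory"
        organization: "{{ item.name }}"
        state: present
      loop: "{{ tenants }}"
```

Two caveats a practitioner would check: organization-scoped RBAC is a logical boundary inside one controller, not a network boundary, and users holding the System Administrator or System Auditor role can still see every organization, so those roles need to stay with the parent-level administrators rather than with tenant admins.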

1 Reply
Chetan_Tiwary_
Community Manager

@Rkaczor, with my little knowledge of your scenario, I can say two things:

1. Controller of controllers: https://www.redhat.com/en/blog/controller-of-controllers-with-red-hat-application-interconnect

2. I think a multi-controller topology, because of your network isolation requirement.

3. Regarding license and subscription, you need to engage RH Ansible product support on this.

The best advice would be to engage RH Ansible product support to achieve such an architecture in production, because it is complex, challenging and multi-pronged in approach.
