first of all what is the network infrastructure you are going to use e.g Cisco nexus, ASRs !!
for the logical design best way to get this done in a scalable and secure way is to use L2 VLANs combined with L3 VRF per customer
if you have an internet lin per customer you can have the virtulized path end to end
if you are using a shared Internet link for all the customers then you need to use some polices on the Internet edge router
check out the below links which will guide to the best way to design you virtualized network
http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html
http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/ServEdge.html
by the way if you are going to have multiple L3 Internet edge devices you may need to consider using MPLS with VPNv4 ( like ISP network design model )
hope this help