This paper describes an architecture for the management of QoS-enabled virtual private networks (VPNs) over the Internet. The architecture focuses on two important issues of VPNs: security and Quality-of-Service (QoS). Security in these VPNs is based on IPSec tunnels, while QoS can be supported by mechanisms such as those proposed for Differentiated Services, currently being defined by the IETF. The architecture is based on the concept of service brokers, which are used for communication between different domains (such as ISP and customer networks) as well as within domains. The architecture described in the paper is currently being implemented as part of the CATI project funded by the Swiss National Science Foundation (SNF).