A network profile defines a group of networks and network settings that are available for a cloud account in a particular region or data center.

A network profile defines the networking options and capabilities that are made available to deployed machines, based on the network tags in the network component YAML in a blueprint.

Based on tag matching, one or more networks in one or more matched network profiles are available for use when a blueprint is deployed. The network and security settings that are defined in the matched network profile are also applied when the blueprint is deployed.

You typically define network profiles to support a target deployment environment, for example a small test environment where an existing network has outbound access only or a large load-balanced production environment that needs a set of security policies. Think of a network profile as a collection of workload-specific network characteristics.

When you deploy a blueprint, constraints in a blueprint's network components are matched to network tags. For network profiles that contain capability tags, the capability tags are applied to all networks that are available for that profile. See What are tags.


Tag matching does not require that network profiles contain capability tags. For network profiles that do not contain capability tags, tag matching occurs on the network tags only. The network profiles that contain tag-matched networks, or matched subnets for Amazon Web Services and Microsoft Azure, are considered matched network profiles.

A network profile contains the following information. While some settings are optional, they all play an important role.

  • Capabilities

    Capability tags are applied to all networks in the network profile, but only when the networks are used as part of that network profile. Capability tags are an optional grouping and naming tool for network profiles.

  • Networks

    Networks, also referred to as subnets, are logical subdivisions of an IP network. A network groups a cloud account, IP address or range, and network tags to control how and where to provision a blueprint deployment. Network parameters in the profile define how machines in the deployment can communicate with one another over IP layer 3.

    Network tags exist on the network item itself, irrespective of the network profile. Network tags apply to every instance of the network they have been added to and to all network profiles that contain that network. Networks can be instanced into any number of network profiles. Regardless of network profile residency, a network tag is associated with that network wherever the network is used.

  • Network policies

    A network component is defined in a blueprint as one of the following networkType types in the blueprint YAML:

    • existing

    • public

    • private

    • outbound

    • routed

      In blueprint YAML, the routed network type is available only in the Cloud.NSX.Network resource type, not in the cloud-agnostic Cloud.Network resource type.

    Depending on the associated cloud account, you can use network policies to define settings for on-demand networks for the outbound and private network types.

    For example, for an on-demand routed network you must specify a distributed logical router (DLR) when using an NSX-V cloud account.

    Routed networks are an on-demand network type that is available for NSX-V and NSX-T networks.

    • Do not create an on-demand network

      This network profile can't be used for blueprints that contain the outbound and private network types.

    • Create an on-demand network

      The specified network or subnet names and sizes for the network domain are used for on-demand networks that contain the outbound and private network types. The network profile can also match other network type values, for example existing or public.

    • Create an on-demand security group

      A new security group is created for matched blueprints if the network type is outbound or private.

      Network policy settings, such as the following NSX-V settings, are cloud account-specific and are described in the on-screen help:

      • Transport zone

      • CIDR

      • Subnet size

      • External network

      • Tier-0 logical router

      • Edge cluster

  • Load balancers

    You can add load balancer settings for the networks that are used in the network profile. Available load balancers have been data-collected from the cloud account. You can also update load balancer settings in the blueprint YAML.

  • Security

    You can use a security group to further define the isolation settings for a private or outbound network.

    Security groups are applied to all the machines in the deployment that are connected to the network that matches the network profile. As there might be multiple networks in a blueprint, each matching a different network profile, you can use different security groups for different networks.

    Listed security groups are available based on information that has been data-collected from the source cloud account.
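
The following blueprint fragment is an added example, not taken from the product documentation. It shows two network components with different tag constraints, so that each can match a different network profile and therefore receive a different security group. The tag values (zone:web, zone:db), the resource names, and the image and flavor names are constructed placeholders.

```yaml
# Added example: tag, image and flavor values are constructed placeholders.
formatVersion: 1
resources:
  web_net:
    type: Cloud.Network
    properties:
      # existing: matched against networks that already carry the tag,
      # either as a network tag or through a profile's capability tags.
      networkType: existing
      constraints:
        - tag: 'zone:web'
  db_net:
    type: Cloud.Network
    properties:
      # private: a profile whose policy is "Do not create an on-demand
      # network" can't be used for a blueprint that contains this type.
      networkType: private
      constraints:
        - tag: 'zone:db'
  web_vm:
    type: Cloud.Machine
    properties:
      image: ubuntu
      flavor: small
      networks:
        # Security groups of the profile matched by web_net apply here.
        - network: '${resource.web_net.id}'
  db_vm:
    type: Cloud.Machine
    properties:
      image: ubuntu
      flavor: small
      networks:
        # Security groups of the profile matched by db_net apply here.
        - network: '${resource.db_net.id}'
```

Because network tags follow a network into every profile that contains it, check which profiles hold a network tagged zone:web before relying on the constraint to select one specific profile and its security group.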

For introductory information about using network profiles, see WordPress use case: add network profiles.

For overall information about available networks, see Network resources.