A network profile defines a group of networks and network settings that are available for a cloud account in a particular region or data center in Cloud Assembly.

You define network profiles to support a target deployment environment, for example a small test environment where an existing network has outbound access only or a large load-balanced production environment that needs a set of security policies. Think of a network profile as a collection of workload-specific network characteristics.

What's in a network profile

A network profile contains the following information.

  • Networks

    Networks, also referred to as subnets, are logical subdivisions of an IP network. A network groups a cloud account, IP address or range, and network tags to control how and where to provision a blueprint deployment. Network parameters in the profile define how machines in the deployment can communicate with one another over IP layer 3. Networks can have tags.

    A network component in a blueprint is defined as one of the following networkType types.

    Network type



    Selects an existing network that is configured on the underlying cloud provider, such as vCenter, Amazon Web Services, and Microsoft Azure. An existing network is required by the outbound, private, and routed on-demand network types.

    You can define a range of static IP addresses on an existing network.


    The definition of a public network is identical to that of an existing network for all existing networks that allow network traffic to occur along public networks.


    Limits network traffic to occur only between resources on the deployed network. It prevents inbound and outbound traffic. In NSX, it can be equated to on-demand NAT one-to-many.


    Limits network traffic to occur between the compute resources in the deployment but also allows one-way outbound network traffic. In NSX, it can be equated to on-demand NAT one-to-many with external IP.


    Routed networks contain a routable IP space divided across available subnets that are linked together using Distributed Logical Router (DLR). The virtual machines that are provisioned with routed networks, and that have the same routed network profile, can communicate with each other and with an existing network.

    Routed networks are an on-demand network type that is available for NSX-V and NSX-T networks. A routed network is only available for blueprint specification in a Cloud.NSX.Network network component.

  • Tags

    Network tags exist on the network item itself, irrespective of the network profile. Network tags apply to every occurrence of the network they have been added to and to all network profiles that contain that network. Networks can be instanced into any number of network profiles. Regardless of network profile residency, a network tag is associated with that network wherever the network is used.

    Capability tags are optional. When used, capability tags are applied to all networks in the network profile, but only when the networks are used as part of that network profile. Capability tags are an optional grouping and naming tool for network profiles.

  • Network policies

    Network policy settings, such as the following NSX-V settings, are cloud account-specific and are described in the on-screen help:

    • Transport zone

    • CIDR

    • Subnet size

    • External network

    • Tier-0 logical router

    • Edge cluster

    Depending on the associated cloud account, you can use network policies to define settings for on-demand networks for the outbound, private, and routed network types and for on-demand security groups.

    • Do not create an on-demand network

      You can use this option when specifying an existing or public, or routed network type.

    • Create an on-demand network

      You can use this option when specifying an outbound, private, or routed network type.

      The specified network or subnet names and sizes for the network domain are used for on-demand networks that contain the outbound, private, or routed network types.

      For example, for an on-demand routed network you must specify a distributed logical network (DLR) when using an NSX-V cloud account.

    • Create an on-demand security group

      You can use this option when specifying an outbound or private network type.

      A new security group is created for matched blueprints if the network type is outbound or private.

  • Load balancers

    You can add load balancers that are used in the network profile. Available load balancers have been data-collected from the cloud account. You can update load balancers in the blueprint YAML.

  • Security

    You can use a security group to further define the isolation settings for a private or outbound network.

    Security groups are applied to all the machines in the deployment that are connected to the network that matches the network profile. As there might be multiple networks in a blueprint, each matching a different network profile, you can use different security groups for different networks.

    Listed security groups are available based on information that is data-collected from the source cloud account.

How does tag matching affect which networks are available for my blueprint deployments

When you deploy a blueprint, constraints in a blueprint's network components are matched to network tags. For network profiles that contain capability tags, the capability tags are applied to all networks that are available for that profile.

Based on tag matching, one or more networks in one or more matched network profiles are available for use when a blueprint is deployed. The network and security settings that are defined in the matched network profile are also applied when the blueprint is deployed.

Tag matching does not require that network profiles contain capability tags. For network profiles that do not contain capability tags, tag matching occurs on the network tags only. The network profiles that contain tag-matched networks, or matched subnets for Amazon Web Services and Microsoft Azure, are considered matched network profiles.

More information about network profiles

For more information about network profiles, see WordPress use case: add network profiles.

For more information about networks, see Network resources.

For more information about tags and tag strategy, see How to use tags to manage Cloud Assembly resources and deployments.