To provide a highly flexible and secure network infrastructure in a multipurpose cloud environment, VMware Cloud Director uses a layered networking architecture with four categories of networks. The network categories are external networks, organization virtual data center (VDC) networks, data center group networks, and vApp networks. Most types of VMware Cloud Director networks require additional infrastructure objects, such as edge gateways and network pools.
An external network provides an uplink interface that connects networks and virtual machines in your VMware Cloud Director environment to outside networks, such as a VPN, a corporate intranet, or the public Internet.
An external network is backed either by a single vSphere network, by multiple vSphere networks, or by an NSX tier-0 logical router.
Only a system administrator can create an external network. For information about external networks, see VMware Cloud Director Service Provider Admin Guide.
A network pool is a collection of isolated layer-2 network segments that you can use to create vApp networks and certain types of organization VDC networks on demand.
Network pools must be created before organization VDC networks and vApp networks. If they do not exist, the only network option available to an organization is the direct connection to an external network.
Only a system administrator can create a network pool.
For information about network pools, see VMware Cloud Director Service Provider Admin Guide.
Organization VDC Networks
Organization virtual data center (VDC) networks enable vApps to communicate with each other or with external networks outside the organization.
Depending on the connection of the organization VDC network to an external network, there are several different types of organization VDC networks.
Organization VDC networks provide direct or routed connections to external networks, or can be isolated from external networks and other organization VDC networks. Routed connections require an edge gateway and a network pool in the organization VDC.
A system administrator or an organization administrator creates organization VDC networks and assigns them to your organization.
A newly created organization VDC has no networks available to it. After a system administrator creates the required network infrastructure, an organization administrator can create and manage most types of organization VDC networks.
Data Center Group Networks Backed by NSX Data Center for vSphere
A network backed by NSX Data Center for vSphere that spans a data center group. A data center group can comprise between one and 16 organization VDCs in a single or a multisite VMware Cloud Director deployment.
Data Center Group Networks Backed by NSX
Data center group networks are a type of organization VDC networks that are shared between one or more VDCs and to which vApps can connect.
A system administrator or an organization administrator creates data center group networks and scopes them to a single VDC group.
VMware Cloud Director supports isolated, imported, and routed data center group networks that are backed by NSX.
vApp networks allow virtual machines to communicate with each other or, by connecting to an organization VDC network, with virtual machines in other vApps.
A vApp network is contained within a vApp. A vApp network can be isolated from other networks or connected to an organization VDC network.
Every vApp contains a vApp network. The network is created when the vApp is deployed, and deleted when the vApp is undeployed.
An organization administrator sets up and controls vApp networks.
Types of Networks in a vApp
The virtual machines in a vApp can connect to vApp networks, which can be isolated, direct, or routed, and to organization VDC networks.
You can add networks of different types to a vApp to address multiple networking scenarios.
Virtual machines in the vApp can connect to the networks that are available in a vApp. If you want to connect a virtual machine to a different network, you must first add this network to the vApp.
A vApp can include vApp networks and organization VDC networks. An isolated vApp network is contained within the vApp.
You can also route a vApp network to an organization VDC network to provide connectivity to virtual machines outside of the vApp. For routed vApp networks, you can configure network services, such as a firewall and static routing.
You can connect a vApp directly to an organization VDC network.
For information, see Working with Networks in a vApp.
Fencing a vApp
If you have multiple vApps that contain identical virtual machines connected to the same organization VDC network that is backed by NSX Data Center for vSphere, and you want to start the vApps at the same time, you can fence the vApp. Fencing the vApp allows you to power on the virtual machines without a conflict, by isolating their MAC and IP addresses.
When you open the Networks tab of a vApp, if you see a notification that vApp fencing is not supported, this means that your organization VDC is backed by NSX. To avoid conflict between identical VMs in vApps connected to an NSX organization VDC network, it is best to use a routed vApp network and to set NAT rules.
An edge gateway provides a routed organization VDC network with connectivity to external networks and can provide services such as load balancing, network address translation, and a firewall. VMware Cloud Director supports IPv4 and IPv6 edge gateways.
Edge gateways require NSX Data Center for vSphere or NSX.