The Features element of a vApp NetworkConfigSection defines the network services available to virtual machines in the vApp.

A vApp network can be configured to provide many of the same kinds of services available in an organization VDC network. Configuration parameters for these services are similar to those of their counterparts on an Edge Gateway, but scoped to the needs of a vApp network.

For more information about VMware Cloud Director networks, see About VMware Cloud Director Networks. For more information about network services for organization VDC networks, see Configure Edge Gateway Services

DHCP Service

A DhcpService element defines an IP address range and lease policies for a DHCP service that can be used by virtual machines in the vApp. Unlike a DHCP service in an Edge Gateway, it can support only a single IP address range, as shown in this example.

<DhcpService>
   <IsEnabled>true</IsEnabled>
   <DefaultLeaseTime>3600</DefaultLeaseTime>
   <MaxLeaseTime>7200</MaxLeaseTime>
   <IpRange>
      <StartAddress>192.168.3.2</StartAddress>
      <EndAddress>192.168.3.99</EndAddress>
   </IpRange>
</DhcpService>

Firewall Service

A FirewallService element defines firewall rules that, when matched, block or allow incoming or outgoing traffic on the vApp network. A firewall rule in a vApp network can specify the destination as a combination of address and port, or as a specific virtual NIC in a Vm. This FirewallService allows TCP traffic to ports 21 and 22.

<FirewallService>
   <IsEnabled>true</IsEnabled>
   <FirewallRule>
      <IsEnabled>true</IsEnabled>
      <Description>FTP Rule</Description>
      <Policy>allow</Policy>
      <Protocols>
         <Tcp>true</Tcp>
      </Protocols>
      <DestinationPortRange>21</DestinationPortRange>
      <DestinationIp>10.147.115.1</DestinationIp>
      <SourcePortRange>any</SourcePortRange>
      <SourceIp>any</SourceIp>
      <EnableLogging>false</EnableLogging>
   </FirewallRule>
   <FirewallRule>
      <IsEnabled>true</IsEnabled>
      <Description>SSH Rule</Description>
      <Policy>allow</Policy>
      <Protocols>
         <Tcp>true</Tcp>
      </Protocols>
      <DestinationPortRange>22</DestinationPortRange>
      <DestinationIp>10.147.115.1</DestinationIp>
      <SourcePortRange>any</SourcePortRange>
      <SourceIp>any</SourceIp>
      <EnableLogging>false</EnableLogging>
   </FirewallRule>
</FirewallService>

You can see this example in the context of a vApp NetworkConfigSection in Update a NetworkConfigSection

An alternate implementation of the second FirewallRule in this example includes a DestinationVm element that specifies the destination as a specific virtual NIC (identified in the VmNicId element) in a specific Vm (identified in the VAppScopedVmId element. The value of VAppScopedVmId is taken from the VAppScopedLocalId element of the Vm and the VmNicId value is taken from its PrimaryNetworkConnectionIndex. See Configuration Links in a Vm Element. The IpType is set to assigned, indicating that the NIC retains its assigned IP address. If you set IpType is set to NAT, the IP address of the NIC is its translated address.

<FirewallRule>
   <IsEnabled>true</IsEnabled>
   <Description>allow ssh to a specific NIC in a specific Vm</Description>
   <Policy>allow</Policy>
   <Protocols>
      <Tcp>true</Tcp>
   </Protocols>
   <DestinationPortRange>22</DestinationPortRange>
   <DestinationVm>
      <VAppScopedVmId>3963994b-5a0a-48fe-b9ae-7f9a2d8e8e5b</VAppScopedVmId>
      <VmNicId>0</VmNicId>
      <IpType>assigned</IpType>
   </DestinationVm>
   <SourcePortRange>Any</SourcePortRange>
   <SourceIp>Any</SourceIp>
   <EnableLogging>false</EnableLogging>
</FirewallRule>

NAT Service

A NatService element defines network address translation services to virtual machines on the network. This simple NatService defines a single rule that implements an IP translation NAT strategy for a single Vm.

<NatService>
   <IsEnabled>true</IsEnabled>
   <NatType>ipTranslation</NatType>
   <Policy>allowTraffic</Policy>
   <NatRule>
      <OneToOneVmRule>
         <MappingMode>automatic</MappingMode>
         <VAppScopedVmId>3963994b-5a0a-48fe-b9ae-7f9a2d8e8e5b</VAppScopedVmId>
         <VmNicId>0</VmNicId>
      </OneToOneVmRule>
   </NatRule>
</NatService>

You can see this example in the context of a vApp NetworkConfigSection in Update a NetworkConfigSection

A NatService element like this one configures the service to use port forwarding instead of IP translation. Instead of using a OneToOneVmRule, which specifies one external IP address to one NIC, it uses a VmRule element, which enables port forwarding by allowing one external IP address to be forward to different ports on different virtual machines.
<NatService>
   <IsEnabled>true</IsEnabled>
   <NatType>portForwarding</NatType>
   <Policy>allowTraffic</Policy>
   <NatRule>
      <VmRule>
         <ExternalPort>22</ExternalPort>
         <VAppScopedVmId>3963994b-5a0a-48fe-b9ae-7f9a2d8e8e5b</VAppScopedVmId>
         <VmNicId>0</VmNicId>
         <InternalPort>22</InternalPort>
         <Protocol>TCP</Protocol>
      </VmRule>
   </NatRule>
</NatService>

Static Routing Service

A StaticRoutingService specifies static routes to other networks. In addition to creating static routes from organization VDC networks on an EdgeGateway (see Static Routes Between Organization VDC Networks, you can create static routes between vApp networks if they both define the same ParentNetwork. Assume two vApp networks that have the following properties:

  • The Configuration of the vApp network in vApp1 has a RouterInfo element whose ExternalIp value is 192.168.0.100.
  • The Configuration of the vApp network in vApp2 has a RouterInfo element whose ExternalIp value is 192.168.0.101.
  • Both vApp networks have the same ParentNetwork, an organization VDC network whose network specification in CIDR notation is 192.168.0.0/24.

You can enable static routing between these two vApp networks by inserting a StaticRoutingService element in the Features of each vApp network Configuration. This excerpt from the NetworkConfigSection of vApp1 shows the network's Configuration and Features elements..

<!-- Static route from vApp network 1 to vApp network 2 -->
<Configuration>
   ...
   <Features>
      <StaticRoutingService>
         <IsEnabled>true</IsEnabled>
         <StaticRoute>
            <Name>TovAppNet2</Name>
            <Network>192.168.2.0/24</Network>
            <NextHopIp>192.168.0.101</NextHopIp>
            <Interface>External</Interface>
         </StaticRoute>
       </StaticRoutingService>
   </Features>
   ...
</Configuration>

This is a similar excerpt from the NetworkConfigSection of vApp2.

<!-- Static route from vApp network 2 to vApp network 1 -->
<Configuration>
   ...
   <Features>
      <StaticRoutingService>
         <IsEnabled>true</IsEnabled>
         <StaticRoute>
            <Name>TovAppNet1</Name>
            <Network>192.168.1.0/24</Network>
            <NextHopIp>192.168.0.100</NextHopIp>
            <Interface>External</Interface>
         </StaticRoute>
      </StaticRoutingService>
   </Features>
   ...
</Configuration>