There are three categories of VMware Cloud Director networks: external networks, organization VDC networks, and vApp networks. Additional infrastructure objects such as Edge Gateways and network pools are required by most categories of networks and must be created by a system administrator.
A Virtual Infrastructure Administrator or Network Administrator can create networks in a VDC. Any VDC can support an isolated network. A VDC must be provisioned with an Edge Gateway to support a routed network.
You must be a system administrator to create an external network, a directly connected organization VDC network, a network pool, or an Edge Gateway. An organization administrator can create and modify routed and isolated organization VDC networks, and any user who has vApp Author rights can create and modify a vApp network.
vApp Networks
A vApp network is a logical network that controls how the virtual machines in a vApp connect to each other and to organization VDC networks. Users can create and update vApp networks and connect them to organization VDC networks. See About vApp Networks.
Organization VDC Networks
- A direct organization VDC network connects directly to an external network. Can be IPv4 or IPv6.
Only a system administrator can create a direct organization VDC network.
- A routed organization VDC network connects to an external network through an Edge Gateway. A routed organization VDC network also requires the containing VDC to include a network pool. After a system administrator has provisioned an organization VDC with an Edge Gateway and associated it with a network pool, organization administrators or system administrators can create routed organization VDC networks in that VDC. Can be IPv4 or IPv6.
- An isolated organization VDC network does not require an Edge Gateway or external network. Provides an isolated, private network that machines in the organization VDC can connect to. Can be backed by either a network pool or an NSX-T logical switch. Can be IPv4 only.
After a system administrator has created an organization VDC with a network pool, organization administrators or system administrators can create isolated organization VDC networks in that VDC.
Only the system administrator can create and manage NSX-T organization virtual data center networks by using the VMware Cloud Director OpenAPI or the VMware Cloud Director Service Provider Admin Portal.
- A cross-VDC network is part of a stretched network spanning a data center group. Can be IPv4 only.
Only the system administrator can create and manage cross-VDC networks by using the VMware Cloud Director OpenAPI or the VMware Cloud Director Tenant Portal.
For information about using the VMware Cloud Director OpenAPI, see Getting Started with VMware Cloud Director OpenAPI at https://code.vmware.com.
Most types of organization VDC networks do not provide any network services. Isolated organization VDC networks can specify a DhcpPoolService, which provides DHCP addresses from several pools of IP address ranges. All other services, such as NAT, firewall, and load balancing, are configured by a system administrator on the Edge Gateway to which the network connects.
By default, only virtual machines in the organization VDC that contains the network can use it. When you create an organization VDC network, you can specify that it is shared. A shared organization VDC network can be used by all virtual machines in the organization.
Organization VDC Networks
- A routed organization VDC network connects to other networks through the Edge Gateway created when the VDC was instantiated. If the VDC was instantiated from a template that does not include an Edge Gateway, it cannot contain a routed network. After a Virtual Infrastructure Administrator creates a VDC that includes an Edge Gateway, a Virtual Infrastructure Administrator or Network Administrator can create and manage routed networks in that VDC.
- An isolated organization VDC network does not require an Edge Gateway. After a Virtual Infrastructure Administrator creates a VDC, a Virtual Infrastructure Administrator or Network Administrator can create and manage isolated networks in that VDC whether or not it contains an Edge Gateway.
- Most types of organization VDC networks do not provide any network services. Isolated organization VDC networks can specify a DhcpPoolService, which provides DHCP addresses from several pools of IP address ranges. All other services, such as NAT, firewall, and load balancing, are configured by a Virtual Infrastructure Administrator or Network Administrator on the Edge Gateway to which the network connects.
By default, only virtual machines in the organization VDC that contains the network can use it. When you create an organization VDC network, you can specify that it is shared. A shared organization VDC network can be used by all virtual machines in all VDCs in the organization.
Edge Gateways
An Edge Gateway is a virtual router for organization VDC networks. You must be a system administrator to create an Edge Gateway. When a Virtual Infrastructure Administrator creates a VDC, the administrator can choose to have the VDC include an Edge Gateway.
VMware Cloud Director supports IPv4 and IPv6 Edge Gateways.
An Edge Gateway can provide any of the following services, defined in the GatewayFeatures element of the Edge Gateway's Configuration.
- FirewallService: Specifies firewall rules that, when matched, block or allow incoming or outgoing network traffic. See Firewall Service Configurations.
- GatewayDhcpService: Provides DHCP services to virtual machines on the network. A variant of this service, DhcpService, is intended to provide DHCP services in vApp networks. See Gateway DHCP Service Configurations.
- GatewayIpsecVpnService: Defines one or more virtual private networks that connect an Edge Gateway to another network in or outside of the cloud.
- LoadBalancerService: Distributes incoming requests across a set of servers. See Load Balancer Service Configurations.
- NatService: Provides network address translation services to computers on the network.
- StaticRoutingService: Specifies static routes to other networks. See Static Routing Service Configurations.
For an example of adding services to an Edge Gateway, see Configure Edge Gateway Services. For more information about any of these services, see the vShield Administration Guide.
For an example of how to see which IP addresses are currently in use in rules for an Edge Gateway, see #GUID-9F2B9F0C-74B6-4055-918F-41EE5769B20D.
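The following Python script is an added example, not code from the VMware documentation or product. It reads a GatewayFeatures element of the kind described above, lists the IP addresses referenced by enabled FirewallService and NatService rules, and flags enabled allow rules that match any source, destination, port and protocol. The sample XML is constructed here, and the element names and the vCloud API namespace are assumed from the vCloud API schema.

```python
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vmware.com/vcloud/v1.5"}  # assumed vCloud API namespace
# Constructed sample GatewayFeatures (element names assumed from the vCloud API schema).
SAMPLE = """<GatewayFeatures xmlns="http://www.vmware.com/vcloud/v1.5">
 <FirewallService><IsEnabled>true</IsEnabled><DefaultAction>drop</DefaultAction>
  <FirewallRule><IsEnabled>true</IsEnabled><Description>https to web01</Description>
   <Policy>allow</Policy><Protocols><Tcp>true</Tcp></Protocols>
   <DestinationPortRange>443</DestinationPortRange><DestinationIp>10.10.0.5</DestinationIp>
   <SourcePortRange>Any</SourcePortRange><SourceIp>Any</SourceIp></FirewallRule>
  <FirewallRule><IsEnabled>true</IsEnabled><Description>temporary debug</Description>
   <Policy>allow</Policy><Protocols><Any>true</Any></Protocols>
   <DestinationPortRange>Any</DestinationPortRange><DestinationIp>Any</DestinationIp>
   <SourcePortRange>Any</SourcePortRange><SourceIp>Any</SourceIp></FirewallRule>
 </FirewallService>
 <NatService><IsEnabled>true</IsEnabled>
  <NatRule><RuleType>DNAT</RuleType><IsEnabled>true</IsEnabled><GatewayNatRule>
   <OriginalIp>203.0.113.10</OriginalIp><TranslatedIp>10.10.0.5</TranslatedIp>
   <Protocol>tcp</Protocol></GatewayNatRule></NatRule>
 </NatService>
</GatewayFeatures>"""

def _text(el, tag):
    """Text of a direct child element in the vCloud namespace, or '' if absent."""
    node = el.find(f"v:{tag}", NS)
    return (node.text or "").strip() if node is not None else ""

def ips_in_use(features_xml):
    """Sorted IP addresses referenced by enabled firewall and NAT rules (Any/Internal/External are keywords)."""
    root = ET.fromstring(features_xml)
    ips = set()
    for rule in root.iterfind("v:FirewallService/v:FirewallRule", NS):
        if _text(rule, "IsEnabled") == "true":
            ips.update(_text(rule, t) for t in ("SourceIp", "DestinationIp"))
    for nat in root.iterfind("v:NatService/v:NatRule", NS):
        gw = nat.find("v:GatewayNatRule", NS)
        if gw is not None and _text(nat, "IsEnabled") == "true":
            ips.update(_text(gw, t) for t in ("OriginalIp", "TranslatedIp"))
    return sorted(ip for ip in ips if ip and ip.lower() not in ("any", "internal", "external"))

def permissive_rules(features_xml):
    """Descriptions of enabled allow rules that match any source, destination, port and protocol."""
    root = ET.fromstring(features_xml)
    wide = ("SourceIp", "DestinationIp", "DestinationPortRange")
    return [_text(r, "Description") for r in root.iterfind("v:FirewallService/v:FirewallRule", NS)
            if _text(r, "IsEnabled") == "true" and _text(r, "Policy") == "allow"
            and r.find("v:Protocols/v:Any", NS) is not None
            and all(_text(r, t).lower() == "any" for t in wide)]

if __name__ == "__main__":
    print("IPs in use:", ips_in_use(SAMPLE))
    print("Any/any allow rules:", permissive_rules(SAMPLE))
```

To run it against a live gateway, fetch the Edge Gateway's Configuration with the API and pass its GatewayFeatures element's XML to the two functions.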
External Networks and Network Pools
External networks and network pools are vSphere resources backed by vSphere portgroup, VLAN, or DVswitch objects. A system administrator must create them, as described in Create an External Network and Create a Network Pool. As a system administrator, you must supply a reference to an external network when you create an Edge Gateway. An organization VDC must include a reference to a network pool or it will not be able to contain routed or isolated networks. See Retrieve a List of External Networks and Network Pools.
External networks and network pools are system resources managed by vCloud Air administrators. All VDCs include a network pool.