vCloud Director networking leverages the Software-Defined Networking capabilities of vSphere and NSX to provide tenants with secure access to shared network resources. The service provider's responsibilities are limited to providing external connections and the networking infrastructure required to make those connections usable by tenants and allocation of system-level networking resources to network pools so that they can be consumed by tenants.

This brief overview of vCloud Director is intended to establish the context in which we can discuss provider-level and tenant-level networking requirements from a security configuration standpoint. These features are described in detail in the vCloud Director documentation at http://docs.vmware.com.

Provider-Level Network Resources

In the typical case, a service provider is responsible for creating one or more connections between vCloud Director and an external network such as the Internet or a customer's enterprise network. This sort of network is essentially a commodity IP network connection. It does not provide confidentiality if packets on it are intercepted at the physical level, and provides no vCloud Director VLAN or VXLAN network isolation features.

To enable tenant organization networking, the service provider must create one or more network pools that aggregate resources from ESXi DVswitches and portgroups in a form that can be made available to tenant organizations. (An external network does not consume resources from a network pool.) A VXLAN- or VLAN-backed Network Pool provides isolation using VLANs across a vNetwork Distributed Switch. A vCloud Director VXLAN network can also provide isolation by encapsulating Layer 2 packets in other Layer 2 packets (MAC-in-MAC) in the ESXi kernel, allowing the kernel when de-encapsulating packets to direct them to the correct guest virtual machines connected to the networks created out of this sort of pool.

The service provider is also responsible for creating and managing the NSX infrastructure that stands between the networks that tenants create for themselves and the system-level resources such as switches and portgroups provided by ESXi. From these resources, tenant organizations can create their own networks.

Organization VDC Networks

An organization VDC network allows virtual machines in the organization VDC to communicate with each other and to access other networks, including organization VDC networks and external networks, either directly or through an Edge Gateway that can provide firewall and NAT services.
  • A direct organization VDC network connects directly to an external network. Only a system administrator can create a direct organization VDC network.
  • A routed organization VDC network connects to an external network through an Edge Gateway. A routed organization VDC network also requires the containing VDC to include a network pool. After a system administrator has provisioned an organization VDC with an Edge Gateway and associated it with a network pool, organization administrator or system administrators can create routed organization VDC networks in that VDC.
  • An isolated organization VDC network does not require an Edge Gateway or external network, but does require the containing VDC to be associated with a network pool. After a system administrator has created an organization VDC with a network pool, organization administrators or system administrators can create isolated organization VDC networks in that VDC.
Table 1. Types of Organization VDC Networks and Their Requirements
Organization VDC Network Connection Description Requirements
Direct connection to an external network. Provides direct layer 2 connectivity to machines and networks outside of the organization VDC. Machines outside of this organization VDC can connect directly to machines within the organization VDC. The cloud must contain an external network.
Routed connection to an external network. Provides controlled access to machines and networks outside of the organization VDC via an Edge Gateway. System administrators and organization administrators can configure network address translation (NAT) and firewall settings on the gateway to make specific virtual machines in the VDC accessible from an external network. The VDC must contain an Edge Gateway and a network pool.
No connection to an external network. Provides an isolated, private network that machines in the organization VDC can connect to. This network provides no incoming or outgoing connectivity to machines outside this organization VDC. The VDC must contain a network pool.

By default, only virtual machines in the organization VDC that contains the network can use it. When you create an organization VDC network, you can specify that it is shared. A shared organization VDC network can be used by all virtual machines in the organization.

vApp Networks

Every vApp contains a vApp network. A vApp network is a logical network that controls how the virtual machines in a vApp connect to each other and to organization VDC networks. Users can create and update vApp networks and connect them to organization VDC networks, either directly or with NAT and Firewall protection.