The vCloud Director management network is a private network that serves the cloud infrastructure and provides access for client systems used to perform administrative functions on vCloud Director.
Systems that connect to the management network include the vCloud Director database server, an NFS server for transfer storage, the vCenter servers, an optional LDAPv3 directory for authenticating provider administrators, any LDAPv3 directories maintained by the provider for authenticating organization users, and NSX managers. The vCenter servers on this network also need access to their own Active Directory servers.
Virtual Infrastructure Management Network Configuration Requirements
It is important for the management network to be separate from the virtual machine data networks. This is even more important in a cloud environment where the provider and tenants are from separate organizations. You do not want to open the provider's management network to attack from the organizations' vApps. Similarly, the management network must be separate from the DMZ that provides access for organization administrators. Even though they may be accessing the same interfaces as provider system administrators, the DMZ concept is important in segmenting public from private traffic and providing defense in depth.
From a physical connectivity perspective, the virtual machine data network must be separate from the management network. This is the only way to protect management systems from malicious virtual machines. Likewise, the vCloud Director cells exist physically on the DMZ. In the physical deployment diagram, the servers in the management pod that connect over to the cloud pods do so via a separate physical network, and specific firewall rules allow this traffic to pass.
The internal firewall that mediates vCenter and vCloud Director connections to vSphere (and other networks) is required from a network architecture perspective. This is not a question of whether different virtual machines on a single host can connect to both a DMZ and a private network. Rather, there are virtual machines in that management pod, the cloud cells, that are themselves connecting to both networks. While the vCloud Director software was designed and implemented following VMware's Product Security Policy and with security requirements in mind, it is not a firewall itself and thus should not mediate traffic on its own between DMZ and private management networks. This is the role of the firewall.
Other Related Networks
As shown on the physical and logical deployment diagrams, the storage networks are also physically separate. This follows vSphere best practices and protects tenant and provider storage from malicious virtual machines. The same is true of the backup network. It is technically a branch off the management network. Its specific requirements and configuration depends on the backup software and configuration in use.
vMotion is not always placed on a separate network from the management network; however, in the cloud it is important from a Separation of Duties perspective. vMotion generally takes place in the clear, and if it is put on the management network, it allows a provider administrator or other user with access to that network to "sniff" on the vMotion traffic, violating organizations' privacy. For this reason, you should create a separate physical network for vMotion of cloud workloads.