The standard service provider deployment of vCloud Director envisions the sharing of vSphere resources among multiple tenant organizations. This provides the organizations with maximum flexibility and the provider with maximum utilization of the provisioned compute, network, and storage resources. Sample logical and physical deployment diagrams are below.

The rest of this subsection describes the components at a high level, while subsequent subsections describe specific recommendations regarding the resource pools, datastores, networking and other components' configuration.

Shared Resource Deployment

Physical Deployment Diagram and Logical Deployment Diagram are two views of the same vCloud Director installation. In these figures, we use the term "pod" to denote a group of resources (physical or virtual machines) dedicated to either system management ("management pod") or tenant workloads ("cloud pod").

Figure 1. Physical Deployment Diagram

Looking at Logical Deployment Diagram, the left side shows the vCloud Director cells in a load-balanced DMZ. The DMZ also contains a WAF and optionally a per-tenant administrative VPN. This VPN can be configured by a service provider for each organization to more strictly limit which users and IP addresses can access the services exposed through the WAF. In addition, a tenant can configure a VPN to connect their on-premises workloads and data with VMs in the cloud. Configuration of such VPNs is outside the scope of this document.

Figure 2. Logical Deployment Diagram

Behind the cells are the private management elements required by vCloud Director, including vCenter, NSX, the vCloud Director database, and so on. Their connections are strictly controlled by the firewalls in the diagram, as those services should not be accessible from other machines on the DMZ or directly from the Internet.

Figure Management Pod Networks focuses only on the management pod. It shows that there is a need for at least two, if not three, separate physical networks connected to that pod. This includes the load-balanced DMZ network, the Private Management network, and an optional dedicated Storage Network, with a provider-specific configuration.

Figure 3. Management Pod Networks

With respect to the vSphere hosts, grouped into different security domains, they each have External Networks exposed as a virtual machine DMZ data network for use as public organization VDC networks as well as virtual machine data networks for private organization VDC networks that may be routed to an External Network.

Figure Cloud Pod Networks focuses on the Cloud Pods. It shows four physical networks; however, the Storage Network is specific to the particular hardware and storage technologies chosen. If resource pools do not span clusters, you may not need to provide a physical VM data network. Otherwise (if resource pools span clusters), this document recommends a separate physical network for vMotion traffic.

Figure 4. Cloud Pod Networks

It is also assumed that typical datacenter security technologies, such as IDS/IPS, SIEM, configuration management, patch management, vulnerability management, anti-virus, and GRC management systems, will be applied to both the vCloud Director, its associated systems, vSphere and its associated systems, and the networks and storage infrastructure that support them. Details on these systems are also outside the scope of this document.