This section describes key concepts to understand when using VeloCloud.


The VeloCloud service has four core configurations that have a hierarchical relationship. These configurations are created and values are entered in the VeloCloud Orchestrator.


The following table provides an overview of the four configurations.

Configuration Description
Network Defines basic network configurations, such as addressing and VLANs. Networks can be designated as Corporate or Guest and there can be multiple definitions of each.
Network Services Define several common services used by the VeloCloud Service, such as BackHaul Sites, Cloud VPN Hubs, Non-VeloCloud Sites, Cloud Proxy Services, DNS services, and Authentication Services.
Profile Defines a template configuration that can be applied to multiple Edges. A Profile is configured by selecting a Network and Network Services. A profile can be applied to one or more Edge models and defines the settings for the LAN, Internet, Wireless LAN, and WAN Edge Interfaces. Profiles can also provide settings for Wi-Fi Radio, SNMP, Netflow, Business Policies and Firewall configuration.
Edge Configurations provide a complete group of settings that can be downloaded to an Edge device. The Edge configuration is a composite of settings from a selected Profile, a selected Network, and Network Services. An Edge configuration also override settings or add ordered policies to those defined in the Profile, Network, and Network Services.

The following figure below shows a more detailed overview of the relationships between multiple Edges, Profiles, Networks, and Network Services.


Note that a single Profile can be assigned to multiple Edges. An individual Network configuration can be used in more than one Profile. Network Services configurations are used in all Profiles.

The preceding figure also gives an expanded view of the configuration settings of an Edge, Profile, Network, and Network Services, which are described in the following sections. The following sections also provide additional details for the four core configurations.


Networks are standard configurations that define network address spaces and VLAN assignments for Edges. Networks configure two network types:
  • Corporate (or trusted networks)
  • Guest (or untrusted networks)

Multiple Corporate and Guest Networks can be defined. VLANs can be assigned to both Corporate and Guest Networks.

  • Corporate Networks can be configured with either Overlapping Addresses or Non-overlapping Addresses. With overlapping addresses, all Edges using the Network have the same address space. Overlapping addresses are associated with non-VPN configurations.
  • Guest networks always use overlapping addresses.

With non-overlapping addresses, an address space is divided into blocks of an equal number of addresses. Non-overlapping addresses are associated with VPN configurations. The address blocks are assigned to Edges that use the Network so that each Edge has a unique set of addresses. Non-overlapping addresses are required for Edge-to-Edge and Edge -to- Non-VeloCloud Site VPN communication. The VeloCloud configuration creates the information necessary to access an Enterprise Data Center Gateway for VPN access. The following diagram shows how unique IP address blocks from a Network configuration are assigned to VeloCloud Edges. It also shows how IPSec configuration is generated by the VeloCloud Orchestrator. An administrator for the Enterprise Data Center Gateway uses the IPSec configuration information generated during Non-VeloCloud Site VPN configuration to configure the VPN tunnel to the Non-VeloCloud Site.


Note: When using non-overlapping addressing, the VeloCloud Orchestrator automatically allocates blocks of addresses based on the maximum number of Edges you predict will use the Network configuration.

Network Services

Network Services in VeloCloud Orchestrator allows you to define your Enterprise Network Services. These definitions can be used across all Profiles. This includes services for Authentication, Cloud Proxy, Non-VeloCloud Sites, and DNS. The possible services are defined in Network Services but are not used unless they are assigned in a Profile.


Profiles define a standard configuration for one or more VeloCloud Edges. A profile is a named configuration that defines a list of VLANs, Cloud VPN settings, Interface Settings (wired and wireless), and Network Services (such as DNS Settings, Authentication Settings, Cloud Proxy Settings, and VPN connections to Non-VeloCloud Sites).

Profiles provide Cloud VPN settings for Edges configured for VPN. The Cloud VPN Settings can enable/disable Edge-to-Edge and Edge-to- Non-VeloCloud Site VPN connections.

Profiles can also define rules and configuration for the VeloCloud Business Policy and Firewall settings.


The Edge configuration includes the assignment of a Profile, from which most of the Edge configuration is derived.

Most of the settings that are defined in a Profile, Network, or Network Services can be used without modification in an Edge configuration. However, overrides or ordered policy additions can be configured for several of the Edge configuration elements to tailor an Edge for a specific scenario.  This includes settings for Interfaces, Wi-Fi Radio Settings, DNS, Authentication, Business Policy, and Firewall.

Additions can also be made to an Edge configuration to augment settings not present in Profile or Network configuration. This includes Subnet Addressing, Static Route settings, and Inbound Firewall Rules (for Port Forwarding and 1:1 NAT).

Orchestrator Configuration Workflow

VeloCloud supports multiple configuration scenarios. Here are some common scenarios:

Scenario Description
SaaS : Used for Edges that do not require VPN connections between Edges, to a Non-VeloCloud Site, or to a VeloCloud Site. The workflow assumes the addressing for the Corporate Network uses overlapping addressing.
Non-VeloCloud Site via VPN Used for Edges that require a VPN connection to a Non-VeloCloud Site such as Amazon Web Services, Zscaler, Cisco ISR, or ASR 1000 Series. This workflow assumes the addressing for the Corporate Network uses non-overlapping addressing and that the Non-VeloCloud Sites are specified in the profile.
VeloCloud SiteVPN Used for Edges that require VPN connections to a VeloCloud Site such as an Edge Hub or a Cloud VPN Hub. This workflow assumes the addressing for the Corporate Network uses non-overlapping addressing and that the VeloCloud Sites are specified in the profile.

For each scenario, there are four major steps for configuration in the VeloCloud Orchestrator:

Step 1: Network

Step 2: Network Services

Step 3: Profile

Step 4: Edge

The following table provides a high-level outline of the steps required for a Quick Start configuration for each of the workflows. For Quick Start Configurations, preconfigured Network, Network Services, and Profile configurations are used. VPN configurations also require some modification of the existing VPN Profile and creating the configuration of a VeloCloud or Non-VeloCloud Site. The final step is to create a new Edge and activate it. Additional details (including screen captures) can be found in the Quick Start Configuration section.

Quick StartConfiguration Steps


Non-VeloCloud SiteSite VPN

VeloCloud Site VPN

Step 1: Network Select Quick Start Internet Network Select Quick Start VPN Network Select Quick Start VPN Network
Step 2: Network Service Use pre-configured Network Services Use pre-configured Network Services Use pre-configured Network Services
Step 3: Profile Select Quick Start Internet Profile

Select Quick Start VPN Profile

Enable Cloud VPN - Configure Non-VeloCloud Sites

Select Quick Start VPN Profile

Enable Cloud VPN- Configure VeloCloud Sites

Step 4: Edge Add New Edge and Activate Edge

Add New Edge and Activate Edge

Add New Edge and Activate Edge