VMware Cloud Director integrates with NSX-T to build rich networking topologies and configure advanced network policies in the cloud.

Network Pools

A network pool is a group of undifferentiated networks that is available for use in an organization VDC to create vApp networks and certain types of organization VDC networks. VMware Cloud Director uses network pools to create NAT-routed and internal organization VDC networks and all vApp networks. Network traffic on each network in a pool is isolated at Layer 2 from all other networks.

Each organization VDC in VMware Cloud Director can have one network pool. Multiple organization VDCs can share a network pool. The network pool for an organization VDC provides the networks created to satisfy the network quota for an organization VDC.

Every provider VDC that is backed by NSX-T Data Center includes a Geneve network pool. When you create a provider VDC that is backed by NSX-T Data Center, you can associate that provider VDC with an existing Geneve network pool, or you can create a Geneve network pool for the provider VDC.

VMware Cloud Director Geneve networks provide a number of benefits:

  • Logical networks spanning Layer 3 boundaries

  • Logical networks spanning multiple racks on a single Layer 2

  • Broadcast containment

  • High performance

  • Increased scaling (up to 16 million network addresses)

External Networks

A VMware Cloud Director external network provides an uplink interface that connects networks and VMs in the system to a network outside of the system, such as a VPN, a corporate intranet, or the public Internet.


The range of IP addresses defined for the external network are allocated either to an edge gateway or to the VMs that are directly connected to the network. Hence, the IP addresses must not be used outside of VMware Cloud Director.

An external network can be backed by an NSX-T Data Center tier-0 logical router. You can also create an external network that is backed by a VRF-lite tier-0 gateway in NSX-T Data Center. A VRF gateway is created from a parent tier-0 gateway. It has its own routing tables. Multiple VRFs can exist within the parent tier-0 gateway. This allows VDCs to have their own external network without deploying multiple tier-0 gateways.

NSX Edge Gateways

An NSX-T Data Center edge gateway provides a routed organization VDC network or a data center group network with connectivity to external networks and IP management properties. It can also provide services such as firewall, NAT, IPSec VPN, DNS forwarding, and DHCP, which is enabled by default.


By using route advertisement, you can create a fully routed network environment in an organization virtual data center (VDC). You can decide which of the network subnets that are attached to the NSX-T Data Center edge gateway to advertise to the dedicated external network. If a subnet is not added to the advertisement filter, the route to it is not advertised to the external network and the subnet remains private.

Route advertisement is automatically configured on the NSX-T Data Center edge gateway. VMware Cloud Director supports automatic route redistribution when you use route advertisement on an NSX-T edge gateway. Route redistribution is automatically configured on the tier-0 logical router that represents the dedicated external network.

You can configure an external or internal Border Gateway Protocol (eBGP or iBGP) connection between an NSX-T Data Center edge gateway that has a dedicated external network and a router in your physical infrastructure.

  • BGP speaker: A networking device that is running BGP. Two BGP speakers establish a connection before any routing information is exchanged.

  • BGP neighbor: A BGP speaker that established a connection. After establishing the connection, the devices exchange routes and synchronize their tables. Each device sends keep-alive messages to keep this connection alive.

In an edge gateway that is connected to an external network backed by a VRF gateway, the local AS number and graceful restart settings are inherited from the parent Tier-0 gateway and they cannot be changed at the VRF level.

Table 1. Recommended VMware Cloud Director Network Design

Design Recommendation

Design Justification

Design Implication

Create a Geneve Network pool.

Required to create NSX-T backed network resources.


Create a dedicated external network per Organization.

Allows the use of a fully routed network topology.


Create a VRF per Organization.

Allows all Organizations to share a single parent Tier-0 gateway, while maintaining isolation between Organizations. Sharing a single parent gateway reduces the number of NSX Edges required in the deployment.

VRFs inherit the local AS and graceful restart configuration of the parent Tier-0, such that each VRF has the same local AS.

Create one or more Edge Gateways (Tier-1 gateways) per Organization VDC.

Enables networking services for the Organization VDC.