VMware Cloud Director service provides multi-tenancy to VMware Cloud on AWS SDDCs.

Figure 1.

VMware Cloud Director service (CDS) applies to the following use cases:

  • Multi-Tenant Infrastructure

  • Multi-Tenant Infrastructure and FCAPS

VMware Cloud Director service is a software as a service application providing multi-tenancy support for VMware Cloud on AWS SDDC.

VMware Cloud Director service applies tenant isolation and resource pooling over existing SDDC fabric.

The key benefits of CDS are:

  • Provides multi-tenancy to a VMware Cloud on AWS SDDC, allowing self-service VM creation and pooling of SDDC resources across multiple tenants

  • Quickly provisions and scales high-availability instances for tenants, targeting 99.9% uptime of VMware Cloud Director service

  • Provides network isolation for each tenant with firewall, NAT, and public IP services

  • Uplifts security with L4 and L7 distributed firewalling that secures East-West traffic

  • A hybrid operational model for providers and tenants in a multi-site, self-service VMware Cloud Director experience

  • Automatic upgrades for new features and releases with no downtime impact

  • Inclusive monitoring of VMware Cloud Director instances and the VMC on AWS SDDC, with VMware service support and escalation

VMware Cloud Director service Consumption Models

VMware Cloud Director service extends the same management principles as the on-premises VMware Cloud Director solution, thereby offering tenants a shared virtual server model, a shared virtual data center model, or a dedicated virtual data center model. These tenant resources are assigned to an organization as an Org VDC (organization virtual data center) and are backed by resources from an underlying provider virtual data center (pVDC).

Pay-as-you-go is an on-demand Virtual Server offering with no upfront resource allocation or costs, providing a true public cloud experience. Customers only pay for what they use, and it is typically targeted for highly seasonal, variable, transient workloads like dev/test.

Allocation Pools provide a predictable cost model by guaranteeing resources and offering burst capacity so that workloads can still start when resources are running low. This is ideal for stable workloads that need guaranteed resources, such as databases.

Reservation Pools guarantee 100% of reserved capacity which is ideal for business-critical applications. Reservation Pools are recommended for businesses with predictable and stable workloads to avoid the undesirable potential of underutilized resources.

Architecture

VMware Cloud Director has been built from the ground up to run in Kubernetes pods ('cells') in a multi-zone cluster managed by VMware. For resiliency, this multi-zone capability is also used for the Postgres database instance, and storage is provided on highly available NFS.

The VMware Cloud Director service cells and the supporting services automatically scale on demand and are rapidly created or deleted as necessary. VMware Cloud Director service requires access to the SDDC via the Management Gateway. Tenants have portal access with direct access to other CSP services, and also reach the vApps, VMs, and Kubernetes clusters in their virtual data centers through their Org VDC Edge Gateway organization networks.

Essential Features and Capabilities

Lifecycle of Service

VMware Cloud Director service is available through Cloud Partner Navigator, a portal that allows cloud providers to deploy, provision, and manage VMware XaaS offerings and the tenant lifecycle. Using Cloud Partner Navigator, a cloud provider can subscribe to the VMware Cloud Director service, launch into it to create VMware Cloud Director service instances for tenants, join an instance to a VMware Cloud on AWS SDDC, and then provision organization resources and allocation pools.

Multi-Tenancy on VMC on AWS

VMware Cloud on AWS vSphere infrastructure provides the foundation for Cloud Director service architecture, providing a consumable set of resources into a Cloud Director Provider Virtual Data Center (pVDC). The pVDC is directly mapped to a vSphere DRS cluster or to a resource pool within a vSphere DRS cluster.

Each customer Organization Virtual Data Center (oVDC) uses resources from a pVDC; the pVDC is the link between the oVDC and the vSphere resources. To control how much an oVDC can consume, an allocation model is applied to the oVDC, restricting the vSphere resources it may use and balancing its needs against those of other oVDCs sharing the same pVDC.
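A constructed model of the pVDC/oVDC relationship and the three consumption models described above, added here as an example and not code from VMware Cloud Director. It assumes (not stated on the page) that capacity is tracked as CPU GHz and memory GB, that an Allocation Pool reserves a configurable guaranteed fraction of its allocation, and that a pVDC admits a new oVDC only while the sum of guaranteed resources fits its capacity, which is the check that stops one tenant's reservation from eating another's.

```python
from dataclasses import dataclass, field

MODELS = ("payg", "allocation", "reservation")


@dataclass
class OrgVdc:
    """One tenant oVDC. cpu_ghz/mem_gb are the upper bound the tenant may consume."""
    name: str
    model: str
    cpu_ghz: float
    mem_gb: float
    guaranteed: float = 0.0  # fraction of the allocation guaranteed (allocation pool only)

    def __post_init__(self):
        if self.model not in MODELS:
            raise ValueError(f"unknown allocation model: {self.model}")
        if not 0.0 <= self.guaranteed <= 1.0:
            raise ValueError("guaranteed fraction must be between 0 and 1")

    def reserved(self):
        """Resources the pVDC must hold back for this oVDC up front."""
        if self.model == "reservation":          # 100% of capacity reserved
            return self.cpu_ghz, self.mem_gb
        if self.model == "allocation":           # guaranteed share; rest is burst
            return self.cpu_ghz * self.guaranteed, self.mem_gb * self.guaranteed
        return 0.0, 0.0                          # pay-as-you-go reserves nothing


@dataclass
class ProviderVdc:
    """A pVDC mapped to one vSphere DRS cluster or resource pool."""
    cpu_ghz: float
    mem_gb: float
    org_vdcs: list = field(default_factory=list)

    def reserved_totals(self):
        cpu = sum(v.reserved()[0] for v in self.org_vdcs)
        mem = sum(v.reserved()[1] for v in self.org_vdcs)
        return cpu, mem

    def burst_headroom(self):
        """Unreserved capacity shared by PAYG tenants and allocation-pool burst."""
        cpu, mem = self.reserved_totals()
        return self.cpu_ghz - cpu, self.mem_gb - mem

    def admit(self, new: OrgVdc) -> bool:
        """Accept the oVDC only if all guaranteed resources still fit the pVDC."""
        cpu_free, mem_free = self.burst_headroom()
        need_cpu, need_mem = new.reserved()
        if need_cpu > cpu_free or need_mem > mem_free:
            return False
        self.org_vdcs.append(new)
        return True
```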

Security

As with VMware Cloud on AWS, the solution is provided by VMware and uses a least-privilege, restrictive access model: there is no root ESXi access, no VIB installations are permitted, and no VMware Cloud Director service configuration access is allowed. All of these layers are managed and serviced by VMware only.

At the backend, VMware manages a shared Kubernetes cluster for VMware Cloud Director service; tenants cannot see each other's namespaces, which provides isolation. One instance of the core services (Provider and Operator) runs for each deployment (development / staging / production). The services use Kubernetes autoscaling to adapt to incoming tenant and cloud provider service requests.

Networking

Networking in VMware Cloud on AWS is provided by NSX-T. There is no capability for vApp networking; the only networking features that can be configured in VMware Cloud Director service are the edge firewall, distributed L4 / L7 firewall, NAT, VRF-Lite services, L2 VPN, IPsec VPN, and public IP address assignment.

From a management perspective, the cloud provider manages the internet gateway and management gateway (T0) for all tenants and the compute gateway (T1) per tenant. The customer's Org Edge compute gateway (T1) is mapped to the VMware Cloud on AWS Compute Gateway (CGW), through which they access the service. Tenants can also self-manage their Edge compute gateway (T1) in VMware Cloud Director service if required.

Catalogs

VMware Cloud Director service organizations can use catalogs to store vApp templates and media files. Customer users in an organization who have access to a catalog can use its vApp templates and media files to create their own vApps. Organization administrators can copy items from a provider-managed public catalog to their organization catalog.