This conceptual design provides you with an understanding of the network virtualization design.

The network virtualization conceptual design includes a perimeter firewall, a provider logical router, and the NSX for vSphere Logical Router. It also includes the external network, internal tenant network, and internal non-tenant network.

Note: In this document, tenant refers to a tenant of the cloud management platform within the compute/edge stack, or to a management application within the management stack.

Figure 1. Conceptual Tenant Overview

The conceptual design includes a perimeter firewall, provider logical router, and NSX logical router.

The conceptual design has the following key components.

External Networks
Connectivity to and from external networks is through the perimeter firewall. The main external network is the Internet.
Perimeter Firewall
The physical firewall exists at the perimeter of the data center. Each tenant receives either a full instance or a partition of an instance to filter external traffic.
Provider Logical Router (PLR)
The PLR exists behind the perimeter firewall and handles North-South traffic entering and leaving tenant workloads.
NSX Distributed Logical Router (DLR)
This logical router is optimized for forwarding in the virtualized space, that is, between VMs, on VXLAN port groups or VLAN-backed port groups.
Management Network
The management network is a VLAN-backed network that supports all management components such as vCenter Server, Platform Services Controller, NSX Manager and NSX Controllers, and Update Manager Download Service (UMDS).

In a dual-region environment, this network also handles Site Recovery Manager traffic.

Internal Non-Tenant Network
A single management network that sits behind the perimeter firewall but not behind the PLR. It enables customers to manage the tenant environments.
Internal Tenant Networks
These networks provide connectivity for the main tenant workload. They are connected to a DLR, which sits behind the PLR, and take the form of VXLAN-based NSX for vSphere logical switches. Tenant virtual machine workloads are directly attached to these networks.
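The placement rules above can be checked against a topology inventory. The following is an added example, not part of the original design documentation: it models the components as a graph and verifies that the perimeter firewall, PLR, and DLR are choke points for tenant traffic, while the internal non-tenant network sits behind the firewall only. Node names and both link lists are constructed for illustration; the management network is left out because the text does not state where it attaches.

```python
from collections import deque

# Constructed topologies; node names are illustrative labels, not NSX object names.
DESIGN = [("external", "perimeter-fw"), ("perimeter-fw", "plr"), ("plr", "dlr"),
          ("dlr", "tenant-net"), ("perimeter-fw", "non-tenant-net")]
# Drifted variant: a tenant segment has been uplinked straight to the firewall.
DRIFTED = DESIGN + [("perimeter-fw", "tenant-net")]

# destination -> (hops every external path must cross, hops it must not depend on)
RULES = {"tenant-net": (["perimeter-fw", "plr", "dlr"], []),
         "non-tenant-net": (["perimeter-fw"], ["plr"])}

def build(links):
    """Return an undirected adjacency map built from (a, b) link pairs."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def reachable(graph, src, dst, removed=frozenset()):
    """Breadth-first search that treats every node in `removed` as absent."""
    if src in removed or dst in removed:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph.get(node, ()):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return False

def violations(graph, src="external"):
    """List every placement rule of the conceptual design that the graph breaks."""
    found = []
    for dst, (must_cross, must_not_need) in RULES.items():
        if not reachable(graph, src, dst):
            found.append(f"{dst}: unreachable from {src}")
            continue
        for hop in must_cross:
            # A hop is a choke point only if removing it cuts off the destination.
            if reachable(graph, src, dst, {hop}):
                found.append(f"{dst}: path bypasses {hop}")
        for hop in must_not_need:
            if not reachable(graph, src, dst, {hop}):
                found.append(f"{dst}: sits behind {hop}")
    return found

if __name__ == "__main__":
    print(violations(build(DESIGN)))
    print(violations(build(DRIFTED)))
```

Feeding the checker links exported from a real inventory turns the conceptual diagram into a regression test for segmentation drift.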