You can add an NSX-T on-demand NAT network component or NSX-T on-demand routed network component to the design canvas in preparation for associating their settings to one or more vSphere machine components in the blueprint.

When you associate an existing network component or an on-demand network component with a machine component, the NIC information is stored with the machine component. The network profile information that you specify is stored with the network component.

You can add multiple network and security components to the design canvas.

You can have more than one on-demand network component in a single blueprint. However, all of the on-demand network profiles that are used in the blueprint must reference the same external network profile.

For NSX-T, the network ranges that are used by the different networks in your blueprint cannot overlap. This restriction surfaces when you are configuring NSX-T Tier-1 router networks.

For vSphere machine components with associated NSX, use the network, security, and load balancing settings in the user interface. For machine components that do not have a Network or Security tab, you can add network and security custom properties, such as VirtualMachine.Network0.Name, to their Properties tab in the design canvas. NSX network, security, and load balancer properties are only applicable to vSphere machines.

Only the network profiles that are applicable to the current tenant are exposed when authoring a blueprint. Specifically, network profiles are made available if there is at least one reservation in the current tenant that has at least one network assigned to the profile.



  1. To display the list of available network and security components, click Network & Security in the Categories section.
  2. Drag an NSX-T On-Demand NAT or NSX-T On-Demand Routed network component onto the design canvas.
  3. To uniquely label the component in the design canvas, enter a component name in the ID text box.
  4. Select an appropriate network profile from the Parent network profile drop-down menu. For example, if you want to add a NAT network component, select a NAT network profile that is configured to support your intended network settings.

    If you want to specify NAT rules in a NAT network component, you must use a parent network profile that is configured for NAT one-to-many.

    Depending on the profile type you select, the following network settings are populated from the network profile. Changes to these values must be made in the network profile:
    • External network profile name
    • NAT type (NSX-T On-Demand NAT)
    • Subnet mask
    • Range subnet mask (NSX-T On-Demand Routed)
    • Base IP address (NSX-T On-Demand Routed)
  5. (Optional) Enter a component description in the Description text box.
  6. (Optional) Click the DNS/WINS tab.
  7. (Optional) Specify DNS and WINS settings for the network profile.
    • Primary DNS
    • Secondary DNS
    • DNS Suffix
    • Preferred WINS
    • Alternate WINS

    You cannot change the DNS or WINS settings for an existing network.

  8. Click the IP Ranges tab.

    The IP range or ranges specified in the network profile are displayed. You can change the sort order or column display. For NAT networks, you can also change IP range values.

    1. Enter a start IP address value in the IP range start text box.
  9. If you are using a NAT network that is based on a one-to-many NAT network profile that uses static IP ranges, you can use the NAT Rules tab to add rules that enable an external IP to access components in the internal NAT network.

    For a NAT one-to-many network, you can define NAT rules that can be configured when you add a NAT network component to the blueprint. You can change a NAT rule when you edit the NAT network in a deployment.

    The options that are available for selection are based on the vSphere machine components that you have associated to the NAT network component.

    • Name - Enter a unique rule name.
    • Component - Select from the list of vSphere machine or load balancer components that are associated with the NAT network.

      NAT rules are only supported for non-clustered machines. If you have specified a cluster size of more than 1, no components are listed because that configuration is not supported.

    • Source port - Select the ANY option, enter a valid port or port range, or specify a valid property binding.
    • Destination port - Select the ANY option, enter a valid port or port range, or specify a valid property binding.
    • Protocol - Enter any valid NSX-T-supported protocol or select the TCP, UDP, or ANY option.
    • Description - Enter a brief description of what the NAT rule is designed to do.
  10. To save the blueprint as draft or continue configuring the blueprint, click Save or Finish.
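The constraints stated on this page (one shared external network profile, no overlapping ranges between networks, NAT rules only on one-to-many profiles and non-clustered components) can be checked against a planned design before the blueprint is saved. The following is an added example, not VMware code: the dictionary layout, `check_blueprint`, and `valid_port` are hypothetical, property bindings are not resolved, and the ANY/ANY finding is a review heuristic rather than an NSX-T restriction.

```python
import ipaddress
from itertools import combinations

def valid_port(spec):
    """Accept ANY, one port, or a low-high range within 1-65535."""
    if spec == "ANY":
        return True
    parts = spec.split("-")
    if len(parts) > 2 or not all(p.isdecimal() for p in parts):
        return False  # property bindings are not resolved here; review by hand
    nums = [int(p) for p in parts]
    return 1 <= nums[0] <= nums[-1] <= 65535

def check_blueprint(networks, cluster_size):
    """Return findings for a list of on-demand network dicts (hypothetical model)."""
    findings = []
    if len({n["external_profile"] for n in networks}) > 1:
        findings.append("on-demand networks reference different external profiles")
    spans = [(ipaddress.ip_address(s), ipaddress.ip_address(e), n["id"])
             for n in networks for s, e in n["ip_ranges"]]
    for (s1, e1, a), (s2, e2, b) in combinations(spans, 2):
        if a != b and s1 <= e2 and s2 <= e1:  # inclusive ranges share an address
            findings.append(f"ranges overlap: {a} and {b}")
    for n in networks:
        for r in n.get("nat_rules", []):
            tag = f"{n['id']}/{r['name']}"
            if n.get("nat_type") != "one-to-many":
                findings.append(f"{tag}: NAT rules need a one-to-many profile")
            if cluster_size.get(r["component"], 1) > 1:
                findings.append(f"{tag}: component is clustered")
            for field in ("source_port", "destination_port"):
                if not valid_port(r[field]):
                    findings.append(f"{tag}: bad {field} {r[field]!r}")
            if r["destination_port"] == "ANY" and r["protocol"] == "ANY":  # heuristic
                findings.append(f"{tag}: exposes every port and protocol")
    return findings

# Constructed sample; the dict layout is hypothetical, not a vRealize Automation API
SAMPLE = [
    {"id": "web-nat", "external_profile": "ext-a", "nat_type": "one-to-many",
     "ip_ranges": [("192.168.10.10", "192.168.10.50")], "nat_rules": [
         {"name": "https", "component": "web", "source_port": "ANY",
          "destination_port": "443", "protocol": "TCP"},
         {"name": "all", "component": "db", "source_port": "ANY",
          "destination_port": "ANY", "protocol": "ANY"}]},
    {"id": "app-routed", "external_profile": "ext-b",
     "ip_ranges": [("192.168.10.40", "192.168.10.90")]},
]
CLUSTER = {"web": 1, "db": 2}  # constructed cluster sizes per machine component
print("\n".join(check_blueprint(SAMPLE, CLUSTER)))
```
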

What to do next

You can add network settings in the Network tab of a vSphere machine component.