vCloud Director has a layered network structure. There are three primary networking layers:
• External
• Organizational
• vApp
Most organizations will use external and organizational networking; I don’t see many companies taking advantage of vApp networking outside of hosting providers. I will give you a more detailed explanation after we discuss the fundamentals of each networking component.
External Networks
Surprise… Surprise… Guess what external networks do? Give up? They are the means of connecting to the outside infrastructure. If you don’t have an external network set up in vCloud Director, your Organizations and vApps can’t reach the outside world. External Networks are maintained by the Cloud Providers (IT Infrastructure Staff). To create a vCD External Network you point it at an existing vSphere port group, so whatever VLAN, upstream firewall and physical reachability that port group already has is exactly what the external network inherits; vCD adds no filtering of its own at this layer.
Organizational Networks
Organization Networks are where things get a little more dynamic. If you remember from my previous post, an organization is the workspace owned by an IT business partner or some other tenant. The organization is where you partition and allocate infrastructure resources so that the organizational owner can provision vApps.
The two simplest forms of the construct are the External Organization Network (Direct Connect) and the Internal Organization Network. An External Organization Network (Direct Connect) is straightforward: the VMs are bridged straight onto the External Network’s port group and take addresses from its IP pool, which gives them access to the Internet (or whatever else that network reaches) with nothing in vCD sitting between the two. Internal Organization Networks are only available inside the organization; they are an isolated segment with no path to the External Network.
The more complex option is the External Organization Network (NAT/Routed). This option is required if you are going to transfer your OVF-format vApps to a hybrid cloud partner, since the vApps then carry their own private addressing with them rather than depending on the provider’s pool. It gives the Organization its own private IP scheme, which the Organization owner can choose freely, on a dedicated layer 2 segment. That private network is then routed to the External Network.
If you launch your vSphere Client, you will see that a dedicated port group has been created to carry the organization’s segment and that a vShield Edge appliance has been deployed automatically. The vShield Edge provides the NAT, firewall and DHCP services that serve and protect this dedicated layer 2 segment; it is the only enforcement point between the organization and the External Network, so its firewall rule set is where the organization’s perimeter actually lives.
When working with your external cloud partner, you use the vShield Edge to build a secure VPN tunnel. In this deployment the NAT device translates the VPN address of the vShield Edge into a publicly reachable address facing the Internet, and the remote VPN router uses that public address to reach the vShield Edge. The remote VPN router can sit behind a NAT device as well. In that case IT must provide both the VPN native address and the NAT public address to set up the tunnel, because the peer sends packets to the public address but identifies the endpoint by its native one. On both ends, static one-to-one NAT is required for the VPN address.
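To make the addressing in that last paragraph concrete, here is a small planning helper I wrote for this post (it is not vShield Edge code and does not talk to the appliance). It works out, for each end of the tunnel, which address the far side dials and which address each side presents and expects as the IKE identity when one or both ends sit behind a NAT device. The field names (local_address, local_id, peer_address, peer_id) are my own labels for parameters every IPsec implementation has in some form; the addresses in the sample are made up.

```python
"""Added example: site-to-site VPN addressing when vShield Edge and/or the
partner router sit behind NAT.  Planning helper written for this post,
not vShield Edge code."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class VpnEndpoint:
    name: str
    vpn_address: str                    # the Edge's (or router's) own VPN interface address
    nat_public: Optional[str] = None    # public address a NAT device maps to vpn_address, if any
    nat_one_to_one: bool = True         # False if the NAT is port-overloaded (PAT) rather than static 1:1


def reachable_address(ep: VpnEndpoint) -> str:
    """Address the far side must dial: the NAT public address if there is one,
    otherwise the native VPN address."""
    return ep.nat_public or ep.vpn_address


def handoff(ep: VpnEndpoint) -> Dict[str, str]:
    """What IT hands to the partner for this endpoint: both addresses when NAT
    is involved, only the native address when it is not."""
    info = {"vpn_native_address": ep.vpn_address}
    if ep.nat_public:
        info["nat_public_address"] = ep.nat_public
    return info


def plan_tunnel(a: VpnEndpoint, b: VpnEndpoint) -> Dict[str, Dict[str, str]]:
    """Return the parameters each side configures, or raise if the NAT
    arrangement cannot carry the tunnel (static one-to-one NAT is required)."""
    for ep in (a, b):
        if ep.nat_public and not ep.nat_one_to_one:
            raise ValueError(f"{ep.name}: VPN behind NAT requires a static one-to-one mapping")

    def side(me: VpnEndpoint, peer: VpnEndpoint) -> Dict[str, str]:
        return {
            "local_address": me.vpn_address,          # interface the tunnel terminates on
            "local_id": me.vpn_address,               # identity presented in IKE: the native address
            "peer_address": reachable_address(peer),  # where packets are sent: the peer's public NAT address
            "peer_id": peer.vpn_address,              # identity expected from the peer: its native address
        }

    return {a.name: side(a, b), b.name: side(b, a)}


if __name__ == "__main__":
    # Constructed sample: the vCD Edge and the partner router both sit behind 1:1 NAT.
    edge = VpnEndpoint("vcd-edge", "172.16.10.1", nat_public="203.0.113.10")
    partner = VpnEndpoint("partner-router", "10.50.0.1", nat_public="198.51.100.7")
    for name, params in plan_tunnel(edge, partner).items():
        print(name, params)
    print("hand to partner:", handoff(edge))
```

The asymmetry is the whole point: peer_address is the other side's public NAT address, while peer_id is the other side's native address, which is why both must be exchanged.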
Like External Networks, Organization Networks are maintained by the Cloud Providers (IT Infrastructure Staff).
vApp Networks
vApp networks come in the same three types: vApp Network (Direct Connect), Internal vApp Network and vApp Network (NAT/Routed). A vApp Network is set up by the organization owner for a single vApp. The reason I don't see this being prevalent in most large companies is because I am skeptical that most consumers would have the desire or need to carve up their own network.
One good scenario for vApp Networks is fencing: two copies of the same development vApp, each on its own NAT/Routed vApp network, can run at the same time with identical virtual machines inside (same IP and MAC addresses behind each fence), because the vApp network's vShield Edge translates them toward the organization network.
There are limitless scenarios you can design with this layered approach; from a practical standpoint, though, most large organizations will implement organization networks that are direct connect, which means the segmentation and filtering they rely on has to live in the physical network behind the external port group rather than in vCD.
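To show what the layering implies for a tenant, here is an added example written for this post (not vCD's own code or API) that models the three layers and, for every organization and vApp network, reports whether its VMs can reach the outside world and how many vShield Edge boundaries sit in the path. It flags the direct-connect-all-the-way case where no vCD enforcement point exists, and the double-NAT case where a fenced vApp sits behind a routed organization network. I map the post's Direct Connect, Internal and NAT/Routed terms onto the fence-mode values bridged, isolated and natRouted as the vCloud API names them; the topology in sample_topology() is constructed, not a real deployment.

```python
"""Added example: a model of vCloud Director's three network layers.

For each org or vApp network it answers two questions a provider should be
able to answer for every tenant: can these VMs reach the external network,
and which vShield Edges (NAT/firewall) are in the path?  Illustrative code
for this post, not vCD code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fence modes as the vCloud API names them (my mapping onto the post's terms):
#   bridged = Direct Connect, isolated = Internal, natRouted = NAT/Routed
BRIDGED, ISOLATED, NAT_ROUTED = "bridged", "isolated", "natRouted"
LAYER_ORDER = {"external": 0, "org": 1, "vapp": 2}


@dataclass
class Network:
    name: str
    layer: str                          # "external", "org" or "vapp"
    fence_mode: Optional[str] = None    # None only for external networks
    parent: Optional["Network"] = None  # the network this one connects up to


def validate(net: Network) -> List[str]:
    """Structural checks: externals have no parent, isolated networks have no
    parent, bridged/natRouted networks connect to the layer directly above."""
    problems: List[str] = []
    if net.layer == "external":
        if net.fence_mode or net.parent:
            problems.append(f"{net.name}: external networks have no fence mode or parent")
        return problems
    if net.fence_mode == ISOLATED and net.parent is not None:
        problems.append(f"{net.name}: an internal (isolated) network must not have a parent")
    if net.fence_mode in (BRIDGED, NAT_ROUTED):
        if net.parent is None:
            problems.append(f"{net.name}: {net.fence_mode} networks need a parent")
        elif LAYER_ORDER[net.parent.layer] != LAYER_ORDER[net.layer] - 1:
            problems.append(f"{net.name}: a {net.layer} network must connect to the layer above it")
    return problems


def trace(net: Network) -> Tuple[bool, List[str]]:
    """Walk upward to the external layer.  Returns (reaches_external, names of
    the natRouted hops crossed, i.e. the vShield Edges in the path)."""
    edges: List[str] = []
    cur = net
    while cur.layer != "external":
        if cur.fence_mode == ISOLATED or cur.parent is None:
            return False, edges
        if cur.fence_mode == NAT_ROUTED:
            edges.append(cur.name)
        cur = cur.parent
    return True, edges


def assess(net: Network) -> str:
    reaches, edges = trace(net)
    if not reaches:
        return "isolated"    # no route out; only members of this segment are reachable
    if not edges:
        return "exposed"     # bridged straight onto the provider port group, no vCD enforcement point
    if len(edges) == 1:
        return "routed"      # exactly one NAT/firewall boundary
    return "double-nat"      # fenced vApp behind a routed org net; inbound needs a rule on each Edge


def sample_topology() -> Dict[str, Network]:
    """Constructed example topology (not from a real deployment)."""
    ext = Network("Internet-VLAN100", "external")
    org_direct = Network("Org-Direct", "org", BRIDGED, ext)
    org_routed = Network("Org-Routed", "org", NAT_ROUTED, ext)
    org_internal = Network("Org-Internal", "org", ISOLATED)
    vapp_bridged = Network("Web-vApp", "vapp", BRIDGED, org_direct)
    vapp_fenced = Network("Dev-Fenced", "vapp", NAT_ROUTED, org_routed)
    vapp_lab = Network("Lab-vApp", "vapp", ISOLATED)
    nets = (ext, org_direct, org_routed, org_internal, vapp_bridged, vapp_fenced, vapp_lab)
    return {n.name: n for n in nets}


def report(topology: Dict[str, Network]) -> Dict[str, str]:
    """Verdict per non-external network."""
    return {name: assess(n) for name, n in topology.items() if n.layer != "external"}


if __name__ == "__main__":
    topo = sample_topology()
    for n in topo.values():
        for problem in validate(n):
            print("WARN", problem)
    for name, verdict in report(topo).items():
        print(f"{name:14} {verdict}")
```

Run against a real inventory (for instance one exported from the vCD admin API), the "exposed" verdicts are the list of tenant segments whose only protection is whatever the physical network behind the external port group provides.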