VMware {code}

Wednesday 23 April 2014

vCloud Networking

Different vCloud networks

I will attempt to lay out some of the networking concepts used in vCloud Director. To start, vCloud Director networking is divided into three network layers:
  • External Network
  • Organization Network
  • vApp Network

External Network

As the name says, this network connects to the external world; it is a network that is external to VMware vCloud Director. It can be used to connect to external networks such as the Internet, customer VPNs, or external VLANs. This is an outbound network that is always backed by a port group provided by the underlying vSphere infrastructure.


Organization Networks


An organizational network is a network that is contained within a vCloud Director organization and is available to all the vApps in the organization. An organization virtual datacenter network allows vApps within an organization to communicate with each other. You can connect an organization virtual datacenter network to an external network to provide external connectivity. You can also create an isolated organization virtual datacenter network that is internal to the organization. Certain types of organization virtual datacenter networks are backed by network pools.


Only system administrators can create organization virtual datacenter networks. System administrators and organization administrators can manage organization networks, although there are some limits to what an organization administrator can do.


Organization networks are sub-divided as below:
  • External-Direct: directly connected to an external network
  • External-Routed: connected to an external network through NAT routing
  • Private or Internal Org Network: isolated inside the organization

Below is the chart from VMware's "vCloud Director Administrator's Guide", which clearly defines these networks.

[Chart: organization network types, from the vCloud Director Administrator's Guide]

Example for "External-Direct" in vCloud Director.

[Figure: External-Direct organization network]

Example for "External-Routed" in vCloud Director.

[Figure: External-Routed organization network]

Example for "Private or Internal Org Network" in vCloud Director.

[Figure: Private or Internal organization network]


vApp Network

A vApp network is contained within a vApp and allows virtual machines in the vApp to communicate with each other. You can connect a vApp network to an organization network to allow the vApp to communicate with other vApps in the organization and outside of the organization (that is if the organization network is connected to an external network). vApp networks are backed by network pools.


Most users with access to a vApp can create and manage their own vApp networks. Working with vApp networks is described in the VMware vCloud Director User's Guide.


***********************************************************************************************************

Network Pools

A network pool is a group of undifferentiated networks that is available for use within an organization virtual datacenter. A network pool is backed by vSphere network resources such as VLAN IDs, port groups, or Cloud isolated networks. vCloud Director uses network pools to create NAT-routed and internal organization virtual datacenter networks and all vApp networks. Network traffic on each network in a pool is isolated at layer 2 from all other networks.

Each organization virtual datacenter in vCloud Director can have one network pool. Multiple organization virtual datacenters can share the same network pool. The network pool for an organization virtual datacenter provides the networks created to satisfy the network quota for an organization virtual datacenter.

Only system administrators can create and manage network pools. vCloud Director supports three types of network pool:

  • VLAN Backed
  • Port-Group Backed
  • vCD Network-Isolated Backed

VLAN Backed (Created on the Fly):

You can add a VLAN-backed network pool to register vSphere VLAN IDs for vCloud Director to use. A new VLAN from the pool is assigned whenever a new organization is created and is returned to the pool when it is deleted.

Some highlights:

  • Networks are created on the fly when requested.
  • Dynamic assignment of VLANs from the pool.
  • Better performance.
  • Best security and scalability.

Prerequisites:


Verify that a range of VLAN IDs and a vSphere distributed switch are available in vSphere. The VLAN IDs must be valid IDs that are configured in the physical switch to which the ESX/ESXi servers are connected.


PortGroup-backed (Pre-provisioned):

These are very similar to the VLAN-backed pools above, except that the port groups must already be provisioned in vSphere before the pool is created. They do not depend on a vSphere distributed switch (vDS) and can use third-party switches such as the Cisco Nexus 1000V. Before you create this network pool, the port groups must be provisioned on all hosts in the cluster, each backed by a single VLAN.

Some highlights:

  • Must be pre-provisioned.
  • Does not support VLAN trunking.
  • All port groups must be backed by a single VLAN.
  • Can use a third-party vDS.
  • Does not depend on the vSphere vDS.

vCloud Director Network Isolation Network Pools (vCD-NI):

A cloud isolated network spans hosts, provides traffic isolation from other networks, and is the best source for vApp networks. For each consumed network, vCloud Director creates a port group and assigns it a network ID number. This network ID is used to encapsulate the traffic: vCD uses MAC-in-MAC encapsulation, so the network ID, not a VLAN tag, keeps each network's frames separate.

Some highlights:

  • Works through MAC-in-MAC encapsulation.
  • Does not depend on VLANs.
  • Best source for vApp networks.
  • Requires a vDS to work.
  • Requires an MTU of 1600 to accommodate the extra MAC header.
  • On-demand creation of networks by the consumer.
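The prerequisites listed for the three pool types above lend themselves to a preflight check. The following is an added example (not from the original post and not a VMware API): it models a VLAN-backed pool that hands out and returns IDs on demand, and validates the port-group-backed and vCD-NI prerequisites against constructed sample inventory. The class and function names, the `switch_type` values and the host/port-group dictionaries are all assumptions made for the illustration.

```python
"""Preflight checks for vCloud Director network pools (constructed example)."""
from dataclasses import dataclass, field

VCDNI_MIN_MTU = 1600  # MAC-in-MAC adds an outer MAC header; 1500 is too small


@dataclass
class VlanBackedPool:
    """VLAN IDs are assigned on the fly and returned when the network is deleted."""
    vlan_range: range      # IDs registered with vCD (assumed input)
    switch_vlans: set      # IDs actually configured on the physical switch
    in_use: dict = field(default_factory=dict)   # network name -> VLAN ID

    def validate(self):
        """Registered IDs that the physical switch does not carry are a misconfiguration."""
        missing = sorted(set(self.vlan_range) - self.switch_vlans)
        return [f"VLAN {v} not configured on physical switch" for v in missing]

    def allocate(self, network):
        """Hand out the lowest free VLAN that the physical switch really carries."""
        for vid in self.vlan_range:
            if vid in self.switch_vlans and vid not in self.in_use.values():
                self.in_use[network] = vid
                return vid
        raise RuntimeError("VLAN pool exhausted")

    def release(self, network):
        """Return the VLAN to the pool when the network is deleted."""
        return self.in_use.pop(network)


def check_portgroup_pool(portgroups, hosts):
    """Pre-provisioned port groups: present on every host, one VLAN, no trunking."""
    errors = []
    for pg, cfg in portgroups.items():
        if set(cfg["hosts"]) != set(hosts):
            errors.append(f"{pg}: not provisioned on all hosts")
        if cfg.get("trunk") or len(cfg["vlans"]) != 1:
            errors.append(f"{pg}: must be backed by exactly one VLAN (no trunking)")
    return errors


def check_vcdni_pool(switch_type, uplink_mtu):
    """vCD-NI needs a vSphere distributed switch and an MTU of at least 1600."""
    errors = []
    if switch_type != "vds":          # "vds"/"vss" are assumed labels
        errors.append("vCD-NI requires a vSphere distributed switch")
    if uplink_mtu < VCDNI_MIN_MTU:
        errors.append(f"MTU {uplink_mtu} < {VCDNI_MIN_MTU} needed for MAC-in-MAC")
    return errors
```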

