This conceptual design provides you with an understanding of the network virtualization design.

The network virtualization conceptual design includes a perimeter firewall, a provider logical router, and the NSX for vSphere Logical Router. It also includes the external network, internal tenant network, and internal non-tenant network.

Note

In this document, tenant refers to a tenant of the cloud management platform within the compute/edge stack, or to a management application within the management stack.

Conceptual Tenant Overview
The conceptual design includes a perimeter firewall, provider logical router, and NSX logical router.

The conceptual design has the following key components.

External Networks

Connectivity to and from external networks is through the perimeter firewall. The main external network is the Internet.

Perimeter Firewall

The physical firewall exists at the perimeter of the data center. Each tenant receives either a full instance or partition of an instance to filter external traffic.

Provider Logical Router (PLR)

The PLR exists behind the perimeter firewall and handles north/south traffic that is entering and leaving tenant workloads.

NSX for vSphere Distributed Logical Router (DLR)

This logical router is optimized for forwarding in the virtualized space, that is, between VMs, on VXLAN port groups or VLAN-backed port groups.

Internal Non-Tenant Network

A single management network that sits behind the perimeter firewall but not behind the PLR. It enables customers to manage the tenant environments.

Internal Tenant Networks

Connectivity for the main tenant workload. These networks are connected to a DLR, which sits behind the PLR. These networks take the form of VXLAN-based NSX for vSphere logical switches. Tenant virtual machine workloads are directly attached to these networks.
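To make the containment relationships above concrete, the following added Python example (not part of the design documentation) models the "behind" relationships as a tree rooted at the external network and derives, for any pair of networks, the enforcement points a flow must traverse. The node names and the single-tenant tree are assumptions introduced for the model.

```python
"""Constructed model of the conceptual design: each component sits "behind"
exactly one component north of it, so the topology is a tree rooted at the
external network. Node names are assumptions, not identifiers from the design."""
from typing import Dict, List

# node -> the component immediately north of it (toward the external network)
PARENT: Dict[str, str] = {
    "perimeter_firewall": "internet",
    "plr": "perimeter_firewall",           # PLR sits behind the perimeter firewall
    "dlr": "plr",                          # DLR sits behind the PLR
    "tenant_network": "dlr",               # tenant logical switches attach to the DLR
    "management_network": "perimeter_firewall",  # behind the firewall, NOT behind the PLR
}

# Components that filter or route traffic; networks themselves are endpoints.
ENFORCEMENT_POINTS = {"perimeter_firewall", "plr", "dlr"}


def chain_from_external(node: str) -> List[str]:
    """Ordered hops from the external network down to `node`, root first."""
    hops = []
    while node in PARENT:
        hops.append(node)
        node = PARENT[node]
    hops.append(node)  # the root ("internet")
    return list(reversed(hops))


def boundaries_crossed(src: str, dst: str) -> List[str]:
    """Enforcement points a flow from src to dst passes through, in order.
    In a tree the path climbs from src to the lowest common ancestor and then
    descends to dst; a device is counted whenever the path runs through it,
    which says nothing about what policy that device applies."""
    a, b = chain_from_external(src), chain_from_external(dst)
    common = 0
    while common < min(len(a), len(b)) and a[common] == b[common]:
        common += 1
    up = list(reversed(a[common:-1]))       # src's side, excluding src itself
    down = b[common:-1]                     # dst's side, excluding dst itself
    path = up + [a[common - 1]] + down      # a[common-1] is the common ancestor
    return [hop for hop in path if hop in ENFORCEMENT_POINTS]


def design_violations() -> List[str]:
    """Invariants the prose states: north/south tenant traffic is filtered by the
    perimeter firewall, then handled by the PLR, then forwarded by the DLR; the
    management network is not behind the PLR."""
    problems = []
    if boundaries_crossed("internet", "tenant_network") != ["perimeter_firewall", "plr", "dlr"]:
        problems.append("tenant north/south path does not cross firewall -> PLR -> DLR")
    if "plr" in chain_from_external("management_network"):
        problems.append("management network is behind the PLR")
    return problems
```

Running `design_violations()` against the tree above returns an empty list; changing `management_network`'s parent to `plr` makes the second invariant fail, which is the kind of drift check worth keeping beside a topology definition.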