Your configuration decisions within Virtual Private Cloud OnDemand have network security implications.

The type of networks you add to Virtual Private Cloud OnDemand and how you connect your virtual machines to those networks have security considerations as well. Connect your virtual machines to the appropriate networks based on their security needs.

Security Differences Between Network Types

Routed Network

Required for: Virtual machines that need access to external networks.

Benefits: Connecting virtual machines to routed networks gives those virtual machines access to the networking services provided by a gateway: firewall, NAT, and load balancing.

Isolated Network

Required for: Workloads that need to be isolated, and workloads subject to specific security policies; for example, compliance rules that a particular application cannot be connected directly to the Internet.

Benefits: Isolated networks are not connected to gateways; therefore, they are ideal for running internal applications, such as the log servers, tracking servers, and database servers that you want to isolate from direct Internet traffic.

Note

You can give a virtual machine two NICs and connect one interface to the routed network and the other interface to the isolated network. Such a dual-homed virtual machine is then a path between the two networks, so harden it and restrict what it is allowed to forward.
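The placement rules above, as an added example that is not part of the original page or VMware's code: a small Python audit over a constructed inventory that flags a virtual machine whose NIC connections conflict with its policy (a no-direct-Internet workload on a routed network, an external-facing workload with no routed NIC) and calls out dual-homed virtual machines for hardening review. The network and virtual machine names and the policy flags needs_external and no_direct_internet are assumptions for the example; in practice you would build the inventory from your vCloud environment.

```python
"""Audit virtual machine network placement against the routed/isolated model.

Added example, not VMware code. The networks, virtual machines and policy
flags below are constructed sample data. Network kinds follow the page: a
routed network is attached to a gateway, an isolated network is not.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Network:
    name: str
    kind: str  # "routed" (gateway-attached) or "isolated" (no gateway)


@dataclass(frozen=True)
class VirtualMachine:
    name: str
    nics: tuple                       # names of the networks each NIC connects to
    needs_external: bool = False      # must reach external networks / the Internet
    no_direct_internet: bool = False  # compliance: must not sit on a routed network


def audit(networks: Dict[str, Network], vms: List[VirtualMachine]) -> List[str]:
    """Return one finding per placement that conflicts with the security model."""
    findings = []
    for vm in vms:
        unknown = [n for n in vm.nics if n not in networks]
        if unknown:
            findings.append(f"{vm.name}: NIC on unknown network(s) {unknown}")
            continue
        kinds = {networks[n].kind for n in vm.nics}
        if vm.needs_external and "routed" not in kinds:
            findings.append(f"{vm.name}: needs external access but has no NIC on a routed network")
        if vm.no_direct_internet and "routed" in kinds:
            routed = [n for n in vm.nics if networks[n].kind == "routed"]
            findings.append(f"{vm.name}: policy forbids direct Internet exposure, "
                            f"yet a NIC is on routed network(s) {routed}")
        if {"routed", "isolated"} <= kinds:
            # Dual-homed VMs are legitimate (see the Note above) but they bridge
            # the two segments, so call them out for hardening review.
            findings.append(f"{vm.name}: dual-homed across routed and isolated networks; "
                            "it is a path into the isolated segment")
    return findings


# Constructed sample inventory (hypothetical names).
SAMPLE_NETWORKS = {
    "app-routed": Network("app-routed", "routed"),
    "backend-isolated": Network("backend-isolated", "isolated"),
}
SAMPLE_VMS = [
    VirtualMachine("web01", ("app-routed",), needs_external=True),
    VirtualMachine("db01", ("backend-isolated",), no_direct_internet=True),
    VirtualMachine("log01", ("app-routed",), no_direct_internet=True),      # misplaced
    VirtualMachine("app01", ("app-routed", "backend-isolated")),            # dual NIC
    VirtualMachine("batch01", ("backend-isolated",), needs_external=True),  # cannot reach out
]


def run_sample() -> List[str]:
    return audit(SAMPLE_NETWORKS, SAMPLE_VMS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Running the sample reports three findings: log01 is exposed against its policy, app01 is dual-homed, and batch01 has no route to external networks; web01 and db01 are placed correctly.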

The following products and solutions are supported with Virtual Private Cloud OnDemand and work together to provide its network security.

Product Interactions to Provide Security in Virtual Private Cloud OnDemand

The following security functions are available in Virtual Private Cloud OnDemand:

Gateway: firewall, IP address management, and routing

Threat mitigation: third-party antivirus, traffic analysis, and threat mitigation appliances

Third-party appliances: virtual appliances of your choice allowing you to deploy your own security policies

VXLAN: the foundation for elastic portable virtual data centers

Virtual Private Cloud OnDemand supports threat mitigation by allowing you to deploy your own antivirus or traffic-inspection solution (such as McAfee antivirus) and configure static routing between the gateway interfaces so that all traffic traverses the appliance first and only then reaches your virtual machines. Check that no other route, such as a network that is still attached directly to the gateway, lets traffic reach the virtual machines without passing through the appliance.

Virtual Private Cloud OnDemand supports the deployment of third-party virtual appliances into the cloud. For example, if your policies are built on a Palo Alto Networks security appliance, or on appliances deployed onsite at your data center, you can deploy the same third-party virtual appliance in Virtual Private Cloud OnDemand and run network traffic to your virtual machines through it. Using the same virtual appliance in Virtual Private Cloud OnDemand that you use onsite, Virtual Private Cloud OnDemand becomes an extension of your onsite environment under the same security policy. Virtual Private Cloud OnDemand supports the deployment of any third-party virtual appliance supported by VMware vSphere, such as F5, RSA (SecurID), and Riverbed (caching).

Additionally, you can use a third-party appliance with your isolated networks in Virtual Private Cloud OnDemand. Isolated networks, which are not connected to the gateway, can connect to a third-party appliance, and the appliance itself can have access to the gateway. In that design the appliance is the only path between the isolated network and the gateway, so its policy decides what traffic reaches the isolated workloads.
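The static-routing design described above (gateway to appliance to virtual machines), as an added example that is not part of the original page or VMware's code. It models a gateway and an appliance with constructed, hypothetical addresses, resolves the next hop with a longest-prefix match, and traces the path a packet takes to a virtual machine. The second topology shows the bypass a practitioner has to check for: if the virtual machine network is also attached directly to the gateway, the connected route wins over the static route and the appliance never sees the traffic. Node names, prefixes and the distance values (0 connected, 1 static) are assumptions for the example.

```python
"""Check that traffic to a VM network is forced through an inspection appliance.

Added example, not VMware code. Addresses and node names are constructed;
the routing behaviour modelled is the usual one: longest prefix wins, and on
equal length a directly connected route beats a static route.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None = directly connected
    distance: int                              # 0 connected, 1 static (assumed)


@dataclass
class Node:
    """A gateway or appliance: its interface addresses plus static routes."""
    name: str
    interfaces: List[ipaddress.IPv4Interface]
    static_routes: List[Route] = field(default_factory=list)

    def routing_table(self) -> List[Route]:
        connected = [Route(i.network, None, 0) for i in self.interfaces]
        return connected + self.static_routes

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match; on equal length the lower distance wins."""
        candidates = [r for r in self.routing_table() if dst in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))


def owner_of(topology: List[Node], addr: ipaddress.IPv4Address) -> Optional[Node]:
    """Find the node that holds the next-hop address on one of its interfaces."""
    for node in topology:
        if any(i.ip == addr for i in node.interfaces):
            return node
    return None


def trace(topology: List[Node], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow next hops from `start` towards `dst`; returns the names traversed."""
    dst_ip = ipaddress.ip_address(dst)
    node = next(n for n in topology if n.name == start)
    path = [node.name]
    for _ in range(max_hops):
        route = node.lookup(dst_ip)
        if route is None:
            return path + ["UNROUTED"]
        if route.next_hop is None:
            return path + [dst]  # delivered on a directly connected network
        node = owner_of(topology, route.next_hop)
        if node is None:
            return path + ["UNKNOWN-NEXT-HOP"]
        path.append(node.name)
    return path + ["LOOP"]


def traverses(topology: List[Node], start: str, dst: str, appliance: str) -> bool:
    """True only if the packet is delivered and passes through `appliance`."""
    path = trace(topology, start, dst)
    return appliance in path and path[-1] == dst


def static(prefix: str, via: str) -> Route:
    return Route(ipaddress.ip_network(prefix), ipaddress.ip_address(via), 1)


def iface(cidr: str) -> ipaddress.IPv4Interface:
    return ipaddress.ip_interface(cidr)


# Constructed topology. The appliance sits between a transit link to the
# gateway (outside) and the virtual machine network (inside).
APPLIANCE = Node("av-appliance", [iface("10.0.0.2/29"), iface("10.1.0.1/24")])

# Correct design: the gateway reaches the VM network only via the appliance.
CORRECT = [
    Node("gateway", [iface("203.0.113.1/24"), iface("10.0.0.1/29")],
         [static("10.1.0.0/24", "10.0.0.2")]),
    APPLIANCE,
]

# Bypass: the VM network is still attached to the gateway as well, so the
# connected route beats the static route and traffic skips the appliance.
BYPASS = [
    Node("gateway", [iface("203.0.113.1/24"), iface("10.0.0.1/29"), iface("10.1.0.254/24")],
         [static("10.1.0.0/24", "10.0.0.2")]),
    APPLIANCE,
]

if __name__ == "__main__":
    print("correct:", trace(CORRECT, "gateway", "10.1.0.10"))
    print("bypass: ", trace(BYPASS, "gateway", "10.1.0.10"))
```

The same trace works for the isolated-network case: give the appliance an interface on the isolated network instead of a gateway-attached one, and the only way `trace` can reach those addresses from the gateway is through the appliance, because the gateway holds no connected route for that prefix.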