When you move (stretch deploy) a virtual machine or a vApp to a public cloud from your private datacenter, vCloud Connector stretches the private network of the VM or vApp to the public cloud by creating a Layer 2 SSL VPN tunnel between the private network's vShield Edge and the public network's vShield Edge.

Specifically, vCloud Connector does the following.

1. Verifies that the network of the VM or vApp on the private datacenter can be extended.

2. Creates a new routed vApp network in your Organization VDC in the public vCloud.

3. Creates NAT and firewall rules in the public network, if required.

4. Creates NAT and firewall rules in the private network, if required.

5. Creates an SSL VPN tunnel from the vShield Edge of the private network to the vShield Edge of the new routed vApp network in the public vCloud.

6. Copies and deploys the VM or vApp into the new routed vApp in the public vCloud.

Note

When you stretch deploy from a vSphere datacenter, vCloud Connector creates a temporary vApp in your Organization VDC in the public vCloud. The temporary vApp is deleted when the Stretch Deploy command is completed.

When you stretch deploy from a vCloud Director datacenter, vCloud Connector creates a temporary vApp in both the source vCloud Director cloud and in the public vCloud. The temporary vApps are deleted when the Stretch Deploy command is completed.

A network can only be stretched to a single routed vApp network in a public vCloud. This implies that once you stretch deploy a VM or vApp from a private cloud to a public vCloud and vCloud Connector creates a routed vApp network for it in the public vCloud, if you want to stretch deploy any other VMs or vApps from the same private network, they must be moved to the same routed vApp network on the public vCloud.

Datacenter Extension Traffic Flow

In the figure above, if an Apache Tomcat server is running on VM A at port 8000,

A user accesses it through VM A's public IP address (via NAT): 10.112.185.1:8000.

VM B accesses it through VM A's private IP address: 192.168.2.2:8000.

When VM A is in the enterprise network,

When a user accesses the Tomcat server in VM A through its public IP address (10.112.185.1), the service request reaches the Routed Organization network's vShield Edge, which routes it to the routed vApp network's vShield Edge, which routes the traffic to VM A.

When VM B accesses the Tomcat server in VM A through its private IP address (192.168.2.2), the service request reaches VM A directly because both VMs are in the same L2 network.

VM A is then moved to the public cloud with the Stretch Deploy command. vCloud Connector creates a routed vApp network in the public cloud and then creates an SSL VPN tunnel between the enterprise network's routed vApp vShield Edge and the vShield Edge of the new routed vApp network in the public cloud.

When VM A is in the public cloud network,

When a user accesses the Tomcat server in VM A through its public IP address (10.112.185.1), the service request reaches the Routed Organization network vShield Edge in the enterprise network and is routed to the routed vApp vShield Edge in the enterprise network, which is where the L2 tunnel is present. The request is then sent over the SSL VPN tunnel to the Routed Organization network vShield Edge in the public cloud, which routes the traffic to the routed vApp network vShield Edge in the public cloud, which then routes it to VM A.

When VM B accesses the Tomcat server in VM A through its private IP address (192.168.2.2), the service request reaches the routed vApp vShield Edge in the enterprise network, where the L2 tunnel is present, so the request is sent to the public cloud's Routed Organization network vShield Edge over the SSL VPN tunnel, which routes the traffic to the public cloud's Routed vApp vShield Edge, which then routes it to VM A.

When VM C accesses the Tomcat server in VM A through its private IP address (192.168.2.2), the service request reaches VM A directly because they are in the same L2 network and on the same side of the L2 tunnel.
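The flows described above can be modeled to see which vShield Edges, and therefore which NAT and firewall rule sets, sit on the path to VM A before and after Stretch Deploy. This is an added example, not part of vCloud Connector; the function and constant names are hypothetical, and the hop names follow the wording used on this page.

```python
# Added illustration: models only the flows this page describes.
ENT_ORG = "enterprise Routed Organization network vShield Edge"
ENT_VAPP = "enterprise routed vApp vShield Edge"
TUNNEL = "L2 SSL VPN tunnel"
PUB_ORG = "public cloud Routed Organization network vShield Edge"
PUB_VAPP = "public cloud routed vApp vShield Edge"


def hops_to_vm_a(source, vm_a_side):
    """Return the ordered hops between a source and VM A.

    source: "user" (uses VM A's public IP via NAT), "enterprise_vm" (VM B)
    or "public_vm" (VM C). vm_a_side: "enterprise" or "public".
    """
    if vm_a_side not in ("enterprise", "public"):
        raise ValueError("unknown side: %r" % (vm_a_side,))
    if source == "public_vm":
        if vm_a_side != "public":
            raise ValueError("the page does not describe this flow")
        return []  # same L2 network, same side of the tunnel
    if source == "enterprise_vm":
        if vm_a_side == "enterprise":
            return []  # same L2 network: delivered directly
        path = [ENT_VAPP]
    elif source == "user":
        # The public IP is reached through the enterprise edge in both states.
        path = [ENT_ORG, ENT_VAPP]
    else:
        raise ValueError("unknown source: %r" % (source,))
    if vm_a_side == "public":
        path += [TUNNEL, PUB_ORG, PUB_VAPP]
    return path


def edges_on_path(source, vm_a_side):
    """vShield Edges the flow traverses (the tunnel itself is excluded)."""
    return [hop for hop in hops_to_vm_a(source, vm_a_side) if hop != TUNNEL]


if __name__ == "__main__":
    for side in ("enterprise", "public"):
        for src in ("user", "enterprise_vm"):
            hops = hops_to_vm_a(src, side)
            print(side, src, " -> ".join(hops) or "direct (no Edge on path)")
```

Flows that return an empty list are delivered inside the L2 network and do not pass through any vShield Edge, so isolation between such VMs has to be enforced elsewhere.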