There are three categories of vCloud Director networks: external networks, organization vDC networks, and vApp networks. Additional infrastructure objects such as Edge Gateways and network pools are required by most categories of networks.

You must be a system administrator to create an external network, a directly connected organization vDC network, a network pool, or an Edge Gateway. An organization administrator can create and modify routed and isolated organization vDC networks, and any user who has vApp Author rights can create and modify a vApp network.

A vApp network is a logical network that controls how the virtual machines in a vApp connect to each other and to organization vDC networks. Users specify vApp network details in an instantiateVAppTemplate or composeVApp request. The network is created when the vApp is deployed, and deleted when the vApp is undeployed. All nonisolated virtual machines in the vApp connect to a vApp network, as specified in their NetworkConnectionSection elements.

Every VApp element includes a link that you can use to retrieve details of a vApp network that it contains, as the following example shows.

<Link
      rel="down"
      type="application/vnd.vmware.vcloud.vAppNetwork+xml"
      name="isoNet1"
      href="https://vcloud.example.com/api/network/94" />

A GET request to this link returns a read-only VAppNetwork element. To modify an existing vApp network or create a new one, you must find the NetworkConfigSection of the VApp element and use its edit link, as shown in Update a vApp Network Configuration.

The configuration of a vApp network, contained in the NetworkConfig element of the InstantiateVAppTemplateParams request body, includes the following information:

A name for the network, specified in the networkName attribute of the NetworkConfig element. The instantiation parameters must create a vApp network whose name matches the value of the network attribute of the NetworkConnection of each Vm element in the template. If this attribute has the value none or is missing, the Vm can connect to any network. If the template contains Vm elements that specify different names for their network connections, you must create a vApp network for each.

Note

When you create a vApp network where the FenceMode is bridged, the networkName of the vApp network must match the name of the ParentNetwork. This requirement is enforced by the composeVApp operation. The instantiateVAppTemplate operation automatically corrects a name mismatch by changing the value of the network attribute in the NetworkConnection element of the VApp.

A Configuration element that specifies network configuration details.

For routed and directly connected networks, the ParentNetwork element contains a reference to the organization vDC network that the vApp network connects to. The FenceMode element controls how the two networks connect. Specify a FenceMode of bridged for a direct connection to the parent network, or natRouted to specify a routed connection controlled by network Features such as a NatService or FirewallService. If you want the vApp network to be isolated, with no external connection, omit the ParentNetwork element and specify the FenceMode as isolated.

The Features element defines features of the vApp network, and can include the following services:

DhcpService

Provides DHCP services to virtual machines on the network.

FirewallService

Specifies firewall rules that, when matched, block or allow incoming or outgoing network traffic.

NatService

Provides network address translation services to virtual machines on the network.

StaticRoutingService

Specifies static routes to other networks. Requires a routed organization vDC network.

For more information, see Network Services in vApp Networks.

Additional modifiable elements like IpScopes and RetainNetInfoAcrossDeployments, and read-only elements such as SyslogServerSettings and RouterInfo. For more information about the type and scope of these elements, see the schema reference.

Network pool resources required by an isolated or natRouted vApp network are allocated by the system from the pool associated with the vDC in which the vApp is deployed.
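The naming and FenceMode rules above can be checked before a request is sent. The following Python script is an added example, not code from the vCloud API or its documentation: it parses a constructed NetworkConfigSection with xml.etree and compares it against a constructed map of Vm names to the network attribute of each Vm's NetworkConnection.

```python
import xml.etree.ElementTree as ET

NS = {"vc": "http://www.vmware.com/vcloud/v1.5"}

# Constructed sample request body (simplified: the mandatory ovf:Info is omitted).
REQUEST_XML = """<InstantiateVAppTemplateParams xmlns="http://www.vmware.com/vcloud/v1.5" name="demo">
 <InstantiationParams>
  <NetworkConfigSection>
   <NetworkConfig networkName="isoNet1">
    <Configuration><FenceMode>isolated</FenceMode></Configuration>
   </NetworkConfig>
   <NetworkConfig networkName="routedNet">
    <Configuration>
     <ParentNetwork name="OrgNet" href="https://vcloud.example.com/api/network/1"/>
     <FenceMode>natRouted</FenceMode>
    </Configuration>
   </NetworkConfig>
   <NetworkConfig networkName="bridgedNet">
    <Configuration>
     <ParentNetwork name="OrgNet" href="https://vcloud.example.com/api/network/1"/>
     <FenceMode>bridged</FenceMode>
    </Configuration>
   </NetworkConfig>
  </NetworkConfigSection>
 </InstantiationParams>
</InstantiateVAppTemplateParams>"""

# Constructed sample: Vm name -> network attribute of its NetworkConnection in the template.
TEMPLATE_VM_NETWORKS = {"web": "routedNet", "db": "isoNet1", "mon": "none", "lb": "dmzNet"}

def check_network_config(request_xml, vm_networks):
    """Return the rule violations found, in document order (empty list if the request is consistent)."""
    root = ET.fromstring(request_xml)
    problems, configs = [], {}
    for nc in root.iterfind(".//vc:NetworkConfig", NS):
        name = nc.get("networkName")
        fence = nc.findtext("vc:Configuration/vc:FenceMode", namespaces=NS)
        parent = nc.find("vc:Configuration/vc:ParentNetwork", NS)
        configs[name] = fence
        if fence == "isolated" and parent is not None:  # isolated: ParentNetwork must be omitted
            problems.append(f"{name}: isolated network must omit ParentNetwork")
        if fence in ("bridged", "natRouted") and parent is None:
            problems.append(f"{name}: {fence} network requires a ParentNetwork")
        if fence == "bridged" and parent is not None and parent.get("name") != name:
            problems.append(f"{name}: bridged networkName must match parent {parent.get('name')}")
    for vm, net in vm_networks.items():  # each Vm's network attribute needs a matching vApp network
        if net not in (None, "none") and net not in configs:
            problems.append(f"Vm {vm}: no vApp network named {net}")
    return problems
```

Running check_network_config(REQUEST_XML, TEMPLATE_VM_NETWORKS) reports the bridged name mismatch (which composeVApp would reject) and the Vm whose network has no vApp network defined for it.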

An organization vDC network allows virtual machines in the organization vDC to communicate with each other and to access other networks, including organization vDC networks and external networks, either directly or through an Edge Gateway that can provide firewall and NAT services.

A direct organization vDC network connects directly to an external network. Only a system administrator can create a direct organization vDC network.

A routed organization vDC network connects to an external network through an Edge Gateway, which is backed by a vShield Edge device. A routed organization vDC network also requires the containing vDC to include a network pool. After a system administrator has provisioned an organization vDC with an Edge Gateway and associated it with a network pool, organization administrators or system administrators can create routed organization vDC networks in that vDC.

An isolated organization vDC network does not require an Edge Gateway or external network, but does require the containing vDC to be associated with a network pool. After a system administrator has created an organization vDC with a network pool, organization administrators or system administrators can create isolated organization vDC networks in that vDC.

Most types of organization vDC networks do not provide any network services. Isolated organization vDC networks can specify a DhcpPoolService, which provides DHCP addresses from several pools of IP address ranges. All other services, such as NAT, firewall, and load balancing, are configured by a system administrator on the Edge Gateway to which the network connects.

Types of Organization vDC Networks and Their Requirements

Organization vDC Network Connection: Direct connection to an external network.
Description: Provides direct layer 2 connectivity to machines and networks outside of the organization vDC. Machines outside of this organization vDC can connect directly to machines within the organization vDC.
Requirements: The cloud must contain an external network.

Organization vDC Network Connection: Routed connection to an external network.
Description: Provides controlled access to machines and networks outside of the organization vDC via an Edge Gateway. System administrators and organization administrators can configure network address translation (NAT) and firewall settings on the gateway to make specific virtual machines in the vDC accessible from an external network.
Requirements: The vDC must contain an Edge Gateway and a network pool.

Organization vDC Network Connection: No connection to an external network.
Description: Provides an isolated, private network that machines in the organization vDC can connect to. This network provides no incoming or outgoing connectivity to machines outside this organization vDC.
Requirements: The vDC must contain a network pool.

By default, only virtual machines in the organization vDC that contains the network can use it. When you create an organization vDC network, you can specify that it is shared. A shared organization vDC network can be used by all virtual machines in the organization.

An Edge Gateway provides a routed connection between an organization vDC network and an external network. It can provide any of the following services, defined in the GatewayFeatures element of the Edge Gateway's Configuration.

FirewallService

Specifies firewall rules that, when matched, block or allow incoming or outgoing network traffic. See Firewall Service Configurations.

GatewayDhcpService

Provides DHCP services to virtual machines on the network. A variant of this service, DhcpService, is intended to provide DHCP services in vApp networks. See Gateway DHCP Service Configurations.

GatewayIpsecVpnService

Defines one or more virtual private networks that connect an Edge Gateway to another network in or outside of the cloud.

LoadBalancerService

Distributes incoming requests across a set of servers. See Load Balancer Service Configurations.

NatService

Provides network address translation services to computers on the network.

StaticRoutingService

Specifies static routes to other networks. See Static Routing Service Configurations.

For an example of adding services to an Edge Gateway, see Configure Edge Gateway Services. For more information about any of these services, see the vShield Administration Guide.

External networks and network pools are vSphere resources backed by vSphere portgroup, VLAN, or DVswitch objects. A system administrator must create them, as described in Create an External Network and Create a Network Pool. You must supply a reference to an external network when you create an Edge Gateway. When you create an organization vDC, you must supply a reference to a network pool if the vDC is to be able to contain routed or isolated networks. See Retrieve a List of External Networks and Network Pools.