Your subscription and configuration decisions within vCloud Air have network security implications.

The following table illustrates the security differences between the service offerings—Dedicated Cloud versus Virtual Private Cloud. Choose the service offering that meets your security needs.

Security Differences Between Service Offerings

Dedicated Cloud

Virtual Private Cloud


Physically separated hosts

Logically separated network and storage

Shared cloud

Logically separated network, compute, and storage


Segmented virtual data centers based on organizations

Because of segmentation, not subject to multi-tenancy

No virtual data center segmentation


Ideal for running regulated applications

Ideal for shared access within a single organization

The type of networks you add to vCloud Air and how you connect your virtual machines to those networks have security considerations as well. Connect your virtual machines to the appropriate networks based on their security needs.

Security Differences Between Network Types

Gateway Network

Internal Network


Virtual machines that need access to external networks.

Workloads that need to be isolated.

Workloads subject to specific security policies; for example, compliance rules that a particular application cannot be connected directly to the Internet.


Connecting virtual machines to gateway networks gives those virtual machines access to the networking services provided by a gateway—firewall, NAT, and load balancing.


You can have an instance of a dual NIC on a virtual machine and can connect one interface of the virtual machine to the gateway network and the other interface to the internal network.

Internal networks are not connected to gateways; therefore, they are ideal for running internal applications.

Virtual machines running applications you want to isolate from direct Internet traffic, such as your log servers, tracking servers, and database servers.

The following security functionality is available in vCloud Air:

Gateway: firewall, IP address management, and routing

Threat mitigation: third-party antivirus, traffic analysis, and threat mitigation appliances

Third-party appliances: virtual appliances of your choice allowing you to deploy your own security policies

VXLAN: the foundation for elastic portable virtual data centers

vCloud Air supports threat mitigation by allowing you to deploy your own antivirus solution (such as, MacAfee antivirus) and configure static routing between the gateway interfaces so that all traffic traverses the antivirus first, and then travels to your virtual machines.

vCloud Air supports the deployment of third-party virtual appliances into the cloud. For example, if you are using policies based on a Palo Alto security appliance, or appliances deployed onsite at your data center, you can deploy that same third-party virtual appliance in vCloud Air and run network traffic to your virtual machines through the appliance. By using the same virtual appliance in vCloud Air that you used onsite in your data center, vCloud Air can become an extension of your onsite cloud. vCloud Air supports the deployment of all third-party virtual appliances supported by VMware vSphere; such as, F5, RSA (for secure ID), and Riverbed (caching).

Additionally, you can use a third-party appliance with your internal networks in vCloud Air. Internal networks (which are not connected to the gateway) can connect to a third-party appliance; the third-party virtual appliance can have access to the gateway.