By now you should have heard a lot about VMware Cloud Director (vCD) and how you can use to create Public, Private, and even Hybrid Clouds based on VMware Infrastructure. One of the least understood aspects of vCD is the networking options that you have available to you. The flexibility that is built into vCD networking is such that you can, if you need to, build very complex datacenter like networking inside of your Organizational Virtual Datacenter (OvDC). I will try and breakdown the networking in vCD into its basic constructs, so that it is a little easier to understand the different components and how to apply the networking constructs to your vCloud designs.
Networking in vCD is broken into three layers:
- External Networks
- Organization Networks (Org-Nets)
- vApp Networks (vApp-Net)
Each of these layers simulates different components of networking in a Datacenter. Port groups in the VMware Infrastructure (VI) are the backing for External Networks. Whereas Organization Networks and vApp Networks are both backed by Network Pools, which are by definition, a collection of networking resources that can be consumed by an organization.
The simplest way to approach an explanation of Network pools, is from a physical point of view. If you had no networking background, and you wanted to enable a group of machines to talk to each other on a network, you would have your provider configure a switch for you.
The provider would set the switch up in such a way that you could plug groups of machines into predetermined ports on the switch, and the machines would be able to see their groups traffic, but not the traffic of other groups of machines. One way the provider would do this is to take say, 8 consecutive ports in your 48-port switch, and assign a unique VLAN to each group of ports. In essence what the provider was doing was creating a pool of 6 groups of ports that you could use to create unique isolated networks for up to 8 machines at a time. In essence that is what Network Pools are, a collection of ports (port groups), isolated using VLANs from each other, and used to create isolated networks.
vCD uses External networks as the conduit to communicate with networks outside of vCD. In other words, this is how traffic gets to and from vCD Organizations and into the physical networking environment.
In a hosting environment an External Network would be the equivalent of the network cable that a provider would give you to get to the Internet. You would plug this cable into a switch and machines that attached to this switch would be assigned public addresses in order to get to the Internet. If you needed other external connectivity, say to your MPLS backhauled network, the provider would give you another cable that you would plug into another switch, and any machines that used this switch would have access to your backhauled network.
Organization Networks (Org Nets):
In the service provider example above the cable that came from the provider was your External Network. The switch that the cable plugged into gave your organization the capability to attach machines, assign them IP addresses, and have them visible on the Internet. The switch in this example is the equivalent of an External Organizational Network as it is only accessible to your organization and gives you access to an external network. Since your service provider configures all the ports on the switch identically they are considered one network out of the Network Pool that was assigned to you. Other organizations would get their own external network cable and their own switch representing their own External Organization Networks.
Directly Attached External Organization Networks:
The example used above represents a Directly Attached External Organization Network due to the fact that the external network is directly connected to the switch.
Isolated Organization Networks:
If on the other hand you just wanted a switch, or a subset of a switch, that you could use to attach your machines, say to configure and patch them before you gave them access to the Internet. This would be considered an Isolated Organization Network that was backed by one of the networks in the Network Pool assigned to you by the provider.
NAT/Routed External Organization Networks:
If you wanted to secure your External Organization Network, you would get a firewall, enable NAT and IP masquerading on it, configure its outside interface with a public address in the providers external network and the inside interface with a private network of 192.168.0/24. You would then take the external network cable and attach it to the outside interface of the Firewall, and your network switch to the inside interface. You would now have a NAT/Routed External Organization Network. All the machines that plugged into the switch would be assigned a private address (192.168.0.x/24) and would have access to the Internet due to the Firewalls masquerading functionality.
If you wanted your machines to be reachable from the Internet, you would configure the Firewall to translate traffic addressed to predetermined external IP addresses, to the private IP addresses of the machines that you wanted to be accessible from the Internet. This is equivalent in vCD to adding a vShield Edge to an External Organization Networks and adding NAT and Firewall rules to the vShiled Edge configuration.
vApp Networks (vApp Nets):
A vApp is a definition (think metadata) of how related machines are configured. The definition can reference zero or more virtual machines. One of the definitions of a vApp is how the related machines attach to the network. This includes the number and definition of the networks, whether or not the networks are directly attached to the Organization or use NAT, and also if there is a Firewall or not.
All machines in the organization have to attach to one of the preconfigured Organization Networks in order to communicate with each other. If a vApp, as in the related machines, need to talk only to each other, they can use a preconfigured network from your Network Pool, assign their own private addresses and have an isolated network to themselves. This is what a vApp Network is.
A vApp network, which is inherently isolated, can be connected to an Org Net in order to give the machines in the vApp access to specific networks in an Organization. Like Org Nets, vApp Networks can be left isolated, or attached to an Org Net either directly (Directly Attached vApp Network) or behind a Firewall (NAT/Routed vApp Network).
The End result is a complete stack as shown in the image below.