8.9.1 Workload Isolation
Additional security controls and network functionality can be added to a vCloud platform for greater versatility in hosting enterprise applications.
Using VMware vCloud Networking and Security technology to isolate Layer 2 traffic and to apply persistent network policies, a vApp can have a number of private, vApp-only networks whose traffic never leaves the vApp. You can clone this environment indefinitely without changing an IP address or configuration file.
Additionally, when a vApp is built, you can create firewall rules in vCloud Networking and Security App or Edge, allowing or restricting access from external vSphere objects or physical networks to TCP and UDP ports of the key application.
Figure 27. Workload Isolation
 
Though the vApp is the recommended way to create the virtual infrastructure for multitier applications, administrators can define security rules based on containers that can be any of the following vSphere objects: datacenter, cluster, resource pool, vApp, port group, or VLAN. A rule that is created for a container applies to all resources in that container.
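The following Python model is an added example and is not VMware code or the vCloud Networking and Security API. It mirrors only the two semantics stated above: a rule attached to a container (datacenter, cluster, resource pool or vApp) applies to every resource inside it, and a vApp-only network is not reachable from outside the vApp no matter which rules exist. The inventory, network names, VM names and rules are constructed sample data.

```python
"""Hypothetical model of container-scoped firewall rules and vApp-only networks.

Not the vCloud Networking and Security App/Edge API; the names below are
constructed sample data used to illustrate rule inheritance and isolation.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed containment chain: each object names its parent container.
PARENT = {
    "vm-web": "vapp-crm",
    "vm-db": "vapp-crm",
    "vapp-crm": "rp-prod",
    "rp-prod": "cluster-a",
    "cluster-a": "dc-east",
}

# Constructed networks: which are vApp-only (Layer 2 isolated) and who is attached.
VAPP_ONLY_NETWORKS = {"crm-internal"}
VM_NETWORKS = {
    "vm-web": {"crm-external", "crm-internal"},
    "vm-db": {"crm-internal"},
}


@dataclass(frozen=True)
class Rule:
    container: str        # any container object: datacenter, cluster, resource pool, vApp
    action: str           # "allow" or "deny"
    protocol: str         # "tcp" or "udp"
    port: Optional[int]   # None means any port


# Constructed rule set, in administrator-defined order (first match wins):
# the vApp opens only the ports the application needs; the cluster denies the rest.
SAMPLE_RULES = [
    Rule("vapp-crm", "allow", "tcp", 443),
    Rule("vapp-crm", "allow", "tcp", 3306),
    Rule("cluster-a", "deny", "tcp", None),
]


def ancestors(obj):
    """Yield obj itself and every container above it, up to the datacenter."""
    while obj is not None:
        yield obj
        obj = PARENT.get(obj)


def rule_applies(rule, vm):
    """A rule on a container applies to every resource inside that container."""
    return rule.container in ancestors(vm)


def evaluate(rules, vm, network, protocol, port, source_external=True):
    """Return 'isolated', 'allow' or 'deny' for traffic to vm on network.

    source_external=True models a source outside the vApp (another vSphere
    object or a physical network); False models another VM inside the vApp.
    """
    if network not in VM_NETWORKS.get(vm, ()):
        raise ValueError(f"{vm} is not attached to {network}")
    # Layer 2 isolation: a vApp-only network is unreachable from outside the vApp,
    # so no firewall rule is even consulted.
    if network in VAPP_ONLY_NETWORKS and source_external:
        return "isolated"
    for rule in rules:
        if rule_applies(rule, vm) and rule.protocol == protocol and rule.port in (None, port):
            return rule.action
    return "deny"  # default deny when nothing matches


if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "vm-web", "crm-external", "tcp", 443))
    print(evaluate(SAMPLE_RULES, "vm-web", "crm-external", "tcp", 22))
    print(evaluate(SAMPLE_RULES, "vm-db", "crm-internal", "tcp", 3306))
    print(evaluate(SAMPLE_RULES, "vm-db", "crm-internal", "tcp", 3306, source_external=False))
```

The useful check here is the second call: port 22 on the web VM is denied not by a vApp rule but by the rule on `cluster-a`, which the VM inherits through its resource pool and vApp. The third call shows that the database VM's vApp-only network is reported as isolated before any rule is consulted, while the same port is allowed when the source is inside the vApp.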