External networks connect vApps to outside networks. An external network maps to a vSphere port group with external connectivity.

Internal or routed networks are used to facilitate communication between virtual machines within a vCloud instance. These are backed by vCloud Director network pools.

Network design complexity depends on vCloud workload requirements. A vApp with a large number of upstream dependencies is more complex to deploy than a vApp with a self-contained application.

vCloud Director coordinates with vCloud Networking and Security Manager to provide automated network security for a vCloud environment. vCloud Networking and Security Edge gateway devices are deployed during the provisioning of routed or private networks. Each vCloud Networking and Security Edge gateway runs a firewall service that allows or blocks inbound traffic to virtual machines that are connected to a public access organization virtual datacenter network. The vCloud Director web console exposes the ability to create five-tuple firewall rules that are comprised of source address, destination address, source port, destination port, and protocol.