5.5.5 vApp Networks
vApp networks are created by vCloud consumers and connect multiple virtual machines in a vApp. vApp networks separate vApp virtual machines from the workloads in the organization virtual datacenter network. The effect is similar to placing a router in front of a group of systems (vApp) to shield the systems from the rest of the corporate network. vApp networks are instantiated from a network pool and consume vSphere resources while the vApp is running.
Connectivity options for vApp networks include the following:
*Direct – vApps connect directly to the organization virtual datacenter network.
*Fenced – Identical virtual machines can exist in different vApps. A virtual router provides isolation and proxy ARP.
*Routed – A new network is defined. A virtual router provides NAT and firewall functionality.
*Isolated – Communication is restricted to the virtual machines in the vApp. No connection exists to an organization virtual datacenter network.
vApp networks are created in one of two ways:
*Manually, using the Add Network wizard. Connecting the vApp network to an organization virtual datacenter network creates a routed connection, with configurable NAT and firewall services.
*Implicitly, by fencing a vApp that is directly connected to an external or organization virtual datacenter network. Choosing the fence option associates an implicit vApp network with the vApp. Firewall and NAT services are configurable on a fenced network.
5.5.5.1. Direct
Connecting virtual machines in a vApp directly to an organization virtual datacenter network places vApp virtual machines in the port group of the organization virtual datacenter network. IP address assignments for vApps follow the organization virtual datacenter network IP addressing scheme.
The following figure shows a vApp network directly connected to a direct external organization virtual datacenter network.
Figure 18. vApp Network (Direct) for Organization Virtual Datacenter Network (Direct)
 
The following figure shows a vApp network directly connected to a routed external organization virtual datacenter network. vCloud Networking and Security Edge provides DHCP, firewall, NAT, and static routing services to the organization virtual datacenter network.
Figure 19. vApp Network (Direct) for Organization Virtual Datacenter Network (Routed)
 
The following figure shows a vApp network directly connected to an isolated organization virtual datacenter network. A vCloud Networking and Security Edge automatically deploys only if using DHCP services.
Figure 20. vApp Network (Direct) for Organization Virtual Datacenter Network (Isolated)
 
5.5.5.2. Fenced
For a fenced network, the external and internal IP subnets are the same, and proxy ARP is used to move traffic between them. vCloud Networking and Security Edge provides the network fencing functionality for vCloud environments. The option to fence a vApp is available only if the vApp directly connects to an organization virtual datacenter network.
Depending on the organization virtual datacenter network connection, NAT or double NAT might take place for incoming or outgoing traffic from a vApp network perspective. The following scenarios describe a single and double NAT situation.
The following figure illustrates a scenario where a vApp network connected to a direct organization virtual datacenter network is fenced.
Figure 21. vApp Network (Fenced) for Organization Virtual Datacenter Network (Direct)
 
If you are fencing a vApp network connected to a routed organization virtual datacenter network, double NAT occurs with two vCloud Networking and Security Edge instances deployed. The following figure illustrates this scenario.
Figure 22. vApp Network (Fenced) for Organization Virtual Datacenter Network (Routed)
 
The following figure shows a fenced vApp network connected to an isolated organization virtual datacenter network. There is only one NAT.
Figure 23. vApp Network (Fenced) for Organization Virtual Datacenter Network (Isolated)
5.5.5.3. Routed
A routed vApp network is a vApp network connected to an organization virtual datacenter network where the IP address space differs between the two networks. A vCloud Networking and Security Edge provides the DHCP, NAT, and firewall services.
Depending on the organization virtual datacenter network connection, NAT or double NAT might take place for incoming or outgoing traffic from a vApp network perspective. The following scenarios describe a single and double NAT situation.
The following figure illustrates a scenario where a routed vApp network connects to a direct organization virtual datacenter network.
Figure 24. vApp Network (Routed) for Organization Virtual Datacenter Network (Direct)
 
If a routed vApp network connects to a routed organization virtual datacenter network, double NAT occurs with two vCloud Networking and Security Edge instances deployed. The following figure illustrates this scenario.
Figure 25. vApp Network (Routed) for Organization Virtual Datacenter Network (Routed)
 

The following figure shows a routed vApp network connected to an isolated organization virtual datacenter network.
Figure 26. vApp Network (Routed) for Organization Virtual Datacenter Network (Isolated)
 
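The single and double NAT cases described for fenced and routed vApp networks above can be checked against a small model. The following Python script is an added example, not part of the vCloud Architecture Toolkit or of vCloud Director itself; it encodes the rules stated in this section (fenced keeps one subnet and translates at the vApp Edge, routed introduces a new subnet and translates at the vApp Edge, a routed organization virtual datacenter network adds a second translation at the organization Edge, direct connections translate nothing, and isolated networks have no uplink). All subnets and Edge addresses in it are constructed sample values, and the function and class names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

VAPP_MODES = ("direct", "fenced", "routed", "isolated")
ORG_MODES = ("direct", "routed", "isolated")


@dataclass
class Topology:
    vapp_mode: str                      # how the vApp network connects (VAPP_MODES)
    org_mode: str                       # how the org vDC network reaches its external network (ORG_MODES)
    vapp_subnet: str                    # IP scope used inside the vApp
    org_subnet: str                     # IP scope of the organization vDC network
    vapp_edge_ip: Optional[str] = None  # vApp Edge address on the org vDC network (fenced/routed only)
    org_edge_ip: Optional[str] = None   # org Edge address on the external network (routed org only)


def validate(t: Topology) -> None:
    """Reject combinations that contradict the rules given for each connectivity option."""
    if t.vapp_mode not in VAPP_MODES or t.org_mode not in ORG_MODES:
        raise ValueError("unknown connectivity mode")
    vapp_net = ipaddress.ip_network(t.vapp_subnet)
    org_net = ipaddress.ip_network(t.org_subnet)
    if t.vapp_mode == "fenced" and vapp_net != org_net:
        # Fencing keeps the same subnet on both sides; proxy ARP moves the traffic.
        raise ValueError("fenced vApp network must share the org vDC network subnet")
    if t.vapp_mode == "routed" and vapp_net.overlaps(org_net):
        # Routed means a new, distinct address space behind the vApp Edge.
        raise ValueError("routed vApp network must use a different subnet")
    if t.vapp_mode in ("fenced", "routed"):
        if t.vapp_edge_ip is None or ipaddress.ip_address(t.vapp_edge_ip) not in org_net:
            raise ValueError("vApp Edge needs an address on the org vDC network")
    if t.org_mode == "routed" and t.org_edge_ip is None:
        raise ValueError("routed org vDC network needs an org Edge address")


def trace_egress(t: Topology, src_ip: str) -> List[Tuple[str, Optional[str]]]:
    """Follow a packet outward from a vApp VM, recording the source address seen on each segment."""
    validate(t)
    hops: List[Tuple[str, Optional[str]]] = [("vApp VM", src_ip)]
    if t.vapp_mode == "isolated":
        # Layer 2 isolation: nothing leaves the vApp's port group.
        hops.append(("dropped: isolated vApp network has no uplink", None))
        return hops
    if t.vapp_mode in ("fenced", "routed"):
        # First translation: the vApp Edge hides the VM behind its own address.
        hops.append(("vApp Edge NAT onto org vDC network", t.vapp_edge_ip))
    else:
        # Direct: the VM sits in the org vDC network port group, nothing is rewritten.
        hops.append(("org vDC network, untranslated", src_ip))
    current = hops[-1][1]
    if t.org_mode == "routed":
        # Second translation: the org Edge hides the org network behind its external address.
        hops.append(("org Edge NAT onto external network", t.org_edge_ip))
    elif t.org_mode == "direct":
        hops.append(("external network, untranslated", current))
    else:
        hops.append(("stays on isolated org vDC network", current))
    return hops


def nat_count(hops: List[Tuple[str, Optional[str]]]) -> int:
    """Number of address translations the packet went through (0, 1 or 2)."""
    return sum(1 for label, _ in hops if "NAT" in label)


def egress_address(hops: List[Tuple[str, Optional[str]]]) -> Optional[str]:
    """Source address visible on the last segment, or None if the packet never left."""
    return hops[-1][1]


if __name__ == "__main__":
    double_nat = Topology("fenced", "routed", "10.10.0.0/24", "10.10.0.0/24",
                          vapp_edge_ip="10.10.0.250", org_edge_ip="192.0.2.10")
    for segment, addr in trace_egress(double_nat, "10.10.0.5"):
        print(f"{segment:45s} src={addr}")
```

Running it on the fenced-plus-routed topology prints two NAT segments, which is the double NAT scenario of Figure 22; swapping `org_mode` to `"isolated"` reduces it to one, matching Figure 23. The model is deliberately limited to what this section states: it does not represent firewall rules, DHCP, or the port-forwarding configuration an Edge would need for inbound traffic.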
5.5.5.4. Isolated
A vApp network whose connection is set to None is completely isolated; the virtual switch of the corresponding port group is the endpoint for this network. The network is isolated at Layer 2, so only intra-vApp communication is possible.
Figure 27. vApp Network (Isolated)