5.4.1 vApp Design Considerations
A vCloud vApp differs from a vSphere vApp in the way it is instantiated and consumed in the vCloud. A vApp is a container for a distributed software solution and is the standard unit of deployment in vCloud Director. It allows power on and off operations to be defined and ordered, consists of one or more virtual machines, and can be imported or exported as an OVF package. A vCloud vApp can have additional vCloud-specific constructs such as networks and security definitions.
5.4.1.1. General Design Considerations
Some general recommendations for designing vApps include:
* Default to one vCPU unless requirements call for more (multithreaded application virtual machines).
* Always install the latest version of VMware Tools.
* Deploy virtual machines using default shares, reservations, and limit settings unless a clear requirement exists to avoid defaults.
* For virtual network adaptors, use VMXNET3 where supported.
* Secure virtual machines as you would physical machines.
* Use standard virtual machine naming conventions.
5.4.1.2. vApp and Virtual Machine Hardware Version Considerations
Virtual machine hardware version 9 is supported in vSphere 5.1. This support is carried over to vCloud Director. For maximum configuration values, see VMware Configuration Maximums (VMware vSphere 5.1) (http://www.vmware.com/pdf/vsphere5/r51/vsphere-51-configuration-maximums.pdf). The major use cases for using hardware version 9 are:
* Windows 8 XP mode – XP mode allows a virtualized Windows XP instance to run on Windows 8 for compatibility with older applications that do not run natively on Windows 8. Users running XP mode in Windows 8 must choose an organization virtual datacenter that is backed by a provider virtual datacenter with support for virtual hardware version 9. After adding support for virtual hardware version 9, you must also enable the Nested HV feature.
* 64-bit nested virtualization – Hyper-V and virtualized VMware vSphere ESXi™ nested virtualization can be helpful for non-production use cases, such as training and demonstration environments. Virtualized Hyper-V or virtualized ESXi running nested 64-bit virtual machines requires virtual hardware version 9 with the Nested HV feature enabled.
* CPU-intensive workloads – Running a CPU-intensive workload in a virtual machine requiring between 32 and 64 vCPUs requires virtual hardware version 9.
5.4.1.3. Network Design Considerations
A vApp network provides network connectivity to virtual machines within a vApp. Virtual machines in a vApp use an organization virtual datacenter network to connect to the outside world or to other vApps in the organization. A vApp network is backed by a network pool unless it is directly attached to an organization virtual datacenter network that is directly attached to an external network. vApp networks are created with one of the following methods:
* Dynamic – Created when a vApp is directly connected to an organization virtual datacenter network and deployed in fenced mode. There is no opportunity to use the DHCP, NAT, or firewall services at the vApp network level because this network is created automatically. It is not accessible from the vCloud UI.
* Manual – Created and either connected to an organization virtual datacenter network in NAT mode or left isolated. DHCP, NAT, or firewall service rules can be defined manually at the vApp network level as needed.
A vApp network can be directly connected to an organization virtual datacenter network, whether routed, isolated, or connected with NAT. The following are types of vApp networks:
* Direct – Virtual machines in a vApp are configured to connect directly to the organization virtual datacenter network port group and are assigned IP addresses from the organization’s network range.
* NAT-routed – vApps are protected behind a VMware vCloud Networking and Security Edge (Edge) instance that provides NAT services for outbound and inbound access.
* Fenced – Allows identical virtual machines to exist in different vApps by isolating their MAC addresses. Fenced vApps are protected behind an Edge instance with proxy Address Resolution Protocol (ARP) capabilities.
* None – Isolated, with no external access to an organization virtual datacenter network or other vApps in the organization.
The most common vApp network configurations are described in the following sections.
5.4.1.4. Direct – External Organization Virtual Datacenter Network
Connecting a vApp to an organization virtual datacenter network that has a direct connection to an external network connects the vApp directly to the external network and deploys the vApp there with the external network's IP addressing. An example vApp with three virtual machines using this configuration is shown in the following figure.
Figure 10. Direct Connection to a Directly-Connected External Organization Virtual Datacenter Network
5.4.1.5. Direct – External Organization Virtual Datacenter Network (Routed)
If the same example vApp with three virtual machines is connected to an organization virtual datacenter network that has a routed connection to an external network, the vApp is connected to an organization virtual datacenter network and is deployed there with the organization virtual datacenter network’s IP addressing. The Edge Gateway device then provides a routed connection between the organization virtual datacenter network and the external network. This scenario is shown in the following figure.
Figure 11. Direct Connection to a Routed External Organization Virtual Datacenter Network
5.4.1.6. Direct – Internal Organization Virtual Datacenter Network (Isolated)
As shown in the following figure, if the same vApp is connected directly to an isolated organization virtual datacenter network, the vApp is deployed there with the organization virtual datacenter network's IP addressing.
Figure 12. Direct Connection to an Isolated Internal Organization Virtual Datacenter Network
5.4.1.7. Fenced – Dynamically or Manually Created
In vCloud Director, a network type is fenced when the virtual machines in the vApp share the same Layer 2 network as their organization virtual datacenter network. This is a special case of a NAT-routed network in which the inside and outside address of the Edge device are on the same Layer 2 network. In this mode the Edge device provides proxy ARP services to the virtual machines in the vApp.
From a vApp network perspective, depending on the type of connected organization virtual datacenter network, a NAT or double NAT might occur for incoming or outgoing traffic. The following scenarios describe a double and single NAT situation.
5.4.1.8. NAT-Routed – External Organization Virtual Datacenter Network (Routed)
If a vApp configured with a NAT-routed vApp network is connected to an external NAT-routed organization virtual datacenter network, the deployment results in a double NAT. In this scenario, the virtual machines are connected to a NAT-routed vApp network and are deployed there with the vApp network’s IP addressing. The first Edge device provides NAT between the vApp network and the organization virtual datacenter network, and the second Edge device provides NAT between the organization virtual datacenter network and the external network. This scenario is shown in the following figure.
Figure 13. NAT-Routed – External Organization Virtual Datacenter Network (Routed)
5.4.1.9. NAT-Routed – Internal Organization Virtual Datacenter Network (Isolated)
If the same vApp, configured with a NAT-routed vApp network, is connected to an isolated organization virtual datacenter network, the deployment results in a single NAT. The virtual machines are connected to the vApp network and deployed with the vApp network’s IP addressing. The Edge device then provides NAT between the vApp network and the organization virtual datacenter network. This scenario is shown in the following figure.
Figure 14. NAT-Routed – Internal Organization Virtual Datacenter Network (Isolated)
5.4.1.10. NAT-Routed – External Organization Virtual Datacenter Network (Direct)
The following figure shows a scenario where a vApp is configured with a NAT-routed vApp network that is connected to an external organization virtual datacenter network. The virtual machines are connected to a NAT-routed vApp network and deployed there with the vApp network IP addressing. The Edge device provides NAT between the vApp network and the external network.
Figure 15. NAT-Routed – External Organization Virtual Datacenter Network (Direct)
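The single- and double-NAT scenarios in 5.4.1.8 through 5.4.1.10 determine which source address each network boundary (and any firewall or log collector sitting there) actually sees. The following model is an added example, not code from the vCloud Architecture Toolkit; it assumes 1:1 IP translation on each Edge, and every address and Edge name in it is a constructed sample.

```python
"""Trace the source address seen at each NAT boundary for the
NAT-routed vApp network scenarios (single NAT vs. double NAT).
Added example; addresses are constructed samples, not real values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class EdgeNat:
    """One Edge instance doing 1:1 IP translation (inside -> outside)."""
    name: str
    inside_to_outside: Dict[str, str] = field(default_factory=dict)

    def translate_out(self, src_ip: str) -> str:
        # A missing rule is an error, not a silent pass-through: without
        # a NAT rule the Edge does not forward the inside address.
        if src_ip not in self.inside_to_outside:
            raise LookupError(f"{self.name}: no NAT rule for {src_ip}")
        return self.inside_to_outside[src_ip]

    def translate_in(self, dst_ip: str) -> Optional[str]:
        # Reverse lookup for inbound traffic; None when nothing is published.
        for inside, outside in self.inside_to_outside.items():
            if outside == dst_ip:
                return inside
        return None


def trace_outbound(edges: List[EdgeNat], vm_ip: str) -> List[Tuple[str, str]]:
    """Source address observed after each Edge, innermost first."""
    seen = [("vApp network", vm_ip)]
    ip = vm_ip
    for edge in edges:
        ip = edge.translate_out(ip)
        seen.append((edge.name, ip))
    return seen


def trace_inbound(edges: List[EdgeNat], public_ip: str) -> Optional[str]:
    """Walk the chain outermost first; return the VM reached, if any."""
    ip: Optional[str] = public_ip
    for edge in reversed(edges):
        ip = edge.translate_in(ip)
        if ip is None:
            return None          # not published through this Edge
    return ip


# Constructed sample: a VM on a NAT-routed vApp network.
VAPP_EDGE = EdgeNat("vApp Edge", {"192.168.10.5": "10.10.0.20"})
ORG_EDGE = EdgeNat("Org vDC Edge Gateway", {"10.10.0.20": "203.0.113.7"})
DOUBLE_NAT = [VAPP_EDGE, ORG_EDGE]   # 5.4.1.8: routed org vDC network
SINGLE_NAT = [VAPP_EDGE]             # 5.4.1.9 / 5.4.1.10: one Edge only
```

In the double-NAT case the external network only ever sees the Edge Gateway's address, so per-VM attribution of outbound traffic requires logs from the vApp Edge as well.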
5.4.1.11. Isolated vApp Network
A vApp network that is configured with no organization virtual datacenter network connectivity is completely isolated. The network is isolated at Layer 2, and no connectivity outside the vApp is possible. This configuration is usually used to build multi-tier applications.
Figure 16. Isolated vApp Network