8. vCloud Operations Control : 8.9 Access and Security Management : 8.9.1 Workload Isolation
8.9.1 Workload Isolation
Additional security controls and network functionality can be added to a vCloud platform for greater versatility in hosting enterprise applications.
Using VMware vCloud Networking and Security technology to isolate Layer 2 traffic and persistent network policies, a vApp can have a number of private, vApp-only networks that never leak outside their environment. It is possible to clone this environment indefinitely, never changing an IP address or configuration file.
When a vApp is built, firewall rules created in VMware vCloud Networking and Security Edge (Edge) can permit or restrict access from external vSphere objects or physical networks to TCP and UDP ports of the application. See the following figure.
Figure 29. Workload Isolation
Although the vApp is the recommended way to create the virtual infrastructure for multitier applications, Administrators can define security rules based on any of the following vSphere objects: datacenter, cluster, resource pool, vApp, port group, or VLANs. A rule that is created for a container applies to all resources in that container.