Using VMware vCloud Networking and Security technology to isolate Layer 2 traffic and persistent network policies, a vApp can have a number of private, vApp-only networks that never leak outside their environment. It is possible to clone this environment indefinitely, never changing an IP address or configuration file.

When a vApp is built, firewall rules created in VMware vCloud Networking and Security Edge (Edge) can permit or restrict access from external vSphere objects or physical networks to TCP and UDP ports of the application. See the following figure.

 

Although the vApp is the recommended way to create the virtual infrastructure for multitier applications, Administrators can define security rules based on any of the following vSphere objects: datacenter, cluster, resource pool, vApp, port group, or VLANs. A rule that is created for a container applies to all resources in that container.