2.2.2 The NSX Edge Services Gateway
vCloud Director allows the provisioning of compute workloads (and their associated storage) on the underlying vSphere environments that it controls, as well as the provisioning of networks to support them. With the ability to consume and manage NSX in recent versions of vCloud Director, networks are now provisioned using NSX-managed VXLAN rather than vCloud Director Network Isolation (VCDNI), which was used in earlier versions. In addition to these NSX networks, vCloud Director now provides the ability to provision and manage an NSX network and security appliance called the Edge Services Gateway (ESG) rather than the VMware vCloud® Network and Security™ edge used in earlier versions.
Unlike virtual networks, which are implemented within the VMware ESXi hypervisor, the Edge Services Gateway is a network appliance virtual machine (or virtual appliance) with interfaces that connect to the networks within the solution. In this position, the Edge Services Gateway can provide a number of network services, the main ones being the following:
Routing – Using static routes and/or dynamic routing protocols.
Firewalling – To provide filtering of “North/South” traffic entering or leaving the solution.
Network Address Translation – Of either source, destination or both addresses.
Load balancing – At either Layer 7 for greater feature capabilities or Layer 4 for greater throughput.
VPN termination – Either Layer 3 site-to-site or client VPNs, or Layer 2 VPN¹ to allow bridging of hybrid solutions where part of the solution sits outside of the vCloud Director environment or data center.
Physical-to-virtual interconnection – Allows routing between external, physical networks (in the form of VLANs) and internal NSX virtual networks (in the form of VXLANs).
DHCP/DNS – The Edge Services Gateway also supports DHCP (as a server or relay/helper) and a DNS forwarder.
Because it provides both routing and firewalling capabilities, the Edge Services Gateway can perform the roles of both tenant core router and internal firewall, as shown in Figure 1. The equivalent customer topology built using the Edge Services Gateway is described in the following section.

¹ See "Streamlining Customer On-Boarding with NSX L2 VPN Services" in the References section for more information.