Architecting Tenant Networking with NSX in vCloud Director

3.3.1 Network Layers in a Multitenant Cloud Platform
Data center and NSX underlay networking – The layer of network configuration which remains the responsibility of the service provider. As well as management networks, this includes the NSX “Transport” network, which carries the VXLAN-encapsulated traffic between ESXi hosts, and the per-tenant networks which must be configured within the data center infrastructure when a new customer is onboarded.
vCloud Director networking – The Org VDC networks which are created and managed entirely from within vCloud Director and use the preconfigured NSX Transport network for connectivity between hosts.
vCloud Director managed networking – The external networks which are initially created in the relevant Provider VDC vCenter Server, but which are then “added” to vCloud Director and can subsequently be managed from the vCloud Director user interface or API.
These three types of networks are shown in the following figure, which also shows the per-tenant networks required to connect each customer's WAN access to their vCloud Director Organization VDC.
Figure 12. Example Cloud Service Provider Multitenant Data Center Topology
 
In this graphic, the networks from the internet distribution and WAN routers are managed within the data center network infrastructure, typically at customer onboarding. The “Web”, “App”, and “DB” networks in each tenant Org VDC are created and managed from vCloud Director either by the customer or the service provider. The networks from the internet firewalls (if provided) and WAN routers, once configured, appear in vCloud Director as external networks and are subsequently managed from the vCloud Director user interface. See Appendix A: Provisioning an External Network in vCloud Director for more details.
Data center external connectivity in a Cloud Service Provider environment follows the same models in the physical infrastructure as it would in a Managed Services Provider environment.
Per-tenant networks are used where Layer 2 separation is required across shared data center infrastructure, for example where customers have overlapping IP address space, or where traffic flows must be kept apart without resorting to Layer 3 routing. Customer access from their WAN to their vCloud Director environment, and access from co-located services within the provider's physical data center, are examples of per-tenant networking.
Shared networks can be used when there is no risk of overlapping addresses (such as public internet access) and where Layer 3 routing can be used to steer traffic to the correct destination.
Shared networking between multiple customers within a single Layer 2 broadcast domain raises the risk of a network problem affecting multiple customers. To mitigate this, VMware Cloud Providers can choose a hybrid approach in which common networks (again, such as internet access) are terminated on high-performance Layer 3 devices which forward traffic to multiple, smaller downstream networks that offer separate broadcast domains, thereby reducing the effect one customer can have on others.
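As an added worked example (not from the VMware document), the following Python models the placement decision described in the preceding paragraphs: two tenants whose address space overlaps can never share a broadcast domain behind a single Layer 3 hop and need per-tenant Layer 2 separation from each other, while the remaining tenants can share a routed network, optionally split into several smaller downstream broadcast domains to limit how far one tenant's network fault can spread. The tenant names, prefixes and the domain-size limit are constructed assumptions; the script only computes the plan and does not provision VLANs, VXLAN segments or NSX objects.

```python
"""
Tenant network placement check: which tenants can share a Layer 3-routed
upstream network, and which need their own Layer 2 segment.

Added example, not from the VMware document. Tenant names and prefixes are
constructed sample data; the domain-size limit models the hybrid design in
which one shared network is split into several smaller broadcast domains.
"""
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample inventory: tenant -> prefixes used in its Org VDC / WAN.
TENANTS: Dict[str, List[str]] = {
    "acme":     ["10.10.0.0/16"],
    "globex":   ["10.10.0.0/24", "172.16.5.0/24"],  # overlaps acme
    "initech":  ["192.168.50.0/24"],
    "umbrella": ["192.168.0.0/16"],                 # overlaps initech
    "hooli":    ["10.200.0.0/22"],
}


def _nets(prefixes: List[str]):
    return [ip_network(p, strict=True) for p in prefixes]


def tenants_overlap(a: List[str], b: List[str]) -> bool:
    """True if any prefix of tenant a overlaps any prefix of tenant b."""
    return any(x.overlaps(y) for x in _nets(a) for y in _nets(b))


def conflicts(tenants: Dict[str, List[str]]) -> Set[Tuple[str, str]]:
    """Pairs of tenants whose addressing overlaps.

    Such a pair can never sit in one broadcast domain behind a single
    Layer 3 hop, because the router could not tell their addresses apart;
    the two tenants need per-tenant Layer 2 separation from each other.
    """
    return {
        (a, b)
        for a, b in combinations(sorted(tenants), 2)
        if tenants_overlap(tenants[a], tenants[b])
    }


def plan_domains(tenants: Dict[str, List[str]],
                 max_per_domain: Optional[int] = None) -> List[List[str]]:
    """Greedy placement of tenants into shared broadcast domains.

    A tenant joins the first existing domain in which it overlaps with no
    current member and which has not reached max_per_domain; otherwise a
    new domain is opened. max_per_domain=None models one flat shared
    network; a small value models the hybrid design with several smaller
    downstream domains behind the Layer 3 devices.
    """
    domains: List[List[str]] = []
    for name in sorted(tenants):
        for members in domains:
            if max_per_domain is not None and len(members) >= max_per_domain:
                continue
            if any(tenants_overlap(tenants[name], tenants[m]) for m in members):
                continue
            members.append(name)
            break
        else:
            domains.append([name])
    return domains


def validate_plan(tenants: Dict[str, List[str]],
                  domains: List[List[str]]) -> bool:
    """Every tenant placed exactly once, and no overlap inside any domain."""
    placed = [t for d in domains for t in d]
    if sorted(placed) != sorted(tenants):
        return False
    return all(
        not tenants_overlap(tenants[a], tenants[b])
        for d in domains for a, b in combinations(d, 2)
    )


if __name__ == "__main__":
    print("overlapping pairs:", sorted(conflicts(TENANTS)))
    print("flat shared network:", plan_domains(TENANTS))
    print("hybrid, max 2 tenants per domain:", plan_domains(TENANTS, 2))
```

With the sample data, acme/globex and initech/umbrella are the conflicting pairs. A flat shared network therefore needs at least two broadcast domains; with a limit of two tenants per downstream domain the plan grows to three, which is the trade-off the hybrid approach makes between fault containment and the number of networks the provider must operate.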