Architecting Tenant Networking with NSX in vCloud Director: Networking Layers Examined

4.1 Tenant Networking
The basic Cloud Service Provider tenant topology in Figure 2 (repeated in the following figure for convenience) was constructed from twelve separate network segments.
Figure 13. Cloud Service Provider Tenant Networking

The following figure represents the same tenant topology as it appears within the NSX and vSphere layers.
Figure 14. vSphere Cloud Service Provider Tenant Networking
 
Connection 1 is made in the physical data center network infrastructure, and does not reach the NSX or vSphere layers of the solution.
Connection 2 is made up of two parts: a physical connection from the customer’s internet firewall’s “inside” interface to a port in the VLAN-backed Internet Port Group in the vSphere dvSwitch, and the Edge Services Gateway’s Internet interface connection to a second port in the same port group.
Connection 3 is likewise made up of two parts: a physical connection from the customer’s WAN router “LAN” interface to a port in the VLAN-backed WAN Port Group in the vSphere dvSwitch, and the Edge Services Gateway’s WAN interface connection to a second port in the same port group.
Connections 4 and 5 present the Web VMs to ports in the Web Port Group. Because the Web Network is a vCloud Director Org VDC Network, it is created within NSX as a “virtual wire” and therefore appears in the dvSwitch as a VXLAN-backed port group.
Connection 6 presents the Edge Services Gateway web interface to the Web Port Group.
Connections 7 to 9 follow the same pattern as 4, 5, and 6 except for the App Network/Port Group.
Connections 10 to 12 also follow the same pattern as 4, 5, and 6 but this time for the DB Port Group.
The logical position of the NSX Distributed Firewall on each virtual machine interface is also shown, to mark the point at which a DFW policy is applied to traffic flowing into or out of a vNIC on a virtual machine.
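The layering described above, as an added example that is not part of the original paper: a small Python model of the twelve connections in Figure 14 and a checker for the invariants the text states (connection 1 never reaches NSX or vSphere; connections 2 and 3 each pair a physical uplink with an ESG interface in a VLAN-backed port group; tenant VMs sit only on VXLAN-backed Org VDC networks, each with one ESG interface; every VM vNIC carries a DFW enforcement point). The connection numbers and port-group names are the figure's; the data model and the helper names are assumptions.

```python
from typing import Optional
from dataclasses import dataclass

@dataclass(frozen=True)
class Connection:
    num: int                    # connection number from Figure 14
    layer: str                  # "dc" = physical fabric only, "vlan" or "vxlan" = port group type
    port_group: Optional[str]   # dvSwitch port group, None for connection 1
    endpoint: str               # "uplink" (physical device), "esg" (gateway interface) or "vm"
    dfw: bool = False           # True where a DFW enforcement point sits on the vNIC

def vm(num, pg):           return Connection(num, "vxlan", pg, "vm", dfw=True)
def esg(num, layer, pg):   return Connection(num, layer, pg, "esg")
def uplink(num, pg):       return Connection(num, "vlan", pg, "uplink")

# Constructed from the text: connections 2 and 3 each have a physical part and an ESG part,
# and connections 4-12 repeat the VM/VM/ESG pattern for the Web, App and DB networks.
TOPOLOGY = [
    Connection(1, "dc", None, "uplink"),
    uplink(2, "Internet"), esg(2, "vlan", "Internet"),
    uplink(3, "WAN"),      esg(3, "vlan", "WAN"),
    vm(4, "Web"),  vm(5, "Web"),  esg(6, "vxlan", "Web"),
    vm(7, "App"),  vm(8, "App"),  esg(9, "vxlan", "App"),
    vm(10, "DB"),  vm(11, "DB"),  esg(12, "vxlan", "DB"),
]

def check_topology(topology):
    """Return the list of layering violations; empty when the topology is consistent."""
    problems, by_pg = [], {}
    for c in topology:
        if c.layer == "dc":
            continue  # lives in the data-centre fabric and never reaches NSX or vSphere
        by_pg.setdefault((c.layer, c.port_group), []).append(c.endpoint)
    for (layer, pg), kinds in by_pg.items():
        if layer == "vlan" and sorted(kinds) != ["esg", "uplink"]:
            problems.append(f"{pg}: VLAN-backed port group must pair one uplink with one ESG interface")
        if layer == "vxlan" and kinds.count("esg") != 1:
            problems.append(f"{pg}: Org VDC network needs exactly one ESG interface as its gateway")
        if layer == "vxlan" and "uplink" in kinds:
            problems.append(f"{pg}: physical uplink attached to a VXLAN virtual wire")
    for c in topology:
        if c.endpoint == "vm" and c.layer != "vxlan":
            problems.append(f"connection {c.num}: tenant VM attached outside an Org VDC network")
        if c.endpoint == "vm" and not c.dfw:
            problems.append(f"connection {c.num}: VM vNIC has no DFW enforcement point")
    return problems
```

Running the checker against an inventory exported from the real environment, rather than this constructed list, is what turns it into a useful audit of DFW coverage and port-group placement.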