5.3.2 Dedicated Single-Tenant External Network
Tenant 4 is consuming the .204 address on the Internet network, but is doing so on a physical device outside of vCloud Director. In this example, a single address has been assumed, but a high availability firewall “pair” can in practice require two or three addresses. Tenant 4’s Edge Services Gateway requires a connection to an external network but cannot use the “red” Internet network, so a second network and an associated address subnet are required for it. Each network loses the lowest and highest addresses (the network and broadcast addresses) as well as those required for the two connected device interfaces.
On a /24 network, 2 addresses out of 256 is a relatively small proportion, but if many tenants require “yellow” networks and each has a much smaller address subnet, the overhead of losing four addresses from each can become a consideration. Despite that, the yellow network will still require an address subnet assigned to it. Certain network devices and protocols, such as those used in VPNs, can either be intolerant of, or complicated by, the presence of NAT. The yellow network should therefore, like the red network, be assigned a subnet of public Internet addresses, one which is large enough for the customer’s requirements but not so large as to be wasteful. This is a particular challenge for service providers with limited public IPv4 addresses. Connecting tenants to a shared network employing address sub-allocation is a more efficient way to provide addresses to connected tenant Edge Services Gateways.
In the case of both Tenant 4 and the directly connected tenants, the addresses on their external Internet networks, after those allocated to the Org VDC Edge Services Gateway, can then be allocated to source or destination NATs or load balancer virtual server VIPs.
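The address overhead described above can be quantified. The following Python sketch is an added example, not part of the original document: it sizes one dedicated subnet per tenant (four addresses lost in each) and compares the total with a single shared network using sub-allocation. The tenant names, their address requirements, the 203.0.113.0/24 documentation range and the shared-network overhead of three addresses are assumptions made for illustration.

```python
import ipaddress

# Per the section, each dedicated network loses four addresses: network,
# broadcast, and the two connected device interfaces.
DEDICATED_OVERHEAD = 4
# Assumption: a shared network loses network, broadcast and one provider gateway.
SHARED_OVERHEAD = 3

def smallest_prefix(needed, overhead=DEDICATED_OVERHEAD):
    """Longest IPv4 prefix whose block holds `needed` NAT/VIP addresses plus overhead."""
    host_bits = max(2, (needed + overhead - 1).bit_length())
    if host_bits > 32:
        raise ValueError("requirement exceeds the IPv4 address space")
    return 32 - host_bits

def plan_dedicated(pool, tenants):
    """Carve one subnet per tenant out of `pool`, largest first so blocks stay aligned."""
    pool = ipaddress.ip_network(pool)
    cursor, plan = int(pool.network_address), {}
    for name, needed in sorted(tenants.items(), key=lambda t: (smallest_prefix(t[1]), t[0])):
        net = ipaddress.ip_network((cursor, smallest_prefix(needed)))
        if not net.subnet_of(pool):
            raise ValueError(f"pool {pool} exhausted at {name}")
        plan[name] = net
        cursor += net.num_addresses
    return plan

def shared_consumption(tenants):
    """Addresses used on one shared network: overhead plus, per tenant, one Edge
    Services Gateway interface and its sub-allocated NAT/VIP addresses."""
    return SHARED_OVERHEAD + sum(1 + needed for needed in tenants.values())

def compare(pool, tenants):
    """Total addresses consumed by each model for the same tenant requirements."""
    plan = plan_dedicated(pool, tenants)
    return {
        "dedicated": sum(n.num_addresses for n in plan.values()),
        "shared": shared_consumption(tenants),
        "requested": sum(tenants.values()),
    }

if __name__ == "__main__":
    # Constructed sample: documentation range and hypothetical tenant requirements.
    tenants = {"tenant-a": 1, "tenant-b": 2, "tenant-c": 5, "tenant-d": 3}
    for name, net in plan_dedicated("203.0.113.0/24", tenants).items():
        print(f"{name}: {net} ({net.num_addresses} addresses)")
    print(compare("203.0.113.0/24", tenants))
```

With the constructed requirements, the four dedicated subnets reserve 40 public addresses to deliver 11 usable NAT/VIP addresses, while the shared network consumes 18.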