Architecting Tenant Networking with NSX in vCloud Director: IP Address Management and Routing

5.4 External Network Address Sub-Allocation
In a Managed Service Provider environment, the IP address space on a shared network, such as the “Internet” network in Figure 25, is under the control of the service provider. If the tenant connections to that network were, for example, per-tenant physical firewalls managed by the provider, the consumption of addresses on the Internet network would also remain under the provider's control. Allocating an Internet address to a particular tenant would be accomplished by configuring NAT on the appropriate firewall, which would then answer for that address on the Internet network and translate the IP packets destined for it according to the NAT statement.
If, as may be the case in a Cloud Service Provider environment, the customer can configure their own firewall NAT rules or load balancer VIPs, then without some form of control they could consume as many Internet addresses as they wanted and, conceivably, configure an address that is already in use by another tenant on the same network, causing a service disruption for that tenant. To manage this scenario, vCloud Director introduces the concept of address sub-allocation. Before an Edge Services Gateway can consume addresses on an external network (other than its assigned interface address), a range of addresses must be sub-allocated to it; the tenant cannot configure NAT rules or VIPs on that gateway using external addresses outside the sub-allocated range. This is a two-stage process. First, the external network's subnet and its IP pool are defined in the External Networks properties dialog, as shown in the following figure.
Figure 27. External Network IP Address Assignment
 
Then, once the external network has at least one IP pool, addresses from that pool can be sub-allocated to the connected Edge Services Gateways. The sub-allocation is carried out in the Edge Services Gateway configuration, as shown in the following figure.
Figure 28. Sub-Allocation of External Network Addresses
In this example, the Edge Services Gateway “ACME_GW2” has been assigned the range 100.64.67.20 to 100.64.67.29 (ten addresses). These addresses are in the subnet directly connected to the gateway's uplink interface, so they do not need to be routed to the Edge Services Gateway (it answers for them on the connected segment), and therefore the range does not need to fall on a subnet boundary; any contiguous range within the pool will do. Should the tenant require more addresses in the future, they can be added with a subsequent sub-allocation from the same IP pool. Should the parent IP pool become exhausted, another IP pool can be added to the external network and further sub-allocations made from it, but care should be taken when doing so: the upstream gateway device will need a secondary interface address on the new subnet, and the default gateway and routing configuration become more complex to configure and troubleshoot.
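The following Python is an added example, not code from the guide or from vCloud Director. It models the checks that sub-allocation exists to enforce on a shared external network: a tenant gateway may only be given addresses that lie inside one of the provider's IP pools, that do not include the upstream gateway or another edge's interface address, and that do not overlap a range already sub-allocated to another tenant; ranges are arbitrary contiguous spans, not subnet-aligned blocks. The "Internet" network, its /24, the pool range .10 to .250, the gateway at .1 and the second edge "OTHER_GW" are all constructed for the example; only ACME_GW2 and its .20 to .29 range come from Figure 28. It also returns the operational warning the text raises when a range comes from a second pool in a different subnet.

```python
"""Validate tenant sub-allocations on a shared external network (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class IpRange:
    """Inclusive address range; it need not align to a subnet boundary."""
    start: IPv4Address
    end: IPv4Address

    def __post_init__(self):
        if self.start > self.end:
            raise ValueError(f"start {self.start} is after end {self.end}")

    def __contains__(self, addr: IPv4Address) -> bool:
        return self.start <= addr <= self.end

    def overlaps(self, other: "IpRange") -> bool:
        return self.start <= other.end and other.start <= self.end

    def __len__(self) -> int:
        return int(self.end) - int(self.start) + 1


def parse_range(text: str) -> IpRange:
    """Parse 'a.b.c.d-a.b.c.e' (or a single address) into an IpRange."""
    first, _, last = text.partition("-")
    return IpRange(ip_address(first.strip()), ip_address((last or first).strip()))


@dataclass
class IpPool:
    network: IPv4Network   # subnet the pool lives in (Figure 27)
    gateway: IPv4Address   # upstream router's address on that subnet
    usable: IpRange        # provider-defined range tenants may draw from

    def __post_init__(self):
        for a in (self.gateway, self.usable.start, self.usable.end):
            if a not in self.network:
                raise ValueError(f"{a} is not in {self.network}")


@dataclass
class ExternalNetwork:
    name: str
    pools: list
    suballocations: dict = field(default_factory=dict)  # edge -> [IpRange] (Figure 28)
    interface_ips: dict = field(default_factory=dict)   # edge -> uplink address

    def _pool_for(self, rng: IpRange):
        return next((p for p in self.pools
                     if rng.start in p.usable and rng.end in p.usable), None)

    def suballocate(self, edge: str, rng: IpRange) -> list:
        """Record a sub-allocation or raise ValueError; returns warnings."""
        pool = self._pool_for(rng)
        if pool is None:
            raise ValueError(f"{rng.start}-{rng.end} is not inside a single IP pool of {self.name}")
        if pool.gateway in rng:
            raise ValueError(f"range includes the upstream gateway {pool.gateway}")
        for other, ranges in self.suballocations.items():
            for existing in ranges:
                if rng.overlaps(existing):
                    raise ValueError(f"{rng.start}-{rng.end} overlaps "
                                     f"{existing.start}-{existing.end} held by {other}")
        for other, ip in self.interface_ips.items():
            if ip in rng:
                raise ValueError(f"range includes {other}'s interface address {ip}")
        warnings = []
        own_ip = self.interface_ips.get(edge)
        if own_ip is not None and own_ip not in pool.network:
            # Second pool on another subnet: the text's caveat about secondary addresses.
            warnings.append(f"{edge}: range is in {pool.network} but uplink {own_ip} is not; "
                            "the upstream gateway needs a secondary address on this subnet")
        self.suballocations.setdefault(edge, []).append(rng)
        return warnings

    def free_addresses(self) -> int:
        """Pool addresses not consumed by edge uplinks or sub-allocations."""
        total = sum(len(p.usable) for p in self.pools)
        used = sum(len(r) for rs in self.suballocations.values() for r in rs)
        used += sum(1 for ip in self.interface_ips.values() if self._pool_for(IpRange(ip, ip)))
        return total - used


def demo() -> dict:
    """Constructed scenario: ACME_GW2 holds Figure 28's range; OTHER_GW makes requests."""
    internet = ExternalNetwork("Internet", pools=[
        IpPool(ip_network("100.64.67.0/24"), ip_address("100.64.67.1"),
               parse_range("100.64.67.10-100.64.67.250"))])
    internet.interface_ips["ACME_GW2"] = ip_address("100.64.67.10")  # constructed
    internet.interface_ips["OTHER_GW"] = ip_address("100.64.67.11")  # constructed
    internet.suballocate("ACME_GW2", parse_range("100.64.67.20-100.64.67.29"))
    results = {}
    for req in ("100.64.67.25-100.64.67.34",   # collides with ACME_GW2: rejected
                "100.64.67.1-100.64.67.5",     # gateway, outside the pool: rejected
                "100.64.67.30-100.64.67.39"):  # contiguous, not subnet-aligned: accepted
        try:
            internet.suballocate("OTHER_GW", parse_range(req))
            results[req] = "ok"
        except ValueError as e:
            results[req] = str(e)
    results["free"] = internet.free_addresses()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The overlap check is the one that matters for the service-disruption case in the text: it is performed against every other edge's ranges, not just the requesting tenant's, so a second tenant cannot claim an address ACME_GW2 is already answering for.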