Architecting Tenant Networking with NSX in vCloud Director : IP Address Management and Routing : 5.5 Routing in a Multitenant Service Provider Environment : 5.5.1 Provider Data Center Internet Routing
   
5.5.1 Provider Data Center Internet Routing
Using the model from Section 5.3, Internet Address Management, there are two types of address that need to be advertised from the vCloud Director environment to the upstream data center Internet access; both are subnets allocated to the “Internet” external networks in that section. The “red” Shared Internet network is directly connected to the upstream router and so is automatically present in that router’s routing table as a connected route.
Figure 29. Provider Internet Routing
 
The first routing exchange in this figure (1) is the advertisement of the Tenant 4 F/W Inner subnet to the next-hop gateway of the Shared Internet external network. This is necessary because the F/W Inner network is not directly connected to the Shared Internet network and would otherwise be unreachable from the upstream router. The choice of routing protocol used between the dedicated firewall and the upstream router depends upon a number of factors, but typically follows the service provider’s established standard. Some service providers do not run dynamic routing protocols on physical firewalls as a security precaution and, were that to be the case here, a static route would need to be configured on the Shared Internet router directing traffic for the F/W Inner subnet to the “.204” address on the connected, shared network. Similarly, the dedicated firewall would need its default gateway set to the “.254” address of the upstream router. Where a dynamic protocol is used instead, the Shared Internet router should accept from the firewall only the prefixes that tenant is entitled to originate, so that a misconfigured or compromised firewall cannot inject a default route or another tenant’s subnet into the shared network.
The second routing exchange (2) is the advertisement of the Shared Internet subnet (in this example 100.64.67.0/24) to the next-hop Internet router within, or upstream of, the provider data center. This would usually be carried out using Border Gateway Protocol (BGP), and the respective Autonomous Systems (AS) within which the two routers sit determine whether this is Internal BGP (iBGP) or External BGP (eBGP). After the Shared Internet router establishes a peering relationship with its upstream neighbor (2), it advertises reachability of the connected Shared Internet subnet and of the F/W Inner subnet, which it learned through the dynamic or static routing process in (1). An outbound prefix filter on this peering, permitting only the provider’s own allocations, is the usual safeguard against leaking anything else that finds its way into the Shared Internet router’s table.
While not explicitly discussed earlier, it is possible for a customer to use registered Internet addressing on an Org VDC network. This might be a range allocated by their service provider, or a Provider Independent Address (PIA) range which the customer already owns. To illustrate this, the usual web network in the Tenant 1 Org VDC in the following figure has been replaced with a routed “DMZ” network. Although not shown, the network would be addressed from a range of public Internet addresses, with the Edge Services Gateway interface consuming one address and the remaining usable addresses allocated to an IP pool for assignment to vApps connected to that network. A customer-owned range advertised in this way must also be added to the provider’s outbound BGP filter, otherwise the upstream advertisement in (2) will not carry it.
Figure 30. Routed DMZ Org VDC Network
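The following Python model is an added illustration of the two routing exchanges in Figure 29 and of the DMZ case in Figure 30; it is not configuration from this paper or from any VMware product. It reproduces the Shared Internet router’s table (connected 100.64.67.0/24, static route for the F/W Inner subnet via “.204”, default towards the upstream neighbor), the dedicated firewall’s default gateway to “.254”, and an outbound BGP prefix filter that only announces prefixes inside provider-owned allocations. The F/W Inner subnet (100.64.68.0/24), the provider allocation (100.64.64.0/21), the uplink addressing (192.0.2.0/30) and the tenant PIA range (203.0.113.0/24) are assumed values for the example; only 100.64.67.0/24, .204 and .254 come from the text.

```python
"""Model of the Figure 29 routing exchanges with an outbound BGP prefix filter.

Added example, not configuration from the paper. Values taken from the page:
Shared Internet subnet 100.64.67.0/24, router at .254, dedicated firewall at .204.
All other addresses below are assumed for illustration.
"""
import ipaddress

SHARED_INTERNET = ipaddress.ip_network("100.64.67.0/24")
ROUTER_ADDR = ipaddress.ip_address("100.64.67.254")
FIREWALL_OUTER = ipaddress.ip_address("100.64.67.204")
FW_INNER = ipaddress.ip_network("100.64.68.0/24")           # assumed Tenant 4 F/W Inner
UPLINK = ipaddress.ip_network("192.0.2.0/30")               # assumed link to upstream router
UPSTREAM_ADDR = ipaddress.ip_address("192.0.2.1")           # assumed upstream neighbor (2)
PROVIDER_ALLOCATIONS = [ipaddress.ip_network("100.64.64.0/21")]  # assumed provider-owned block
TENANT_PIA = ipaddress.ip_network("203.0.113.0/24")         # assumed customer-owned DMZ range
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


class Route:
    def __init__(self, prefix, next_hop, source):
        self.prefix = ipaddress.ip_network(prefix)
        self.next_hop = None if next_hop is None else ipaddress.ip_address(next_hop)
        self.source = source  # "connected", "static" or "learned" (from a neighbor)


class Router:
    def __init__(self, name):
        self.name = name
        self.routes = []

    def add(self, prefix, next_hop=None, source="static"):
        self.routes.append(Route(prefix, next_hop, source))

    def lookup(self, dst):
        """Longest-prefix match: returns the winning Route, or None if no route covers dst."""
        dst = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def bgp_advertisements(self, allowed):
        """Prefixes announced to the upstream BGP neighbor after an outbound prefix-list.

        The default route is never announced, and every other prefix must fall inside
        one of the allowed blocks regardless of how it entered the table. This is the
        check that stops a device on the shared network from leaking a route the
        provider does not own (or has not been authorised to originate) to the Internet.
        """
        out = set()
        for r in self.routes:
            if r.prefix == DEFAULT:
                continue
            if any(r.prefix.subnet_of(block) for block in allowed):
                out.add(r.prefix)
        return sorted(out)


def build_firewall():
    """Tenant 4 dedicated firewall: two connected interfaces and a default gateway to .254."""
    fw = Router("tenant4-firewall")
    fw.add(SHARED_INTERNET, source="connected")   # outer interface, .204 on the shared network
    fw.add(FW_INNER, source="connected")          # inner interface
    fw.add(DEFAULT, ROUTER_ADDR)                  # default gateway to the Shared Internet router
    return fw


def build_shared_internet_router(learned_from_firewall=()):
    """Shared Internet router: connected shared subnet, static route to F/W Inner via .204,
    default towards the upstream neighbor. Optionally also takes prefixes a dynamically
    routing firewall tried to send it, so the outbound filter can be exercised."""
    r = Router("shared-internet-router")
    r.add(SHARED_INTERNET, source="connected")    # .254 on the shared network
    r.add(UPLINK, source="connected")
    r.add(FW_INNER, FIREWALL_OUTER)               # exchange (1) as a static route
    r.add(DEFAULT, UPSTREAM_ADDR)                 # everything else goes upstream
    for prefix in learned_from_firewall:          # exchange (1) as a dynamic route instead
        r.add(prefix, FIREWALL_OUTER, source="learned")
    return r


if __name__ == "__main__":
    router = build_shared_internet_router(
        learned_from_firewall=["0.0.0.0/0", "100.64.200.0/24", str(TENANT_PIA)])
    print("F/W Inner host via", router.lookup("100.64.68.10").next_hop)
    print("announced:", [str(p) for p in router.bgp_advertisements(PROVIDER_ALLOCATIONS)])
    print("with PIA authorised:",
          [str(p) for p in router.bgp_advertisements(PROVIDER_ALLOCATIONS + [TENANT_PIA])])
```

Running the block shows that a firewall injecting a default route or a prefix outside the provider’s allocation (100.64.200.0/24 here) changes nothing upstream, while the customer’s PIA range is announced only once the provider has added it to the allow-list, which mirrors the DMZ case in Figure 30.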