I consider it something of a life mission to make complex networking scenarios, physical or virtual, easy to understand at a glance. Let’s just say it’s a tough mission! The last entry was a bit of a mess trying to show how the various network pool backing schemes work down at the provider level, but for this entry we are moving a level up to the organization level. The goal today is to provide a snapshot of how networking works on the vCD consumer side. I think this one came out much better!
What’s being illustrated above is the various flavors of vCD organizational networks. Some quick points for review:
- Networks in a vCD organization (tenant) can be defined at two levels:
  - Organization Virtual Datacenter (vDC) networks: these are the basic building block of vCD networking and are your main virtual tenant networks.
  - vApp networks: these are networks associated specifically with a vApp and shared only by the VMs within that vApp.
- Each of these networks has three main connection options (how it connects to the next network level down):
  - Routed: routed networks utilize a vShield Edge for layer 3 services. Routed org vDC networks route to the provider external network, which means a vShield Edge is auto-deployed with one of its interfaces in the provider external network port group and the other in the org vDC network port group. vApp networks, on the other hand, route into org vDC networks. This hierarchy is important to note: org networks connect to provider networks, vApp networks connect to org networks, always moving one level down.
  - Direct: direct networks, as implied, connect directly to the next network level down. For org networks that means they sit in the external network port group; for vApp networks, they sit in the org network port group. No vShield Edge is deployed in this case and IP addressing is flat.
  - Isolated: an interesting one, isolated networks don’t connect to anything. It is possible to create a connection between two isolated networks manually by attaching a VM to both of them and enabling routing on it (although that would somewhat defeat the purpose).
- In addition to the above, vApp networks add a fourth option – fenced. Fenced networks utilize a vShield Edge, essentially, as a bridge with filtering. This allows multiple vApp networks with overlapping IP space to coexist within one org network. Again, usage of this construct is very scenario specific.
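As an added example (my own code, not part of the original post or of vCD itself), here is a small Python model of the hierarchy above: it enforces the one-level-down rule and walks any network down to the provider external network, listing the vShield Edges that sit between a VM on that network and the outside. A direct vApp network on a direct org network comes back with no Edge at all, which is exactly the flat, unfiltered case worth spotting in a review. The network names and the "external" label are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed model of the hierarchy the post describes: org vDC networks connect down to the
# provider external network (placeholder name "external"), vApp networks connect down to an org network.
EDGE_TYPES = {"routed", "fenced"}  # connection types that deploy a vShield Edge
ALLOWED = {"org": {"routed", "direct", "isolated"}, "vapp": {"routed", "direct", "isolated", "fenced"}}

@dataclass
class Network:
    name: str
    level: str             # "org" or "vapp"
    connection: str        # routed | direct | isolated | fenced
    parent: Optional[str]  # "external", an org network name, or None when isolated

def validate(net: Network, nets: Dict[str, Network]) -> None:
    # Reject definitions that break the one-level-down rule.
    if net.connection not in ALLOWED[net.level]:
        raise ValueError(f"{net.name}: '{net.connection}' is not valid at the {net.level} level")
    if net.connection == "isolated":
        if net.parent is not None:
            raise ValueError(f"{net.name}: isolated networks connect to nothing")
        return
    if net.level == "org" and net.parent != "external":
        raise ValueError(f"{net.name}: org networks connect only to the external network")
    if net.level == "vapp" and getattr(nets.get(net.parent), "level", None) != "org":
        raise ValueError(f"{net.name}: vApp networks connect only to an org vDC network")

def edges_to_external(name: str, nets: Dict[str, Network]) -> Optional[List[str]]:
    """Walk down to the external network, collecting each vShield Edge crossed.
    None: no path out (isolated). []: flat reachability with no Edge filtering traffic."""
    hops: List[str] = []
    cur = nets[name]
    while True:
        if cur.connection == "isolated":
            return None
        if cur.connection in EDGE_TYPES:
            hops.append(cur.name)
        if cur.level == "org":
            return hops          # reached the provider external network
        cur = nets[cur.parent]   # move one level down

def build_sample() -> Dict[str, Network]:
    """Constructed tenant: two org networks and four vApp networks, all validated."""
    defs = [Network("org-routed", "org", "routed", "external"),
            Network("org-direct", "org", "direct", "external"),
            Network("vapp-a", "vapp", "routed", "org-routed"),  # two Edges between VM and outside
            Network("vapp-b", "vapp", "direct", "org-direct"),  # flat all the way out
            Network("vapp-c", "vapp", "fenced", "org-direct"),  # one Edge acting as filtering bridge
            Network("vapp-d", "vapp", "isolated", None)]
    nets = {n.name: n for n in defs}
    for n in defs:
        validate(n, nets)
    return nets
```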