After my introduction on vCD last week, I thought it was time to publish an article on networking. Networking is probably the most complex concept of vCD (VMware vCloud Director) and can at times be very confusing. I have written three articles which explain the concepts of networking within vCD and, of course, explain on a technical level how things work, including the vSphere layer.
If there are any questions don’t hesitate to leave a comment. Please note that I am deliberately trying to simplify things in this first article as I don’t want you to get lost in any of the layers of networking vCD offers.
Layered
Networking within vCD is built up out of three distinct layers:
- External Network
- Org Network
- vApp Network
These three layers exist to give the end-user the flexibility needed in a multi-purpose virtual datacenter. I have depicted all three layers in the following diagram, which shows the logical relationship between them:
Some of you technical guys might say: that's nice, but I would like to see something less abstract. So I created a second diagram which depicts the layers in a different way. It shows a single External Network which links to two Org Networks. These Org Networks in their turn connect to multiple VMs (Org Y) and multiple vApps (Org X).
This is just an example, but it illustrates the possible network connections, and as can clearly be seen it can get rather complex. As demonstrated, there are multiple ways to connect vApps to each other or to the outside world.
Now that we know the basics, I will break down the three layers of networking before we discuss any of the advanced options like vShield Edge or Network Pools.
External Network
The External Network is used for inter-Cloud connections, or as I like to call it "your connection to the outside world". It is the first network "object" that you create within vCD. An External Network is always backed by a portgroup, meaning that the portgroup needs to exist within vSphere before you can create this vCD network object. This portgroup can be on a regular vSwitch, a dvSwitch or a Nexus 1KV. It all works, and all of them are supported!
Of course it is strongly recommended to set this portgroup up with a VLAN for layer 2 isolation: without one, every VM attached to the External Network shares a broadcast domain with whatever else lives on that untagged segment. Note again that this is an outward-facing connection for a single Org or for multiple Orgs.
Examples of External Networks are:
- VPN to customer site
- Internet connection
As said, an External Network can be shared between organizations but is typically created per organization, and it is your connection from or to your virtual datacenter.
I would like to stress that: the External Network is your exit from, or your entrance to, your virtual datacenter!
Org Network
The second object that is created is the Org Network. The Org Network is used for intra-Cloud connections, or as I like to call it "Cloud internal traffic". An Org Network is linked to an organization and can be:
- Directly connected to an External Network
- NAT/Routed connected to an External Network
- Completely Isolated
In other words: although an Org Network is primarily intended for internal traffic, it can be linked to an External Network to create an entry to or exit from your virtual datacenter. Note that it doesn't necessarily need to be connected to an External Network; it can be completely isolated and used for "Cloud internal traffic" only! A use case for this would be a test/dev environment where vApps need to communicate with each other but not with the tenant's back-end.
It should also be noted that the Org Network is mandatory! Every organization needs an Org Network; it is the only mandatory network object.
Just for completeness: an Org Network consumes a segment from a Network Pool when it is NAT/Routed or Isolated. A Network Pool is a collection of L2 networks which vCD automatically consumes when needed, and what I call a segment is one of those L2 networks, basically a portgroup. I will explain Network Pools more in-depth in part 2.
When an Org Network is directly connected it is just a logical entity and doesn't physically exist: the VMs simply land on the portgroup that backs the External Network, with no NAT in between. In part 3 I will show what that looks like in vCenter.
vApp Network
The vApp Network resembles the Org Network in that it also consumes a segment from a Network Pool when it is NAT/Routed or Isolated. The vApp Network enables you to have a vApp-internal network, which is useful for isolating specific VMs of a vApp. The vApp Network can be:
- Directly connected to an Org Network
- NAT/Routed to an Org Network
- Completely Isolated
It should be noted that the "directly connected" option for both the Org Network and the vApp Network is just a logical connection. In the back-end the VMs are simply attached to the portgroup of the layer above, so a direct-connected vApp Network on a direct-connected Org Network puts those VMs straight onto the External Network's portgroup.
As shown in the earlier diagram and explained above, a vApp can contain multiple networks. This can be used to isolate specific VMs from the outside world. An example is shown in the following diagram, where only the Web server has a connection to the Org Network; the App and Database servers sit on an isolated vApp Network and can only reach the Web server, which is connected to both.
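To make the rules from the External, Org and vApp Network sections concrete, here is a small Python model. It is an added example written for this article, not code from the post, from vCD or from VMware. It encodes the rules stated above: an External Network must be backed by an existing portgroup and should carry a VLAN, every Org needs an Org Network, only NAT/Routed and Isolated networks take a segment from a Network Pool, and a "directly connected" network is purely logical, so the VM lands on the portgroup of the layer above. The sample topology at the bottom is the three-tier vApp from the diagram plus a routed Org Y; all names, portgroups and pool segments are constructed for the example, and `validate()`, `exposure()`, `l2_domains()` and the other helpers are names of my own, not vCD API calls.

```python
"""Toy model of the three vCD network layers (External, Org, vApp).

Added example for this article, not code from the post or from VMware; the
networks, portgroups and Network Pool at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
DIRECT, ROUTED, ISOLATED = "direct", "routed", "isolated"

@dataclass
class ExternalNetwork:
    name: str
    portgroup: str       # must already exist in vSphere (vSwitch, dvSwitch or N1KV)
    vlan: Optional[int]  # None = untagged, which the post advises against

@dataclass
class OrgNetwork:
    name: str
    org: str
    mode: str                                   # DIRECT, ROUTED or ISOLATED
    external: Optional[ExternalNetwork] = None  # layer above; None when ISOLATED

@dataclass
class VAppNetwork:
    name: str
    vapp: str
    mode: str
    org_network: Optional[OrgNetwork] = None    # layer above; None when ISOLATED

def parent_of(net):
    """The layer a network connects to (None for External or isolated ones)."""
    if isinstance(net, OrgNetwork):
        return net.external
    return net.org_network if isinstance(net, VAppNetwork) else None

def validate(orgs, vsphere_portgroups, externals, org_nets, vapp_nets) -> List[str]:
    """Rule violations from the post; an empty list means the topology is legal."""
    problems = []
    for ext in externals:
        if ext.portgroup not in vsphere_portgroups:
            problems.append(f"{ext.name}: portgroup {ext.portgroup} does not exist in vSphere")
        if ext.vlan is None:
            problems.append(f"{ext.name}: no VLAN, so no layer 2 isolation on the External Network")
    for org in orgs:  # the Org Network is the only mandatory network object
        if not any(n.org == org for n in org_nets):
            problems.append(f"{org}: every organization needs an Org Network")
    for net in list(org_nets) + list(vapp_nets):
        if (net.mode == ISOLATED) != (parent_of(net) is None):
            problems.append(f"{net.name}: {net.mode} networks connect to the layer above only if not isolated")
    return problems

def allocate_segments(pool: List[str], org_nets, vapp_nets) -> Dict[str, str]:
    """One pool segment (portgroup) per NAT/Routed or Isolated network, Org first; direct ones consume nothing."""
    free, allocation = list(pool), {}
    for net in list(org_nets) + list(vapp_nets):
        if net.mode == DIRECT:
            continue
        if not free:
            raise RuntimeError(f"Network Pool exhausted while creating {net.name}")
        allocation[net.name] = free.pop(0)
    return allocation

def backing_portgroup(net, allocation: Dict[str, str]) -> str:
    """The vSphere portgroup a NIC on `net` really lands on; direct resolves to the layer above."""
    if isinstance(net, ExternalNetwork):
        return net.portgroup
    if net.mode == DIRECT:
        return backing_portgroup(parent_of(net), allocation)
    return allocation[net.name]

def exposure(net) -> str:
    """'direct' = same L2 domain as the External Network, 'routed' = behind NAT, 'isolated' = no path out."""
    routed_hop = False
    while not isinstance(net, ExternalNetwork):
        if net.mode == ISOLATED:
            return ISOLATED
        routed_hop = routed_hop or net.mode == ROUTED
        net = parent_of(net)
    return ROUTED if routed_hop else DIRECT

def l2_domains(vm_nics: Dict[str, list], allocation) -> Dict[str, Set[str]]:
    """Group VMs by backing portgroup: one group = one broadcast domain, whatever Org or vApp they are in."""
    domains: Dict[str, Set[str]] = {}
    for vm, nets in vm_nics.items():
        for net in nets:
            domains.setdefault(backing_portgroup(net, allocation), set()).add(vm)
    return domains

# Constructed sample: Org X direct, Org Y routed, and the post's three-tier vApp.
INTERNET = ExternalNetwork("internet", "dvPG-ext-100", vlan=100)
ORGX_NET = OrgNetwork("orgX-net", "OrgX", DIRECT, INTERNET)
ORGY_NET = OrgNetwork("orgY-net", "OrgY", ROUTED, INTERNET)
FRONTEND = VAppNetwork("3tier-front", "3tier", DIRECT, ORGX_NET)
BACKEND = VAppNetwork("3tier-back", "3tier", ISOLATED)  # app and db live here
ORG_NETS, VAPP_NETS = [ORGX_NET, ORGY_NET], [FRONTEND, BACKEND]
POOL = ["dvPG-pool-2001", "dvPG-pool-2002", "dvPG-pool-2003"]
VM_NICS = {"web": [FRONTEND, BACKEND], "app": [BACKEND], "db": [BACKEND], "orgY-vm1": [ORGY_NET]}

if __name__ == "__main__":
    ALLOC = allocate_segments(POOL, ORG_NETS, VAPP_NETS)
    print(ALLOC, l2_domains(VM_NICS, ALLOC), {vm: [exposure(n) for n in ns] for vm, ns in VM_NICS.items()})
```

Running it shows the point of the "directly connected" caveat: the web server, on a direct vApp Network on a direct Org Network, ends up on the External Network's own portgroup (dvPG-ext-100) with no NAT in front of it, while app and db sit on a pool segment that nothing outside the vApp can reach, and only the two routed/isolated networks cost a pool segment. Run the same model against your own design before you build it, then follow the tip at the end of the article and check in vCenter that the portgroups match.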
Summary
vCD has three different layers of networking. Each of these layers has a specific purpose. The External Network is your connection to the outside world, the Org Network is linked to a specific Organization and the vApp network only resides within a vApp.
That is it for Part 1. Part 2 will focus on the Network Pools and Part 3 will focus on what these vApp, Org and External Networks look like on a vSphere layer and some general best practices.
My tip of the day, if you want to get to know vCD really well, check vCenter every time you make a change and see what happens!
UPDATE: for a full schematic overview check Hany’s awesome diagram.
Simon Long says
Nice Duncan nice!
I like the tip of the day, I’m going to do that a lot more from now on.
Thanks
sanjai says
Duncan,
Nice intro about vCD, I'd already tried vShield in the lab, awaiting parts 2 & 3.
It sounds like a vApp, a small block, communicates to the Org Network, which is a bigger block.
Thanks
Chakrit says
Thank you!
sam keen says
Thanks that is a very easy to understand overview appreciate it.
Magnus says
Hi Duncan,
Is it possible to enable a "NO IP" option (vCloud Director 1.5) for the networks you create, as you can do in Lab Manager?
What I want to achieve is to deploy test and lab environments which include ESXi hosts, and I do not want to set IP addresses for these VMs when I create the vApps.
thanks
/Magnus
Godfrey says
Thanks, I'm new to vCD. I know the most difficult part is getting to grips with the networking; thanks for this post, I'm now going on to Part 2 then Part 3.
GuruRam says
Though I have been working with vCD for some time, your articles helped me understand the concepts better – Thanks!
Godfrey says
Good morning again and thanks for this wonderful website. Like I said before I'm new to vCD, and I would like to ask the following questions:
vCD, I know, provides Infrastructure as a Service; can it be used for the following:
1) Provision Windows workstations for hundreds of end users for day-to-day work, working at home or in the office
2) If users are working from home, what will be the best-practice way to connect, i.e. via VPN etc.?
3) Can VMware View work alongside vCD for desktop virtualisation?
Prasad says
IT gave our team one subnet with 254 IPs.
I am trying to POC vCloud, but I do not have VLANs created in my switch and almost all the ports are allocated. I cannot create VLANs now.
I created an external network with VLAN as none and it got created.
I am getting an error when trying to create a vSphere port group-backed network pool; the error is: "Port group "dvPortGroup2" has a conflicting VLAN with another port group that is currently being used".
I also tried to check the option in Administration -> General:
Allow Overlapping External Networks.
MY BIG QUESTION IS,
Can we create a vCloud infrastructure without VLANs?
This is just a POC; IT takes 8 to 12 weeks to get our team a new subnet with VLANs.
Please help.
Duncan says
Create portgroups!
Prasad says
dvPortGroup2 is the new port group I created with VLAN as none. I am trying this new port group.
Is it possible to build vCloud without VLANs?
I want to have all the vApps allocated the external IPs set up.
Jordansphere says
Prasad. I believe you need to enable “Allow overlapping External Networks” System -> Administration -> General. This will let you split up your /23 without using vlans.
Craig Jenkins says
Thanks Duncan, great article, I am pleased you have made it easy and also precise.