There are three categories of vCloud Director networks: external networks, organization VDC networks, and vApp networks. Additional infrastructure objects such as Edge Gateways and network pools are required by most categories of networks and must be created by a system administrator.

You must be a system administrator to create an external network, a directly connected organization VDC network, a network pool, or an Edge Gateway. An organization administrator can create and modify routed and isolated organization VDC networks, and any user who has vApp Author rights can create and modify a vApp network.

A vApp network is a logical network that controls how the virtual machines in a vApp connect to each other and to organization VDC networks. Users can create and update vApp networks and connect them to organization VDC networks. See About vApp Networks.

An organization VDC network allows virtual machines in the organization VDC to communicate with each other and to access other networks, including organization VDC networks and external networks, either directly or through an Edge Gateway that can provide firewall and NAT services.

A direct organization VDC network connects directly to an external network. Only a system administrator can create a direct organization VDC network.

A routed organization VDC network connects to an external network through an Edge Gateway. A routed organization VDC network also requires the containing VDC to include a network pool. After a system administrator has provisioned an organization VDC with an Edge Gateway and associated it with a network pool, organization administrators or system administrators can create routed organization VDC networks in that VDC.

An isolated organization VDC network does not require an Edge Gateway or external network, but does require the containing VDC to be associated with a network pool. After a system administrator has created an organization VDC with a network pool, organization administrators or system administrators can create isolated organization VDC networks in that VDC.

Most types of organization VDC networks do not provide any network services. Isolated organization VDC networks can specify a DhcpPoolService, which provides DHCP addresses from several pools of IP address ranges. All other services, such as NAT, firewall, and load balancing, are configured by a system administrator on the Edge Gateway to which the network connects.

Types of Organization VDC Networks and Their Requirements

Organization VDC Network Connection: Direct connection to an external network.
Description: Provides direct layer 2 connectivity to machines and networks outside of the organization VDC. Machines outside of this organization VDC can connect directly to machines within the organization VDC.
Requirements: The cloud must contain an external network.

Organization VDC Network Connection: Routed connection to an external network.
Description: Provides controlled access to machines and networks outside of the organization VDC via an Edge Gateway. System administrators and organization administrators can configure network address translation (NAT) and firewall settings on the gateway to make specific virtual machines in the VDC accessible from an external network.
Requirements: The VDC must contain an Edge Gateway and a network pool.

Organization VDC Network Connection: No connection to an external network.
Description: Provides an isolated, private network that machines in the organization VDC can connect to. This network provides no incoming or outgoing connectivity to machines outside this organization VDC.
Requirements: The VDC must contain a network pool.

By default, only virtual machines in the organization VDC that contains the network can use it. When you create an organization VDC network, you can specify that it is shared. A shared organization VDC network can be used by all virtual machines in the organization.
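The following is an added example, not code from the vCloud Director documentation or from VMware. It turns the requirements table above into a pre-flight check and then builds the OrgVdcNetwork request body for whichever connection type passes. The element names and their order (OrgVdcNetwork, Configuration, IpScopes, ParentNetwork, FenceMode, EdgeGateway, IsShared) and the FenceMode values bridged, natRouted and isolated are assumed from the vCloud API v1.5 XML schema rather than taken from this page; verify them against the schema reference for your release before sending the result. The hrefs in the sample inputs are placeholders.

```python
# Added example (not from the vCloud Director documentation): build the
# OrgVdcNetwork request body for each connection type after checking the
# prerequisites in the requirements table. Element names, their order and
# the FenceMode values (bridged, natRouted, isolated) are assumed from the
# vCloud API v1.5 schema; verify them against the schema reference you use.
import xml.etree.ElementTree as ET

NS = "http://www.vmware.com/vcloud/v1.5"
FENCE_MODE = {"direct": "bridged", "routed": "natRouted", "isolated": "isolated"}


class RequirementError(Exception):
    """A prerequisite from the requirements table is not satisfied."""


def check_requirements(kind, vdc, is_sysadmin):
    """Apply the requirements table to a proposed network.

    `vdc` describes what the containing VDC (or cloud) already has: the keys
    'external_network', 'edge_gateway' and 'network_pool' hold hrefs.
    Returns a list of unmet prerequisites (empty when the network may be created).
    """
    problems = []
    if kind == "direct":
        if not is_sysadmin:
            problems.append("only a system administrator can create a direct network")
        if not vdc.get("external_network"):
            problems.append("direct network: the cloud must contain an external network")
    elif kind == "routed":
        if not vdc.get("edge_gateway"):
            problems.append("routed network: the VDC must contain an Edge Gateway")
        if not vdc.get("network_pool"):
            problems.append("routed network: the VDC must contain a network pool")
    elif kind == "isolated":
        if not vdc.get("network_pool"):
            problems.append("isolated network: the VDC must contain a network pool")
    else:
        raise ValueError(f"unknown network kind {kind!r}")
    return problems


def build_org_vdc_network(name, kind, vdc, ip_scope, is_sysadmin=False, shared=False):
    """Return the OrgVdcNetwork XML (as a string) for a POST to the VDC's networks
    link. `ip_scope` holds the gateway, netmask, start and end addresses."""
    problems = check_requirements(kind, vdc, is_sysadmin)
    if problems:
        raise RequirementError("; ".join(problems))
    ET.register_namespace("", NS)           # emit a default namespace, no prefix
    q = lambda tag: f"{{{NS}}}{tag}"        # Clark-notation helper

    root = ET.Element(q("OrgVdcNetwork"), name=name)
    conf = ET.SubElement(root, q("Configuration"))
    scope = ET.SubElement(ET.SubElement(conf, q("IpScopes")), q("IpScope"))
    ET.SubElement(scope, q("IsInherited")).text = "false"
    ET.SubElement(scope, q("Gateway")).text = ip_scope["gateway"]
    ET.SubElement(scope, q("Netmask")).text = ip_scope["netmask"]
    rng = ET.SubElement(ET.SubElement(scope, q("IpRanges")), q("IpRange"))
    ET.SubElement(rng, q("StartAddress")).text = ip_scope["start"]
    ET.SubElement(rng, q("EndAddress")).text = ip_scope["end"]
    if kind == "direct":
        # A direct network is bridged onto the external network it references.
        ET.SubElement(conf, q("ParentNetwork"), href=vdc["external_network"])
    ET.SubElement(conf, q("FenceMode")).text = FENCE_MODE[kind]
    if kind == "routed":
        # A routed network attaches to the VDC's Edge Gateway, which carries
        # the firewall and NAT policy for it.
        ET.SubElement(root, q("EdgeGateway"), href=vdc["edge_gateway"])
    # A shared network is reachable from every VDC in the organization, so
    # leave this false unless cross-VDC reachability is actually wanted.
    ET.SubElement(root, q("IsShared")).text = "true" if shared else "false"
    return ET.tostring(root, encoding="unicode")


# Constructed sample inputs (the hrefs are placeholders, not real vCD URLs).
SAMPLE_VDC = {
    "external_network": "https://vcloud.example.com/api/admin/network/ext-1",
    "edge_gateway": "https://vcloud.example.com/api/admin/edgeGateway/gw-1",
    "network_pool": "https://vcloud.example.com/api/admin/extension/networkPool/pool-1",
}
SAMPLE_SCOPE = {"gateway": "192.168.10.1", "netmask": "255.255.255.0",
                "start": "192.168.10.100", "end": "192.168.10.199"}

if __name__ == "__main__":
    print(build_org_vdc_network("app-net", "routed", SAMPLE_VDC, SAMPLE_SCOPE))
```

The check runs before any XML is built, so a request that the server would reject (a routed network in a VDC with no Edge Gateway, or a direct network requested by an organization administrator) never leaves the client.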

An Edge Gateway is a virtual router for organization VDC networks. You must be a system administrator to create an Edge Gateway.

An Edge Gateway can provide any of the following services, defined in the GatewayFeatures element of the Edge Gateway's Configuration.

FirewallService

Specifies firewall rules that, when matched, block or allow incoming or outgoing network traffic. See Firewall Service Configurations.

GatewayDhcpService

Provides DHCP services to virtual machines on the network. A variant of this service, DhcpService, is intended to provide DHCP services in vApp networks. See Gateway DHCP Service Configurations.

GatewayIpsecVpnService

Defines one or more virtual private networks that connect an Edge Gateway to another network in or outside of the cloud.

LoadBalancerService

Distributes incoming requests across a set of servers. See Load Balancer Service Configurations.

NatService

Provides network address translation services to computers on the network.

StaticRoutingService

Specifies static routes to other networks. See Static Routing Service Configurations.

For an example of adding services to an Edge Gateway, see Configure Edge Gateway Services. For more information about any of these services, see the vShield Administration Guide.
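The FirewallService and NatService entries above are where the "controlled access" of a routed network is actually decided, and a single permissive rule undoes it. The following is an added example, not code from the vCloud Director documentation or from VMware: it audits an Edge Gateway service configuration for a default action that is not drop, allow rules that open every port or an administrative port to external or any sources, inbound rules without logging, and DNAT rules that publish such ports. The element names (EdgeGatewayServiceConfiguration, FirewallService, DefaultAction, FirewallRule, NatService, GatewayNatRule and their children) are assumed from the vCloud API v1.5 schema, and the XML is a constructed, abbreviated sample rather than a response captured from a real gateway.

```python
# Added example (not from the vCloud Director documentation): audit the
# firewall and NAT services of an Edge Gateway for settings that defeat the
# controlled access a routed network is supposed to get. The element names
# (FirewallService, DefaultAction, FirewallRule, NatService, GatewayNatRule ...)
# are assumed from the vCloud API v1.5 schema; SAMPLE is a constructed,
# abbreviated configuration, not a response from a real gateway.
import xml.etree.ElementTree as ET

NS = "{http://www.vmware.com/vcloud/v1.5}"
ADMIN_PORTS = {"22", "3389", "5900", "5985", "5986"}   # ssh, rdp, vnc, winrm

SAMPLE = """<EdgeGatewayServiceConfiguration xmlns="http://www.vmware.com/vcloud/v1.5">
 <FirewallService>
  <IsEnabled>true</IsEnabled>
  <DefaultAction>allow</DefaultAction>
  <LogDefaultAction>false</LogDefaultAction>
  <FirewallRule>
   <IsEnabled>true</IsEnabled><Description>HTTPS to web tier</Description>
   <Policy>allow</Policy><Protocols><Tcp>true</Tcp></Protocols>
   <DestinationPortRange>443</DestinationPortRange><DestinationIp>192.168.10.10</DestinationIp>
   <SourcePortRange>Any</SourcePortRange><SourceIp>external</SourceIp>
   <EnableLogging>true</EnableLogging>
  </FirewallRule>
  <FirewallRule>
   <IsEnabled>true</IsEnabled><Description>temporary admin access</Description>
   <Policy>allow</Policy><Protocols><Any>true</Any></Protocols>
   <DestinationPortRange>Any</DestinationPortRange><DestinationIp>internal</DestinationIp>
   <SourcePortRange>Any</SourcePortRange><SourceIp>Any</SourceIp>
   <EnableLogging>false</EnableLogging>
  </FirewallRule>
 </FirewallService>
 <NatService>
  <IsEnabled>true</IsEnabled>
  <NatRule>
   <RuleType>DNAT</RuleType><IsEnabled>true</IsEnabled><Id>65537</Id>
   <GatewayNatRule>
    <OriginalIp>10.147.52.42</OriginalIp><OriginalPort>3389</OriginalPort>
    <TranslatedIp>192.168.10.20</TranslatedIp><TranslatedPort>3389</TranslatedPort>
    <Protocol>tcp</Protocol>
   </GatewayNatRule>
  </NatRule>
 </NatService>
</EdgeGatewayServiceConfiguration>"""


def text(el, tag, lower=True):
    """Text of a direct child element (lower-cased by default), or '' if absent."""
    child = el.find(NS + tag)
    s = (child.text or "").strip() if child is not None else ""
    return s.lower() if lower else s


def audit_gateway_services(xml_text):
    """Return (severity, message) findings for an EdgeGatewayServiceConfiguration."""
    root = ET.fromstring(xml_text)
    findings = []
    fw = root.find(NS + "FirewallService")
    if fw is None or text(fw, "IsEnabled") != "true":
        findings.append(("high", "FirewallService absent or disabled: nothing is filtered"))
    else:
        if text(fw, "DefaultAction") != "drop":
            findings.append(("high", "DefaultAction is not drop: unmatched traffic is allowed"))
        if text(fw, "LogDefaultAction") != "true":
            findings.append(("low", "LogDefaultAction is off: default-action hits are not logged"))
        for n, rule in enumerate(fw.findall(NS + "FirewallRule"), 1):
            if text(rule, "IsEnabled") != "true" or text(rule, "Policy") != "allow":
                continue                      # disabled or drop rules cannot widen access
            name = text(rule, "Description", lower=False) or f"rule {n}"
            src, port = text(rule, "SourceIp"), text(rule, "DestinationPortRange")
            inbound = src in ("any", "external")
            if inbound and port == "any":
                findings.append(("high", f"{name!r} allows every port from {src}"))
            elif inbound and port in ADMIN_PORTS:
                findings.append(("medium", f"{name!r} exposes admin port {port} to {src}"))
            if inbound and text(rule, "EnableLogging") != "true":
                findings.append(("low", f"{name!r} permits inbound traffic without logging"))
    nat = root.find(NS + "NatService")
    if nat is not None and text(nat, "IsEnabled") == "true":
        for rule in nat.findall(NS + "NatRule"):
            g = rule.find(NS + "GatewayNatRule")
            if g is None or text(rule, "RuleType") != "dnat" or text(rule, "IsEnabled") != "true":
                continue
            oport, tport = text(g, "OriginalPort"), text(g, "TranslatedPort")
            if oport == "any" or tport in ADMIN_PORTS:
                findings.append(("medium", f"DNAT {text(g, 'OriginalIp')}:{oport} -> "
                                           f"{text(g, 'TranslatedIp')}:{tport} publishes an admin port or all ports"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_gateway_services(SAMPLE):
        print(f"[{severity}] {message}")
```

Run against the sample, the audit reports five findings: the allow default action, the unlogged default action, the any-to-any allow rule, that rule's missing logging, and the DNAT rule that publishes RDP. Changing DefaultAction to drop removes one of the two high findings; the catch-all rule remains, which is the point of checking rules and default action separately.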

External networks and network pools are vSphere resources backed by vSphere portgroup, VLAN, or DVswitch objects. A system administrator must create them, as described in Create an External Network and Create a Network Pool. As a system administrator, you must supply a reference to an external network when you create an Edge Gateway. An organization VDC must include a reference to a network pool or it will not be able to able to contain routed or isolated networks. See Retrieve a List of External Networks and Network Pools