vCloud Networking: Using vShield Edge for Firewall & Routing (without NAT)

The Challenge: You are providing cloud services for a tenant using vCloud Director (obviously!) and want to provide a dedicated [routed] subnet and firewall services that are managed by the tenant admins.  Apps deployed in this cloud will be utilizing shared infrastructure services – LDAP, patching, scanning, etc – outside the cloud, so you’re trying to avoid NAT due to possible complications introduced by masking/translating source IPs.  Sound familiar?  Read on…
The release of vCloud Director (vCD) v1.5 along with vShield Edge (VSE) v5.0 provided a significant number of in-cloud networking enhancements that put a smirk on the faces of socially awkward cloud geeks everywhere.  Okay, I’ll admit it – the networking capabilities VMware has baked into vCloud Director have been one of the most intriguing components of the solution.  The combination of vCD 1.5 and VSE 5.0, riding on top of vSphere’s native networking capabilities, provide the framework for enhanced (and industry-leading) networking options for your cloud.  Check out the vCD 1.5 Technical Whitepaper for more info on these and other enhancements.
Here are the cliff notes for those who don’t care to read the marketing stuff:
  • improved network isolation at several levels within the cloud,
  • enhanced firewall capabilities,
  • baked-in VPN tunnels and the ability to securely stretch tenant networks across clouds,
  • enhanced NAT’ing flexibility,
  • the addition of static routes and layer-3 routing
Speaking of static routes and layer-3 routing (yep, that’s the best transition I can come up with), I have found many of my customers questioning what is actually possible with the use of these features.