Changing VLAN ID on External Networks in vCloud Director

Recently I encountered a situation where we had to change the VLAN ID of an external network in vCloud Director. It seems this can be done easily by changing the port group VLAN in vSphere: the External Networks list in vCloud Director immediately showed the new VLAN ID next to the external network, so you could think all is well.

Unfortunately, this is again one of those situations where you really have to be careful what you do in vSphere on objects managed by vCloud Director. Although everything seems to work fine, the next time you try to create an external network or network pool with the original VLAN ID you will receive the error message: "Port group 'dvPortGroup-XXX' has a conflicting VLAN with another port group that is currently being used." The reason is that vCloud Director tracks used VLANs in its own table, vlan_in_use, and the old VLAN ID is still present there. What is probably even worse, the new VLAN ID is not there, so you can, for example, create a network pool with the new VLAN ID and thereby create a security issue: a VM on the external network could see network pool traffic.

So what is the correct way to change an external network VLAN ID? Unfortunately, you have to remove the external network from vCloud Director (which usually means disconnecting all org networks and vApps), change the VLAN ID in vSphere, and then recreate the external network in vCloud Director. Editing the database directly could also be considered, but this is definitely not supported and should be avoided in production.
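As an added example (not from this post and not VMware code), the following script models the bookkeeping problem described above: it compares the live port group VLANs in vSphere with the VLANs vCloud Director recorded for its objects and reports stale records, live VLANs that vCD does not track, and network pools whose VLAN collides with an external network. The PortGroup and VcdRecord structures and both inventories are constructed assumptions; in practice you would fill them from vSphere (for example PowerCLI Get-VDPortgroup) and from the vCD external network and network pool views.

```python
"""Compare VLANs configured on vSphere port groups with the VLANs vCloud Director
(vCD) recorded when its objects were created, mirroring the vlan_in_use
bookkeeping described in the post. Added example, not vCD code; the
inventories are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PortGroup:
    name: str                       # dvPortGroup name in vSphere
    vlan_id: int                    # VLAN currently configured in vSphere

@dataclass(frozen=True)
class VcdRecord:
    kind: str                        # "external_network" or "network_pool"
    vlan_id: int                     # VLAN vCD recorded at creation time
    portgroup: Optional[str] = None  # backing port group (external networks)

def find_vlan_drift(vsphere, vcd):
    """Return (stale, untracked, overlaps):
    stale     - external network records whose recorded VLAN differs from the
                live port group VLAN (the old ID stays "in use" in vCD);
    untracked - live VLANs of vCD-backed port groups that vCD records nowhere
                (vCD would hand them out to a new network pool);
    overlaps  - network pool VLANs equal to an external network's live VLAN."""
    live = {pg.name: pg.vlan_id for pg in vsphere}
    ext = [r for r in vcd if r.kind == "external_network" and r.portgroup in live]
    stale = [r for r in ext if live[r.portgroup] != r.vlan_id]
    ext_live = {live[r.portgroup] for r in ext}
    untracked = sorted(ext_live - {r.vlan_id for r in vcd})
    overlaps = [r for r in vcd if r.kind == "network_pool" and r.vlan_id in ext_live]
    return stale, untracked, overlaps

# Constructed scenario: dvPortGroup-ext was moved from VLAN 100 to 200 in vSphere
# only, and a network pool on VLAN 200 was then created in vCD (accepted, since
# vCD still believes only 100 and 250 are in use); dvPortGroup-ext2 was moved
# from 250 to 300 and nothing in vCD knows about 300 yet.
VSPHERE = [PortGroup("dvPortGroup-ext", 200), PortGroup("dvPortGroup-ext2", 300)]
VCD = [
    VcdRecord("external_network", 100, "dvPortGroup-ext"),
    VcdRecord("external_network", 250, "dvPortGroup-ext2"),
    VcdRecord("network_pool", 200),
]

if __name__ == "__main__":
    stale, untracked, overlaps = find_vlan_drift(VSPHERE, VCD)
    print("stale:", [(r.portgroup, r.vlan_id) for r in stale])
    print("untracked live VLANs:", untracked, "| overlapping pools:", [r.vlan_id for r in overlaps])
```

Any non-empty result means vCD's view of VLAN usage no longer matches vSphere and the external network should be removed and recreated as described above.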

Update 13 October 2012: There is a KB article describing an official workaround that might solve this problem:


