vCloud Director: Org VDC and Org Networks

Consider this real-life private cloud use case with the following requirement for the external network connectivity of vCloud Director tenants:

“Each tenant will have the possibility to connect their vApps either to an internet-connected network or to their intranet (office) connected network, but never to both at the same time, for security reasons.”

Any vApp can be connected to a vApp network or to an organization network, and the latter can be connected to external networks (internet/intranet). So we would create one common internet external network and, for each tenant, an external intranet network, and then create two organization networks for each tenant: one routed (internet) and one direct (intranet). Right? But how do we prevent the user from attaching a vApp to both org networks at once, which would turn that vApp into a bridge between the two zones?

It can easily be done by creating two organizations per tenant: one organization for internet-facing vApps and the other for intranet vApps. However, this is not very elegant for the users, who will not have a single pane of glass to manage both kinds of vApps.

Could it be done by creating two Org VDCs per organization, one internet Org VDC and one intranet Org VDC? Unfortunately, in the current vCloud Director release there is no way to restrict an organization network to a single Org VDC; an org network is available to every Org VDC in the organization. There is, however, a way to get the same effect. It requires changing the design of the vSphere resources underneath.

vCloud Director is built on top of vSphere, so if we enforce the network separation at the vSphere level it still applies at the vCloud Director level. We could create two clusters, where the hosts in one cluster have access only to the internet network and the hosts in the other cluster only to the intranet networks. Each cluster would back its own Provider VDC. We could then create two Org VDCs per organization, each from a different Provider VDC. In practical terms, in vSphere we would create two distributed switches and attach the hosts of each cluster to only one of them. Because a VM can only be connected to a port group on a distributed switch its host is a member of, a vApp deployed in the intranet Org VDC cannot be wired to the internet external network no matter what the tenant selects. The caveat is that the guarantee lives entirely in the host uplink configuration: a single host in either cluster that is accidentally attached to both distributed switches reopens the path, so the host-to-switch membership should be audited, not just set once.

The same separation can also be done at a higher level, i.e. per vCenter Server. Remember that vCloud Director can manage up to 25 vCenters.
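As an added illustration (not code from the original post), here is a small Python audit of the invariant this design relies on: every host must see exactly one zone, and therefore no Org VDC may see both. The inventory is constructed by hand and all names (clusters, hosts, dvSwitches, Provider and Org VDCs, tenantA) are made up; a real run would populate the same structure from the vSphere inventory (cluster membership, each host's distributed switch membership) and from vCloud Director (Provider VDC to cluster, Org VDC to Provider VDC). The second function deliberately reproduces the failure mode discussed above, a host attached to both distributed switches, so the audit's output can be seen on both a clean and a broken design.

```python
"""Audit of the cluster-level network separation described above.

All names below are constructed for illustration; a real audit would fill the
same structure from the vSphere inventory (clusters, hosts, dvSwitch membership
of each host's uplinks) and the vCloud Director inventory (Provider VDC ->
cluster, Org VDC -> Provider VDC).
"""
import copy

INTERNET = "internet"
INTRANET = "intranet"

INVENTORY = {
    # cluster -> ESXi hosts
    "clusters": {
        "cl-internet": ["esx01", "esx02"],
        "cl-intranet": ["esx03", "esx04"],
    },
    # host -> distributed switches its uplinks are attached to
    "host_switches": {
        "esx01": ["dvs-internet"],
        "esx02": ["dvs-internet"],
        "esx03": ["dvs-intranet"],
        "esx04": ["dvs-intranet"],
    },
    # dvSwitch -> external-network port groups and the zone each belongs to
    "switch_networks": {
        "dvs-internet": {"ext-internet": INTERNET},
        "dvs-intranet": {"ext-intranet-tenantA": INTRANET,
                         "ext-intranet-tenantB": INTRANET},
    },
    # Provider VDC -> backing cluster
    "provider_vdcs": {"pvdc-internet": "cl-internet",
                      "pvdc-intranet": "cl-intranet"},
    # Org VDC -> (organization, Provider VDC)
    "org_vdcs": {
        "tenantA-internet": ("tenantA", "pvdc-internet"),
        "tenantA-intranet": ("tenantA", "pvdc-intranet"),
    },
}


def host_zones(inv, host):
    """Zones a VM running on this host could be wired into.

    A VM can only be connected to a port group on a dvSwitch its host is a
    member of, so the host's switch membership bounds what any vApp on it reaches.
    """
    zones = set()
    for dvs in inv["host_switches"].get(host, []):
        zones.update(inv["switch_networks"][dvs].values())
    return zones


def org_vdc_zones(inv, org_vdc):
    """Union of zones over every host in the cluster backing the Org VDC."""
    _org, pvdc = inv["org_vdcs"][org_vdc]
    cluster = inv["provider_vdcs"][pvdc]
    zones = set()
    for host in inv["clusters"][cluster]:
        zones |= host_zones(inv, host)
    return zones


def audit(inv):
    """Return violations of the 'never internet and intranet at once' rule.

    Two checks: each host must sit in exactly one zone (a host whose uplinks
    land on both dvSwitches silently reopens the path), and, as a consequence,
    no Org VDC may see both zones.
    """
    violations = []
    for cluster, hosts in inv["clusters"].items():
        for host in hosts:
            zones = host_zones(inv, host)
            if len(zones) != 1:
                violations.append(
                    f"host {host} in {cluster} reaches zones {sorted(zones)}")
    for org_vdc in inv["org_vdcs"]:
        zones = org_vdc_zones(inv, org_vdc)
        if INTERNET in zones and INTRANET in zones:
            violations.append(
                f"org VDC {org_vdc} can reach both internet and intranet")
    return violations


def with_misattached_host(inv, host="esx02", dvs="dvs-intranet"):
    """Copy of the inventory in which one host was also added to the other
    dvSwitch: the constructed mistake the audit is meant to catch."""
    broken = copy.deepcopy(inv)
    broken["host_switches"][host].append(dvs)
    return broken


if __name__ == "__main__":
    print("clean design:", audit(INVENTORY) or "no violations")
    for v in audit(with_misattached_host(INVENTORY)):
        print("misattached host:", v)
```

On the clean inventory the audit reports nothing; once esx02 is also attached to dvs-intranet it flags both the host and the tenantA-internet Org VDC, which is exactly the case where a tenant could end up with a vApp on both zones without doing anything wrong in the vCloud Director UI.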


2 thoughts on “vCloud Director: Org VDC and Org Networks”

  1. Hi Tom, is this still true with the new release of vCloud Director 5.1? I have the same requirement from the customer. Thank you, Gianfranco

    1. The organization network concept has changed in vCloud Director 5.1. They are now called Organization VDC networks and can be either limited to one Org VDC or shared between all other Org VDCs in the organization. So no workarounds are needed anymore.
