VCF Networking (NSX) Technical

VMware Virtual Private Cloud in VMware Cloud Foundation 9.0: A New Era of Private Cloud Networking

Key Points:

  • A New Cloud Operating Model: VMware VPC introduces a simplified networking model across VCF, including vCenter and VCF Automation, that empowers VI admins to move faster. This user agility is balanced with centralized IT governance, where Enterprise Admins manage the overall environment from a single pane of glass, set security guardrails, and then delegate network creation to users, streamlining the entire application provisioning process.
  • On-Demand Networking and Integrated Services: Powered by NSX, users can create on-demand networks, defining them as private and isolated or as public and advertised to the physical infrastructure. For workloads on private networks, the platform provides the ability to assign external IPs for outside access. Other available services include Network Address Translation (NAT), Gateway Firewall, and the vDefend Distributed Firewall (DFW).
  • Flexible Management and Automation: Manage your VPC environment through the interface that best fits your operational needs. Use vCenter for simplified network connections, the NSX UI for advanced configuration, or leverage VCF Automation for end-to-end application automation.

An exciting evolution is underway in private cloud infrastructure, centering on delivering a more agile, secure, and user-centric experience. The latest advancements in VMware Cloud Foundation 9 (VCF) bring enhanced Virtual Private Cloud (VPC) capabilities directly within vCenter.

A Virtual Private Cloud (VPC) creates a secure and isolated multi-tenant network environment hosted within a broader VCF private cloud. It empowers users to define and manage their own logically isolated networks, complete with custom IP addressing, routing, and security policies. Available directly within vCenter, this model provides the self-service, cloud-like experience that application owners need to control their virtual machines and networking with speed and autonomy.

This evolution bridges the gap between the on-demand flexibility users want and the robust oversight that enterprise IT requires. By delegating network creation, VI admin and development teams can move faster. This allows network and security admins to retain central governance and provide security guardrails, delivering a streamlined and efficient cloud operating model that dramatically accelerates application provisioning.

VMware Virtual Private Cloud (VPC) Architecture

The VMware VPC architecture is designed to enable a multi-tenant, self-service cloud-like operating model in VMware Cloud Foundation. It establishes a clear separation of duties between different administrative roles while allowing for secure, isolated network environments.

The diagram below illustrates this layered structure. At the top, the Physical Network Admin manages the underlying physical network resources. The Enterprise Admin oversees the entire VMware Cloud Foundation environment, establishing central governance and external connectivity. Below this layer, an NSX Project Admin, who manages a tenant within NSX (also called an NSX Project), can be delegated control over their own set of resources. An important function for Enterprise and Project Admins is the ability to carve out networking quotas for each Project and VPC.

Finally, the VPC Admin creates and manages the networking for their specific VPC. Any security or network policies created by a VPC Admin are contained entirely within that VPC and do not affect other VPCs. However, these policies are subject to the broader security and governance controls put in place by the Enterprise or Project Admins. This hierarchical model ensures that tenant users (VPC Admins) can deploy and manage their applications with autonomy and speed, without compromising the robust oversight that enterprise IT requires.

Fig 1. VMware Virtual Private Cloud (VPC) architecture outlines the administrative boundaries between different administrative roles.

Core Components of a VMware VPC

The advanced networking and security capabilities of a VMware VPC are delivered by NSX. The following are the fundamental components that constitute a VMware VPC.

Virtual Private Cloud (VPC):

A VPC delivers a simplified, self-service networking model directly within vCenter, empowering users to define and manage their own logically isolated networks with custom IP addressing, routing, and security policies. For more information on the self-service topic, please visit the following blog.

VPC Gateway:

A dedicated logical router for the VPC that handles north-south traffic routing to and from the Transit Gateway. It also handles east-west routing between all subnets within the VPC.

Subnet:

A network with an IP address range in a broadcast domain within a VPC where virtual machine network adapters can be connected, without the need to configure the physical environment.

Subnet Access Mode:

Three access modes are available for subnets (Public, Private-VPC, and Private-TGW); the access mode defines the connectivity of a subnet.

Public: 

Subnets with the Public access mode are advertised externally, making the workloads connected to them directly reachable from the environment. Such a subnet can use RFC 1918 addresses so that it is reachable within the data center (but not from the Internet). This offers direct connectivity without NAT.

Private-VPC:

Private-VPC subnets are isolated within the VPC: their scope is the VPC itself, so VMs attached to a private subnet can communicate directly only with peer subnets inside that VPC. NAT can be configured via an External IP to reach an IP in this subnet.

Private-Transit Gateway:

Private-Transit Gateway subnets route traffic through the Transit Gateway and are accessible from other VPCs attached to that same TGW. A common use case is access to shared services running in other VPCs connected to the same TGW. NAT can be configured via an External IP to reach an IP in this subnet.
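The three access modes above, plus External IPs with 1:1 NAT, define what can reach a subnet before any firewall rule is considered. The following Python model is an added example (not NSX or VCF code) that encodes those scope rules so an operator can ask "which of my subnets are reachable from outside, and through what?"; AccessMode, Subnet, EXTERNAL, reachable() and exposure_report() are names chosen for this illustration, and the sample subnets are constructed.

```python
"""Reachability model for the three VPC subnet access modes.

Added example, not NSX or VCF code. It encodes the scope rules this article
gives for Public, Private-VPC and Private-TGW subnets and for External IPs
used with 1:1 NAT. AccessMode, Subnet, EXTERNAL, reachable() and
exposure_report() are names chosen for this illustration; the sample
subnets below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class AccessMode(Enum):
    PUBLIC = "public"              # advertised to the physical network, no NAT needed
    PRIVATE_VPC = "private-vpc"    # scope: the owning VPC only
    PRIVATE_TGW = "private-tgw"    # scope: every VPC attached to the same TGW


@dataclass(frozen=True)
class Subnet:
    name: str
    vpc: str           # owning VPC
    tgw: str           # Transit Gateway (one per NSX Project) the VPC attaches to
    mode: AccessMode


# Marker for a source outside VCF (a user on the corporate LAN, for example).
EXTERNAL = "external"


def reachable(src, dst: Subnet, via_external_ip: bool = False) -> str:
    """Classify a flow towards dst as 'direct', 'nat' or 'blocked'.

    src is a Subnet or the EXTERNAL marker. Only routing and advertisement
    scope is modelled: a flow reported here as reachable can still be denied
    by the Gateway Firewall or the DFW, and a private source reaching beyond
    its own scope would itself egress through SNAT.
    """
    # Everything inside one VPC is routed east-west by the VPC Gateway.
    if isinstance(src, Subnet) and src.vpc == dst.vpc:
        return "direct"
    if dst.mode is AccessMode.PUBLIC:
        # Advertised externally: reachable from other VPCs and from outside.
        return "direct"
    if dst.mode is AccessMode.PRIVATE_TGW and isinstance(src, Subnet) and src.tgw == dst.tgw:
        # Another VPC on the same TGW routes to it through the TGW.
        return "direct"
    # Private-VPC, or Private-TGW seen from a different TGW or from outside:
    # only an External IP with 1:1 NAT on the VPC gateway makes it reachable.
    return "nat" if via_external_ip else "blocked"


def exposure_report(subnets) -> list:
    """Names of subnets an external source can reach with no NAT configured."""
    return [s.name for s in subnets if reachable(EXTERNAL, s) == "direct"]


# Constructed sample: two VPCs in the default project plus one in another project.
WEB = Subnet("web", "vpc-a", "tgw-default", AccessMode.PUBLIC)
APP = Subnet("app", "vpc-a", "tgw-default", AccessMode.PRIVATE_VPC)
SHARED = Subnet("shared-svc", "vpc-b", "tgw-default", AccessMode.PRIVATE_TGW)
DB = Subnet("db", "vpc-c", "tgw-other", AccessMode.PRIVATE_VPC)
SAMPLE = [WEB, APP, SHARED, DB]

if __name__ == "__main__":
    for src, dst, nat in [(EXTERNAL, WEB, False), (EXTERNAL, APP, False),
                          (EXTERNAL, APP, True), (APP, SHARED, False),
                          (DB, SHARED, False), (DB, SHARED, True)]:
        who = src.name if isinstance(src, Subnet) else src
        print(f"{who:>10} -> {dst.name:<10} {reachable(src, dst, nat)}")
    print("exposed without NAT:", exposure_report(SAMPLE))
```

The useful output for a reviewer is exposure_report(): in the sample only the Public "web" subnet is reachable from outside without an explicit External IP, which is exactly the set that the Gateway Firewall must protect by default.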

Subnet Size:

Specifies the total number of IP addresses for the subnet. An important note is that a size of 16 does not refer to a /16 subnet mask, but rather to a total of 16 IP addresses in that subnet. The actual number of IPs available for VMs will be less than this size, as some addresses are reserved for network operations.

VPC Admin:

The user role with permissions to manage and configure a specific VPC, its subnets, and associated services. This access can be further limited to granular services such as Networking and Security.

NSX Projects:

A tenant in NSX that groups networking and security objects, enabling multi-tenancy and the delegation of administrative controls and quotas; it forms the basis for a VPC environment. Each NSX Project has its own Transit Gateway, and each VPC must belong to a Project. VCF deployments come with a special 'default' NSX Project that can be consumed and configured from vCenter, but customers can add more Projects from the NSX UI to organize their infrastructure (for example, NSX Projects can represent the organization's structure, site locations, tenants, or applications).

Transit Gateway (TGW):

A shared gateway that facilitates interoperability between multiple VPCs and aggregates north-south traffic to external networks. High Availability can be enabled, and both Active-Active and Active-Standby architectures are supported.

TGW Connectivity:

Defines the connectivity to the external network. Two architectures are supported: Centralized (CTGW) and Distributed (DTGW). The Transit Gateway's southbound connection is always to the VPC Gateway(s); its northbound connection can be directly to a VLAN (in the DTGW architecture, also known as Edgeless) or to an NSX T0 router (in the CTGW architecture).

Centralized (CTGW):

Routes traffic through a centralized NSX Edge node cluster via the NSX T0 router. It enables services such as NAT, DHCP, Load Balancer, Gateway Firewall, and DFW. For more information on this topic, please visit the following blog.

Distributed (DTGW):

Leverages the distributed routing capabilities of the vSphere hypervisor itself for optimized traffic flow. It has a smaller footprint because no NSX Edge cluster is used; instead, the northbound connection can be made directly to a VLAN network. It enables distributed services such as distributed DHCP, 1:1 NAT, and DFW. It is also referred to as the Edgeless design. For more information on this topic, please visit the following blog.

Project Admin:

The administrative role responsible for managing project resources (such as VPCs), their users, quotas, and permissions within a specific NSX Project.

Route Tables:

The system that controls how traffic is directed within the VPC, between VPCs, and to external networks, managed through route tables and forwarding tables associated with gateways and subnets. These can be viewed from the NSX UI and from the router's CLI.

IP Blocks:

IP Blocks are ranges of public or private IP addresses that can be assigned to specific Projects and VPCs to provide IP addressing for subnets and network services.

External IP Blocks:

External IP Blocks are defined by the Enterprise Admin and can be exposed to NSX Projects; the same block can be exposed to multiple NSX Projects. They are ranges of public or externally routable IP addresses used for VMs on Public subnets and for services such as 1:1 NAT.

Private – Transit Gateway IP Block:

The tenant admin (NSX Project Admin role) can define Private-TGW IP Blocks and assign them to specific VPCs. Private-TGW subnets get their IP addresses from these blocks. A block can be shared among multiple VPCs that are part of the same TGW/NSX Project.

Private – VPC IP CIDR:

The scope of the Private-VPC IP CIDR is the VPC. The VPC Admin assigns this CIDR when creating the VPC, and VMs attached to a Private-VPC subnet get their IPs from it.
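The three IP block types, the "subnet size is a count of addresses" rule from the Subnet Size entry, and the per-VPC quotas mentioned under the architecture all interact when a subnet is created. The Python below is an added example (not NSX or VCF code) that carves subnets from the right block for each access mode, converts a size such as 16 into its /28 prefix, refuses overlapping allocations from a block shared by several VPCs, and enforces a subnet quota. IpBlock, Project, Vpc, build_sample(), the sample ranges and the RESERVED_PER_SUBNET value are assumptions made for this illustration.

```python
"""IP block carving and quota enforcement for VPC subnets.

Added example, not NSX or VCF code. It models the rules this article states:
Public subnets draw from an External IP Block, Private-TGW subnets from a
Private-TGW IP Block shared by the VPCs of one NSX Project, Private-VPC
subnets from the VPC's own CIDR; a subnet size counts addresses rather than
naming a mask; and admins cap each VPC with a quota. The class names, the
sample ranges and RESERVED_PER_SUBNET are assumptions for illustration.
"""
import ipaddress
import math

# The article says some addresses in every subnet are reserved for network
# operations but gives no count; 4 is an assumed placeholder value.
RESERVED_PER_SUBNET = 4


class QuotaExceeded(Exception):
    """Raised when a VPC tries to create more subnets than its quota allows."""


def prefix_for_size(size: int) -> int:
    """A subnet size of 16 means 16 addresses, i.e. a /28, not a /16 mask."""
    if size < 8 or size & (size - 1):
        raise ValueError("subnet size must be a power of two, at least 8")
    return 32 - int(math.log2(size))


class IpBlock:
    """A pool of addresses from which non-overlapping subnets are carved."""

    def __init__(self, kind: str, cidr: str):
        self.kind = kind
        self.network = ipaddress.ip_network(cidr)
        self.carved = []

    def carve(self, size: int) -> ipaddress.IPv4Network:
        prefix = prefix_for_size(size)
        if prefix < self.network.prefixlen:
            raise RuntimeError(f"size {size} does not fit in {self.kind} block {self.network}")
        # First-fit: walk the block in /prefix steps and take the first free one.
        for candidate in self.network.subnets(new_prefix=prefix):
            if not any(candidate.overlaps(used) for used in self.carved):
                self.carved.append(candidate)
                return candidate
        raise RuntimeError(f"{self.kind} block {self.network} is exhausted")


class Project:
    """An NSX Project: one TGW, a Private-TGW block, and an exposed External block."""

    def __init__(self, name: str, external: IpBlock, private_tgw: IpBlock):
        self.name = name
        self.blocks = {"public": external, "private-tgw": private_tgw}


class Vpc:
    def __init__(self, name: str, project: Project, private_cidr: str, subnet_quota: int):
        self.name = name
        self.project = project
        self.private_block = IpBlock("private-vpc", private_cidr)  # set at VPC creation
        self.subnet_quota = subnet_quota
        self.subnets = {}

    def add_subnet(self, name: str, mode: str, size: int) -> dict:
        if len(self.subnets) >= self.subnet_quota:
            raise QuotaExceeded(f"{self.name}: quota of {self.subnet_quota} subnets reached")
        # Private-VPC subnets come from the VPC's own CIDR; the other modes
        # draw from blocks the Enterprise Admin / Project Admin exposed.
        block = self.private_block if mode == "private-vpc" else self.project.blocks[mode]
        record = {"cidr": str(block.carve(size)), "mode": mode,
                  "usable": size - RESERVED_PER_SUBNET}
        self.subnets[name] = record
        return record


def build_sample() -> dict:
    """Constructed scenario: two VPCs in one project sharing the same blocks."""
    external = IpBlock("external", "203.0.113.0/24")   # RFC 5737 documentation range
    tgw_block = IpBlock("private-tgw", "10.10.0.0/16")
    project = Project("default", external, tgw_block)
    vpc_a = Vpc("vpc-a", project, "172.16.0.0/24", subnet_quota=3)
    vpc_b = Vpc("vpc-b", project, "172.16.1.0/24", subnet_quota=3)
    out = {
        "a-web": vpc_a.add_subnet("web", "public", 16)["cidr"],
        "a-app": vpc_a.add_subnet("app", "private-vpc", 32)["cidr"],
        "a-svc": vpc_a.add_subnet("svc", "private-tgw", 64)["cidr"],
        "b-web": vpc_b.add_subnet("web", "public", 16)["cidr"],   # next free /28 of the shared block
        "b-svc": vpc_b.add_subnet("svc", "private-tgw", 64)["cidr"],
    }
    try:
        vpc_a.add_subnet("extra", "private-vpc", 16)
        out["quota"] = "not enforced"
    except QuotaExceeded:
        out["quota"] = "enforced"
    return out


if __name__ == "__main__":
    for key, value in build_sample().items():
        print(f"{key:>6}: {value}")
```

Running it shows vpc-a and vpc-b receiving disjoint /28s (203.0.113.0/28 and 203.0.113.16/28) from the one External IP Block, which is the property the shared-block design depends on, and the fourth subnet request in vpc-a being refused by the quota.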

Integrated Network and Security Services on VPC

Each Virtual Private Cloud is equipped with a comprehensive suite of networking and security services powered by NSX. These can be categorized into foundational services included with the platform and advanced add-on capabilities that can be enabled as needed.

Core Networking and Security Services

These services form the foundation of every VPC, providing the essential connectivity and security required for modern applications.

  • On-demand Networking with Integrated IPAM: Users can create their own networks on-demand. NSX automatically manages the IP addresses within these subnets, simplifying IP Address Management (IPAM) and removing the need for external tools.
  • DHCP and DHCP Relay: Each VPC includes built-in DHCP server capabilities to automatically assign IP addresses to workloads. It can also be configured as a DHCP relay to integrate with existing external DHCP servers.
  • Distributed and Static Routing: Traffic between subnets within a VPC is handled efficiently by the distributed routing capabilities of NSX. For specific traffic engineering needs, static routes can also be configured on the Transit Gateway.
  • Network Address Translation (NAT): Robust, built-in NAT services are available for controlling access. This includes Source NAT (SNAT) for outbound access from private networks and 1:1 NAT to allow external access to internal services.
  • Gateway Firewall: A stateless gateway firewall runs on the gateways, providing essential perimeter security for all north-south traffic entering or leaving the VPC.

Optional Advanced Services and Add-ons

For organizations with more advanced requirements, the platform can be extended with the following services:

  • vDefend Distributed Firewall (DFW): A key capability of NSX that enables micro-segmentation. The DFW operates at the virtual network card of each workload, allowing for highly granular security policies that move with the VM, isolating workloads from each other to prevent the lateral spread of threats.
  • vDefend Gateway Firewall with Advanced Threat Prevention: The capabilities of the gateway firewall can be enhanced with advanced threat prevention features, including Intrusion Detection and Prevention Systems (IDS/IPS), and stateful Layer 7 inspection.
  • AVI Load Balancer: Provides enterprise-grade load balancing, including local load balancing, global server load balancing (GSLB), and web application security to ensure application performance and security.

Accessing and Managing VMware VPC Capabilities

One of the strengths of the VMware ecosystem is the variety of ways to provision, configure, and manage VMware VPC constructs, catering to different roles and operational models:

VMware vCenter Server: Remains crucial for day-to-day VM operations and their networking connectivity. Virtual machine administrators use vCenter to connect VMs to the appropriate subnets (networks) that have been created and defined within the VPC. For more information on this topic, please visit the following blog.

VMware NSX User Interface (UI): This is the primary interface for network admins and security teams, providing comprehensive, granular control over all aspects of the platform. Architects and administrators use the NSX UI for detailed configuration of gateways, routing, firewall policies, and other advanced services.

VMware Cloud Foundation (VCF) Automation: VCF automates lifecycle management for the entire VCF stack. Foundational networking for VPC environments can be provisioned in a highly automated and validated manner. Through VCF Automation, VPCs can be offered as self-service catalog items. This allows application teams to deploy entire applications, along with their required isolated network environments, from predefined blueprints.

VMware Cloud Foundation Operations: Provides deep operational visibility and monitoring for VPC environments. It allows administrators to track network performance, troubleshoot connectivity issues, and ensure the health and compliance of the VPC constructs and the workloads running within them.

VMware Cloud Foundation Operations HCX: Provides a secure and seamless path for non-disruptively migrating existing VM workloads from legacy network architectures into the new VPC network segments, without the need to change the IP address or MAC address, resulting in minimal to no downtime. For more information on this topic, please visit the following blog.

APIs and Infrastructure as Code (IaC) Tools: For a DevOps approach, NSX (orchestrated by VCF) offers robust REST APIs that enable full programmatic control of VPC lifecycle and monitoring. This can be leveraged by tools like the Terraform Provider for NSX, PowerCLI, and SDKs (Python and Java) for custom automation.

Conceptualizing VMware VPC Deployment Models

VMware VPCs offer significant flexibility in how they are designed and deployed to meet specific needs. Following are some of the deployment examples:

  • Optimized vSphere Networking: Simplifies the life of the vSphere admin beyond VDS by allowing networking configuration and management all from vCenter.
  • Tenant-Based VPCs: Ideal for service providers or large enterprises creating isolated environments for different customers or business units.
  • Application-Specific VPCs: Each major application gets its own dedicated VPC, ensuring its network environment is tailored and isolated.
  • Lifecycle-Based VPCs (Dev/Test/Prod): Create separate VPCs for development, testing, and production to ensure isolation and enable safe testing of changes.
  • Security Zone VPCs: Design VPCs to represent specific security zones (e.g., DMZ, PCI compliance zone, internal trusted zone) with distinct security policies.

Conclusion: Unleashing Agility and Security

VMware Virtual Private Cloud (VPC) offers a transformative approach to networking and security. By providing robust isolation, granular control, and a rich set of integrated services, VMware VPCs enable organizations to build more agile, secure, and efficient infrastructures.

The flexibility to manage these capabilities through various interfaces — from the vCenter UI to the end-to-end automation of VCF Automation, and the programmatic power of IaC tools — ensures that organizations can adopt a model that best suits their operational maturity. Ultimately, VMware VPCs are a critical enabler for achieving a true cloud-like operating model, delivering consistent networking and security across VMware Cloud Foundation private cloud.