From Cloud Avenue
Jump to navigation Jump to search


The network and security layer of Cloud Avenue is weared by the NSX-T solution from vmware. The implémentation is done at two levels according to the followin principle :

  • a T0 Edge gateway, including a per customer dedicated context, able to connect the external networks: internet, BVPN Galery, X-Connect, administration, etc. The T0 Edge gateway configuration is done by the automation of the platform.
  • a T1 Edge gateway, able to manage the vDC networks, which configuration is done by the Customer from the vCloud Director portal.
It is important to choose the right parameters when creating a vDC network, because it is not easy to modify most of the parameters once VM/Vapp connected to this network.

The IP address ranges are choosen by the Customer, generally among non routable subnets.

NSX-T gateways specifications

Depending of the needs, several configurations are available.

Type of gateway Class of service Specifications Connected networks


T0 VRF Standard 300 Mbps max flow(*)
  • 150 Mbps max on internet
  • 150 Mbps max shared by the other interfaces
  • Limit to 100 Mbps on BVPN Galery
  • Internet
  • BVPN Galery
  • Admin & backup
  • Internal VPNs
T0 VRF Premium

1 Gbps débit max (*)

  • 500 Mbps max on internet
  • 500 Mbps max shared by the other interfaces
  • Limit to 300 Mbps on BVPN Galery
  • Internet
  • BVPN Galery
  • Admin & backup
  • Internal VPNs
  • Network storage
  • X-Connect
  • Object storage (S3)
Dedicated T0 Medium 3,5 Gbps max flow(*)
  • 1 Gbps max on internet
  • 2,5 Gbps shared by the other interfaces
  • 100 T0 VRF max
Dedicated T0 Large
  • 10 Gbps max flow (*)
  • 100 T0 VRF max
T1 Standard 300 Mbps max flow (*) A single interface for connection to the T0

Nine interfaces for vDC networks

T1 Premium 1 Gbps max flow (*)

Need a T0 Premium

Dedicated T1 Medium 2,5 Gbps max flow (*)

Need a dedicated T0

Dedicated T1 Large 6 Gbps max flow (*)

Need a dedicated T0

(*) The max flow means the global throughput available for the gateway.

All the gateways are in high availability mode by default. The max flow information is given according to a network packet size of 1500 bytes.

By default, the T0 VRF and T1 gateways are hosted on a mutualized cluster. It is possible to order a dedicated T0 & T1 (hosted on a dedicated VM cluster), for the following use cases:

  • huge need of internet bandwidth
  • organization with a lot of vDC and several hundred VM
  • Customer preference for dedicated component (in addition to a dedicated cluster for example)
  • need to manage a lot of T0 VRF
The choice of T0 model determines the model of T1


Switching from a standard T0 VRF gateway to a Premium T0 VRF can be done without service interruption in the majority of cases (technical validation to be obtained from support beforehand).

Switching from a T0 VRF Premium gateway to a dedicated T0 is a heavy operation with service interruption and requires planning.

These operations are carried out from a change request submitted from the Cloud Customer Space.

The NSX configurations

General case

With this principle of architecture, the Internet or VPN Gallery bandwidth subscribed by the Customer for each Organization is configured at the T0 level, and shared between the different vDCs.

A T1 gateway is used to create Organization networks that can be shared between all vDCs in the Organization.

Each T1 can be connected to a single T0 gateway, with a single interface.

In the diagram presented here, a T0 VRF gateway is subscribed by default and will manage all the underlying networks distributed by the T1 at the vDC level.

NGP - General principle VCD+NSX.png

Internet bandwidth limitation

The Customer may limit the bandwidth of a T1 gateway. This makes it possible to control the sharing of bandwidth between the different vDCs.

NGP - NSX Configuration with limit of internet BW.png

Configuration with 2 T0 VRF

To meet internal security policy constraints, it is possible to separate the external networks and assign them a separate T0 VRF.

In our example, we have assigned a T0 VRF for internet access, and another T0 VRF for access to the BVPN Gallery.

This separation is recommended to avoid configuration errors made by the customer, which would lead to exposing networks or VMs on the internet that should not be exposed. Indeed, the configuration of each external network will be done in 2 different gateways in VCD.

Note that if the Customer needs to manage a lot of T0 VRF, he must consider the dedicated T0 option, which can provide up to 100 T0 VRF.

NGP - NSX configuration with 2 T0 VRF.png

Integrated features

Organization networks

The Edge T1 gateway is used to create the internal networks of the vDC on which the VMs will be connected. The addressing of these networks is chosen by the Customer during configuration/creation. To share the networks between vDCs, it is necessary to create a group of vDCs, in order to include the vDCs concerned, which can then share the functionalities of the Edge gateway T1, and its networks.


The T1 gateway offers a 2-level firewall:

  • perimeter firewall, for north-south flows, i.e. entering and leaving the vDC (or group of vDCs)
  • distributed firewall, for east-west flows, on a scope ranging from a single vDC to all the vDCs included in a group of vDCs.
NGP - NSX-T services into VCD.png

Perimeter firewall configuration will be done in the Services options of the T1 Edge Gateway configuration. All incoming and outgoing flows of the vDC will be filtered through the rules implemented here. It will also be possible to configure a point-to-point IPSec VPN between the remote equipment and the Edge T1 gateway.

A Load Balancer is also available, providing basic functionality for clustering servers.

The Security option will allow you to manage part of the configuration related to the distributed firewall. This is where you need to define the security groups that carry the authorizations defined later in the firewall configuration (see below).

IP Address Management allows you to configure advanced T1 Edge Gateway IP services, such as DNS or DHCP forwarding.

In the vDC group configuration, we will be able to configure the distributed firewall, and define fairly fine-grained permissions at the security group level.

This extremely powerful feature allows:

  • effectively protect VMs by filtering east-west flows
  • to create trust zones based on tags manually positioned on the VMs or built dynamically from programmed rules.
NGP - NSX-T and datacenter group.png

All features described below are configurable by Customer in the vCloud Director portal.

Return to Services catalogue