Self-service networking with Virtual Private Clouds

---

VMware Cloud Foundation brings the public cloud experience to your private cloud. It enables users to deploy workloads quickly and configure network connectivity with simplicity, consistency, and automation.

In this post, we’ll recap how network operations have evolved in the private data center—specifically from the perspective of the vSphere admin. The new Virtual Private Cloud (VPC) model introduced in VCF 9 is a major milestone in that journey. It delivers a clean, self-contained model that makes deploying connected workloads faster, safer, and easier than ever before.

Traditional Networking in vSphere

Historically, provisioning network connectivity for a new workload in vSphere required coordination with the networking team. The vSphere admin would open a ticket specifying requirements such as:

• Number of VMs
• Need for external connectivity
• Network segmentation

The network team would then configure the necessary infrastructure and return VLAN IDs. The vSphere admin could finally create the required dvPortGroups and attach VMs.
Note that whether the physical network uses its own virtualization (e.g., EVPN VXLAN) is not making this workflow any simpler. In many environments, this process could take days or even weeks to complete.

The NSX approach

NSX radically changed this dynamic by virtualizing the entire networking stack, removing the dependency on VLANs and the physical fabric. With NSX, networks are defined entirely in software—from segments to gateways—and can be provisioned instantly, no tickets required.

However, a vSphere admin could find themselves managing not just VM connectivity, but also complex configurations like gateways and BGP—well beyond their traditional scope.

The VPC Model: Role Clarity and Self-Service

The VPC model in VCF 9 formalizes responsibilities across the organization, enabling secure self-service networking without sacrificing control.

Enterprise Admin
The NSX enterprise admin connects NSX to the physical infrastructure and defines projects, a first level of tenancy, each with dedicated resources and consumption quotas.

Project Admin
Operating within a project, the project admin has no access to the underlying infrastructure. Instead, they distribute project resources to Virtual Private Clouds (VPCs), a second level of tenancy.

VPC Admin (typically also vSphere admin)
The VPC admin defines and manages subnets within their assigned VPC. As long as they remain within quota, they can provision networking resources independently. This mirrors the original vSphere admin’s role but with more autonomy and less complexity.

VPC in vCenter

Starting with VCF 9.0, VPCs are integrated across:

• VCF Operations & Automation
• VMware Kubernetes Services (VKS)
• HCX
• and of course vCenter

The vSphere admin can now create subnets directly in vCenter using a simple, guided interface:

Subnet Configuration Highlights:

• Access Mode defines subnet reachability:
  • Private: Scoped to the VPC
  • Private Transit Gateway: Scoped to the project
  • Public: Reachable from the physical network
• Auto Allocate Subnet CIDR: Automatically selects a CIDR block from predefined IP pools
• Subnet size: requested number of IP addresses available in the subnet
• Gateway Connectivity: Instantly enables default gateways for routing
• DHCP: Easily enable DHCP for connected VMs

Attaching a workload to a VPC subnet is identical to the familiar dvPortGroup workflow. In the vCenter UI, the vNIC of a VM can be attached to a “VPC Subnet” with few clicks:

Note: traditional dvPortGroups remain available via the “Networks” tab.

Final words

The VPC model in VMware Cloud Foundation 9 brings clarity, speed, and autonomy to private cloud networking. By formalizing roles and enabling self-service, it empowers vSphere admins to focus on workloads—not tickets. Whether you’re deploying traditional VMs or modern Kubernetes clusters, VPCs make network provisioning as simple as pushing a button.