By: Chris Colotti

This is a repost from Chris Colotti’s blog,


As a newish member of the VMware vCloud Hybrid Service Technical Marketing Team one cool thing I get is access to various things to play with and test.  Something my whole team has access to in vCHS is both a Virtual Private Cloud and a Dedicated Cloud.  The unique thing about VMware vCloud Hybrid Service is that with a single user account you can access multiple cloud services you sign up for.  In our case we have two we can deploy workloads to.  What are some things to think about with this?

  • These are two different vCloud Director URLs
  • These are two separate vCloud Director Organizations
  • Each has its own vCNS Edge Gateway, and in the case of the dedicated there could be multiple Edge Gateways configured
  • Each vCNS Edge Gateway has ben assigned an external Public IP address

This means these are essentially two independent cloud environments federated by the vCHS user portal.  Something I wanted to point out very quickly was how you can actually connect these together using the built-in VPN functionality in vCloud Director.  Let’s take a very basic example of what each cloud offering might look like initially.  This assumes you have yet to connect them to your on premise data center.


In the image above you can see that each Virtual Data Center has a single Edge with a public IP address and a single routed network.  You will also notice that each routed network is a DIFFERENT subnet.  This is mandatory for the VPN to work since you cannot have the same local endpoint addresses.  It’s important to note that when you deploy your vCNS Edge in vCHS you will always get a Default-Routed network using and in most cases you will want to simply remove it and start clean if you are looking to do advanced networking.

Configure the VPN

This is probably the easiest thing you will ever do.  Before you begin you will need a couple of things from both your VPC and your Dedicated instance.

  • vCloud Director URL
  • vCloud Director Organization Name
  • Login Credentials – which will be the same for both if these are all under your account

The URL can be found for each cloud on the right side of the screen.  It will also include the organization name in the full URL.  You will need to do this for both your clouds.


Secondly you will want to click on one of the gateway and select Manage Advanced Gateway Settings to access the vCD user interface.


Once you are connected to the vCloud Director native UI, you can easily configure the VPN.

Select your Edge Gateway in your vCloud organization and select the VPN tab.  Once there select “Add” and you will see the following screen.  Select “Use public IP” and leave the other settings to their defaults.


Select “A Network in another Organization, and then select ” Log Into Remote vCD”


Fill in the required fields for just the vCloud URL and the org that you recorded earlier from the vCHS portal.  Use your vCHS credentials to connect and once you log in you will be presented with the other vCloud Organization’s networks so you can multi-select the mappings for the networks in each Organization.

Once this is done the two sites should come up with VPN between them, but if you deploy virtual machines they will still not communicate.  This is because even though the VPN tunnel is up, like everything you need to apply firewall rules.


Configure the Firewall Rules

This is pretty simple provided you simply want to allow all traffic from the network on the VPC side and the Dedicated cloud side to communicate without any restrictions.  In each vCNS Edge Gateway you need simple reciprocating rules, assuming you have not yet “Allowed all Outbound” connections.  Using the IP Addresses shown from the diagram the rules for each vCNS Edge would look something like this on each side:

Source Destination : Any : Any : Any : Any

This ensures that both vCNS Edge Gateways pass source and destination traffic from either end back and forth.  Personally I always write reciprocating rules just in case especially when this is a subnet to subnet VPN rule.  The key is to make sure you duplicate the rule in BOTH edge gateways.


At this point you have now securely interconnected your Virtual Private Cloud to your Dedicated Cloud.  It also stands to reason you can do this between multiple Dedicated Clouds or even different Virtual Data Centers in the same dedicated cloud.  Finally, you can even do secure VPN’s between networks on vCNS Edge devices in the same organization for encrypted communication if you require it.  The bottom line is the VMware vCloud Hybrid Service networking that is built on the vCloud Networking and Security products is extremely flexible to meet the connectivity needs you have.  I think this connection between clouds is something many people will want to explore as they utilize multiple offerings in a single account.

Chris is a Senior Technical Marketing Manager with the vCloud Hybrid Services team with over 10 years of experience working with IT hardware and software solutions. He holds a Bachelor of Science Degree in Information Systems from the Daniel Webster College. Prior to VMware he served a Fortune 1000 company in southern NH as a Systems Architect/Administrator, architecting VMware solutions to support new application deployments. At VMware, in the roles of Consulting Architect, Chris has guided partners as well as customers in establishing a VMware practice and consulted on multiple customer projects ranging from datacenter migrations to long-term residency architecture support. Currently, Chris is working on the newest VMware vCloud Hybrid Service solutions and architectures for vSphere customers wishing to migrate to the VMware Hybrid Cloud Service. Chris is also a VMware Certified Design Expert, (VCDX #37).