I wanted to split a /24 subnet into 4 IP chunks per orgVDC. Using the new sub-allocation feature in vShield Edge you can configure this so one OrgVDC can only use a specific allocated range. However, what if you have an orgVDC that has a direct internet connection (eg connecting to the Internet directly without using a vShield Edge Gateway) and want to lock down IP addresses? The answer is you can’t. Not through vCloud Director anyway.
The range I want to split is 22.214.171.124/24 which is tagged to 1 portgroup on vlan 0 (and therefore 1 external network).
Org A has an allocated range of 126.96.36.199 – 188.8.131.52. This has been sub allocated on the Edge Gateway device. This disallows the Org from using any other external IP address from the /24. Great. VM-A and VM-B happily sit behind this device. NAT rules can be set for external to internal etc. However there is requirement for VM-C to connect directly to the external network. This is where we run into problems. There is no mechanism to stop the Org Admin manually giving this an IP address out the allocated range and thus using another Orgs IP addresses.
Ways around this include creating alternative external networks with vlans (with individual Org IP ranges) or simply using a 1:1 NAT style approach through the Edge Gateway and disallowing direct external network access. Neither are ideal . I suspect the next version of vCloud Director will remedy this. A feature request has been sent anyway! 🙂