In this video you will learn how a vCloud Director network is constructed. The PowerPoint presentation "vCloud networking explained in 1 slide and 52 animations" was created by fellow VCI Tuukka Korhonen (itvirtuoosit.fi).
Port group backed network pools require a preconfigured set of port groups, either on a vNetwork distributed switch or on a standard vSwitch, and the port groups must be available on each ESX/ESXi host in the cluster. They need to be imported into vCloud Director when creating this network pool. This type of network pool is used in circumstances where vCenter cannot programmatically create port groups on the fly. Other scenarios for this type of network pool are when you do not have vNetwork distributed switches and want to use the standard switch, or when you want to use Nexus 1000V switches. The port groups must be isolated at layer 2 from all other port groups: they must either be physically isolated or be isolated using VLAN tags. Failure to properly isolate the port groups can cause a disruption on the network.
Unlike other types of network pools, a network pool that is backed by port groups does not require a vNetwork distributed switch, and it is the only type of network pool that works with Cisco Nexus 1000V virtual switches. A network pool is backed by vSphere network resources such as VLAN IDs, port groups, or cloud isolated networks. Network traffic on each network in a pool is isolated at layer 2 from all other networks. Each organization vDC in vCloud Director can have one network pool, meaning each organization vDC can be assigned to only one network pool. Multiple organization vDCs can share the same network pool, but make sure that the networks in the pool are isolated. Only system administrators can create and manage network pools.
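The two requirements above for a port group backed pool (every port group present on each host in the cluster, and layer 2 isolation from all other port groups) can be checked before the port groups are imported. The following is an added example, not part of the original post or of any VMware tooling: it assumes a per-host export of port groups as (host, port group, VLAN ID) rows, and all host and port group names are made up. Physical isolation cannot be inferred from such an export, so untagged port groups are flagged for manual review.

```python
from collections import defaultdict

# Constructed inventory: (host, port group, VLAN ID) rows, as a per-host
# export of standard vSwitch port groups might look. All names are made up.
INVENTORY = [
    ("esx01", "pool-pg-101", 101), ("esx02", "pool-pg-101", 101),
    ("esx01", "pool-pg-102", 102), ("esx02", "pool-pg-102", 120),
    ("esx01", "pool-pg-103", 103),
    ("esx01", "pool-pg-104", 104), ("esx02", "pool-pg-104", 104),
    ("esx01", "vm-prod", 104), ("esx02", "vm-prod", 104),
    ("esx01", "pool-pg-flat", 0), ("esx02", "pool-pg-flat", 0),
]

def check_pool_candidates(inventory, candidates):
    """Return {port group: [problems]} for port groups proposed for a pool."""
    hosts = {h for h, _, _ in inventory}
    seen_on = defaultdict(set)   # port group -> hosts that carry it
    vlans_of = defaultdict(set)  # port group -> VLAN IDs configured for it
    users_of = defaultdict(set)  # VLAN ID -> port groups using it
    for host, pg, vlan in inventory:
        seen_on[pg].add(host)
        vlans_of[pg].add(vlan)
        users_of[vlan].add(pg)

    report = {}
    for pg in candidates:
        problems = []
        missing = hosts - seen_on[pg]
        if missing:  # must exist on every host in the cluster
            problems.append("missing on hosts: " + ", ".join(sorted(missing)))
        if len(vlans_of[pg]) > 1:  # same name, different tag per host
            ids = ", ".join(map(str, sorted(vlans_of[pg])))
            problems.append("inconsistent VLAN IDs: " + ids)
        for vlan in sorted(vlans_of[pg]):
            if vlan == 0:  # no tag: only physical isolation can separate it
                problems.append("untagged: needs physical isolation")
            sharing = users_of[vlan] - {pg}
            if sharing:  # another port group sits in the same layer 2 segment
                problems.append(f"VLAN {vlan} shared with: " + ", ".join(sorted(sharing)))
        report[pg] = problems
    return report

if __name__ == "__main__":
    pool = ["pool-pg-101", "pool-pg-102", "pool-pg-103", "pool-pg-104", "pool-pg-flat"]
    for name, problems in check_pool_candidates(INVENTORY, pool).items():
        print(name, "OK" if not problems else "; ".join(problems))
```
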
vApp networks are used for connectivity of virtual machines within a vApp. A vApp can be connected to a vApp-specific network or to an organization network. A vApp network isolates the virtual machines in that vApp from everything else; in that way, it is like an internal organization network, but is only used by that vApp. You can connect vApps to an organization network to allow them to communicate with other vApps in that organization. When you connect a vApp to an organization network, determine whether you want a fenced or a direct connection. A fenced connection allows identical virtual machines to connect to organization networks without worrying about IP and MAC address conflicts. You can also add firewall rules to protect the virtual machines in the vApp. A direct connection connects the vApp directly to the organization network.