I'm currently in the process of planning a vShield deployment. I have to give IP addresses to the vShield Apps but before I proceed there is one question - do the IP adresses of the vShield Apps (when deployed via the vShield Manager) have to be in the same Subnet as the ESXi Hosts which will be protected by them? The vShield Apps enforce the firewall policies set on the Manager and filter the host traffic, but the IP address is only relevant for managing them and the filtering itself is done by the hypervisor, or am I in the wrong here?

Example: The vShield Manager is deployed in Subnet_1, the ESXi hosts run in Subnet_2. Do the vShield Apps HAVE to be deployed in Subnet_2 or can I give them addresses from Subnet_1?

Thanks!