Not having used vCD or NSX before, this may be a very stupid question. We currently use another third-party orchestration layer for a public cloud solution; this handles all of the public IP assignment and isolation. It can do this without the need for any NAT, using a router appliance on each ESXi host. The router appliance is per host (not per customer).
We are looking to do the same thing with vCD, but from what I understand we would need to provide an Edge Gateway to each customer and use NAT. We can then prevent unauthorised changes to the external interface on each customer Edge Gateway.
We have a mix of customers, some using /29 networks and others with single IP addresses. I appreciate the routing suggested below would not work for the /32 IP assignments, so that will be a separate question/solution.
For the /29s, what I was hoping to do is create a global external DLR which we connect the customers to. We would create the various /29 networks as individual LIFs. That way the DLR would be the default gateway for the customers. They can then either use up their 5 available IP addresses on each LIF, or put in their own firewall appliance with a distributed logical switch behind it where they can deploy their vApps.
So my question is: can we create a pool of LIFs which can be assigned to customers as an External network? Or would we need to create a DLR for each customer (if that is an option)?
The reason I would prefer a single DLR is to avoid the need for a controller VM for each customer, but if a DLR per customer allows us to avoid introducing NAT and the limit of 10 interfaces on the Edges, it's still a good option, providing it's supported with vCD.
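As an added illustration (not part of the original post, and not NSX or vCD code), here is a small Python planner for the "/29 per LIF" addressing model described above. It carves a public pool into /29 LIFs, reserves one host address on each LIF for the DLR interface (the assumption here is that the DLR takes the first host address; the pool 203.0.113.0/24 is a constructed documentation range), hands the remaining 5 addresses to the customer, and refuses a /32, which is the case the post says needs a separate solution.

```python
import ipaddress

# Assumed convention for this example: the DLR LIF uses the first host
# address of each subnet, so it can act as the customer's default gateway.
GATEWAY_INDEX = 0


def carve_lifs(pool_cidr, prefixlen=29):
    """Split a public pool into candidate LIF subnets of the given length."""
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    if prefixlen < pool.prefixlen:
        raise ValueError("LIF prefix must be at least as long as the pool prefix")
    return list(pool.subnets(new_prefix=prefixlen))


def plan_lif(lif):
    """Return (gateway, customer_addresses) for one LIF.

    A subnet only works in this model if it has room for both a gateway
    address and at least one customer address; a /32 has neither, so it
    is rejected rather than silently planned.
    """
    hosts = list(lif.hosts())
    if len(hosts) < 2:
        raise ValueError(
            f"{lif} has no room for a DLR gateway plus a customer address; "
            "a single-IP assignment needs a different design"
        )
    gateway = hosts[GATEWAY_INDEX]
    customer = [h for h in hosts if h != gateway]
    return gateway, customer


def assign_pool(pool_cidr, customers, prefixlen=29):
    """Assign one LIF per customer from the pool, first come first served.

    Returns a dict of customer -> {"lif", "gateway", "customer_ips"} and
    raises if the pool cannot supply a LIF for every customer.
    """
    lifs = carve_lifs(pool_cidr, prefixlen)
    if len(customers) > len(lifs):
        raise ValueError(
            f"pool {pool_cidr} only yields {len(lifs)} /{prefixlen} LIFs "
            f"for {len(customers)} customers"
        )
    plan = {}
    for customer, lif in zip(customers, lifs):
        gateway, customer_ips = plan_lif(lif)
        plan[customer] = {
            "lif": lif,
            "gateway": gateway,
            "customer_ips": customer_ips,
        }
    return plan


def customer_usable_count(prefixlen):
    """Addresses left for the customer: total minus network, broadcast, gateway."""
    if prefixlen > 30:
        return 0
    return 2 ** (32 - prefixlen) - 3


if __name__ == "__main__":
    # Constructed sample: a documentation pool and three hypothetical tenants.
    sample_plan = assign_pool("203.0.113.0/24", ["tenant-a", "tenant-b", "tenant-c"])
    for name, entry in sample_plan.items():
        ips = ", ".join(str(a) for a in entry["customer_ips"])
        print(f"{name}: LIF {entry['lif']} gateway {entry['gateway']} customer IPs {ips}")
```

Running it shows each tenant getting a /29 LIF with the DLR on the first host address and five addresses left for the tenant, which is the 5-address figure quoted in the post; calling plan_lif on a /32 raises instead of producing an unusable plan.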