I have an organization with 1 vDC that is connected to external network.
I'd like to share this vDC with other users, so each user will be able to log in and create his own vApp.
The problem is that I do not wish to have connection between the different vApps at all, so for example:
User A is creating his vApp with IP 220.127.116.11
User B is creating his vApp with IP 18.104.22.168
And each one is separated from the other.
So, how it can be achieved?
I want to create a user role that will be able to create vApp from catalog, but will not be able to change the parameters of the CPU/RAM/Storage at all?
I've tried to remove the permissions "Edit VM hardware" but doing so created a user that is unable to add network to his VM and also cannot change the password.
Thank you all for any assistance here.
If the VMs have to be on the external network, there is no real segregation that can happen. You could have two separate external networks on different vLANs, but that's a little extreme.
You could use vApp Networks with a NAT enabled on them, which would do what you want. This introduces some networking variables, and you'd have to confirm that this is okay with them.
For this I would do one of two things.
1. create vApp networks in each vApp (generally a good idea anyway) - then use NAT for network translation along with an edge firewall. You can use this firewall to allow to deny traffic.
2. If you are using NSX to back the networks in your cloud, you can use the distributed firewall to drive this protection.