OK so I have vDCs for each tenant with its own user accounts. For network separation I need a vShield Edge device for each tenant?! Ok, I also can separate networks by using VLANs, not so cool Then I can use VXLAN right? And for using this i need those vShield Edge devices?!

Networking can be VERY complicated within VCD.  If you are running VCD internally and you're not worried about network security you can run all Organizations on the same VLANs.  You can also setup different External Networks for each Organization and put them on their own VLAN.  This can all be done by standard VLAN's or VXLAN, that is up to you and your network setup.  There are physical switch requirements for VXLAN to work though so read up on that.

If you want your tenants to control what traffic comes into their Organization VM's you can deploy a vShield Edge device to their Organization.  This allows that tenant to control Firewall and Nat rules to their entire Network.

-Eric

ah ok, so networks are already separeted through VLAN/VXLAN and Edge device is then used as firewall/nat/...

Networks do not have to already be separated though.  For my internal deployment I run all 8 Organizations on the same network.  They can all see eachother's VM's.  I separate them by Organizations based on divisions within the company.

hm ok but if I sign up for a public vCloud service I get my own organization vDC and I only have external network connection. So I can create my own networks within my organisation and I dont need to set up an edge device and others cant access my VMs. How is that done?!

good to know. Last question, the provider sets up a VLAN or can use VXLAN, right?

Correct.  When you are then tenant you can only setup internal vApp networks and connect them to the External Networks the hosting provider has created for you.

-Eric

thx for your help