One of our developers asked me the other day: if he unselected both NAT and Firewall, is there still any other fencing functionality? I told him that I was pretty sure that, if unselecting all options, he is essentially just creating a non-fenced vApp. However, after overthinking this I started wondering if there was still any MAC or SID isolation going on, since NAT really just deals with IP. Again, I could be overthinking this, but I'm curious to hear all the expert thoughts on this. Thanks!
So let's make sure we get some terms straight.
"Fencing" is when you have a Direct External Network assigned to the vApp, and you want to isolate it. A vApp network is similar, but the internal addresses differ from the external addresses.
In both cases an Edge device is deployed for isolation purposes.
If you disable FW/NAT, then the Edge functions as a pure gateway. This means you could set up a static route to say that a specific network or IP range exists behind the external IP of the Edge device. This is more useful in the case of a vApp Network or Routed Organization Network.
Right, so if he is trying to fence a directly connected organization network but unchecks FW/NAT, an Edge device is still deployed. It just doesn't serve any isolation functionality.
I understand how they work. I guess what this developer and I were trying to figure out was if it made sense to even allow a customer to select a "Fenced vApp", but then allow them to remove both NAT and FW. He was trying to determine if we should just default them both in our customer portal, or if we should give them the option to deselect them like in the vCD UI.
If the network is fenced and NAT is disabled (or NAT is enabled but there are no NAT rules), then you have no connectivity to the outside network. The only reason to do this would be to have a vApp that's been cloned and you want the clone to be on an isolated network but you don't want to go through the trouble of creating an isolated vApp net and connecting the VM NICs to it.