VMware Cloud Director Tutorial & Quick Start Guide

September 19, 2023


This document is a quick-start guide to the phoenixNAP Virtual Private Data Center and Data Security Cloud products. Both products utilize the VMware Cloud Director user interface to manage virtual machines, networking, and storage solutions.

This article covers how to perform initial network configuration, virtual machine management, library management, and access control for both NSX-T and NSX-V edges.

VMware Cloud Director Tutorial & Quick Start Guide


  • Login URL, credentials, and public IP information from the phoenixNAP Provisioning Team.
  • Access to a web browser.

Note: The screenshots and instructions in this document cover the HTML5 version of the interface with VMware NSX version 4.x and Cloud Director version 10.x.

Initial Network Configuration

For security reasons, a new Cloud Organization has no networks preconfigured. When you create a virtual machine, it is isolated from the outside world.

Your Cloud Organization also has a VMware Edge Gateway appliance assigned to it, which provides internet access, firewall, and NAT. NSX-V also features a VPN functionality for virtual machines.

Note: Migration from NSX-V to NSX-T is also possible. See a detailed overview of the differences between NSX-V and NSX-T before opting in for migration.

Creating an Org VDC Network

The first network to create is an organization-level Virtual Datacenter (VDC) network. Select the Networking section in the top navigation bar. The Networks page loads.

Click the New button to start the VDC network creation process.

VMware Cloud Director UI Networking New Network button

The New Organization VDC Network process starts. Follow the steps below to set up a VDC network:

1. Choose the Scope. Select the Organization Virtual Data Center from the list and click Next to proceed.

New VDC Network Scope UI

2. Select the Routed as the network type and click Next. The Routed network enables connections to the Edge gateway and provides internet access, whereas Isolated creates an internal network for the VDC.

New VDC Network Type UI

3. Create the Edge Connection. Your organization will have the Edge Gateway deployed, which shows up on the list. Select the Edge Gateway from the list and click Next.

New VDC Network Edge Connection UI

4. The General step contains general information about the network. The following fields are available:

  • Name. Create any name you want to use to reference this network in the future.
  • Description (optional). A description of this network.
  • Dual-Stack Mode (optional). The switch enables the network to have both IPv4 and IPv6 subnets.
  • Gateway CIDR. The CIDR is the internal IP the VMs use to reach the internet and the network mask. For example,
  • Guest VLAN Allowed (optional). Whether to allow guest access to the network. Most clients leave it unchecked.
New VDC Network General UI

Fill out the general information for the network. When ready, click Next to proceed.

5. The Static IP Pools page allows reserving a pool of IPs that will be static. The step is optional.

To add an entry, enter the static IP address or range and click Add. The entry appears on the Allocated IP Ranges list, and the total reserved IP addresses are displayed below the list.

New VDC Network Static IP Pools UI

The interface also allows modifying and removing entries from the list. Once ready, click Next to continue.

The DNS enables adding a primary and secondary DNS and the DNS suffix for the VMs. NSX-V has an additional option to use the edge DNS. The DNS relay must be previously configured on the gateway.

Setting up a DNS is optional. Set the IPs of the DNS servers if you wish to use them, and click Next.

7. The final page shows an overview of the configuration. To modify information, click the Previous button to return to previous steps. Otherwise, click Finish to commit the changes.

New VDC Network ready to complete Finish UI

The network shows the status as Busy and the network type as Isolated, which changes to Ready->Normal and Routed once the network connects.

Networks list status and type UI

Edge Gateway Configuration

To access the Edge Gateway configuration screen, open the Edge Gateways tab from the Networks page. This shows you a list of Edge Gateways configured on your account. In most cases, your account will have one or two listed, with your organization's name assigned to it.

VMware Cloud Director UI Networking Edge Gateways

Clicking the Edge Gateway name shows the current Edge Gateway settings and enables the Services menu for NSX-T (button on NSX-V). To allow either inbound (internet to VM) or outbound (VM to the internet) traffic, create NAT rules and additional Firewall rules.

Managing NAT Rules

We recommend starting with the NAT rules, as no NAT rules are set up by default. The interface for managing the rules differs between NSX-V and NSX-T edges.


Access the NAT page in the left menu to view and manage NAT rules. To add a new NAT rule, click the New button above the rules list:

Edge gateway new NAT rule NSX-T UI

The same interface helps create Source NAT (SNAT) and Destination NAT (DNAT) rules.


To navigate to the NAT page, click Services->NAT. The page shows a list with predefined (internal) and user-defined rules.

NSX-V edge gateway SNAT rule

The buttons above the list start the SNAT and DNAT rule creation process.

Creating a Source NAT Rule

To allow traffic from your VMs to reach the internet, add a Source NAT (SNAT) rule.


Configure the settings as follows:

Add NAT rule SNAT UI
  • Name. Add a descriptive name for the rule.
  • Description (optional). An optional description for the rule.
  • Interface Type. Choose SNAT from the dropdown menu.
  • External IP. The external IP that the traffic shows up as. Enter one of the usable public IP addresses. Click the info button next to the field to list the available IPs.
  • Internal IP. Enter the internal IP and subnet used earlier in VDC network creation.
  • Destination IP (optional). If the rule applies to a specific address or domain, enter the IP address or IP address list. Leave blank to apply the rule to all destinations outside of the subnet.
  • Advanced Settings (optional). The following settings are available under the Advanced Settings menu:
    • State. Enables the rule on creation.
    • Logging. Logs address translation from this rule.
    • Priority. Sets the priority for the NAT rules to determine the application order in case of multiple rules. Lower values indicate higher priority.
    • Firewall Match. Sets a firewall match rule to determine how the firewall applies during NAT.
    • Applied To. The VDC network or external network for which this rule applies.

Click Save to commit the settings and add the new SNAT rule.


Configure the settings as described below:

Add SNAT rule NSX-V UI
  • Applied On (optional). Defaults to your Edge Gateway's preconfigured external network.
  • Original Source IP/Range. This will be the same internal IP and subnet as defined earlier, such as
  • Protocol (optional). The default protocol is set as Any. Select the IP protocol from the dropdown list to use a specific type.
  • Original Port or ICMP Type (optional). Options are grayed out depending on the previously chosen protocol. If using TCP or UDP, enter a specific Original Port, or leave it as Any. If using ICMP, select the ICMP Type.
  • Translated Source IP/Range. The external IP that you want traffic to show up as. Enter one of your usable public IPs here.
  • Destination IP and Port (optional). Set the IP address and port if the rule applies to a specific IP or domain. Otherwise, set to any to apply the rule to all destinations. 
  • Description (optional). Add an optional text description of the rule.
  • Enabled (optional). Enables the rule upon creation.
  • Enable logging (optional). Enable optional logging of traffic matching this rule.

Click the Keep button to commit these settings and add the SNAT rule.

Creating a Destination NAT Rule

To allow traffic from the internet to directly reach one of your virtual machines, create a Destination NAT (DNAT) rule to translate the public IP and port to a private IP and port.


Configure the DNAT settings as follows:

Add NAT rule DNAT UI
  • Name. An identifiable name for the rule.
  • Description (optional). An optional text description.
  • Interface Type. Choose DNAT from the dropdown list.
  • External IP. The edge gateway public IP address. The IP address must be one of the public IP addresses sub-allocated to the edge gateway. The info button shows the available options.
  • External Port (optional). The port in which the DNAT rule translates packets destined for the VM.
  • Internal IP. The internal IP of the virtual machine that receives external traffic.
  • Application (optional). A port profile to which the rule applies. Includes the port number and protocol the external traffic uses on the edge gateway to connect to the internal network.
  • Advanced settings (optional). Additional settings for the rule which are identical to the previous example.

Click Save to commit the changes and create the DNAT rule.


Fill out the fields as follows:

Add DNAT rule NSX-V UI
  • Applied On. Defaults to your Edge Gateway's preconfigured external network.
  • Original IP/Range. The public IP external users will use to connect. Use the Select button to choose an IP address or type an IP address range.
  • Protocol (optional). The IP protocol type that maps with this NAT rule. Original Port or ICMP Type (optional). One or both will be greyed out depending on the setting chosen in Protocol. This is used to identify the type of traffic that will be mapped with this rule.
  • Translated IP/Range. The internal IP of the virtual machine that you would like this traffic to reach.
  • Translated Port. The port on the virtual machine that this traffic should be sent to.
  • Source IP Address and Port (optional). The IP address of a specific source that should reach the VMs. Set to any to allow all traffic.
  • Description. An optional text description of the rule.
  • Enabled. Enables the rule on creation by default.
  • Enable logging. Enable optional traffic logging matching this rule.

Click Keep to commit these settings and create the DNAT rule.

Creating Firewall Rules

Next, create Firewall rules so the traffic matching these NAT rules is allowed through. The edge gateway has some preconfigured firewall rules, which do not require changing.

"Traffic applies the first rule that it matches. For example, if you have a""deny all inbound" traffic rule, it should be low on the list. This approach ensures that some traffic gets through instead of blocking all traffic."Traffic applies the first rule that it matches. For example, if you have a "deny all inbound" traffic rule, it should be low on the list. This approach ensures that some traffic gets through instead of blocking all traffic.

The process for creating new firewall rules differs for NSX-T and NSX-V. Below are sections describing the steps for each setup.


To start creating a rule on NSX-T, do the following:

1. Access the Firewalls page from the left menu in the Services section.

2. Click Edit Rules to access the rule editing page.

Edge gateway edit firewall rules NSX-T

You can directly create and edit the firewall rules on this screen. 

3. Click New On Top to create a new rule above the list of existing rules.

Add firewall rule UI

The process for creating and editing a rule is the same whether you are editing a rule for SNAT or DNAT traffic. Only the settings themselves change.

4. Fill out the fields according to the requirements. Consider your own desired network configuration before applying any rules to your environment.

For example, a rule to allow all traffic from VMs to reach the internet looks like the following:

  • Name. Egress Traffic
  • State. Enabled
  • Applications. HTTPS, HTTP
  • Source. A selected source VM
  • Destination. Any
  • Action. Allow
  • IP Protocol. IPv4
  • Logging. Enabled
  • Comment. Monitored Egress Traffic.

5. Click the Save button to apply the firewall rules to your Edge Gateway.

Firewall rule example UI

You can also re-order rules to control the traffic flow.


To create firewall rules on NSX-V, do the following:

1. Navigate to the Edge Gateway page.

2. Click Services->Firewall. The page allows creating, editing, and removing firewall rules.

The rule editing and creation process is the same for SNAT and DNAT traffic.

3. Click the + button to start the rule creation process.

Edge gateway add firewall rule NSX-V

The new rule appears below the selected rule on the list.

4. Double-click the fields to edit the settings. An example rule to allow inbound traffic to port 443 on a virtual machine looks like the following:

  • Name. HTTPS
  • Type. User
  • Source. Any
  • Destination. Internal IP of the VM serving HTTPS
  • Service. tcp:443:any
  • Action. Accept
  • Enable logging. Checked

5. Click Save Changes above the rules list to save the newly created rule.

Firewall rule save changes UI

Re-order the rule using the up and down buttons above the rules list and control the traffic flow.

Virtual Machine Creation and Management with Cloud Director

In Cloud Director, virtual machines link into collections called vApps. While it is possible to configure a VM without a vApp, a vApp provides additional functionalities.

For example, you can configure your networks so VMs can communicate with each other but not with other collections of virtual machines. vApps are easy to duplicate, which is convenient if you have a collection of VMs that you always deploy together.

Creating a vApp

To access the vApp screen, click the Applications section in the top navigation bar. The page automatically lands on the Virtual Applications tab. Follow the steps below to create a new vApp.

1. Open the New dropdown menu and choose New vApp.

VMware Cloud Director UI applications new vApp

A new page opens for vApp creation.

2. Select the target virtual data center from the list and click Next to proceed.

vApp creation target virtual data center UI

3. The New vApp page allows adding the vApp configuration and details:

  • Name. A descriptive name for the vApp.
  • Description (optional). An optional descriptive text for the vApp.
  • Power on (optional). Whether to power on the vApp immediately after creation. Add virtual machine (optional). If there are no virtual machines on the list, the button starts a VM creation process. Virtual machines can be added immediately or after vApp creation.
Create new vApp UI

4. Add a new virtual machine or click Create to complete the vApp creation process. Virtual machine creation is a multi-step process covered in the next section.

Virtual Machine Creation

Click Add Virtual Machine to add the first virtual machine from the New vApp window.

Add virtual machine new vApp UI

Next, if your organization has a template you want to use, select the Type as From Template and choose the template you wish to clone.

Alternatively, to create a new VM and see the complete list of settings, set the Type to New:

VMware Cloud Director new VM UI

Configure the settings as follows:

  • Name. The name you want to display for this VM within VMware Cloud Director.
  • Computer Name. The hostname of the guest system.
  • Description (optional) An optional text description of the machine.
  • Type. Set to New unless using a template.
  • Guest OS family. Set this to the operating system family that best matches your desired guest OS.
  • Guest OS. Set this to the specific operating system you plan on installing within the guest OS. Note that this only configures the VM for compatibility with this guest – it does not install the guest OS.
  • Boot image (optional). If you have installation media uploaded to your catalog, select it here, and it will automatically connect to the VM upon creation. If not, you can connect it manually later.
  • Boot firmware. Choose between EFI or BIOS firmware for the VM. The default selected is EFI.
  • Enter Boot setup (optional). Toggle on to enter the boot firmware setup when the VM starts.
  • Trusted Platform Module (optional). Switch on to have the Trusted Platform Module device for the VM.
  • Compute. This will pre-populate with a list of standard VM sizes based on the operating systems selected. If none of the shown settings match your desired configuration, manually change the following:
    • CPU. This is the total number of virtual CPUs that will be assigned to the VM. One virtual CPU is approximately equal to one physical CPU core.
    • Cores per socket. This controls how many sockets the guest OS will see. It does not modify the number of cores, only how they are presented to the guest. In most cases (and especially for VMs that are not very large), this should be set to be the same as the Virtual CPUs setting.
    • Memory. Virtual RAM assigned to the VM, shown in gigabytes or megabytes.
  • Storage. This allows you to configure the size and policy of virtual hard disks. To add additional storage, click the Add button.
  • Networking. By default, this will be connected to your routed network created earlier. If you need to change the network, IP allocation, or add more virtual NICs, click the Customize button.

Click the OK button to apply these settings to the VM. The Build new vApp screen returns into view. You may repeat the process above if you want to add more virtual machines at this time.

Once you add your initial virtual machine(s) to the vApp, click Create to create the vApp. When created, it will show an entry as this one below on the vApp screen:

vApp overview actions details UI

The buttons at the bottom allow you to control or modify the vApp:

  • Actions. This enables power control options for the vApp, such as power on, power off, suspend, or reset. Additional actions include adding VMs, creating templates, or changing ownership.
  • Details. This opens the vApp and shows a detailed overview of the VM, as well as additional settings. All vApp actions are available from the Details page as well.
vApp details page UI

Clicking the Virtual Machines on the Applications page in the top tabs list shows the VM settings in all vApps. The Details page for individual VMs allows you to further customize them and their virtual hardware.

Virtual machines applications page UI

Alternatively, you can also click the Virtual Machines item in the menu on the left-hand side from any Details page and see all VMs in all vApps:

VMware Cloud Director VMs list

The VMs on this screen each have an entry as shown:

VM overview actions details UI

If you have not already connected an install media to a VM, you can do it on this screen by clicking Actions->Media->Insert Media.

If you have already connected an install media or created a VM from a template, you can power on the VM and then click Actions->VM Console->Launch Web Console to manage the VM directly.

Named Disks

The use of named disks with the Cloud Director allows updating virtual machines without impacting the underlying data. The feature is designed to enable users to create virtual disks that can be attached to and detached from virtual machines at any stage.

You can find this option in the menu under Storage. To create a new independent disk, click New.

Named disks new disk UI

A new window opens where you set the name, an optional description, storage size, bus, and bus sub-types of the named disk.

Create named disk UI

Click Save to create the new named disk.

Note: If you are interested in getting the Enterprise-All-Flash storage solution, please contact your sales representative for more information.

Storage Policies

View how much storage you are consuming compared to how much you have purchased by clicking Storage Policies in the Storage menu.

Storage policies used and limit UI

The last two columns show the used amount and the storage limit.

Note: For additional documentation on Cloud Connector, refer to our guide Veeam Plugin for VMware Cloud Director.

Library Management

Libraries are where installation media and VM templates are stored. Access the Libraries page from the navigation bar on top.

VMware Cloud Director Libraries page

The default screen shows the vApp Templates. Click the New button if you have an OVA or OVF file to upload as a template, and follow the on-screen instructions to configure the template.


Catalogs are collections of installation media and templates. You can access them by clicking the Catalogs page on the menu on the left.

Libraries catalogs public shared catalog UI

A catalog may be managed by phoenixNAP and shared among all users, or you can create one with personal installation media and templates. The Public_Shared_Catalog is already connected to your organization and can be used for standard installation media.

To upload installation media, click New on this screen to create a catalog. The following screen prompts you for a name, and an optional description, before allowing you to click OK.

Uploading Installation Media

Once you have created a catalog, click the Media & Other menu item to upload files.

Libraries media and other UI add new

Click the Add button at the top of the screen to upload the installation media. Assign a name to the installation media, then select the ISO file you wish to upload:

Upload media to catalog UI

Once the upload is complete, use this installation media on VMs in your organization.

PhoenixNAP Data Security Cloud customers who have resources at both Ashburn and Phoenix sites can now utilize the multisite feature of the VMware Cloud Director portal. This single pane of glass approach allows for easier resource management by creating organization associations between the sites. One dedicated organization administrator can quickly perform multisite pairing via the UI.

Access Control

The VMware Cloud Director uses role-based access control to authorize users and groups to perform actions. To view the access control options, open the Administration page from the navigation bar.


Several predefined roles are available to cover predefined workflows. System administrators have access to edit or delete predefined roles, as well as create and publish custom roles.

To view the roles, open the Roles page in the left-hand side menu.

Administration roles new role UI

The page shows predefined global tenant roles. The table below explains each role and the available permissions.

Catalog AuthorCreate and publish catalogs.
Console Access OnlyView VM state and use guest OS.
Defer to Identity ProviderTakes information from OAuth or SAML identity provider. If there is no matching role, the user has no rights.
Organization AdministratorManage users, groups, and roles within the organization. Includes the Organization Administrator role.
vApp AuthorUse catalogs and create vApps.
vApp UserUse existing vApps.

To create a new role:

1. Click New to start the role creation process.

2. Add a role name and a description for the role.

3. Choose the appropriate view, manage permissions for the role, and click Save.

The new role shows up on the list alongside the predefined roles.


The VMware Cloud Director portal allows System Administrators to create, edit, import, and delete users. If a user attempts to log in with an incorrect password, the user account can be unlocked from this page.

To create a user, access the Users page from the left panel and click New.

Administration users new user UI

Fill out the following fields:

  • User name. Enter a user name. Spaces are now allowed, and the maximum character limit is 128 characters.
  • Password. Enter the password for the user. The minimum password length is six characters.
  • Enable (optional). Enables the user upon account creation.
  • Configure user's quota (optional). Enables limiting resource availability to a user. Redirects to Quotas page after account creation.
  • Available roles. Choose a role from the dropdown menu.
  • Contact info (optional). Various contact information for the user, including full name, email address, phone number, and IM.

Click Save to apply the information and create a user account. The account shows up on the user list. Click the user name to see additional user settings and actions for the user.


After reading this guide, you should have set up VMware Cloud Director for an NSX-V or NSX-T edge. In-depth documentation for these features and other functionalities within the Cloud Director.

Click the question mark icon in the upper right-hand corner, followed by the Help link in the menu that pops up. Alternatively, use the shortcut (Ctrl+').

Was this article helpful?
Dejan Tucakov
Dejan is the Head of Content at phoenixNAP with over 8 years of experience in Web publishing and technical writing. Prior to joining PNAP, he was Chief Editor of several websites striving to advocate for emerging technologies. He is dedicated to simplifying complex notions and providing meaningful insight into data center and cloud technology.
Next you should read
How to Install VMware Tools on Ubuntu 18.04
April 1, 2024

This article provides three methods of installing VMware Tools on your Ubuntu guest system. VMware Tools...
Read more
VMware vCloud Availability Tenant Setup Guide
August 12, 2019

VMware vCloud Availability 3.0 is a single interface for workload migration, cloud-to-cloud disaster...
Read more
Containers vs Virtual Machines (VMs): What's the Difference?
January 25, 2024

Both virtual machines and containers are used to created isolated virtual environments for developing and...
Read more
How to Install VMware Workstation on Ubuntu
March 21, 2024

This easy tutorial shows you how to install VMware Workstation Pro on Ubuntu. Running a virtual machine (VM)...
Read more