Cloud services are often assigned public (Internet-routable) IP addresses, which can be reached by clients either inside or outside the cloud. The tenants' clients inside the cloud are often assigned private IP addresses (i.e., IP addresses that are not routable across the Internet). Private IP addresses are selected from specific address ranges reserved for private use (for IPv4, the ranges defined in RFC 1918). A device with a private IP address cannot directly connect to anything outside the network on which that address is used (i.e., the tenant's logical network), and devices outside that network cannot directly connect to it. Access to and from a device with a private IP address therefore requires network address translation (NAT) to a public, Internet-routable IP address.
There are two ways for tenants' clients to access cloud services. One floating IP address can be assigned to each virtual machine (VM), i.e., a 1:1 NAT. This method allows a client VM to access cloud services directly but is expensive because it consumes one public floating IP address per VM.
Alternatively, one NAT gateway can be used per tenant logical network. This approach requires that all client-initiated communication go through the NAT gateway, which becomes a bottleneck when network input/output (I/O) is intensive. FIG. 1 illustrates a portion of a prior art virtualized infrastructure domain. As shown, the virtualized infrastructure domain includes several hosts 101-104.
Each host 101-104 includes a hypervisor 111-114, respectively. The VMs for several tenants T1-Tn and several services S1-Sn are hosted on hosts 101-104. For instance, VMs T1-1, T1-2, and T1-3 for tenant T1 are hosted on hosts 101, 102, and 104, respectively. Similarly, VMs S1-1 and S1-2 are hosted on hosts 101 and 102, respectively.
The VMs T1-1, T1-2, and T1-3 of tenant T1 form a logical network. The logical network is identified by a logical network identifier (also known as a virtual network identifier or VNI) and includes a NAT gateway 150. In order for the VMs of tenant T1 to access the VMs of service S1, the packets have to travel through NAT gateway 150 (as shown by paths 140-147, identified by bold arrows), which creates a bottleneck. In addition, although T1-1 and S1-1 are on the same host 101, packets sent from T1-1 still have to go through gateway 150 in order to reach S1-1.
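The two access patterns contrasted above (one floating IP per VM, i.e., 1:1 NAT, versus one shared NAT gateway per tenant logical network) can be modelled in a few lines. The following is an added illustration, not code from the patent or from any product it describes: it models the floating-IP approach as a finite pool of public addresses consumed one per VM, and the gateway approach as many-to-one NAT that keys every flow of the tenant network on a translated port at a single public address. The VM addresses, the public pool (RFC 5737 documentation addresses) and the flow counts are constructed sample data; only the RFC 1918 ranges are real. The packet counter on the gateway makes the chokepoint visible: every outbound packet and every reply of every VM in the tenant network passes through the same object.

```python
"""Toy model of 1:1 floating-IP NAT versus a shared per-tenant NAT gateway (NAPT).
Added example; addresses and flows are constructed, not taken from the original text."""
import ipaddress

# RFC 1918 private ranges: the only source addresses either NAT will translate.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class NatError(Exception):
    pass


class FloatingIpNat:
    """1:1 NAT: every VM consumes one public address from a finite pool; ports are untouched."""

    def __init__(self, public_pool):
        self.free = list(public_pool)   # public floating IPs not yet handed out
        self.binding = {}               # private VM address -> public floating IP

    def assign(self, vm_ip):
        if not is_rfc1918(vm_ip):
            raise NatError(f"{vm_ip} is not a private address")
        if vm_ip not in self.binding:
            if not self.free:
                raise NatError("floating IP pool exhausted: one public address per VM")
            self.binding[vm_ip] = self.free.pop(0)
        return self.binding[vm_ip]

    def translate(self, src_ip, src_port):
        # The VM keeps its own source port; only the address is rewritten.
        return (self.assign(src_ip), src_port)


class SharedNatGateway:
    """Many-to-one NAT (NAPT): one public IP per tenant logical network, flows keyed by port.
    Every flow from every VM in the network passes through this single object."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.next_port, self.last_port = first_port, last_port
        self.outbound = {}    # (vm_ip, vm_port) -> translated public port
        self.inbound = {}     # translated public port -> (vm_ip, vm_port)
        self.packets = 0      # load counter: shows the gateway as the single chokepoint

    def translate(self, src_ip, src_port):
        if not is_rfc1918(src_ip):
            raise NatError(f"{src_ip} is not a private address")
        self.packets += 1
        key = (src_ip, src_port)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise NatError("NAT port range exhausted")
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound[key])

    def untranslate(self, dst_port):
        """Reverse mapping for a reply arriving at the gateway's public address."""
        self.packets += 1
        if dst_port not in self.inbound:
            raise NatError("unsolicited inbound packet dropped: no NAT state")
        return self.inbound[dst_port]


def demo():
    """Run both models over the same three tenant VMs (constructed: T1-1, T1-2, T1-3)."""
    tenant_vms = ["10.1.0.11", "10.1.0.12", "10.1.0.13"]
    one_to_one = FloatingIpNat(["203.0.113.11", "203.0.113.12", "203.0.113.13"])
    gateway = SharedNatGateway("203.0.113.50")

    # Floating-IP model: three VMs cost three public addresses.
    floating = {vm: one_to_one.translate(vm, 40000)[0] for vm in tenant_vms}

    # Gateway model: one public address, but every request and reply hits the gateway.
    flows = [gateway.translate(vm, 40000 + i) for i, vm in enumerate(tenant_vms)]
    replies = [gateway.untranslate(port) for _, port in flows]

    return {
        "floating_ips": floating,
        "public_addresses_used": (len(set(floating.values())), len({ip for ip, _ in flows})),
        "gateway_ports": [port for _, port in flows],
        "replies": replies,
        "gateway_packets": gateway.packets,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two failure modes worth noticing are the ones the text alludes to: the floating-IP model fails when the public pool runs dry (one address per VM), and the gateway model concentrates all state and all packets in one place, so port exhaustion or I/O saturation at that one gateway takes down access for the whole tenant network.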