The virtual machines in a vApp can connect to vApp networks (isolated or routed) and organization vDC networks (direct or fenced). You can add networks of different types to a vApp to address multiple networking scenarios.Virtual machines in the vApp can connect to these networks. If you want to connect a virtual machine to a different network, you must first add it to the vApp.A vApp can include vApp networks and organization vDC networks. A vApp network can be isolated by selecting None in the Connection drop-down menu. An isolated vApp network is totally contained within the vApp. You can also route a vApp network to an organization vDC network to provide connectivity to virtual machines outside of the vApp. For routed vApp networks, you can configure network services, such as a firewall and static routing.You can connect a vApp directly to an organization vDC network. If you have multiple vApps that contain identical virtual machines connected to the same organization vDC network and you want to start the vApps at the same time, you can fence the vApp. This allows you to power on the virtual machines without conflict, by isolating their MAC and IP addresses.You can configure certain vApp networks to provide IP translation by adding a NAT mapping rule. When you create an IP translation rule for a network, vCloud Director adds a DNAT and SNAT rule to the vShield Edge associated with the network's port group. The DNAT rule translates an external IP address to an internal IP address for inbound traffic. The SNAT rule translates an internal IP address to an external IP address for outbound traffic. If the network is also using IP masquerade, the SNAT rule takes precedence.You can configure certain vApp networks to provide port forwarding by adding a NAT mapping rule. Port forwarding provides external access to services running on virtual machines on the vApp network. When you configure port forwarding, vCloud Director maps an external port to a service running on a port on a virtual machine for inbound traffic.