The VMware vArchitect Blog has posted instructions for how to setup vShield Edge (VSE) in vCloud for firewall policies and external routing at the org level without using NAT (behind the VSE external interface).

Speaking of static routes and layer-3 routing (yep, that’s the best transition I can come up with), I have found many of my customers questioning what is actually possible with the use of these features. My favorite argument of all is, “NAT does not equal routing!”. This misconception is probably due to the confusing label of “NAT-Routed” when referring to an external org network behind an auto-provisioned VSE appliance. That may have been the case with previous versions, but not so today. In fact, a VSE appliance can perform basic L3 routing functions independent of NAT’ing. I prefer to avoid NAT’ing (when it’s an option) — and some enterprises have banned it all together across internal networks — so this capability often comes in handy.