When you sign up for a public vCloud service they setup your Organization and deploy a vShield Edge device for your Organization. All of your VM's will run within an internal network on a VLAN just for you (usually 192.168.x.x). The VM's have access to the internet but there is no access into the VM's from the internet by default. YOU have to configure Firewall and NAT rules on the Edge device to allow traffic into your VDC. You usually get a few Public IP Addresses with your VCD service. You pic one and setup the NAT or Port Forwarding rules.
Eric