
Monthly Archives: March 2013

VMware Cloud Evaluation and vCloud Hybrid Service – What’s The Difference?

With all the buzz around VMware’s various cloud solutions, we understand it can be difficult to keep track of what’s out there. Here’s a cheat sheet to help you pick the option that’s best for you and your organization’s needs.

The VMware Cloud Evaluation (formerly known as the vCloud Service Evaluation) was launched in 2012 and has been running in beta for the past 6 months. This sandbox environment is built on top of vCloud Director and VMware vSphere and is not a representation of a specific service provider offering.  The purpose of the VMware Cloud Evaluation is to let you explore the capabilities of a VMware-based hybrid cloud and experience the ease of moving workloads without commitment. The VMware Cloud Evaluation is not a production-ready environment.

The vCloud Hybrid Service, which will launch later this year, will be an enterprise-class, production-ready service. Because VMware believes the underpinning for cloud is the Software-Defined Data Center (SDDC), VMware will give you, our users, the ability to extend the architecture you’re accustomed to in your private cloud out into the public cloud.

So, if you’re still in the process of learning about the value of hybrid cloud and the capabilities of a VMware-based cloud, the VMware Cloud Evaluation is the way to go. Through the VMware Cloud Evaluation, you get a non-production sandbox where you can move VMware workloads between clouds.

We hope this clears up the differences between the VMware Cloud Evaluation and vCloud Hybrid Service. Have another question to ask? Feel free to tweet us at @vCloud or @VMwareSP, and follow us for future updates.

vCloud Director Hybrid Cloud Design Case Study

By: Chris Colotti

This is a repost from Chris Colotti’s blog, chriscolotti.us

So all week I have been posting tidbits about the vCloud Director Hybrid cloud I have been building. So what was my purpose for doing so? Well, I did it to make a couple of points, of course. The following is the final outcome, formed into a bit of a case study that you can digest for a while. The main reason I did this is that I feel we are still struggling with how to CONSUME the hybrid cloud model. We’ve spent a lot of time architecting vCloud Director implementations in both the public and private cloud space. I decided I wanted to take a look at this from the consumer’s point of view: the people who would be coming to those of you that are vCloud Director providers, and help them understand HOW to use these public clouds.

Setting the Stage For vCloud Director Hybrid Clouds

So who are these consumers and users I am speaking about trying to help?  It can be any one of us but for the purpose of this case study I want to take two specific examples that fit many possible situations out there.

  • A new startup with NO Infrastructure
  • An enterprise that has reached the limit of their current Datacenter

In both cases the need is simple. They both need to find new infrastructure without having to build it themselves. In both cases I am actually focussing on them not building more themselves, but rather leveraging the vCloud Providers out there. They could consume in either a public cloud fashion or a hosted private cloud fashion. For the purposes of this study let’s assume they have decided to go to public cloud providers. I will play the role of the consumer as we continue forward. I will also be taking the second scenario above: I have a datacenter that has met its limits of compute, memory, and storage.

Choosing your Providers

To be clear, I am not suggesting where you go, but for my purposes here I happened to already have resources at two vCloud Public providers running vCloud Director 5.1, so I decided I was going to split my Infrastructure as a Service (IaaS) between the two for some level of redundancy. I also personally think that leveraging two different providers makes you a smart IT person. For my scenario, as we know, I have been using:

Obviously you can choose whomever you want, but in this case we are focussing on providers that are using vCloud Director 5.1 for its flexibility and simplicity in building your new organization. Once I have decided on the providers I am going to use, the next steps are fairly simple and frankly are no different from what you would do if you were building a physical datacenter, except now we are building a Software Defined Datacenter (SDDC).

Build your SDDC – Start with the Networking

Like any new datacenter, you need to get the basic things configured. As I have shown in previous posts, vCloud Director 5.1 provides a lot of power to the organization administrator... YOU. The first order of business in my mind is the networking. You want to design this separately for each site as you would for a new physical site. Almost all your traffic will leverage the Edge Gateway as well.

  • Decide on and configure your routed networks
  • Decide on and configure your isolated networks
  • Configure your SNAT rules
  • Configure basic outbound internet access firewall rules
  • Determine DHCP settings and Static IP Rules if any
  • Be sure to get various public IPs from your provider

Once you have this figured out in your design of the two remote datacenters you can move forward. It goes without saying that you don’t want to overlap networking subnets between sites or VPN will not work. At this point you will also want to establish VPN connectivity between the sites and write the basic firewall rules for traffic to pass as you wish. This will be important as you begin to stand up your Infrastructure as a Service.

Build your SDDC – Setup vCloud Connector, Import or Build New Templates

Here you can basically download and import the vCloud Connector Nodes into your two Public Clouds.  However, some providers are now building Multi-Tenant Nodes that you can simply leverage based on vCloud Connector 2.0.  If this is the case you only need to build your vCloud Connector Server hosted in one of your clouds, but maybe you want one in both.

Once you have this you can choose to move templates you already have in your current datacenter, or build fresh ones. You can upload ISO images and just build new ones if you want to be sure things are set up fresh. Either way you have the option, so proceed as you wish. So at this point we have networking, templates, and site-to-site VPN connectivity established. Now we just need to build out the infrastructure we need to get started.

Build your SDDC – Active Directory

Like any new datacenter, the first thing we probably need is localized Active Directory. Assuming you have Active Directory servers in your first datacenter, you will want to make sure you set up new Sites and Services with the correct IP ranges. Now, I am no Active Directory expert; I am just trying to at least cover the basics. Below you can see that in my scenario I have set up the three sites, and also gone ahead and installed at least one Active Directory server in each of the new sites. This will become the local authentication and DNS server for any new Windows infrastructure in that site.


Once you have pre-configured Active Directory Sites and Services in your Physical Datacenter controllers you can install from templates and promote the ones in the other sites.  At this point you are ready to continue installing application servers, or other IaaS you want to add to your enterprise using your new vCloud Director Hybrid setup.  These can be things like Public DNS, Public SMTP servers, maybe even Desktops at some point although that’s neither tested, nor supported on vCloud Director.

Some Final Thoughts And Diagram

Although this has been a basic study of how you can leverage vCloud Director Hybrid Clouds to expand your enterprise, it should give you a foundation to start thinking from. The diagram below is a much more expanded view of the possibilities you can reach to host many services in your new public vCloud Director Hybrid cloud. Really, the point is that this is just like building a new physical datacenter, only in most cases it’s much faster. Of course, as Network Virtualization and Storage Virtualization move along this will only get better. I will be presenting this on next week’s vBrown Bag as well so we can open up discussion.


Chris is a Consulting Architect with the VMware vCloud Delivery Services team with over 10 years of experience working with IT hardware and software solutions. He holds a Bachelor of Science Degree in Information Systems from the Daniel Webster College. Prior to VMware he served a Fortune 1000 company in southern NH as a Systems Architect/Administrator, architecting VMware solutions to support new application deployments. At VMware, in the roles of a Consultant and now Consulting Architect, Chris has guided partners as well as customers in establishing a VMware practice and consulted on multiple customer projects ranging from datacenter migrations to long-term residency architecture support. Currently, Chris is working on the newest VMware vCloud solutions and architectures for enterprise-wide private cloud deployments.

To Our VMware Cloud Evaluation Users: We’re Sorry

We are aware of provisioning delays some users have experienced when signing up for the VMware Cloud Evaluation.  We’d like to apologize to our users for exceeding the target provisioning time for new accounts. For those who are ready to give it a try, we are making room for you.

We also want to be clear that the cloud evaluation is not the beta of VMware’s vCloud Hybrid Service, which was previewed at our Strategic Forum for Institutional Investors in New York last week. The VMware Cloud Evaluation (formerly known as the vCloud Service Evaluation) enables users to get hands-on experience of a vCloud Director environment in a non-production sandbox without a contract or commitment; users are also able to try and experience moving VMware based workloads to/from their on-premise environment to an off-premise environment.

Since introducing the 90-day free trial a few weeks ago, we’ve quickly seen a large uptick in evaluation sign-ups. To meet that demand we are adding more capacity to get you up and running.

For future updates, be sure to follow us on Twitter at @vCloud and @VMwareSP.

Liquid Data Center

By: Massimo Re Ferre’, vCloud Architect

This is a repost from Massimo’s personal blog, IT 2.0 – Next Generation IT Infrastructures.

Having worked for about 3 years with vCloud Director I have to admit that the networking subsystem is the one that takes the most time to digest. Part of this is because it is fairly complex (or, let’s say, rich). Part of it is because VMware has not done a great job of exposing that richness in a simple way to the cloud consumer.

I kept saying for years that vCD should have had more visual support and network layout diagrams in the UI to make it easier to understand and digest that richness. When I sit down with partners and customers to discuss the technology I don’t show the vCD UI.

I prefer to use a whiteboard and draw diagrams that often look, logically, like the good old vSphere maps. Do you remember them? How nice.

As part of new responsibilities I am taking on inside VMware, I am trying to get a bit deeper on the API side of this cloud thing.

I thought it could be a good exercise to try to implement a sort of “vCD maps” tool. For the record, I ended up calling it LiquidDC; more on this later.

A few weeks ago I sat down with my partner in crime Andrea Siviero to build something for real. This was mostly a learning exercise for me on how to code a web application leveraging the vCD APIs. The majority of the coding was done by Andrea. Credit goes where credit is due.

The technical background

A few weeks ago VMware released a fling called Silverlining. That fling contains a few things. In particular it contains a (limited) JavaScript SDK for vCloud Director and a brand new consumer UI for vCloud Director.

So we leveraged the SDK along with some other open source libraries such as jQuery Mobile, jQuery and VivaGraph. The figure below illustrates the packaging of Silverlining and how we leveraged it to build the LiquidDC utility package.

We essentially took the overall structure of Silverlining (in particular the JavaScript SDK), complemented it with additional libraries, got rid entirely of the Silverlining UI portal and built from scratch our own new UI.

The end result is a brand new HTML5/JavaScript application.

What LiquidDC does

LiquidDC allows you to connect to a vCloud Director 5.1 tenant and, as an output, it will generate a graphical layout of the network subsystem (and more). The utility allows the user to enable and disable the visualization of certain relationships. We have implemented the following relationships:

  • VMs to vApps

  • VMs to Organization Networks

  • Networks to Edge Gateways

LiquidDC will also visualize the relationship of Organization Networks and Edge Gateways with External Networks.

Let’s take, for example, my IT20 vCD organization hosted at Stratogen. If I look at it from the vCD UI, I can see my organization has one Edge Gateway called Routed Network. Note the name may be misleading as it’s not really a “network” strictly speaking, but rather a gateway that routed networks connect to.

Note this Edge has 6 L2 networks connected to it. You can check how many of them are outbound connections to External Networks by looking at the Properties of the Edge.

You can check how many of them are networks available inside the virtual data center by clicking on the Org VDC Networks tab:

To add confusion, one of the Organization Networks is called Routed Network, just like the Edge Gateway. In a particular scenario like this it is very difficult to not get confused looking at the UI.

I can conclude that my Edge Gateway (again, called Routed Network) has 5 Routed Organization Networks connected to it. The 6th Edge vNIC (shown above) connects to an External Network (in this case it represents the Internet) which is the interface that connects the Edge Gateway to the outside world.

We are not done yet. There is also an additional network inside my vDC that isn’t connected to anything. It’s the Isolated Network. VMs connected to this network can only talk to each other, but not go anywhere else.

Last but not least, as if the confusion was not enough, there is also a Direct Connect Network available in my vDC that represents direct access to the External Network (Internet). Essentially Stratogen entitled the IT20 organization to connect VMs directly on the Internet segment without having to go through the Edge Gateway. Note that if two organizations do this they will end up with VMs on the same L2 segment.

I have to say this is very far from being intuitive for someone that isn’t experienced with vCD. And it isn’t very intuitive for me either, to be very honest. Not to mention the trouble when you need to describe this (for training, demo or PoC purposes) to someone that isn’t very much into the parlance vCD uses. This is when a whiteboard becomes very handy.

Enter LiquidDC!

Below is a screenshot of how the same complex (rich) networking plumbing described above renders in LiquidDC. Note that the VMs to vApps relationship is set to off by default to simplify the first view.

It is now a lot easier to describe to a vCloud Director novice user what he/she can do with the platform, isn’t it?

The tool is also capable of showing, in a similar graphical layout, the relationships between catalogs and vApp templates in those catalogs. In the picture below you can see an organization private catalog with one template and a cloud public catalog with a fairly big set of templates.

Note that when you click on an object a list of details appears on the right-hand side. This is, at the moment, a raw list of attributes (associated with the object) that we get from the REST APIs. We haven’t spent much time properly parsing, selecting and formatting those details. They are pretty raw. The vApp template doesn’t have a lot of these details, but if you click on other objects the details are a lot richer than this. See the demo below.

Another cool thing is the Search Object field where a user can search dynamically for a string match against the details mentioned above. In the picture above, for example, I have searched in the catalog layout view for “wordpress” and LiquidDC is dynamically highlighting (with a red circle) the vApp template that contains that particular string.

The details pane and the search capability are available in the network layout view as well. Imagine, for example, being able to search for all networks that have a default gateway that matches “192.168”. Very powerful.
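As an added example (not LiquidDC’s or Silverlining’s code), here is how the three toggleable relationships and the Search Object match could be computed from an organization inventory. The `inventory` object, its names, href and addresses are constructed sample data only loosely shaped like vCD REST API output, and, going beyond the tool, every vNIC of a multi-NIC VM gets its own link.

```javascript
// Added example, not LiquidDC's or Silverlining's own code: builds the
// relationship graph LiquidDC draws from a vCloud Director 5.1 organization
// and runs the "Search Object" string match over each object's attributes.
// `inventory` is constructed sample data, only loosely shaped like the
// objects the vCD REST API returns; names, hrefs and addresses are made up.
const inventory = {
  edgeGateways: [
    { name: "Routed Network", href: "https://vcd.example.test/api/admin/edgeGateway/eg-1",
      externalNetworks: ["Internet"] }
  ],
  orgNetworks: [
    // An Org Network that shares its name with the Edge Gateway, as in the IT20 org.
    { name: "Routed Network", fenceMode: "natRouted", gateway: "192.168.10.1", edge: "Routed Network" },
    { name: "Web Net",        fenceMode: "natRouted", gateway: "192.168.20.1", edge: "Routed Network" },
    { name: "Isolated Network", fenceMode: "isolated", gateway: "10.0.0.1", edge: null },
    { name: "Direct Connect Network", fenceMode: "bridged", gateway: "203.0.113.1",
      edge: null, externalNetwork: "Internet" }
  ],
  vApps: [
    { name: "wordpress-vapp", vms: [
        { name: "wp-web", networks: ["Web Net", "Isolated Network"] },  // two vNICs
        { name: "wp-db",  networks: ["Isolated Network"] } ] },
    { name: "orphan-vapp", vms: [ { name: "lonely", networks: [] } ] }  // no Org Network
  ]
};

// Node ids carry the object type so the Edge Gateway "Routed Network" and the
// Org Network "Routed Network" never collapse into one node.
const nodeId = (type, name) => `${type}:${name}`;

function buildGraph(inv, toggles = {}) {
  // Same defaults as the tool: VMs-to-vApps is off on the first view.
  const show = { vmsToVapps: false, vmsToOrgNetworks: true, networksToEdges: true, ...toggles };
  const nodes = new Map();  // id -> { type, name, attrs }
  const edges = [];         // { from, to, rel }
  const addNode = (type, name, attrs = {}) => {
    const id = nodeId(type, name);
    if (!nodes.has(id)) nodes.set(id, { type, name, attrs });
    return id;
  };
  const link = (from, to, rel) => edges.push({ from, to, rel });

  for (const eg of inv.edgeGateways) {
    const egId = addNode("edge", eg.name, { href: eg.href });
    for (const ext of eg.externalNetworks) link(egId, addNode("external", ext), "edge-to-external");
  }
  for (const net of inv.orgNetworks) {
    const netId = addNode("network", net.name, { fenceMode: net.fenceMode, gateway: net.gateway });
    if (show.networksToEdges && net.edge) link(netId, addNode("edge", net.edge), "network-to-edge");
    // A direct-connect (bridged) network sits on the External Network itself.
    if (net.externalNetwork) link(netId, addNode("external", net.externalNetwork), "network-to-external");
  }
  for (const vapp of inv.vApps) {
    const vappId = addNode("vapp", vapp.name, { vmCount: vapp.vms.length });
    for (const vm of vapp.vms) {
      const vmId = addNode("vm", vm.name, { nics: vm.networks.length });
      if (show.vmsToVapps) link(vmId, vappId, "vm-to-vapp");
      if (!show.vmsToOrgNetworks) continue;
      // A VM with no Org Network connection is drawn on a placeholder "none" network.
      // Any network not in the inventory (e.g. "none") is flagged as a placeholder.
      const nets = vm.networks.length ? vm.networks : ["none"];
      for (const n of nets) link(vmId, addNode("network", n, { placeholder: true }), "vm-to-network");
    }
  }
  return { nodes, edges };
}

// "Search Object": case-insensitive substring match against the name and every
// raw attribute of every node; returns the ids the UI would circle in red.
function searchObjects(graph, query) {
  const q = query.toLowerCase();
  const hits = [];
  for (const [id, node] of graph.nodes) {
    const fields = [node.name, ...Object.values(node.attrs)].map(v => String(v).toLowerCase());
    if (fields.some(f => f.includes(q))) hits.push(id);
  }
  return hits;
}

// Answers "how many L2 networks hang off this Edge" without clicking through the Edge properties.
function networksPerEdge(graph) {
  const out = {};
  for (const e of graph.edges) {
    if (e.rel === "network-to-edge") (out[e.to] = out[e.to] || []).push(e.from);
  }
  return out;
}
```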

Hybrid comes true

We often hear hybrid cloud being defined as the possibility to move workloads seamlessly from private to public and vice versa.

That’s a key characteristic of a hybrid cloud implementation but it’s not the only angle to look at the matter.

To me, hybrid cloud also means the ability to use the same tools and know-how to manage platforms and infrastructures regardless of where they are hosted (on-premises or off-premises).

And by that I don’t mean having to implement a monster overlay software that may cost 2M$ and 2 years to get deployed. By that I rather mean being able to manage raw dispersed infrastructures, public or private, using and reusing the very same single native API call, the very same native script, the very same native command line.

That’s the interesting part of LiquidDC. You can connect to the real production Stratogen cloud as demonstrated above, or you can also choose any of the 200+ vCloud Powered or vCloud Datacenter partners based on characteristics such as:

  • Geographic location

  • Service level

  • Network configuration requirements

  • Catalog content

  • Particular add-on services

  • Pricing

In addition to that you can obviously connect LiquidDC to your local private cloud. I have for example used the tool to visualize the network layout of my IT20 organization hosted at my local private cloud (a lab in the office). As you can see in the picture below the end-point is 172.16.100.205.

Not enough?

I have also used LiquidDC to connect to the vCloud Evaluation Service. Note I don’t have control over the name of my organization and one (2215) was automatically generated for me when I enrolled last year.

In order to find the vCloud API end-point of the evaluation service, you have to log in to the custom portal and, from there, open the standard vCD UI. There you can see what the URL is. I also had to create (self-service) a new organization administrator account to be able to connect with the tool (the default admin user wouldn’t let me connect directly, based on the quick test I did).

Enough? No, not enough.

Even more interesting, I was able to connect LiquidDC to one of the zones of the newly announced VMware vCloud Hybrid Service (currently in limited beta). This is not the same thing as the vCloud Evaluation Service mentioned above. Note I had to obfuscate the end-point of this service as it’s not publicly available at the moment.

I think this is pretty cool and, if nothing else, it’s been an interesting exercise.

The funny thing is that it wouldn’t take too much (all relative) to improve LiquidDC to show more than one single organization in one single cloud in the same UI. Perhaps with VPN relationships as well?

Something like this.

Isn’t this the single “pain” of glass everyone would love to have? And it’s only roughly 400 lines of JavaScript code (without comments)! It’s not a Frankencloud by any means!

LiquidDC use cases

So what would you use LiquidDC for? As I said, Andrea and I developed the tool as a coding exercise. However, I see a few practical use cases for it. Some are listed below.

- LiquidDC may be a great training and demo tool to illustrate the complexity (richness) of the vCloud Networking subsystem. Instead of getting on a whiteboard and drawing all the possible networking configuration nuances in front of someone that doesn’t know vCD, one could create the plumbing of an environment including External Networks, Edge Gateways, Organization Networks (Direct Connected, Routed and Isolated) and eventually connect dummy VMs to those networks. LiquidDC can then visualize in real time the layout of that network topology, which is far easier to “get” compared to the out-of-the-box vCD UI experience.

- LiquidDC may facilitate basic operations for small customers with small vDCs hosted in public or private clouds. Navigating through the vCD UI may require dozens of clicks to get to the object you need to manipulate or get particular information from. LiquidDC has what I refer to as a great “time-to-object” (at least compared to the native vCD UI). The search capability is very powerful and can help a lot in this respect.

- LiquidDC could serve as a basis for private cloud administrators and public SPs that would like to provide this add-on service to their tenants. If I stretch my imagination a bit, I can see SPs taking this code, making it better and more stable, and hosting it in their facilities, hard-coding their end-points. This would allow them to give their tenants an alternative view to browse their organizations, and this could be a differentiated service for them.

LiquidDC deployment scenarios

The fun didn’t end with writing the code.

As I said this is a traditional HTML/JavaScript application. For good or bad.

In order to make this whole exercise even more interesting, we decided to distribute it in a couple of ways. A hosted version and an on-premises version.

Did you know you can upload an HTML/JavaScript application to CloudFoundry and host it there? I didn’t think this was possible, but Andy Piper, one of my fellow colleagues at VMware, documented a way to do just that.

So LiquidDC is, right now, up and running on CloudFoundry at liquiddc.cloudfoundry.com! Make sure you read below the instructions on how to use it (RTFM!).

Andrea and I are also going to make it available on GitHub, hopefully soon. I just need to clean up the code a bit and remove all the embarrassing comments in it. In reality, I’d like to document the source code as much as possible so that you know what we were doing, and hopefully make it easier for you to modify it if you want to. I’ll update this post when the code is available for download.

Finally, we did not spend time packaging this tool so that it could be installed on the vCD cells. Silverlining does come with such a setup utility, though. You may try to install Silverlining on vCD and manually change the files (essentially replacing the Silverlining portal with the LiquidDC code). This is really just an afterthought I had while writing this blog post. It would need to be vetted.

Instructions and Limitations

Since this is a JavaScript application, all the cross-domain call limitations apply. Since this is somehow a derivative of Silverlining, which has the same limitations, you can use the tricks that William Lam already documented.

At a minimum you’ll need to open your browser with web security disabled.

Optionally, if the cloud you are connecting to is using self-signed certificates, you need to accept the self-signed certificate in a browser window (a very likely situation for demo and PoC environments).

A few known gotchas to take into account.

  • We have noticed weird behaviors when you have vApps and VMs that have failed to deploy in the organization you are trying to connect to

  • It’s always a good practice to reload the application in the browser whenever you try to re-connect (either to the same organization or to a different organization)

  • VMs that are not connected to any Organization Network will render in the graphic as if connected to a dummy, non-existent network called “none”

  • VMs that are connected to a private vApp Network will render in the graphic as if connected to a dummy, non-existent network called “none”

  • VMs that have more than one vNIC will render with only one vNIC

  • I have primarily used and tested LiquidDC with Chrome for Mac with the proper flag to disable web security. I haven’t tested other browsers / client platforms.

These hold true for LiquidDC version 0.9.8.5 (the latest available at the time of this writing).

The controls and exception management in the application are… non-existent. All in all, this tool has gone through very limited testing. And it’s been tested against a very limited number of vCD use cases, so we are certainly not handling a lot of exceptions.

I have created a short 4-minute video that will allow you to see how it works end-to-end, just in case you have problems connecting to your cloud but are still curious to see it in action.

If nothing, at least you’ll appreciate why we called it “liquid“!

A Who’s Who of Companies That Have Moved to the Cloud with VMware

A year ago we launched our “Another VMware Cloud” blog series to highlight the great stories from our customers, both large and small, that have successfully moved to the cloud with VMware. As VMware continues to make private, public and hybrid cloud a reality for organizations looking to take advantage of enterprise-ready cloud solutions, we’ll continue to feature their stories right here on the vCloud blog.

In case you’re just joining us for the first time, here are highlights from the Another VMware Cloud customers we’ve featured in the last year:

The National Democratic Institute has been able to leverage vCloud Director to deploy applications in clouds from Bluelock, as well as other VMware vCloud Datacenter partners, clone them and customize them without overtaxing its engineering team.

Gratifón managed to save over $100k by moving to the cloud with vCloud Datacenter partner, Dell – $50k in costs, by not having to buy server hardware, as well as $60k per year in operating efficiencies, electricity, Internet bandwidth and IT man hours.

Publishers Clearing House took advantage of Hosting.com’s vCloud Powered hosting solutions to scale their public cloud platform in a secure manner when additional computing resources are needed, without having to commit to additional costs associated with buying new hardware or software (resulting in a 40-50% decrease in IT costs for PCH.com).

Subaru and Minivegas were able to launch the online marketing campaign, www.firstcarstory.com, with a high-performance and scalable cloud infrastructure that supported the creation of 10,000 animations, and that’s just within the first month of the campaign!

Popular retail company, Columbia Sportswear, leveraged a VMware-based hybrid cloud solution to allow the business to scale instantly and reduce infrastructure costs, as well as to provide zero downtime to users through significant disaster recovery capabilities.

Seven Corners served as a great example of how even SMBs can take advantage of a VMware-centric infrastructure to rapidly engineer its IT capabilities, and even achieve a $900k ROI!

MicroStrategy has been able to cut its internal operating costs by $1M each year and generate new revenue streams that were previously inaccessible through its VMware-based cloud solution.

By working with provider of vCloud Powered services, iland, eMix’s hospital provider customers are able to achieve anywhere from $14-18k in reduced costs per ER visit – allowing them to not only do a better job of treating their patients, but also save operating dollars in the process.

NYSE Euronext developed its Capital Markets Community Platform with VMware-based cloud technology, and in doing so has been able to target the needs of Wall Street IT leaders and their customers in ways hitherto unseen in the financial services industry.

Revlon, a giant in the beauty industry, has been able to achieve $70 million in cost avoidance and cost savings, as well as solve the problem of big-data management and disaster recovery within the company, by moving to the cloud with VMware.

eMeter, a Siemens Business, can easily spin up or down data center services in multiple countries, based on business demand and need, all thanks to its VMware-based hybrid cloud deployment with vCloud Datacenter partner, Bluelock.

Provider of credit reporting services, Experian, shared that implementing infrastructure-as-a-service through VMware vCloud “is the next phase in the evolution of virtualization technology,” as it puts more of the power of virtualization into the hands of VMware customers.

When it comes to the cloud, VMware customer Seven Principles (7P) believes that, “It is not a question of whether you will save, it is just a question of how much.” By working with vCloud Datacenter partner, Colt, 7P has been able to achieve faster time to market and a 30% cost savings.

GxPi has also been able to see significant savings from operations due to its VMware-based cloud solution, as well as improved security, thanks to working with vCloud Service Provider, iland.

F5 Networks DevCentral’s move to Bluelock’s public cloud has been able to increase the company’s DevOps agility, resulting in faster, more frequent application updates that optimize development cycles.

Last but certainly not least, Kaseya has benefited from a 500% increase in capacity and performance and an 80% reduction in hardware investments and running costs, resulting in improved productivity and faster response times.

Stay tuned for even more Another VMware Cloud customer stories! Visit We Speak Cloud to learn more about the success of these customers, and follow @vCloud and @VMwareSP on Twitter for future updates.

How To Configure vCloud 5.1 Hybrid Cloud Site 2 Site VPN

By: Chris Colotti

This is a repost from Chris Colotti’s blog, chriscolotti.us

In the process of building my experimental “MonsterCloud” vCloud Director Hybrid setup I obviously needed to do some site to site VPN between the following locations:

The trick here is that this is now turning into a true Hybrid cloud, as two sites are running vCloud Director and my house is not. It’s a standard datacenter with a Cisco firewall for IPsec VPN. The idea is to connect the two vCloud Director clouds first, then connect the home datacenter to each of the two vCloud providers. Let’s look at the vCloud-to-vCloud VPN setup first, as that is the easiest thing in the world to configure when both ends are vCloud Director.

Configure vCloud 2 vCloud VPN

Select your Edge Gateway in your vCloud organization and select the VPN tab.  Once there select “Add” and you will see the following screen.

[Screenshot: vcloud_vpn]

Select “A Network in another Organization”, and then select “Log Into Remote vCD”.

[Screenshot: vcloud_connection]

Fill in the required fields for just the vCloud URL and the org with your credentials.  Once you log in you will be presented with the other vCloud Organization’s networks so you can multi-select the mappings for the networks in each Organization.  The rest of the options you can pretty much leave the defaults as they are populated.

Once this is done the two sites should come up with VPN between them.  However, you will need to configure the firewall rules in the Edge Gateway before you can connect the networks.  I will cover that last after the IPsec VPN setup.

Configure IPsec VPN From Cisco RV042

Now I am sure everyone has a different router or IPsec firewall, but I have found the IPsec settings that seem to work best for this, which are listed below. I have included the RV042-specific settings as well.

vCloud Edge Gateway IPsec Setup:

For this end it’s pretty simple but there are a few things I noticed and this is what I configured that worked for me.  When you add the new VPN simply Select “A Remote Network” and use settings similar to these:

Peer Networks:  the remote networks to map
Local ID:  the external IP of the Edge Gateway works
Peer ID:  the external address of the peer firewall
Peer IP:  same as the Peer ID
Encryption:  3DES seems to work best
Shared Key:  <Various>

[Screenshot: vcloud_vpn2]

RV042 IPsec Setup:

Phase 1 Mode:  IKE with pre-shared Key
Phase 1 DH Group: Group 2
Phase 1 Encryption: 3DES
Phase 1 Authentication: SHA1
Phase 1 SA Life: 28800

Perfect Forward Secrecy: On

Phase 2 DH Group: Group 2
Phase 2 Encryption: 3DES
Phase 2 Authentication: SHA1
Phase 2 SA Life: 3600

Pre-Shared Key:  <Various>
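The two parameter lists above only work because every value on one side has an exact counterpart on the other, and the usual failure is a single field that does not. The script below is an added example, not the author’s configuration or vendor code: it restates the RV042 and Edge Gateway settings from this post as plain data and checks them against each other the way you would before opening a ticket with the provider. The class and field names are this example’s own, the 203.0.113.10 and 198.51.100.20 addresses are constructed documentation addresses standing in for the real external IPs, and the “weak algorithm” flags are the example’s own review policy rather than anything the post claims.

```python
"""Offline check that two IPsec peers' proposals actually line up.

Added example for this post (not the author's configuration files and not
vendor code). Addresses are constructed placeholders.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Algorithms that still negotiate, but that a reviewer should flag today.
# This is the example's own review policy, not a statement from the post.
WEAK_ALGORITHMS = {"des", "3des", "md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}          # 768-, 1024- and 1536-bit MODP


@dataclass
class Proposal:
    encryption: str
    integrity: str
    dh_group: Optional[int]         # phase 2: only meaningful when PFS is on
    lifetime_s: int


@dataclass
class PeerConfig:
    name: str
    auth: str                       # "psk" or "cert"
    local_id: str                   # what this side presents as its IKE ID
    peer_id: str                    # what this side expects from the other
    phase1: Proposal
    phase2: Proposal
    pfs: bool


def compare_peers(a: PeerConfig, b: PeerConfig) -> Dict[str, List[str]]:
    """Return hard mismatches (tunnel cannot come up) and soft warnings."""
    errors: List[str] = []
    warnings: List[str] = []

    if a.auth != b.auth:
        errors.append(f"auth mismatch: {a.name}={a.auth} {b.name}={b.auth}")
    # Each side's Peer ID must equal what the other side sends as Local ID;
    # the post settles on the external IP at both ends.
    if a.peer_id != b.local_id:
        errors.append(f"{a.name} expects peer ID {a.peer_id}, {b.name} presents {b.local_id}")
    if b.peer_id != a.local_id:
        errors.append(f"{b.name} expects peer ID {b.peer_id}, {a.name} presents {a.local_id}")
    if a.pfs != b.pfs:
        errors.append(f"PFS mismatch: {a.name}={a.pfs} {b.name}={b.pfs}")

    for phase, pa, pb in (("phase1", a.phase1, b.phase1), ("phase2", a.phase2, b.phase2)):
        # In phase 2 the DH group is only negotiated when PFS is on.
        attrs = ["encryption", "integrity"]
        if phase == "phase1" or (a.pfs and b.pfs):
            attrs.append("dh_group")
        for attr in attrs:
            va, vb = getattr(pa, attr), getattr(pb, attr)
            if str(va).lower() != str(vb).lower():
                errors.append(f"{phase} {attr} mismatch: {a.name}={va} {b.name}={vb}")
        # Unequal lifetimes usually still work: the SA rekeys on the shorter timer.
        if pa.lifetime_s != pb.lifetime_s:
            warnings.append(f"{phase} lifetime differs: {pa.lifetime_s}s vs {pb.lifetime_s}s")
        for side, p in ((a.name, pa), (b.name, pb)):
            for alg in (p.encryption, p.integrity):
                if alg.lower() in WEAK_ALGORITHMS:
                    warnings.append(f"{side} {phase}: {alg} is deprecated")
            if "dh_group" in attrs and p.dh_group in WEAK_DH_GROUPS:
                warnings.append(f"{side} {phase}: DH group {p.dh_group} is too small")
    return {"errors": errors, "warnings": warnings}


# The post's settings as data (external IPs replaced by constructed placeholders).
RV042 = PeerConfig(
    name="RV042", auth="psk",
    local_id="198.51.100.20", peer_id="203.0.113.10",
    phase1=Proposal("3DES", "SHA1", 2, 28800),
    phase2=Proposal("3DES", "SHA1", 2, 3600),
    pfs=True,
)
EDGE = PeerConfig(
    name="EdgeGateway", auth="psk",
    local_id="203.0.113.10", peer_id="198.51.100.20",
    phase1=Proposal("3DES", "SHA1", 2, 28800),
    phase2=Proposal("3DES", "SHA1", 2, 3600),
    pfs=True,
)


def example_mismatch() -> Dict[str, List[str]]:
    """The two usual ways this fails: one side moved to AES, and a typo'd Peer ID."""
    bad_edge = replace(EDGE, peer_id="198.51.100.2",
                       phase1=replace(EDGE.phase1, encryption="AES-256"))
    return compare_peers(RV042, bad_edge)


if __name__ == "__main__":
    for kind, msgs in compare_peers(RV042, EDGE).items():
        for m in msgs:
            print(f"{kind}: {m}")
```

Run against the post’s settings the check reports no errors, so the tunnel should come up, but it warns on every line: 3DES, SHA1 and DH group 2 are the lowest common denominator that an RV042-class device negotiates, not what you would choose where both peers support AES and a larger DH group. That is the caveat to carry with the “3DES seems to work best” note above.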

Configure the vCloud Edge Gateway Firewall Rules

This is probably the SINGLE most missed area by people setting this up.  Even with the connections made, no traffic will pass through the vCloud Director Edge Gateway to the peer networks without firewall rules.  Last month I wrote about the Changing Role of the VMware Admin, and this section alone is why I think many people will struggle.  I was a Check Point admin in my day, so I personally like writing firewall rules.  It’s sad but true.  Below are the rules I have in both the Stratogen and VMware Eval Cloud Edge Gateways for traffic to pass between the two clouds as well as to the ‘Server’ network back at my house.

[Screenshot: vcloud_vpn_FWRules]

This is a screenshot from the VMware Eval Cloud.  You can see I have allowed traffic in both directions between the Stratogen cloud and the Desktop and Private networks, as well as from the Home Server network to the Private network.  You MUST create rules in the vCloud Edge Gateway; the VPN connections alone will not give you connectivity.  I cannot stress this enough, and it is also how you control which networks are reachable from the other sites through the VPN.
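The point of the screenshot is that the VPN mappings decide which networks can reach the Edge, and the rule set decides which of those directions actually pass. The script below is an added example, not the post’s screenshot, its rule export, or any VMware code: it models Edge Gateway-style rules (first match wins, default deny) in plain Python, loads a rule set that follows the description above, and reports every initiating direction between the mapped networks that no rule allows. The Rule fields are this example’s own, the network ranges are constructed RFC 1918 ranges labelled with the names the post uses, and the deny rule placed first is there only to show that order matters.

```python
"""Evaluate Edge Gateway-style firewall rules for the networks a VPN maps.

Added example, not the post's rule set or VMware code. The Rule model,
first-match/default-deny evaluation and all address ranges are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    protocol: str                        # "tcp", "udp", "icmp" or "any"
    source: str                          # CIDR or "any"
    destination: str                     # CIDR or "any"
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive range; None = any


def _contains(scope: str, ip: str) -> bool:
    return scope == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(scope)


def _matches(rule: Rule, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    if rule.protocol != "any" and rule.protocol != proto:
        return False
    if not (_contains(rule.source, src) and _contains(rule.destination, dst)):
        return False
    if rule.dst_ports is not None:
        if dport is None:
            return False
        lo, hi = rule.dst_ports
        if not lo <= dport <= hi:
            return False
    return True


def decide(rules: List[Rule], src: str, dst: str, proto: str,
           dport: Optional[int] = None, default: str = "deny") -> str:
    """First matching rule wins; with no match the gateway's default applies."""
    for rule in rules:
        if _matches(rule, src, dst, proto, dport):
            return rule.action
    return default


def vpn_gaps(rules: List[Rule], networks: Dict[str, str],
             expected: List[Tuple[str, str]], proto: str = "tcp",
             dport: int = 445) -> List[Tuple[str, str]]:
    """Which (initiator, responder) network pairs cannot open proto/dport?

    The tunnel being up says nothing about this; the rule set decides, one
    initiating direction at a time (the stateful firewall handles the return
    traffic, so only the initiating direction needs a rule).
    """
    gaps = []
    for s, d in expected:
        src = str(next(ipaddress.ip_network(networks[s]).hosts()))
        dst = str(next(ipaddress.ip_network(networks[d]).hosts()))
        if decide(rules, src, dst, proto, dport) != "allow":
            gaps.append((s, d))
    return gaps


# Constructed ranges for the networks the post names.
NETWORKS = {
    "Stratogen": "10.20.0.0/24",
    "Desktop": "192.168.50.0/24",
    "Private": "192.168.60.0/24",
    "HomeServer": "172.16.10.0/24",
}

# The rule set the post describes: Stratogen <-> Desktop and Private in both
# directions, Home Server -> Private only, plus a deny placed first to show
# that ordering matters.
RULES = [
    Rule("no RDP from Stratogen", "deny", "tcp", "10.20.0.0/24", "192.168.60.0/24", (3389, 3389)),
    Rule("Stratogen -> Desktop", "allow", "any", "10.20.0.0/24", "192.168.50.0/24"),
    Rule("Desktop -> Stratogen", "allow", "any", "192.168.50.0/24", "10.20.0.0/24"),
    Rule("Stratogen -> Private", "allow", "any", "10.20.0.0/24", "192.168.60.0/24"),
    Rule("Private -> Stratogen", "allow", "any", "192.168.60.0/24", "10.20.0.0/24"),
    Rule("HomeServer -> Private", "allow", "any", "172.16.10.0/24", "192.168.60.0/24"),
]

# Every direction the VPN mappings make possible; the rules say which are allowed.
EXPECTED = [
    ("Stratogen", "Desktop"), ("Desktop", "Stratogen"),
    ("Stratogen", "Private"), ("Private", "Stratogen"),
    ("HomeServer", "Private"), ("Private", "HomeServer"),
    ("HomeServer", "Desktop"), ("Desktop", "HomeServer"),
]

if __name__ == "__main__":
    for initiator, responder in vpn_gaps(RULES, NETWORKS, EXPECTED):
        print("no rule allows", initiator, "->", responder)
```

With this rule set the report lists Private to Home Server and both directions between Home Server and Desktop as unreachable, which is exactly the intended isolation; the value of running the check is that an unintended entry in that list is the “VPN is up but nothing works” symptom the post warns about, found before anyone opens a ticket.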

In my case I also use vShield App rules in the home lab to prevent traffic from the Hybrid Active Directory server to my “Corporate” network while allowing it to access the Server Network and the router.  This is an added step I took to isolate the Active Directory server on the Server segment from the rest of my network.

[Screenshot: vshield_app_firewall]

The bottom line from this step?  You really must brush up on your firewall rule skills, for both the Edge Gateway and the App Firewall for that matter.  These are both tools that the new vSphere Administrator really must understand how to use.  Personally, I like creating and figuring out firewall rules for some reason, and I was a Check Point admin for years.  Get these things under your belt, and the next and last post will be the final Hybrid Cloud configuration with the final Visio diagram of what I have built.  I really do hope to turn this into a couple of VMworld 2013 submissions, so if you think these topics are useful, be on the lookout!

Chris is a Consulting Architect with the VMware vCloud Delivery Services team with over 10 years of experience working with IT hardware and software solutions. He holds a Bachelor of Science Degree in Information Systems from the Daniel Webster College. Prior to VMware he served a Fortune 1000 company in southern NH as a Systems Architect/Administrator, architecting VMware solutions to support new application deployments. At VMware, in the roles of a Consultant and now Consulting Architect, Chris has guided partners as well as customers in establishing a VMware practice and consulted on multiple customer projects ranging from datacenter migrations to long-term residency architecture support. Currently, Chris is working on the newest VMware vCloud solutions and architectures for enterprise-wide private cloud deployments.

An Enterprise’s Journey to IT-as-a-Service: From Virtualization to ITaaS

As an IT Admin, you’re in charge of meeting the demands of your business. You have started the process by virtualizing your servers with VMware (according to IDC, more than 60 percent of all workloads running on global servers are virtualized, with over 80 percent of those servers virtualized by VMware. It’s incredible: more than half of all the applications running on servers throughout the world are running on top of a VMware platform), which has decreased costs, decreased maintenance and decreased the time to build and provision new applications, but you are still being asked to deliver IT faster, and now through a service portal.

At this point, you may be contemplating exactly how to meet these requests and take your company’s infrastructure toward a service-based model. You may be investigating cloud computing (a private, public or hybrid cloud solution) to deliver IT-as-a-Service (ITaaS). With the help of VMware’s vCloud Suite, ITaaS is made easy with a Software-Defined Datacenter (SDDC), which provides an effective and proven solution.

What might surprise you is that you’ve already taken the first step towards ITaaS with a Software Defined Datacenter by virtualizing your servers with VMware.

While the leap from virtualization to the cloud may seem intimidating, the transition can be a simple process with the right executive sponsorship and a strategic plan.

Thinking Outside the Box: Virtualization is not just for Servers

The ITaaS journey to the cloud represents an evolution from rigid, inflexible architecture to a modern and agile infrastructure.

Virtualization was once only thought of as a catalyst for consolidating hardware infrastructure but now is recognized as the foundation for SDDC. Some vendors may have you think that the virtualization of servers is all you need. However, in order for your company to truly be ready for the cloud, virtualization needs to go beyond just your servers to impact your organization’s storage, networking and security resources in addition to your computing environment.

With each phase of the journey to the cloud, virtualization will penetrate every layer of your infrastructure to achieve the SDDC.

Self-service IT: From Reactivity to Proactivity

Traditionally, IT has been for the most part a reactive process: A request comes in, and IT works to solve the problem by scrambling and pulling together the resources to support the request. Depending on how virtualized the servers are, resolving an issue can take several days or even up to several weeks.

ITaaS with an SDDC is all about abstracting, pooling and automating your infrastructure.  This puts IT ahead of the game and gives them the power to deliver the appropriate service, based on Service Level Agreements (SLAs), to meet the demands of the business.

The combination of virtualization, automation, operations and a service catalog gives IT the environment to provide the right level of service at the right time. Virtualizing and automating all aspects of your infrastructure with integrated operations gives your IT department the ability to manage by application requirements and provides flexibility and cost savings for your end-users.

Making Your Way to the Cloud with VMware

Business is demanding a more proactive IT that revolves around services. The journey to ITaaS means viewing IT as an agile software based service delivery model.

If you’re ready for the cloud, we’re ready to get you there with the VMware vCloud Suite, which is built on vSphere, one of the most robust platforms in the history of IT. As we previously discussed, the vCloud Suite is an all-encompassing cloud IT infrastructure solution that includes our virtualization, cloud infrastructure and management solutions and operates each within a Software-Defined Datacenter.

Remember, if you’ve already virtualized your servers with VMware, you’re well on your way to the cloud. If you’re not quite sure where to start, take advantage of our consulting and education services, and we’ll help you determine which VMware virtualization solutions you need to get you there.

Some of today’s leading organizations that are VMware virtualized have already successfully moved to the cloud with VMware. For more information on their virtualization to cloud journeys, check out our success stories at Another VMware vCloud and the case studies below:

For future updates, be sure to follow us on Twitter at @vCloud and @VMwareSP!

How To Run vCloud Connector 2.0 Hosted With NAT

By: Chris Colotti

This is a repost from Chris’ personal blog, ChrisColotti.us.

As I have been building out this crazy vCloud Director Hybrid setup in a few of the public clouds I am using (Virtacore, Stratogen, and the VMware Evaluation Cloud), I decided to try hosting all the vCloud Connector components in the various clouds.  One thing I remember from the vCloud Connector 1.0 days was that the Server component was not happy behind a NAT.  That’s because the online web interface at vCloud.vmware.com tried to connect to the local IP address, and it really just did not work behind NAT.  Now, I am trying to use ALL online access to all these things, so this is what I set up so far:

vCloud Connector Nodes Installed in:

  • Virtacore’s IAD Cloud
  • Virtacore’s LAX Cloud
  • VMware IAD Eval Cloud
  • Stratogen Cloud

Each of these nodes is on a “Public” network with external IP Addresses and firewall rules for the following ports:

  • 443
  • 5480 (Management)

vCloud Connector Server Installed in:

  • VMware IAD Eval Cloud
  • Same vApp as the Node

Now the firewall rules for the Server are a little different.  I did get an error on vCloud.vmware.com that it needs an additional port open, but with that added it does work 100% from the online vcloud.vmware.com portal.

Firewall Rules for the Connector Server:

  • 443
  • 5480 (Management)
  • 80 for vCloud.vmware.com

NOTE:  These are not deployed from OVF with the VMXNET3 interface, so be sure to remove the current interface and add a new one that uses VMXNET3 specifically, by checking the “Show Network Adapter Type” box.

Configuring the vCloud Connector Server

Now something I was messing with was getting the vCloud Connector Server connected to the local vCloud Connector Node.  Because of the Edge Gateway I could not use the external IP in the vCloud Connector Server config, as you can see below.  I needed to use the local IP of the Node that is in the same vCloud Director cloud and in the same vApp, as shown above.  I think there was some routing issue, but it does not really matter: since the Node and the Server are on the same network you can use the local IP address or local DNS for the connection.  The other nodes you can see are true external entries.

Once I did that, the Server is now connected to all 4 clouds through the online portal vcloud.vmware.com.

Migrating Templates

Now I was ready to move my Windows template from one cloud to Stratogen so I can continue to work on this expanded vCloud Director Hybrid Cloud setup.  As I continue with this experiment I will add more blog posts so people can really understand the power of how to use all this technology.


How To Design Your vCloud Director Hybrid Cloud

By: Chris Colotti

This is a repost from Chris’ personal blog, ChrisColotti.us.

So last week I started on sort of an experiment, which was really to investigate the new Organization Administrator features of the Edge Gateway in vCloud Director 5.1.  I happen to have several public vCloud Director organizations, but for this purpose I am using the VMware vCloud Service Evaluation as it was just upgraded to version 5.1.  As I started poking, some things became very clear to me about the new power and features available to TRULY build a hybrid cloud.  In the original versions some of what I have built could have been done, but it would have taken a lot of work with vApp Networks and other multi-edge based design.  I have successfully built what I would consider a vCloud Director Hybrid Cloud Architecture that essentially mimics some of the things you would do if you simply built a new physical datacenter.  Some of the things that make this possible are:

  • vShield Edge Gateway multi-interfaces
  • vShield Edge Gateway full firewall capabilities
  • vShield Edge Gateway VPN
  • Organization Administrator ability to create new networks

Below is a rather large vCloud Director Hybrid Cloud logical network diagram that shows the various vApps and the various networks.  This has been made possible solely by the new Organization Administrator capability for adding new routed and isolated networks.

vCloud Director Hybrid Cloud Architecture – Leveraging vApps

What you will notice is I have various vApps by application type.  What you can also see is that there are Virtual Machines in those vApps where some are on the Public and others are on the Private networks.  I can keep different vApps for construct purposes and containers for backup and restore with future 3rd party integrations.  I can add Virtual Machines on the fly to any given vApp and maintain the organizational construct of them for other users.  You can see there is a CentOS Test vApp that is owned by another user.

vCloud Director Hybrid Cloud Architecture – The New Edge Gateway

To some this may look no different from what some current organizations do to create multiple firewalled networks with their primary edge firewall device.  Some of this is pulled from my past experience as a Check Point administrator for PC Connection, and how I know we had much of our original networks set up.  The power going from 1.5 to 5.1 comes in the ability for the Organization Administrator to create and define the different network segments you see.  In the previous version this was not possible, and some could argue that was a barrier to truly building your public cloud based Software Defined Datacenter (SDDC).

vCloud Director Hybrid Cloud Architecture – Firewall Rules

Something that has been in the Edge Gateway for a while is the ability to define basic firewall rules.  However, in 5.1 you can see that we can now create and define multiple SNAT and DNAT rules, along with very fine-grained rules based on network source and destination.  This is one function that again will make a design like this work.  What you will also notice, and I found this through trial and error, is that you can even define network protocols in the new Edge Gateway.  In the case below notice the rule for ESP from the View Security Server to the View Connection Server, so that they can establish IPsec.  ESP does not use a port; it is an IP protocol with protocol number 50.  This took me about a day to figure out: I can just use the ESP name, or the standard IP protocol numbers.  Did anyone else know this was possible?
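The reason a port-based rule can never carry ESP is visible in the packet itself: the IPv4 header’s protocol field says what follows, and only TCP and UDP put port numbers in the first bytes after the header. ESP starts with an SPI and a sequence number instead. The script below is an added example, not from the post or from VMware: it builds two packets in memory (addresses are constructed RFC 1918 ranges, the hosts are labelled as a Security Server and a Connection Server only for the story), parses the IPv4 header with the protocol numbers IANA assigns (TCP 6, UDP 17, ESP 50, AH 51), and evaluates a small rule format that is this example’s own stand-in for the Edge Gateway’s protocol/port fields.

```python
"""Why an ESP rule has no port: parse the IPv4 header and classify the packet.

Added example, not from the post or from VMware. Packets and addresses are
constructed in memory; the rule dictionaries are this example's own format.
"""
import socket
import struct
from typing import Dict

# IANA-assigned IP protocol numbers relevant here.
IP_PROTO = {"ICMP": 1, "TCP": 6, "UDP": 17, "ESP": 50, "AH": 51}
PROTO_NAME = {v: k for k, v in IP_PROTO.items()}


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a valid header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", _checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> Dict[str, object]:
    """Return protocol and addresses plus, only where the protocol has them, ports."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, _tl, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    if _checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    payload = packet[ihl:]
    info: Dict[str, object] = {"protocol": proto, "name": PROTO_NAME.get(proto, str(proto)),
                               "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    if proto in (IP_PROTO["TCP"], IP_PROTO["UDP"]) and len(payload) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    elif proto == IP_PROTO["ESP"] and len(payload) >= 8:
        # ESP carries an SPI and a sequence number, not ports. A port-based rule
        # therefore never matches it; the rule has to name the protocol.
        info["spi"], info["seq"] = struct.unpack("!II", payload[:8])
    return info


def rule_matches(rule: Dict[str, object], info: Dict[str, object]) -> bool:
    """rule = {"protocol": "ESP"} or {"protocol": "TCP", "dport": 443}; protocol may be a number."""
    want = rule["protocol"]
    want_num = IP_PROTO[want] if isinstance(want, str) else int(want)
    if info["protocol"] != want_num:
        return False
    if "dport" in rule:
        return info.get("dport") == rule["dport"]
    return True


# Constructed packets: ESP from the "Security Server" to the "Connection Server",
# and a TCP SYN to port 443 between the same two hosts.
ESP_PACKET = build_ipv4(50, "192.168.50.10", "192.168.60.10",
                        struct.pack("!II", 0x1001, 1) + b"\x00" * 8)
TCP_PACKET = build_ipv4(6, "192.168.50.10", "192.168.60.10",
                        struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0))

if __name__ == "__main__":
    for pkt in (ESP_PACKET, TCP_PACKET):
        info = parse_ipv4(pkt)
        print(info["name"], "esp-rule:", rule_matches({"protocol": "ESP"}, info),
              "tcp443-rule:", rule_matches({"protocol": "TCP", "dport": 443}, info))
```

One practical addition to the rule in the screenshot: the IKE negotiation that sets up those ESP security associations runs over UDP 500 (and UDP 4500 when NAT traversal is in play), so a complete pairing usually needs that UDP rule alongside the protocol-50 rule.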

vCloud Director Hybrid Cloud Architecture – Next Steps

Now that I have built this remote vCloud Director Hybrid Cloud, complete with multiple networks, firewall rules, and vApps, I am going to try to connect it to a physical datacenter.  That will be another Software Defined Datacenter running in my home lab, or possibly another location.  Once I can get the VPN component established I should be able to show the full multi-site functionality of such a design, where some workloads like web servers are in the vCloud Director Hybrid Cloud and others are in the primary datacenter.  At that point it’s all a matter of some networking and possibly Active Directory configuration.  I should mention I literally built this in about 3 days, and it could have gone much faster with the use of existing server templates and other means of migrating workloads to the cloud itself.  I spent a good portion of the build just getting new templates spun up.  Also, all of this was done manually, but you could automate much of the creation through tools and the vCloud API.

There is so much here to talk about that I may use some of it on an upcoming vBrown Bag, but I am trying to think about how I can also use this for some upcoming presentations like VMUG’s and other venues.  I want people to see that you can now do a lot with vCloud Director and the Software Defined Datacenter if you just think about the design and the requirements.  I’m sure I could do even more with this given the time, but it’s enough to show the point I think.


Share Your “Two Cents” on IaaS and You Could Win a $250 Visa Gift Card!

As companies make the venture from virtualization to the cloud, Bluelock, one of our vCloud Datacenter partners, wants to know how you feel about the value of IaaS solutions.

Share your “two cents,” and it could result in a $250 Visa Gift Card!

Bluelock wants to hear your insight on cloud: 

  • What do you value most about cloud Infrastructure-as-a-Service?
  • What do you want from cloud?
  • What do you plan to use cloud for in the future?

Bluelock has created a brief market research survey that aims at understanding the true value of Infrastructure-as-a-Service from the perspective of the end-user – what values do enterprise consumers seek from IaaS cloud solutions?

So take a few minutes out of your day and contribute your “two cents”. You may just get a $250 Visa gift card for your time!

Be sure to follow @VMwareSP and @vCloud on Twitter for future updates!