With the new release of VMware vCloud Hybrid Service - Disaster Recovery there is one common question that people keep asking me, and that is “Where do I run needed supporting infrastructure like Active Director, DNS, and other things I need?”
You may, or may not, have seen your Disaster Recovery resources are not “Always-On.” What I mean is you are getting them via a subscription that is only holding replicated placeholders on storage until you fail them over. The machines are not using compute and memory until a failure or test failover occurs. In addition, the default leases on the machines is 30 days. This means you cannot stand up a real-time running machine in this offering to hose something like Active Directory and/or DNS and what I refer to in presentations as 'Infrastructure' machines. There is a way to solve this challenge, and as with all things cloud, you need to think outside the box.
The fact is most people that do Disaster Recovery today using traditional means run these 'Infrastructure' machines hot and always on in the DR site. I've almost never seen a Domain Controller get replicated usually because the DR site has a different IP address range. Instead it's treated as simply another "site" in active directory and certain applications and resources are just running there waiting for failed over machines to use them. This is not always the case, but it's what I have seen and what I set up when I was an administrator. This being said, there are a few options for solving the need for these running machines outside your vCHS-DR specific subscription.
- Option #1 - Connect a VPN from a physical to your vCHS-DR resources.
- Option #2 – Cross Connect to a Cage in a vCHS Data Center where those resources may already be running
- Option #3 – Purchase a vCHS Virtual Private Cloud or Dedicated Cloud to run them and setup a cloud-to-cloud VPN.
VPN from a Physical Site Option
This option really only works if you have more than one physical site. The obvious reason is if you connect to the primary site you are protecting and it goes down, you are left without the infrastructure you initially needed. Instead if you have two sites and you are only protecting one, you can leverage the other for these resources. Below is this example in a diagram.
Cross Connect to a Cage
vCloud Hybrid Service has an add-on option of cross-connect, which is the ability to wire from your vCHS resources directly to a cage you own in the same data center where vCHS is hosted. I’d suspect in most cases if you have a cage, that infrastructure is already connected back to your physical data center and you’ve setup basic resources there you could leverage.
The downside here is that today cross connect is not yet available in all vCHS data centers so you’d have a limited list of choices. However, when it becomes widely available, you will have many more options and this will be a very viable solution.
Cloud to Cloud VPN with a Virtual Private Cloud or Dedicated Cloud
The last option is very good especially if you are already considering additional Infrastructure as a Service resources with vCHS. This option is also good if you will be connecting your new standard vCHS resources back to your on premises data center and creating basic services in the cloud to support your deployed applications. Once you have these you are already setup to simply configure a cloud-to-cloud VPN.
This is in fact the setup I used in the tutorial video series located on the tutorials page. The benefit of this is you can run these resources in any vCHS location and connect them together as well as back to on premises. The idea is you need these resources additionally for new applications. This is part of your initial Hybrid Cloud data center extensibility.
You do have to think about the networking considerations when configuring these VPN connections and things like Active Directory Sites and Services.
- For VPN the endpoint networks cannot be the same.
- You should define the networks in vCHS-DR as a new “Site” and assign the proper domain controller.
- Ensure that your VPN mappings also have the right vCNS Edge Gateway firewall rules for traffic to pass.
In the end, you can solve this problem in more than one way. The intent here is not to give the step-by-step configuration since each setup will be different, but you can see in the diagrams I have tried to show some level of detail on the networking so you can get the basic idea. Hopefully this overview has helped answer your questions and you will decide to give vCloud Hybrid Service Disaster Recovery a try.
Chris is a Principal Technical Marketing Architect with the vCloud Hybrid Services team with over 10 years of experience working with IT hardware and software solutions. He holds a Bachelor of Science Degree in Information Systems from the Daniel Webster College. Prior to VMware he served a Fortune 1000 company in southern NH as a Systems Architect/Administrator, architecting VMware solutions to support new application deployments. At VMware, in the roles of Consulting Architect, Chris has guided partners as well as customers in establishing a VMware practice and consulted on multiple customer projects ranging from datacenter migrations to long-term residency architecture support. Currently, Chris is working on the newest VMware vCloud Hybrid Service solutions and architectures for vSphere customers wishing to migrate to the VMware Hybrid Cloud Service. Chris is also a VMware Certified Design Expert, (VCDX #37).