
By: Chris Colotti

This is a repost from Chris Colotti’s blog, chriscolotti.us

Okay, I admit I sometimes spend too many late nights coming up with goofy ideas. This one, however, panned out as a real-world vCloud Director networking example that shows how flexible vCloud Director networking can be. It started with me wanting to rebuild my WordPress installation from a single-server stack into a distributed two-server setup: an Apache web server and a MySQL database server. That is a pretty standard use case for two servers. I will NOT be covering the install and setup of the applications here; maybe that will be another day.

The idea was to have a single vCloud vApp with two virtual machines in it. That part is pretty easy; below you can see the single vApp container with the two virtual machines in it.

Let's take a look at the network diagram below so I can explain what I have set up and working.

What we see is that the Web Server is connected to the 1743-Public network, which is the Organization network provided for me. That one is easy enough to understand. You can also see the three basic firewall rules needed for web access to the server: HTTP, HTTPS (SSL) and SSH. It goes without saying that an external IP is assigned on the internet side of the Organization network as well.

Next we can examine the virtual machine view and see that the two virtual machines are in fact connected to two different vCloud network interfaces.

Note that the MySQL virtual machine also has an external IP address assigned. This is done automatically by the vApp vShield Edge when the virtual machine is attached to the vApp network, which we will see next. The vApp Networking tab is where we can see that the vApp network was created before it was assigned to the MySQL virtual machine. Note that the 'Always use assigned IP addresses...' check box is enabled. This is important: when you power cycle the vApp you want the same addressing to come back, because the firewall rules in the next step are written against specific IP addresses. You can also see that the vApp network is attached to the provided Organization network, so it routes outbound to the internet for patches and updates.

This is where the really cool part comes in. We now have a Web Server connected to the Organization network with an external IP and three firewall rules. Next we need to allow the Web Server to connect to the MySQL server on port 3306, and over SSH so we can manage the MySQL server from the Web Server. That is as easy as writing two rules in the vApp network firewall.

These rules say that ONLY the Web Server IP address can access ONLY the MySQL Server IP address, and only on ports 22 and 3306.
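To make the two rule sets above concrete and checkable, here is an added example (my code, not the author's configuration and not vCloud Director or vShield Edge code): a small first-match, default-deny rule evaluator with the three Organization-network rules and the two vApp-network rules from the post, plus a set of constructed flows that exercise the DMZ. The IP addresses and network ranges are placeholders I chose (RFC 1918 inside, RFC 5737 for the internet side), not the ones in the author's diagrams; NAT on the vApp edge is not modelled, so VMs are addressed by their interface addresses on both sides of each edge. One assumption goes beyond the post: the outbound rule on the vApp edge, which the post only says exists so the MySQL VM can route out for patches, is narrowed here to DNS, HTTP and HTTPS rather than "any", so that a compromised database tier cannot open arbitrary connections back to the web tier or out to the internet.

```python
"""Model of the two-tier firewall layout from the post (added example, not the author's setup).

First-match, default-deny evaluation over two edges: the Organization network edge in
front of the Web server and the vApp network edge in front of MySQL.  Addresses are
placeholders chosen for this example; NAT on the vApp edge is not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed placeholder addressing (not the addresses in the author's diagrams).
ORG_NET = "10.17.43.0/24"       # stands in for the "1743-Public" Organization network
VAPP_NET = "192.168.100.0/24"   # the routed vApp network behind the vApp edge
WEB_IP = "10.17.43.10"          # Web server, on the Organization network
DB_IP = "192.168.100.10"        # MySQL server, on the vApp network
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # destination port, None = any port
    action: str              # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


# Organization network edge: the three inbound rules from the post (HTTP, HTTPS, SSH to the
# Web server) plus outbound-anything from the inside so both tiers can fetch updates.
ORG_RULES = [
    Rule(ANY, WEB_IP + "/32", "tcp", 80, "allow"),
    Rule(ANY, WEB_IP + "/32", "tcp", 443, "allow"),
    Rule(ANY, WEB_IP + "/32", "tcp", 22, "allow"),
    Rule(ORG_NET, ANY, "any", None, "allow"),
    Rule(VAPP_NET, ANY, "any", None, "allow"),
]

# vApp network edge: the two rules from the post (only the Web server, only to MySQL, only on
# 22 and 3306).  The outbound rules are an assumption of this example: the post only says the
# vApp network routes out for patches, so here that is limited to DNS, HTTP and HTTPS.
VAPP_RULES = [
    Rule(WEB_IP + "/32", DB_IP + "/32", "tcp", 3306, "allow"),
    Rule(WEB_IP + "/32", DB_IP + "/32", "tcp", 22, "allow"),
    Rule(VAPP_NET, ANY, "udp", 53, "allow"),
    Rule(VAPP_NET, ANY, "tcp", 80, "allow"),
    Rule(VAPP_NET, ANY, "tcp", 443, "allow"),
]


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; no match falls through to the edge's default action."""
    src, dst = ip_address(flow.src_ip), ip_address(flow.dst_ip)
    for r in rules:
        if (src in ip_network(r.src) and dst in ip_network(r.dst)
                and r.proto in ("any", flow.proto)
                and r.dport in (None, flow.dport)):
            return r.action
    return default


def traversed(flow: Flow) -> List[Tuple[str, List[Rule]]]:
    """Which edges a flow crosses: the Organization edge whenever one end is outside both
    internal networks, the vApp edge whenever exactly one end is on the vApp network."""
    src, dst = ip_address(flow.src_ip), ip_address(flow.dst_ip)
    org, vapp = ip_network(ORG_NET), ip_network(VAPP_NET)
    edges = []
    if not ((src in org or src in vapp) and (dst in org or dst in vapp)):
        edges.append(("org", ORG_RULES))
    if (src in vapp) != (dst in vapp):
        edges.append(("vapp", VAPP_RULES))
    return edges


def permitted(flow: Flow) -> bool:
    """A flow gets through only if every edge on its path allows it."""
    return all(evaluate(rules, flow) == "allow" for _, rules in traversed(flow))


def check_layout() -> dict:
    """Constructed flows: what the post says must work, and what the DMZ must block."""
    internet = "198.51.100.7"   # an arbitrary client on the internet (RFC 5737 range)
    cases = {
        "internet -> web 443": Flow(internet, WEB_IP, "tcp", 443),
        "internet -> web 22": Flow(internet, WEB_IP, "tcp", 22),
        "web -> mysql 3306": Flow(WEB_IP, DB_IP, "tcp", 3306),
        "web -> mysql 22": Flow(WEB_IP, DB_IP, "tcp", 22),
        "mysql -> internet 443": Flow(DB_IP, internet, "tcp", 443),   # patches and updates
        "internet -> mysql 3306": Flow(internet, DB_IP, "tcp", 3306),
        "internet -> web 3306": Flow(internet, WEB_IP, "tcp", 3306),
        "web -> mysql 80": Flow(WEB_IP, DB_IP, "tcp", 80),
        "mysql -> web 22": Flow(DB_IP, WEB_IP, "tcp", 22),   # a compromised DB tier pivoting back
    }
    return {name: permitted(flow) for name, flow in cases.items()}


if __name__ == "__main__":
    for name, ok in check_layout().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
```

Running it prints one line per flow; the only flows that get through are the three public services to the Web server, the two Web-to-MySQL ports, and MySQL's outbound update traffic. The same table is what you would verify against the live setup with a port scan from outside and from each VM. One caveat the post does not address: the SSH rule on the Organization edge is open to any source exactly as described, and on a real deployment you would scope it to your own management address range rather than leaving port 22 on the Web server reachable from the whole internet.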

Solution Summary:

What this simple example shows is that you can not only build a single vApp in a flexible way, but also create a vApp-based DMZ for virtual machines within that vApp. Provided the back-end tiers of an N-tier application only need to be reached by the first tier, this works really well: only the Web Server is exposed to the internet, and the MySQL tier sits behind its own firewall. What this really shows is that as vCloud administrators and application folks we need to understand not only networking, but now routing and firewall rules as well. This structure is no different from having these as physical servers in a data center on physical switches with hardware firewalls between them.

This shows, on a small scale, a great use case for a real-world application. How do I know it is a real-world scenario? You are reading this hosted from the very two servers shown in the diagrams. Pretty cool, right? Next will be duplicating the setup in a second cloud connected by a vShield VPN between the Organization Edge devices, and putting MySQL replication in place with a backup Web Server... just for fun.

Some may ask why I did all this for a small set of WordPress sites that only get about 900 hits a day... because I can, that's why, and it is a fun learning experience.

Chris is a Consulting Architect with the VMware vCloud Delivery Services team with over 10 years of experience working with IT hardware and software solutions. He holds a Bachelor of Science degree in Information Systems from Daniel Webster College. Prior to VMware he served a Fortune 1000 company in southern NH as a Systems Architect/Administrator, architecting VMware solutions to support new application deployments. At VMware, in the roles of Consultant and now Consulting Architect, Chris has guided partners as well as customers in establishing a VMware practice and has consulted on multiple customer projects ranging from datacenter migrations to long-term residency architecture support. Currently, Chris is working on the newest VMware vCloud solutions and architectures for enterprise-wide private cloud deployments.