By: vCloud Hybrid Service ISV Team and Chris Colotti

(This blog is Part 2 in Chris Colotti’s series, “Journey to Hybrid Architecture.” Visit Part 1 of this series, “Journey To A Full Scale Hybrid Architecture with vCloud Hybrid Service.”)

Maintaining application availability and performance while moving workloads to the cloud can pose challenges in maintaining seamless user experience across a hybrid environment.  To address this challenge,  today F5 is making BIG-IP Global Traffic Manager (GTM) available for vCloud Hybrid Service. With this validated offering, F5 brings its comprehensive set of application delivery tools to the enterprise-grade vCloud Hybrid Service platform.

Some of the key benefits of this solution include :

• Continuous availability of applications across globe to enable user transparent application failover and disaster recovery
• High application performance across hybrid environment irrespective of changing network and user volume conditions
• Simplified Management across hybrid environments provides a single, global namespace for user connections.

To learn more about how F5 and vCloud Hybrid Service enhance application availability, visit F5 on the vCloud Hybrid Service Marketplace.

You can also get a free 30 day trial license of F5 BIG-IP GTM, by sending an email to vchstrial@f5.com. If you are currently using F5 GTM on premise you can Bring Your Own License to vCloud Hybrid Service.

In the remainder of this post, Chris Colotti, Principal Technical Marketing Architect with the vCloud Hybrid Services team explains the necessary steps in utilizing F5 Global Traffic Manager as part of the hybrid cloud architecture in vCloud Hybrid Service. 

In the previous post Journey To A Full Scale Hybrid Architecture with vCloud Hybrid Service, I mentioned that we used both DYN.com and F5 Global traffic managers to test load balancing of the Horizon View Security Servers.  What I wanted to do was provide a little detail on how specifically you deploy the GTM appliances inside vCloud Hybrid Service and how you would use them instead of the vCloud Networking and Security built in load balancing.  What I will not do a lot of here is explain the actual F5 configuration options as those are pretty well documented on the F5 site, of most people with F5 experience know how to write them.  This is just how to get the appliance deployed and configured on vCloud Hybrid Service so you can use it.

Logical Architecture

Below is a diagram showing logically how you insert the F5 appliance into vCHS.  Bare in mind for the current use we are only leveraging the DNS capabilities and we have not yet deployed virtual machines behind the F5 itself, that will come later.

I want to point out a few important things about this deployment.  Generally when you deploy the appliance it will ask you to assign four network interfaces named:

• Management
  • Used for device management on the “private” routable network
  • Internal
    • This is where web servers or other servers would sit and use the F5 as their default gateway.  This is a NON routable isolated network in vCHS so all outbound access is routed through the F5.
    • External
      • This is the “Public” subnet where other servers may live that also needs DMZ access.
      • HA
        • Used for Traffic Manager replication and is optional.

We deiced we only need three as you see pictured and the mappings from the appliance names above to the networks shown is pretty simple to follow and these were the IP addresses assed to the interfaces on the F5 appliance itself as I deployed it in vCHS.

1. Management = 192.168.100.100
2. External = 192.168.200.100
3. Internal = 10.10.10.100
4. HA = Not Used

vCloud Hybrid Service Firewall Rules

Once deployed you need to forward traffic from external IP addresses you chose to the F5.  In our case we only needed to use a single one for now so the firewall rules are pretty simple as you can see below.

DNAT Rule:

Original 192.240.157.21:ANY         Translated 192.168.200.100:Any   Protocol:Any

Firewall Rule:

Source Any:Any                                 Destination 192.240.157.21:Any    Protocol:Any

Essentially what this rule does is allow all traffic on any port through the Edge Gateway on the selected external IP to the “External” port of the F5.  From there we are able to write all the rules you want on the F5 for pools of servers or the DNS functionality.  If you needed additional Public IP’s to map to additional internal public IP’s you can do so as needed but the premise is the same.

Configure External DNS for GTM DNS Load Balancing

One thing I learned in using the F5 for DNS load balancing is you do need to delegate the F5 as the authoritative DNS server for a Wide IP sub domain.  This is all actually documented by F5 in this article about delegating sub domains, but for my personal purposes I will explain what I did.  We host the external DNS for a lab domain on DYN.com.  So the process was pretty simple and once complete you can use the F5 documentation to configure the actual Wide IP Pools.

• Create a DNS A-Record for gtm1.companyname.com on external DNS
• Create a Subdomain zone called wip.companyname.com
• Delegate NS (Name Server) Authority for the new subdomain to gtm1.companyname.com

What this does is tell all DNS lookups that anything looking for *.wip.companyname.com that the name server to go to is gtm1.companyname.com.  This is pretty standard if you understand DNS management.  Then you will configure wide IP pools and other DNS related records in the F5 itself since it is now the authoritative DNS server for all records in the subdomain.

Routing Traffic For Load Balanced Pools

Now here is the trick, which I have not yet deployed.  If you want to use this F5 to place servers actually behind it, you need to manually assign IP addresses on the isolated network.  When created an isolated network is configured for DHCP which actually deploys an Edge to do DHCP.  If you deactivate DHCP the Edge will be removed, but your static IP pool cannot be configured to push the F5’s interface as the machines Default Gateway.

In this case you would use the “Static – Manual” setting on the virtual machine and simply assign an IP, DNS, and Default Gateway of the F5 in the machine.  Then traffic will route out from the machine, to the F5, and off through the primary Edge Gateway, finally out to the Internet.  At some point I will put a machine behind the F5 and do this very thing and setup a local load balanced pool on the 10.10.10.x network.

Once you get through the basics you can see that this is pretty straight forward and allows you to now use F5 traffic managers in vCHS for multiple use cases.  Please see the F5 documentation for more specific configuration details.

For more information about VMware vCloud Hybrid Service, visit vCloud.VMware.com.

Follow us on Twitter and Facebook at @vCloud and Facebook.com/VMwarevCloud for future hybrid cloud updates and resources.

Chris is a Principal Technical Marketing Architect with the vCloud Hybrid Services team with over 10 years of experience working with IT hardware and software solutions. He holds a Bachelor of Science Degree in Information Systems from the Daniel Webster College. Prior to VMware he served a Fortune 1000 company in southern NH as a Systems Architect/Administrator, architecting VMware solutions to support new application deployments. At VMware, in the roles of Consulting Architect, Chris has guided partners as well as customers in establishing a VMware practice and consulted on multiple customer projects ranging from datacenter migrations to long-term residency architecture support. Currently, Chris is working on the newest VMware vCloud Hybrid Service solutions and architectures for vSphere customers wishing to migrate to the VMware Hybrid Cloud Service. Chris is also a VMware Certified Design Expert, (VCDX #37).