VMware vCloud Air offers different ways to purchase and consume cloud resources, based on whether you need resources physically isolated from other tenants or on a multi-tenant platform, and whether you purchase via a subscription or based on consumption in a pay-as-you-go manner. However, there are times when you have workloads that are a better fit for a Dedicated Cloud and projects that make more sense with VPC OnDemand. For example, you may run a database in Dedicated Cloud for security, licensing or performance reasons, while a nightly data warehousing job on that database may be more economical on VPC OnDemand. Most people know that they can create IPsec VPN tunnels across two different virtual data centers for a Layer 3 site-to-site connection and that they can use vCloud Connector to create a stretched Layer 2 network across different nodes. However, you can also connect multiple services together on the same Layer 2 network programmatically.

[Diagram: StretchLayer2]

In the above scenario, we may have two virtual machines – one deployed in one virtual data center in a Dedicated Cloud and one deployed in a different virtual data center in VPC OnDemand. We’ll call the database in the Dedicated Cloud the source and the virtual machine in VPC OnDemand the destination. Both virtual machines are created as part of a vApp which means that they are deployed with a vApp edge gateway automatically by vCloud Air (the square box in the diagram, not to be confused with the vCloud Air edge gateway).

To create an extended network across these two environments, we are creating an SSL VPN tunnel between the two vApp edge gateways with a common address space in both the source and destination. The procedure to accomplish this is outlined below. It assumes you have already built your vApp containers with source and destination virtual machines to map to the settings above. The actual IP addresses for the virtual machines can vary, but the two network ranges should match.

Step 1. Open routing and firewalls between the vCloud Air edge gateway and vApp edge gateway

As the tunnel is actually formed between the two vApp edge gateways, we need to create NAT rules and firewall rules to pass traffic at the vCloud Air edge to the vApp edge. By creating both SNAT and DNAT rules at both the source and destination, we can ensure traffic gets routed appropriately. For example, at the source VDC, we want traffic originating from 192.168.1.150 to be routed through the public IP address of 60.204.12.5 and at the destination VDC we want to route traffic hitting our external IP address of 107.189.86.250 to 192.168.2.150.

Create an SNAT at the source VDC:

[Screenshot: Create a SNAT]

Create DNAT rule at the destination VDC:

[Screenshot: DNAT Rule]

You can also create the reverse rules (DNAT at the source VDC and SNAT at the destination VDC) to enable two-way traffic between the two locations. While not typical in production, for ease in this example we will actually disable the vCloud Air edge firewall. That will allow all traffic to flow through the vCloud Air edge gateways. In a real scenario, you would want to limit traffic to only the ports necessary (e.g. port 443).

Step 2. Retrieve your vApp gateway network configurations at the source virtual data center (the Dedicated Cloud).

To configure the vApp gateway, we’ll need to first retrieve the source vApp’s network configuration (Summary of vApp Reconfiguration Requests):

GET https://Your_VDC_URL.vchs.vmware.com/api/vApp/vapp-UUID/networkConfigSection/

Step 3. Insert the new SSL VPN settings into the network configuration and post back to your source virtual data center.

To update the configuration, take the readout from the previous API call and modify the returned values (Update a vApp Network Configuration).

First, you’ll need to match the vApp network IP pool, edge IP address, DNS settings and parent networks to the vApp diagram:

[Screenshot: Source_Config]

Then, we’ll need to replicate all the features in the gateway, including firewall and NAT rules. The example below has an open Any:Any rule — you may want to limit the traffic to certain ports. The key here is the setting for IPsec VPN which uses the special prefix __SSL_VPN_SOURCE in the description:

[Screenshot: Source_Features]

Step 4. Retrieve your vApp gateway network configurations at the destination virtual data center (the OnDemand environment).

Similar to step 2, to configure the vApp gateway, we’ll need to first retrieve the destination vApp’s network configuration (Summary of vApp Reconfiguration Requests):

GET https://vca.vmware.com/api/compute/api/vApp/vapp-UUID/networkConfigSection/

Step 5. Insert the new SSL VPN settings into the network configuration and post back to your destination virtual data center.

To update the configuration, take the readout from the previous API call and modify the returned values (Update a vApp Network Configuration).

First, you’ll need to match the vApp network IP pool, edge IP address, DNS settings and parent networks to the vApp diagram:

[Screenshot: Destination_Config]

Then, we’ll need to replicate all the features in the gateway, including firewall and NAT rules. The example below has an open Any:Any rule — you may want to limit the traffic to certain ports. The key here is the setting for IPsec VPN which uses the special prefix __SSL_VPN_DESTINATION in the description:

[Screenshot: Destination_Features]
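Steps 3 and 5 both post back a Features block that, in the walkthrough, carries an open Any:Any firewall rule. The following is an added example (not code from the original post or from VMware) that audits a retrieved networkConfigSection for such rules and rewrites them to TCP on a single port before you PUT the section back; the XML is a constructed, trimmed sample in the shape of the vCloud API NetworkConfigSection, with the VPN-specific fields left out, and the port number is an assumption.

```python
# Added example: audit and tighten firewall rules in a vApp networkConfigSection.
import xml.etree.ElementTree as ET

VC_NS = "http://www.vmware.com/vcloud/v1.5"
NS = {"vc": VC_NS}
ET.register_namespace("", VC_NS)  # keep the default namespace on serialisation

# Constructed, trimmed sample of what GET .../networkConfigSection/ returns.
SAMPLE_CONFIG = """<NetworkConfigSection xmlns="http://www.vmware.com/vcloud/v1.5">
  <NetworkConfig networkName="vApp Network">
    <Configuration>
      <FenceMode>natRouted</FenceMode>
      <Features>
        <FirewallService>
          <IsEnabled>true</IsEnabled>
          <DefaultAction>drop</DefaultAction>
          <FirewallRule>
            <IsEnabled>true</IsEnabled>
            <Description>open rule from the walkthrough</Description>
            <Policy>allow</Policy>
            <Protocols><Any>true</Any></Protocols>
            <DestinationPortRange>Any</DestinationPortRange>
            <DestinationIp>Any</DestinationIp>
            <SourcePortRange>Any</SourcePortRange>
            <SourceIp>Any</SourceIp>
          </FirewallRule>
        </FirewallService>
      </Features>
    </Configuration>
  </NetworkConfig>
</NetworkConfigSection>"""


def _text(rule, tag):
    el = rule.find("vc:" + tag, NS)
    return el.text if el is not None else ""


def any_any_rules(xml_text):
    """Return descriptions of enabled allow rules matching any proto/port/source."""
    root = ET.fromstring(xml_text)
    return [_text(r, "Description") for r in root.iterfind(".//vc:FirewallRule", NS)
            if _text(r, "IsEnabled") == "true" and _text(r, "Policy") == "allow"
            and r.find("vc:Protocols/vc:Any", NS) is not None
            and _text(r, "DestinationPortRange") == "Any" and _text(r, "SourceIp") == "Any"]


def restrict_to_tcp_port(xml_text, port):
    """Rewrite every Any-protocol rule to TCP on one port; return the new XML."""
    root = ET.fromstring(xml_text)
    for rule in root.iterfind(".//vc:FirewallRule", NS):
        protos = rule.find("vc:Protocols", NS)
        if protos is not None and protos.find("vc:Any", NS) is not None:
            for child in list(protos):
                protos.remove(child)
            ET.SubElement(protos, "{%s}Tcp" % VC_NS).text = "true"
            rule.find("vc:DestinationPortRange", NS).text = str(port)
    return ET.tostring(root, encoding="unicode")
```

Run `any_any_rules` on the live GET response before and after `restrict_to_tcp_port`; the returned XML is what you PUT back in steps 3 and 5.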

For more information about VMware vCloud Air, visit vcloud.vmware.com, and keep an eye on the blog for upcoming tips and best practices for using vCloud Air.
