VMware Cloud on Dell EMC is a hyperconverged hardware and software-defined data center stack that is jointly engineered by VMware and Dell EMC and includes complete lifecycle management. With VMware Cloud on Dell EMC, you can satisfy the latency or locality requirements of your business applications through a streamlined provisioning process, while experiencing the benefit of reduced operational overhead – because it is all delivered as a service to your on-premises data center or edge location.
When you make VMware Cloud on Dell EMC part of your infrastructure, there are several services to consider integrating with the rest of your enterprise. In the last post, we took a look at how the NSX-T DNS forwarders can be pointed to your internal name servers, both to improve manageability and to prepare the way for seamless workload migration when connecting with existing VMware vSphere environments.
For workloads that use dynamic IP addresses, you also have the option to relay DHCP requests from the VMware Cloud on Dell EMC SDDC rack to your existing enterprise IP address management services. In this post, we will take a closer look at how it works.
Each VMware Cloud on Dell EMC SDDC deployment is fully assembled, installed, and configured before it arrives on site. This includes vSphere compute, vSAN storage, and NSX-T network virtualization. Although NSX-T does include built-in DHCP services, many customers prefer to manage the address scopes from a central location to better facilitate troubleshooting, auditing, or reporting. This is accomplished by relaying requests from the SDDC to existing DHCP servers.
It is straightforward to enable the DHCP relay and disable the built-in DHCP service, but keep in mind that the change is an all-or-none global configuration and cannot be applied selectively to different network segments on the SDDC. For that reason, it’s a good idea to decide up front if your infrastructure architects require control of the address management service. The configuration can be changed afterwards, but it will disrupt running workloads since the network segments must be reconfigured.
In the sections below, you will see the steps required to configure the relay service and the compute gateway firewall.
Create a New DHCP Scope
The first step is to add a new scope for the dynamic IP addresses and related attributes for the new network segment that will be created on the VMware Cloud on Dell EMC SDDC. In the example below, you can see a standard Windows DHCP server configuration. The key items to double-check are the default gateway and DNS servers that you intend the clients on the remote side to use.
Enable the DHCP Relay Service and Create New Network Segment
As stated above, it’s best to enable DHCP relay before any workload network segments are created on the VMware Cloud on Dell EMC SDDC. Otherwise, any existing network segments will need to be temporarily placed into the disconnected state, which will be disruptive to running applications. Configuring the relay to point to the central DHCP server is straightforward, as seen in the following microdemo.
One thing to note that is admittedly unintuitive: when you create a network segment, the user interface currently requires that a DHCP address range be entered, although the values are effectively ignored when using the relay.
Configure Firewall to Permit DHCP Service Access
With the default configuration using the built-in DHCP service, no DHCP traffic leaves the SDDC, so no additional firewall rules are needed. However, when changing over to a DHCP relay, the lease request needs to travel out to the enterprise network, so the firewall must be configured to allow this communication.
Some customers may opt to create an any/any/any rule that will permit all traffic in and out of the new VMware Cloud on Dell EMC SDDC – just as similar traffic would typically be allowed on existing infrastructure in a data center. If that is the case, it would not be necessary to create a rule specifically for DHCP relay. On the other hand, sites with a higher security posture will employ firewalls and access-control lists throughout the network. The instructions below will follow the principle of least privilege to facilitate more granular control.
On a technical note, it helps to remember that a DHCP relay communicates on behalf of the client to obtain a lease from a server – the relay, not the client, is the source IP address of the request. In this scenario the relay IP is also the address of the compute gateway interface that was specified during creation, as seen in the previous step.
Using the VMware Cloud Service portal, create two new inventory groups, each containing a single IP address – one to match the network segment compute gateway interface and the other to identify the destination DHCP server on your network. In the future, if additional network segments require relay access, those gateway addresses can be added to the group.
Once the groups are created, the last step is to create a new firewall rule on the compute gateway to specify that the relay traffic should be allowed. See the full firewall configuration workflow in the microdemo below.
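The least-privilege rule described above can be modelled offline before it is entered in the portal. The following Python sketch is an added example, not part of the original post or any VMware tooling; the addresses, group names, rule name, and default-deny fallback are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions, not taken from the post).
RELAY_GATEWAY = "192.0.2.1"     # compute gateway interface of the segment
DHCP_SERVER = "198.51.100.10"   # central enterprise DHCP server

# Inventory groups, each holding a single address as the post describes.
GROUPS = {
    "dhcp-relay-gateways": [ipaddress.ip_network("192.0.2.1/32")],
    "enterprise-dhcp-servers": [ipaddress.ip_network("198.51.100.10/32")],
}

@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str
    dst_group: str
    proto: str
    dport: int

# One narrow rule: relay gateway -> DHCP server, UDP 67 (DHCP server port).
RULES = [Rule("allow-dhcp-relay", "dhcp-relay-gateways",
              "enterprise-dhcp-servers", "udp", 67)]

def in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GROUPS[group])

def evaluate(src, dst, proto, dport, rules=RULES):
    """First-match evaluation; unmatched traffic is dropped (assumed default)."""
    for r in rules:
        if (in_group(src, r.src_group) and in_group(dst, r.dst_group)
                and (proto, dport) == (r.proto, r.dport)):
            return ("ALLOW", r.name)
    return ("DROP", "default-deny")

def uncovered_gateways(segment_gateways):
    """Gateways of relay-enabled segments that are missing from the source group."""
    return [g for g in segment_gateways if not in_group(g, "dhcp-relay-gateways")]

if __name__ == "__main__":
    # The relayed request carries the gateway address as its source.
    print(evaluate(RELAY_GATEWAY, DHCP_SERVER, "udp", 67))
    # A packet sourced from a client address on the segment does not match.
    print(evaluate("192.0.2.100", DHCP_SERVER, "udp", 67))
    # A second segment whose gateway was never added to the group.
    print(uncovered_gateways(["192.0.2.1", "192.0.2.129"]))
```

Running `uncovered_gateways` against the list of segment gateways after each new segment is created shows which addresses still need to be added to the relay group.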
VMware Cloud on Dell EMC is part of the broader VMware Hybrid Cloud, which provides consistent infrastructure so that your applications can run anywhere using the same processes, procedures, automation, and staff skills. You can integrate your existing enterprise services with a new VMware Cloud on Dell EMC SDDC rack for seamless management, migration, and other workflows.