VMware vCloud Air: Networking
6 likes4,513 views
The document outlines the features and components of VMware vCloud Air networking, focusing on its building blocks and advanced use cases for hybrid cloud setups. It covers topics such as IP addressing, firewall rules, load balancing, VPN connectivity options, and security roles for user management. The key takeaway emphasizes a strong foundational understanding of complex networking configurations and the importance of advanced security in the cloud environment.
VMware vCloud Air: Networking
- 1. © 2014 VMware Inc. All rights reserved. VMware vCloud Air: Networking Formerly known as vCloud Hybrid Service
- 2. 2 What’s in It for You? • You will leave with: – An understanding of the VMware vCloud® Air™ networking building blocks – A strong networking foundation for building a complex hybrid cloud – An understanding of advanced networking use cases and security
- 3. 3 Agenda vCloud Air Networking • Services Overview • Key Components • Network Virtualization Services • Connectivity options to vCloud Air • IPsec VPN • L2 Stretching • Direct Connect • Advanced Use Cases • Three tier Networking
- 4. 4 Hybrid Service Basic Networking Constructs NAT FW Load Balancer IPsec DHCP Static routing Routed/Gateway networks (up to 9 networks) Isolated networks Customer’s virtual data center on vCloud Air
- 5. 5 vCloud Air Cloud Options and Gateway Choices CONFIDENTIAL § Shared Cloud • Logically separated network, compute and storage § 5GHz CPU (burstable to 10GHz) § 20GB RAM, 2TB storage § No virtual data center segmentation § One Edge Gateway § Dedicated Cloud • Physically separated hosts • Logically separated network and storage § 30GHz CPU, 120GB RAM, 6TB § Segment virtual data centers based on orgs § Multiple Edge Gateways VDC1 VDC2 VDC3 VDC4 VDC
- 6. 6 Configuration Access Options CONFIDENTIAL vCloud Air Management Web Portal – for basic networking configurations
- 7. 7 Configuration Access Options CONFIDENTIAL vCloud Air Management Web Portal – for basic networking configurations For Advanced configurations
- 8. 8 Configuration Access Options CONFIDENTIAL vCloud Air Management Portal – for advanced networking configurations
- 9. 9 vCloud Air Networking Services • IP Addressing • Network creation • Firewall • NAT • DHCP • Load Balancer • VPN
- 10. 10 IP Address Assignment • IP Pool – Pool of IPs created by default on auto generated isolated and routed networks – Virtual machines attached to those networks get IP addresses from that default pool • Static IP – Fixed IP for a virtual machine – Change configuration in VMware® vCloud Director® • DHCP – Part of Edge Gateway service – Change configuration in vCloud Director – Basic DHCP service Routed Network
- 11. 11 Firewall Rules in vCloud Air
- 12. 12 Firewall Rules: North-South and East-West Traffic Routed Network 1 Routed Network 2 Routed Network 3 Firewall Rules: - By default: Deny all - Policies for traffic that passes through the gateway Gateway • 5-tuple firewall policies (Protocol, Source/Dest. IP, Source/Dest. Port ) • Can have multiple policies across multiple networks • Ideal for enterprise grade application deployment
- 13. 13 Network Address Translation (NAT) • Source NAT and Destination NAT rules – Supports multiple rules on multiple interfaces • Can use internal/private IP space – Bring your own internal IP space – Create/manage subnets within IP space – Multiple IP spaces under the same gateway • Need to create firewall rules to allow traffic • IPv4 NAT NAT rules: - SNAT & DNAT rules - Options include protocol/port selection Gateway Public IPs Internal IPs 10.x.x.x 172.16.x.x 192.168.x.x Organization Net 1 Organization Net 2 Organization Net 3
- 14. 14 Edge Gateway Services – Load Balancing Pool Servers Load Balanced - Round Robin - IP Hash - URI - Least Connected Virtual Server – - Virtual IP (Public IP) - Frontend traffic - Assigned to a server pool Can have multiple virtual servers and pools Edge gateway Load balancer
- 15. 15 Load Balancer – Pool Servers • Pool Servers – HTTP/HTTPS/TCP – Load Balancing Methods • IP Hash • Round Robin • URI • Least Connected – Health Check • Each with +TCP as mode • Monitoring Ports – Add Servers • Ratio Weight • Change Ports/Services per Server
- 16. 16 Load Balancer – Virtual Servers • Virtual Servers – Apply on outside network – Server Pool – Persistence Method • HTTP – Cookie • HTTPS – Session ID
- 18. 18 Options to Connect to vCloud Air z Customer Data Center vCloud Air Private WAN / Direct Connect / Cross Connect IPsec Tunnel Public INTERNET Many Connectivity Choices to Support Many Use Cases
- 19. 19 INTERNET Connecting to vCloud Air • Over the Public Internet – With Public IPs – Use NAT for address translation – By default firewall set to deny all and NAT not configured INTERNET • IPsec VPN – vCloud Air features include IPSEC VPN – Multiple VPN tunnels can terminate to Edge Gateway – Can connect to most of the major on-premises VPN devices
- 20. 20 Connecting via VPN VMware vSphere® (On-Premises) SharePoint-Routed Network (10.0.10.0/24) vCloud Air Edge Gateway § LEP – 69.194.137.230 § Peer ID – 10.0.1.150 § Peer IP – 68.108.102.47 10.0.1.150 10.0.10.1 Customer’s edge Router 10.0.1.1 68.108.102.47 SharePoint-Default Routed Network (192.168.109/24) 192.168.109.1 Virtual Machine 1 vCloud Air Virtual Machine 2 69.194.137.230 vSphere Edge Gateway § LEP – 10.0.1.150 § Peer ID – 69.194.137.230 § Peer IP – 69.194.137.230 IP Protocol ID 50 (ESP) IP Protocol ID 51 (AH) UDP Port 500 (IKE) UDP Port 4500 VPN Traffic
- 21. 21 Stretching L2 to vCloud Air - Logical Architecture (192.168.50.0/24) 184.61.71.155 74.204.180.41 VPN Traffic INTERNET Edge Gateway Edge Gateway Edge Gateway Corp Firewall (192.168.50.0/24) Default Gateway = 192.168.50.10 50.34 50.35 50.34 50.35 50.33 100.33 (192.168.50.0/24) 50.10 100.10
- 22. 22 vCloud Air Direct Connect Customer Cage – in CoLo vCloud Air Cross Connection Direct Connect Partner Device Customer Data Center vCloud Air Private WAN connectivity Direct Connect Partner Device
- 23. 23 Direct Connect – vCloud Air Connectivity 1 or 10 Gbps Direct Connect Traffic DMZ Network (192.168.52.0/24) Private Network (192.168.50.0/24) Private Network (192.168.110.0/24) Headquarters Direct Connect Line Edge Gateway INTERNET
- 24. 24 Direct Connect – Connecting to Existing Security 1 Gbps Direct Connect Traffic DMZ Network (192.168.52.0/24) Internet Private Network (192.168.50.0/24) Private Network (192.168.110.0/24) 10.1.1.x/2410.1.1.x/24 On-Premises Edge Gateway IDS Existing Security Policies and Appliances IGW Direct Connect – Private Line IPS
- 25. 25 Direct Connect – Cross Connect 1 or 10 Gbps Direct Connect Traffic DMZ Network (192.168.52.0/24) Private Network (192.168.50.0/24) Private Network (192.168.110.0/24) CUSTOMER CAGE Direct Connect Line Edge Gateway Note: Storage connection must be In- Guest based connectivity with NFS or Software iSCSI Initiator
- 26. 26 User Level Rights and Security Role Rights Cannot do Ideal for Account Administrator Can add/edit users and user rights Virtual data center resource management, Network mgmt etc. Account management Virtualization Infrastructure Administrator Create virtual data centers Add/edit compute and storage resources Cannot create users, manage networking Virtual infrastructure admin App admin Network Administrator Create networks Add gateways Add gateway services User management, Virtual data center resource management Network admin Read-only Administrator Read only rights for all setups/configurations Any adds/edits Supervisor Subscription Administrator Access to myVMware. Purchase resources, file support tickets No vCloud Air management rights For all personnel with purchasing rights and/or support needs
- 27. 27 Application Security – Access Rights • Administration rights – Clearly identify individuals, and rights that the individuals get – An enterprise administrator can have more than one type of right – Rights help enforce secure cloud usage • User rights – End user rights for virtual machine owners – End user cannot do any admin activity – Users have limited visibility to cloud resources
- 28. 28 Summary • You will leave with: ü An understanding of the vCloud Air networking building blocks ü A strong networking foundation for building a complex hybrid cloud ü An understanding of advanced networking use cases and security • Key Takeaways – Building blocks you are used to – vSphere, VXLAN, VMware vCloud® Networking and Security Manager™vCNS, VMware® vCloud Director® – Flexible and Powerful – Supports all your complex networking • IPSEC VPN • Stretched Applications • Layer 2 Extension - BYOIP – Advanced application security
- 29. Go To VMware Cloud Academy • See a video of this presentation and others to learn more about vCloud Air • Condensed VMworld jump start presentations delivered by technical subject-matter experts • Free and ungated to learn at your own pace • All videos under 15 mins! • Test your knowledge by taking a quiz • Download vCloud Air eBook and other assets and tools 29 http://vcloud.vmware.com/cloud-academy
- 30. Thank You