Gain a solid understanding of VMware vCloud Air networking building blocks, and learn about connectivity options to vCloud Air.
Visit the VMware Cloud Academy for more videos and resources delivered by technical subject-matter experts.
http://vcloud.vmware.com/cloud-academy
What’s in It for You?
• You will leave with:
– An understanding of the VMware vCloud® Air™ networking building blocks
– A strong networking foundation for building a complex hybrid cloud
– An understanding of advanced networking use cases and security
Agenda
• vCloud Air Networking
– Services Overview
– Key Components
– Network Virtualization Services
• Connectivity Options to vCloud Air
– IPsec VPN
– L2 Stretching
– Direct Connect
• Advanced Use Cases
– Three-tier Networking
Hybrid Service Basic Networking Constructs
Diagram: the customer’s virtual data center on vCloud Air, showing the gateway services (NAT, FW, Load Balancer, IPsec, DHCP, Static routing), Routed/Gateway networks (up to 9 networks) and Isolated networks.
vCloud Air Cloud Options and Gateway Choices
• Shared Cloud
– Logically separated network, compute and storage
– 5GHz CPU (burstable to 10GHz)
– 20GB RAM, 2TB storage
– No virtual data center segmentation
– One Edge Gateway
• Dedicated Cloud
– Physically separated hosts
– Logically separated network and storage
– 30GHz CPU, 120GB RAM, 6TB
– Segment virtual data centers based on orgs
– Multiple Edge Gateways
IP Address Assignment
• IP Pool
– Pool of IPs created by default on auto-generated isolated and routed networks
– Virtual machines attached to those networks get IP addresses from that default pool
• Static IP
– Fixed IP for a virtual machine
– Change configuration in VMware® vCloud Director®
• DHCP
– Part of Edge Gateway service
– Change configuration in vCloud Director
– Basic DHCP service
Firewall Rules: North-South and East-West Traffic
Diagram: a Gateway with Routed Network 1, Routed Network 2 and Routed Network 3 behind it.
Firewall Rules:
- By default: Deny all
- Policies for traffic that passes through the gateway
• 5-tuple firewall policies (Protocol, Source/Dest. IP, Source/Dest. Port)
• Can have multiple policies across multiple networks
• Ideal for enterprise-grade application deployment
Network Address Translation (NAT)
• Source NAT and Destination NAT rules
– Supports multiple rules on multiple interfaces
• Can use internal/private IP space
– Bring your own internal IP space
– Create/manage subnets within IP space
– Multiple IP spaces under the same gateway
• Need to create firewall rules to allow traffic
• IPv4 NAT
Diagram: a Gateway between Public IPs and Internal IPs (10.x.x.x, 172.16.x.x and 192.168.x.x on Organization Net 1, Organization Net 2 and Organization Net 3).
NAT rules:
- SNAT & DNAT rules
- Options include protocol/port selection
Edge Gateway Services – Load Balancing
Diagram: the Edge Gateway load balancer in front of the pool servers.
Virtual Server:
- Virtual IP (Public IP)
- Frontend traffic
- Assigned to a server pool
Pool Servers, load balanced by:
- Round Robin
- IP Hash
- URI
- Least Connected
Can have multiple virtual servers and pools.
Load Balancer – Pool Servers
• Pool Servers
– HTTP/HTTPS/TCP
– Load Balancing Methods
• IP Hash
• Round Robin
• URI
• Least Connected
– Health Check
• Each with +TCP as mode
• Monitoring Ports
– Add Servers
• Ratio Weight
• Change Ports/Services per Server
Load Balancer – Virtual Servers
• Virtual Servers
– Apply on outside network
– Server Pool
– Persistence Method
• HTTP – Cookie
• HTTPS – Session ID
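To make the pool behaviour on the load-balancing slides concrete, here is an added example, not VMware's code: a constructed model of a server pool with the four balancing methods listed above, the health-check gate that drops a failed member, and ratio weights per server. Member addresses are made up on the 192.168.109.0/24 network from the VPN slide.

```python
import hashlib
from dataclasses import dataclass
from typing import List

@dataclass
class Member:
    """One pool server: address, ratio weight and health-check state (constructed model)."""
    address: str
    weight: int = 1
    healthy: bool = True
    connections: int = 0

class Pool:
    """Constructed model of a vCloud Air server pool, not VMware's implementation."""
    def __init__(self, members: List[Member]):
        self.members = members
        self._turn = 0

    def available(self) -> List[Member]:
        # Health-check gate: a member that failed its TCP monitor receives no traffic
        up = [m for m in self.members if m.healthy]
        if not up:
            raise RuntimeError("no healthy pool members")
        return up

    def round_robin(self) -> Member:
        # Ratio weight: a member with weight 2 takes two slots per rotation
        ring = [m for m in self.available() for _ in range(m.weight)]
        choice = ring[self._turn % len(ring)]
        self._turn += 1
        return choice

    def _hashed(self, key: str) -> Member:
        up = self.available()
        digest = hashlib.sha256(key.encode()).digest()
        return up[int.from_bytes(digest[:4], "big") % len(up)]

    def ip_hash(self, client_ip: str) -> Member:
        # Same client IP keeps reaching the same member while the healthy set is unchanged
        return self._hashed(client_ip)

    def uri(self, request_uri: str) -> Member:
        # Same URI keeps reaching the same member
        return self._hashed(request_uri)

    def least_connected(self) -> Member:
        # Fewest active connections per unit of ratio weight
        return min(self.available(), key=lambda m: m.connections / m.weight)

def demo_pool() -> Pool:
    """Three constructed members; the second has double weight, the third failed its health check."""
    return Pool([Member("192.168.109.11"), Member("192.168.109.12", weight=2),
                 Member("192.168.109.13", healthy=False)])
```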
Options to Connect to vCloud Air
Diagram: the Customer Data Center connected to vCloud Air over a Private WAN / Direct Connect / Cross Connect, over an IPsec Tunnel, and over the Public INTERNET.
Many connectivity choices to support many use cases.
Connecting to vCloud Air
• Over the Public Internet
– With Public IPs
– Use NAT for address translation
– By default, the firewall is set to deny all and NAT is not configured
• IPsec VPN
– vCloud Air features include IPsec VPN
– Multiple VPN tunnels can terminate on the Edge Gateway
– Can connect to most of the major on-premises VPN devices
Connecting via VPN
Diagram: an IPsec tunnel between the on-premises VMware vSphere® environment and vCloud Air.
On-premises (vSphere): SharePoint-Routed Network (10.0.10.0/24) with gateway 10.0.10.1; vSphere Edge Gateway at 10.0.1.150; customer’s edge router at 10.0.1.1 with public address 68.108.102.47.
vCloud Air: SharePoint-Default Routed Network (192.168.109.0/24) with gateway 192.168.109.1, hosting Virtual Machine 1 and Virtual Machine 2; vCloud Air Edge Gateway public address 69.194.137.230.
vCloud Air Edge Gateway tunnel settings:
– LEP – 69.194.137.230
– Peer ID – 10.0.1.150
– Peer IP – 68.108.102.47
vSphere Edge Gateway tunnel settings:
– LEP – 10.0.1.150
– Peer ID – 69.194.137.230
– Peer IP – 69.194.137.230
VPN Traffic (protocols and ports used by the tunnel):
– IP Protocol ID 50 (ESP)
– IP Protocol ID 51 (AH)
– UDP Port 500 (IKE)
– UDP Port 4500
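The firewall slide describes 5-tuple policies with a default of deny all, the NAT slide notes that rules must be created before traffic flows, and the VPN slide lists the protocols a tunnel needs. As an added example, not part of the deck, the following models that evaluation: first matching rule wins, anything unmatched is denied, and a constructed ruleset admits only IKE, NAT traversal, ESP and AH between the two public endpoints shown above. The 203.0.113.9 peer and the SSH probe are constructed inputs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
ESP, AH, UDP, TCP = 50, 51, 17, 6   # IP protocol numbers named on the VPN slide

@dataclass(frozen=True)
class Rule:
    """One 5-tuple policy: protocol, source/destination network, source/destination port."""
    action: str                  # "allow" or "deny"
    proto: Optional[int]         # None matches any IP protocol
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    sport: Optional[int] = None  # None matches any source port
    dport: Optional[int] = None  # None matches any destination port (ESP/AH carry none)

def matches(rule: Rule, proto: int, src: str, dst: str, sport=None, dport=None) -> bool:
    return ((rule.proto is None or rule.proto == proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.sport is None or rule.sport == sport)
            and (rule.dport is None or rule.dport == dport))

def evaluate(rules, proto, src, dst, sport=None, dport=None) -> str:
    """First matching rule wins; with no match the gateway's default of deny all applies."""
    for rule in rules:
        if matches(rule, proto, src, dst, sport, dport):
            return rule.action
    return "deny"

# Constructed ruleset for the two public endpoints on the VPN slide: only the
# IPsec control and data protocols between them are admitted, nothing else.
ONPREM, VCA = "68.108.102.47", "69.194.137.230"
VPN_RULES = [
    Rule("allow", UDP, ONPREM + "/32", VCA + "/32", dport=500),   # IKE
    Rule("allow", UDP, ONPREM + "/32", VCA + "/32", dport=4500),  # NAT traversal
    Rule("allow", ESP, ONPREM + "/32", VCA + "/32"),              # IP protocol 50
    Rule("allow", AH,  ONPREM + "/32", VCA + "/32"),              # IP protocol 51
]

def vpn_checks(rules=VPN_RULES):
    """Verdicts for the four flows a tunnel needs plus two flows that must stay blocked."""
    return {
        "ike":        evaluate(rules, UDP, ONPREM, VCA, dport=500),
        "nat_t":      evaluate(rules, UDP, ONPREM, VCA, dport=4500),
        "esp":        evaluate(rules, ESP, ONPREM, VCA),
        "ah":         evaluate(rules, AH, ONPREM, VCA),
        "ssh_to_gw":  evaluate(rules, TCP, ONPREM, VCA, dport=22),         # not tunnel traffic
        "other_peer": evaluate(rules, UDP, "203.0.113.9", VCA, dport=500),  # constructed unknown peer
    }
```

Running `vpn_checks(VPN_RULES[:2])` shows the common mistake of opening only UDP 500/4500: IKE negotiates, but ESP and AH are still denied, so the tunnel carries no traffic.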
vCloud Air Direct Connect
Diagram with two options:
• Cross Connection between a Customer Cage in the CoLo and vCloud Air, via a Direct Connect Partner Device
• Private WAN connectivity between the Customer Data Center and vCloud Air, via a Direct Connect Partner Device
Direct Connect – vCloud Air Connectivity
Diagram: a 1 or 10 Gbps Direct Connect Line carrying Direct Connect traffic from Headquarters to the vCloud Air Edge Gateway, which fronts a DMZ Network (192.168.52.0/24) and two Private Networks (192.168.50.0/24 and 192.168.110.0/24); the Edge Gateway also connects to the INTERNET.
Direct Connect – Connecting to Existing Security
Diagram: 1 Gbps Direct Connect traffic over a Direct Connect private line between the On-Premises network (10.1.1.x/24) and the vCloud Air Edge Gateway. Existing security policies and appliances (IGW, IDS, IPS) on premises stay in the path, including for Internet traffic; vCloud Air hosts the DMZ Network (192.168.52.0/24) and Private Networks (192.168.50.0/24 and 192.168.110.0/24).
Direct Connect – Cross Connect
Diagram: a 1 or 10 Gbps Direct Connect Line carrying Direct Connect traffic from the CUSTOMER CAGE to the vCloud Air Edge Gateway, which fronts a DMZ Network (192.168.52.0/24) and Private Networks (192.168.50.0/24 and 192.168.110.0/24).
Note: Storage connection must be in-guest based connectivity with NFS or Software iSCSI Initiator.
User Level Rights and Security
Role | Rights | Cannot do | Ideal for
Account Administrator | Can add/edit users and user rights | Virtual data center resource management, network mgmt etc. | Account management
Virtualization Infrastructure Administrator | Create virtual data centers; add/edit compute and storage resources | Cannot create users, manage networking | Virtual infrastructure admin, app admin
Network Administrator | Create networks; add gateways; add gateway services | User management, virtual data center resource management | Network admin
Read-only Administrator | Read-only rights for all setups/configurations | Any adds/edits | Supervisor
Subscription Administrator | Access to myVMware; purchase resources, file support tickets | No vCloud Air management rights | All personnel with purchasing rights and/or support needs
Application Security – Access Rights
• Administration rights
– Clearly identify individuals, and the rights that the individuals get
– An enterprise administrator can have more than one type of right
– Rights help enforce secure cloud usage
• User rights
– End user rights for virtual machine owners
– End user cannot do any admin activity
– Users have limited visibility to cloud resources
Summary
• You will leave with:
✓ An understanding of the vCloud Air networking building blocks
✓ A strong networking foundation for building a complex hybrid cloud
✓ An understanding of advanced networking use cases and security
• Key Takeaways
– Building blocks you are used to – vSphere, VXLAN, VMware vCloud® Networking and Security Manager™ (vCNS), VMware® vCloud Director®
– Flexible and powerful
– Supports all your complex networking
• IPsec VPN
• Stretched Applications
• Layer 2 Extension - BYOIP
– Advanced application security
Go To VMware Cloud Academy
• See a video of this presentation and others to learn more about vCloud Air
• Condensed VMworld jump start presentations delivered by technical subject-matter experts
• Free and ungated to learn at your own pace
• All videos under 15 mins!
• Test your knowledge by taking a quiz
• Download vCloud Air eBook and other assets and tools
http://vcloud.vmware.com/cloud-academy