Table of Contents - VMware...• Know how to install, configure, and understand the features of...

Table of ContentsLab Overview .................................................................................................................... 2

HOL-HBD-1302 - Advanced Networking and Security ............................................. 3Module 1 - Introduction to vCloud Hybrid Service Networking and Security .....................5

Introduction............................................................................................................. 6vCloud Hybrid Service Portal Networking................................................................ 7vCloud Hybrid Service Networking in vCloud Director ..........................................18Conclusion............................................................................................................. 28

Module 2 - IP Address Portability Between Customer and vCloud Hybrid Service DataCenters (Data Center Extension) .................................................................................... 29

Introduction........................................................................................................... 30vCloud Connector Server and Node Installation and Configuration ......................31vCloud Connector Node ........................................................................................ 34vCloud Connector Server ...................................................................................... 56vCloud Connector User Interface .......................................................................... 72vCloud Connector Data Center Extension (DCE) ................................................... 79Conclusion............................................................................................................. 84

Module 3 - Public and Private Cloud Multi-Tiered Application Networking.......................85Introduction........................................................................................................... 86Configuring VPN tunnel between the Local Datacenter and vCloud HybridService .................................................................................................................. 88Verify and Test Network and Security Configuration ...........................................112Conclusion........................................................................................................... 147

HOL-HBD-1302

VMware Beta Program CONFIDENTIAL

Lab Overview

HOL-HBD-1302


HOL-HBD-1302 - Advanced Networkingand SecurityLab Introduction and Overview

Introduction

This lab builds upon the skills transferred as part of the HOL-HBD-1301 vCloud HybridService Jump Start lab by introducing you to the Advanced Networking and Securityfeatures of the vCloud Hybrid Service. After completing this lab, you will:

• Have an overview of the vCloud Hybrid Service networking and security features• Know how to install, configure, and understand the features of vCloud Connector

in both your local and remote vCloud Hybrid Service hosted data centers• Explore a use-case around a multi-tiered architecture that utilizes the isolation

features of vCloud Networking and Security, Firewall, IPSEC VPN, and vCloudHybrid Service hosting

Module Overview

The concepts introduced in HOL-HBD-1302 are divided up into three modules. Eachmodule is independent and can be completed in any order within the allotted time.

Module 1 - Introduction to vCloud Hybrid ServiceNetworking and Security

Description: In this module we will walk you through the vCloud Hybrid Servicenetworking capabilities and walk though the various access rights and roles available.

Duration: 15 minutes

Lab Captain(s): Erin K. Banks, Eric Hammersley, Raj Jethnani

Module 2 - IP Address Portability Between Customer andvCloud Hybrid Service Data Centers (Data CenterExtension)

Description: In this module we will show you how IP space located within your datacenters can be extended to the vCloud Hybrid Service environment.


HOL-HBD-1302



Module 3 - Public and Private Cloud Multi-TieredApplication Networking

Description: In this module we will help identify and outline for you the networkconfiguration options available for multi-tiered applications, isolated, and public facingnetworks.



HOL-HBD-1302


Module 1 - Introduction tovCloud Hybrid Service

Networking and Security

HOL-HBD-1302


IntroductionIn this module we will give you an introduction to the networking components exposedvia the vCloud Hybrid Service portal, as well as those available and configurable fromwithin vCloud Director. As the vCloud Hybrid Service evolves many tasks still performedwithin vCloud Director, or vShield Manager, will start to be exposed from the vCloudHybrid Service as well, making it an even easier service to consume.

As we progress through the following steps you will become familiar with the high levelaspects of the vCloud Hybrid Service from a networking and security point of view. Thiswill assist you in the coming modules of this lab where we explore vCloud Connector,Data Center Extensions, and Multi-Tiered Application Networking. Thank you for taking amoment to work through and see what the vCloud Hybrid Service has to offer.

HOL-HBD-1302


vCloud Hybrid Service PortalNetworkingIn this module we will give you an introduction to the networking components exposedvia the vCloud Hybrid Service portal, as well as those available and configurable fromwithin vCloud Director.

Launch Portal

To begin, let's launch the vCloud Hybrid Service portal by clicking on Firefox from thedesktop.

HOL-HBD-1302


vCloud Hybrid Service Login

We will login with the [email protected] user which should already be autopopulated on the page.

Click on the "Sign in" button.

PLEASE NOTE: If for some reason this does not auto populate the account information is:

Username: [email protected]

Password: VMware1#

vCloud Hybrid Service Portal

The dashboard is the main overview of resources available for administrators. As youcan see, there is a listing of all the resources that we have available to us. We chose tobreak these resources in to two separate virtual datacenters, Rainpole_Developmentand Rainpole_Production.

In this lab we will be focusing on the networking options, gateways and controls thatadministrators have for the deployed virtual datacenters (vDC).

HOL-HBD-1302


Notice that this screen has additional information below, feel free to scroll down to viewall the options/data.

If you'd like an overall tour of the dashboard and deploying virtual datacenters, weencourage you to take lab HOL-HBD-1301.

NOTE: For the purposes of this lab you have a 2GHz by 2GB by 10GB slice of resourcespurchased. This resource division is not representative of the actual service and usedhere for demonstration purposes only.

HOL-HBD-1302


vDC Network Settings - Rainpole_Development

Click on the "RAINPOLE_DEVELOPMENT" virtual datacenter.

HOL-HBD-1302


vDC Network Settings - Rainpole_Development

Click on the "Gateways" tab.

HOL-HBD-1302


Rainpole_Development Gateway

Here we can see the vCloud Networking and Security Edge gateway instance deployedfor use in the Rainpole_Development vDC.

We have 192.168.210.100 as the external IP for the Edge gateway device. We deployedthe compact Edge gateway. Also note that the Edge gateway is deployed in an HAconfiguration to cover any potential failure of the node.

Rainpole_Development Networks

Now that we've seen our gateway configuration, let's see what networks are availablefor us to deploy VMs on.

Click on the "Networks" tab.

Here we can see 2 different networks:

1. The Default-Routed network allows VMs to access the external environment.

2. The Default-Isolated network keeps VM communication within it's own environment.

HOL-HBD-1302


Routed networks within vCloud Hybrid Service provide a gateway and network services,such as DHCP, NAT, Firewall, etc. These services, with the exception of DHCP, are notavailable on isolated type networks within vCloud Hybrid Service, or vCloud Director.Additionally, take note of the IP Range shown in the picture, and on your screen. Thisrange represents the range of network addresses available, and assigned, to VirtualMachines provisioned to this network. The network range, and IP addresses, areconfigurable from within vCloud Director.

Notice that this screen has additional information below, feel free to see the secondnetwork.

HOL-HBD-1302


vCloud Hybrid Service Dashboard

Let's return back to the main dashboard by either clicking on the "DASHBOARD"breadcrumb or on the main "Dashboard" icon.

Next we will explore the same settings but for the Rainpole_Production vDC.

HOL-HBD-1302


vDC Network Settings - Rainpole_Production

Click on the "Rainpole_Production" vDC.

We will explore the network configuration for this vDC just like we did in the earliersteps.

HOL-HBD-1302


Rainpole_Production Gateway

Here we can see the vCloud Networking and Security Edge gateway instance deployedfor use in the Rainpole_Production vDC.

We have 192.168.210.102 as the external IP for the Edge gateway device. We deployedthe compact Edge gateway. Also note that the Edge gateway is deployed in an HAconfiguration to cover failure of the node.

Rainpole_Production Networks

Now that we've seen our gateway configuration, let's see what networks are availablefor us to deploy VMs on.

Click on the "Networks" tab.

Here we can see 2 different networks:

1. The Default-Routed network allows VMs to access the external environment.

2. The Default-Isolated network keeps VM communication within it's own environment.

HOL-HBD-1302


Notice that this screen has additional information below, feel free to see the secondnetwork.

Conclusion

We have just reviewed the networking components available via the vCloud HybridService portal.

In the next module, we will explore in greater detail these networking settings fromwithin the vCloud Director instance. Managing the network settings via vCloud Director,allows the administrator to manage the network settings of their vDC with greatergranularity.

To continue with this lab module, do not close the Firefox browser.

HOL-HBD-1302


vCloud Hybrid Service Networking invCloud DirectorNow that we have have explored the networking views in vCloud Hybrid Services, let'sreview the networking capabilities available to us via vCloud Director for your twovirtual datacenters.

Note that in addition to the default routed and isolated networks that vCloud HybridService creates automatically you can create up to nine total networks for use withinyour virtual data center. These can be used for the creation of multi-tiered networkenclaves to isolate data, or various other reasons. Due to space and size restrictionwithin the lab environment we will not be creating additional networks today; howeverwe will call out the appropriate screen later in this module.

Accessing the vCloud Director views

If you are continuing this lab from the previous chapter, click the "Manage in vCloudDirector" button.

This will automatically log you into vCloud Director.

HOL-HBD-1302


Rainpole_Production Networks via vCloud Director

The image above shows you the networks that are available for the Rainpole_ProductionOrganization. You will notice that there are two networks available here as well.(Remember that we showed you two networks via the vCloud Hybrid Service portal).

In addition to the two default networks (routed and isolated) that vCloud Hybrid Servicecreates you may also create additional ones, as indicated in the introduction, from thisscreen. In your own environment this would be done by clicking the green plus (+) iconand walking through the wizard. Please do not add a new network to this labenvironment.

Note: vCloud Director provides role based security and therefore the view above maynot necessarily be available to all users and roles.

HOL-HBD-1302


Routed network - Configure Services

Highlight the Rainpole_Production-default-routed network.

Click the arrow to the right of the blue wheel. A drop down menu will appear.

select "Configure Services".

Services available for the routed network

As you can see, there are six services available for configuration within vCloud Director.Let's walk through each of these individually.

HOL-HBD-1302


DHCP Services

The DHCP services tab allows you to automate the IP address assignments for thevirtual machines connected to this network.

Note that you can "add" DHCP configurations from this screen as well.

The IP Range, Lease information, and whether it is enabled, is viewable from this screen.

HOL-HBD-1302


NAT Services

The NAT screen gives you the ability to add a Source NAT and Destination NAT for thevCloud Networking and Security Edge gateway.

The Source NAT translates the source address of a packet before leaving the gateway.

The Destination NAT translates the destination IP address/port of a packet received bythe gateway.

HOL-HBD-1302


Firewall Services

In this Firewall tab, we have the ability to add, edit, or delete firewall rule ids.

You will see in subsequent chapters of this lab that we use the firewall rules to establishgreater security for our virtual machines that are located in the local datacenter and invCloud Hybrid Services.

HOL-HBD-1302


Static Routing Services

As you can see in this tab, you have the ability to add Static Routing to this network.

HOL-HBD-1302


VPN Services

In the VPN tab, we have the ability to add an IPSEC VPN to connect two vCloudNetworking and Security Edge Gateways.

There is also the ability to Configure Public IPs for the external networks.

HOL-HBD-1302


Load Balancer Services - Pool Servers

In the Load Balancer tab we have the ability to configure Pool Servers and VirtualServers.

Note that a pool is a construct used to manage and share backend member instances. Apool manages its backend members, health-check monitors and load balancerdistribution method.

This also allows you to see the service and health check for the individual loadbalancing member pools.

Let's review the Virtual Servers screen.

HOL-HBD-1302


Load Balancer Services - Virtual Servers

In this Load Balancer section, we can configure the Load Balancer for the virtual servers.A virtual server is a highly scalable and highly available server built on a cluster of realservers called members.

Click the "Cancel" button to exit out of this screen.

HOL-HBD-1302


ConclusionIn conclusion, we have shown you the network and security capabilities for vCloudHybrid Services that are available in vCloud Director.

There are two additional modules available in this lab. We will discuss the vCloudConnector Node and Server capabilities and configurations. We will show you a multi-tier environment that utilizes both vCloud Hybrid Service and the local datacenter. Wewill also set up firewall rules to ensure the environment is secure.

It is going to be a great lab!!! Let's begin.

HOL-HBD-1302


Module 2 - IP AddressPortability Between

Customer and vCloudHybrid Service DataCenters (Data Center

Extension)

HOL-HBD-1302


IntroductionIn this module we will explore how vCloud Connector delivers an integrated andimproved operations center for your hybrid cloud environment. With improved transferspeeds and integration with vCloud Hybrid Service.

vCloud Connector is an enterprise product that provides a single user interface foroverseeing multiple public and private clouds and for transferring cloud content fromone cloud to another. It allows you to connect multiple clouds, both internal andexternal, in a single user interface. Using vCloud Connector, you can stop and startvirtual machines, check their performance, and transfer virtual machines, vApps, andtemplates from one cloud to another.

vCloud Connector consists of three distinct components: vCloud Connector UserInterface (UI), vCloud Connector Server, and vCloud Connector Nodes.

vCloud Connector UI is produced by vCloud Connector Server. It can be surfaced invSphere Client.

vCloud Connector Server is a virtual appliance that coordinates the activity of vCloudConnector, controls vCloud Connector Nodes, and produces vCloud Connector UI. Onlyone vCloud Connector Server is needed.

vCloud Connector Nodes are virtual appliances that handle transferring content fromone cloud to another. Transfers between clouds that are interrupted, for examplebecause of network problems, can be resumed at the point that they were interrupted. AvCloud Connector Node must be installed in every vSphere or vCloud cloud that vCloudConnector oversees.

This module is broken into four sections.

Section 1 : A pre-recorded video showing you how you deploy vCloud Connector Serverand vCloud Connector Node. You DO NOT need to repeat these steps in the lab, theyhave already been done.

Section 2 : Now that vCloud Connector Node is installed, we will walk you through theconfiguration steps.

Section 3: We walk you through vCloud Connector Server configuration steps.

Section 4: Now that vCloud Connector Node and Server are configured, we will connectthem together. Connecting the two will allow us to move virtual machines from the localdatacenter to our vCloud Hybrid Services Datacenter.

HOL-HBD-1302


vCloud Connector Server and NodeInstallation and ConfigurationIn this portion of the lab you will review the requirements and procedures necessary toinstall both vCloud Connector Server and vCloud Connector Node inside yourenvironment. Due to the length and process involved we have provided this informationto you in a series of short videos.

vCloud Connector Server Installation

This video will cover the installation of vCloud Connector Server from within vSphere.Steps in this video include:

• Deploying vCloud Connector Server via the provided OVF template• Booting up and showing the web-based configuration screen

Configuration of vCloud Connector, beyond that needed for basic installation, will becovered in subsequent videos and lab topics.

Please note, the above video does not contain audio.

HOL-HBD-1302


vCloud Connector Node Installation

This video will cover the installation of vCloud Connector Node.

• Deploying vCloud Connector Node via the provided OVF template• Booting up and showing the web-based configuration screen

Configuration of vCloud Connector, beyond that needed for basic installation, will becovered in subsequent videos and lab topics.


HOL-HBD-1302


vCloud Connector Configuration

This video will cover the configuration of the node and server above, as well as theaddition of the local data center serviced by the node into vCloud Connector UserInterface in vSphere.

• Configure vCloud Connector Node, connecting it to the local vSphere instance• Configure vCloud Connector Server, adding the Node above as a resource• Configure the vCloud Connector User Interface, adding the local vSphere instance

as a cloud resource


Conclusion

In this article we provided a series of videos illustrating how vCloud Connector Serverand vCloud Connector Node were installed into this lab. After the installation we walkedthough configuring one Node to connect to the local vSphere instance, and added it tovCloud Connector User Interface. Subsequent modules within this lab will have vCloudConnector Server and Nodes configured for you, except for the next module in this lab.There we have you configure a vCloud Connector Node to a vCloud Hybrid Servicevirtual data center so you can see how it is configured against vCloud Director, and in apublic setting. Let's move forward and see what it can do...

HOL-HBD-1302


vCloud Connector NodeIn this module you will configure vCloud Connector Node. In the previous video weinstalled vCloud Connector Server and Node within the local data center. Here we willconfigure an already deployed vCloud Connector Node within vCloud Hybrid Service.

Just a reminder that vCloud Connector nodes are virtual appliances that handletransferring content from one cloud to another. Transfers between clouds that areinterrupted, for example because of network problems, can be resumed at the point thatthey were interrupted. A vCloud Connector Node must be installed in every vSphere orvCloud Director cloud that vCloud Connector oversees.

Launch Google Chrome

On the desktop, double click the "Google Chrome" shortcut.

HOL-HBD-1302


vCloud Connector Node Login

Proceed to the second tab and log in with:

Username: admin

Password: vmware

vCloud Connector Node Interface

You use vCloud Connector (vCC) Node admin web console for each of your nodes to dobasic configuration tasks, such as defining your time zone, specifying proxy servers, orsetting log levels.

vCC Node admin web console is divided into "System", "Network", "Update", and "Node"subtabs. Let's review these subtabs individually.

System Tab

The System tab provides general information on the virtual appliance, allows you toconfigure time zones, and gives you buttons to shutdown and reboot the appliance.

HOL-HBD-1302


As you can see, the System tab is broken into "Information" and "Time Zone" subtab.

Let's look at these subtab individually.

System Information tab

We will not be making any changes to this lab but please feel free to review theinformation.

The system information section provides general information on the virtual appliancesuch as the version number and the hostname. It also contains Reboot and Shutdownbuttons.

System Time Zone tab


The System Time Zone section allows you to set your local time zone. The Time Zonesetting displays all the time zones of the world.

HOL-HBD-1302


Note that the changes in time zone settings are not reflected in logs, etc. until theservice is reset.

The virtual hardware clock is always maintained in UTC, which the virtual applianceconverts to local time. Correct local time is important for the update repository andVMware Update Manager.

Network tab

The Network tab allows you to view network related information about the appliance,switch between DHCP and static IP addresses, and set up proxy information.

As you can see, the Network tab is broken into "Status", "Address" and "Proxy" subtab.

Let's look at these subtab individually.

HOL-HBD-1302


Network Status tab

The Network Status section provides already configured network information about yourappliance, such as DNS servers, network interfaces, and IP addresses.

HOL-HBD-1302


Network Address tab


The Network Address settings section allows you to specify static IP information for yourappliance or to retrieve IP settings from a DHCP server.


HOL-HBD-1302


Network Proxy Tab


The Network Proxy Settings allows you to set up any necessary proxy settings, includingaddress and port.

Update Tab

The Update tab allows you to check your update status of the virtual appliance and toset your update policy.

Update Status tab


The Update Status section allows you to view information about the virtual applianceand to check for and install updates.

HOL-HBD-1302


By clicking "Check Updates", the system will check for updates from the updaterepository. This repository is shown in the Available Updates pane.

HOL-HBD-1302


Update Settings Tab



The Update Settings section allows you to determine when you want to check forupdates. You should leave the Use Default Repository button selected.

Node tab

On the Node tab you can change the Node administrative password, adjust log levels,and manage SSL certificates.

HOL-HBD-1302


Node Cloud Tab

In the Node Cloud tab we have the ability to specify vSphere or vCloud Directorconfiguration.

We will be working in the tab later in the lab but feel free to review it now.

HOL-HBD-1302


Node General Tab


In the Node General Tab you can change the administrative password for the Node.

You can also set log levels and download logs using this section. Use the drop-downmenu to select the log level from TRACE, DEBUG, INFO, WARN, or ERROR and the clickChange Log Level.

Please note that we will not be working with the logs in this lab so please do not change.Feel free to review the options by scrolling down on the screen.

HOL-HBD-1302


Node SSL tab



In the Node SSL tab you can manage your certificates. vCloud Connector Node includesself-signed certificate.

In this section, you can see the certificate currently assigned to your vCloud ConnectorNode.

You can create a Certificate Signing request or use your own self-signed certificatethrough this screen.

HOL-HBD-1302


Cloud Registration

Proceed back to the "Node" / "Cloud" tab.

Change "Cloud Type" to vCloud Director.

DO NOT UPDATE CONFIGURATION AT THIS TIME, please proceed to the next step.

HOL-HBD-1302


Launch Firefox

Click on the Mozilla Firefox icon on your desktop.

HOL-HBD-1302


vCloud Hybrid Service

The login credentials are already populated so click "Sign in".

HOL-HBD-1302


RAINPOLE_DEVELOPMENT Virtual Datacenter

Double click in the RAINPOLE_DEVELOPMENT Virtual Datacenter box

HOL-HBD-1302


vCloud Director URL

Select the "vCloud Director URL" and a box will appear below with our appropriate URLto be placed in vCloud Connector Node section.

Note: If the URL does not show up on your first click, try again.

HOL-HBD-1302


Copy vCloud Director URL

Right mouse click the URL and select copy.

HOL-HBD-1302


Cloud Registration

Proceed back to Chrome and paste the URL in the "Cloud URL" section.

Check the box for "Ignore SSL Cert".

Leave "Use Proxy" in default setting.

DO NOT UPDATE CONFIGURATION AT THIS TIME, please proceed to the next step.

HOL-HBD-1302


Remove :443

Proceed back to the "Cloud URL:" section and highlight " :443 " in the URL and delete it.

HOL-HBD-1302


Update Configuration

Now you can click the "Update Configuration" box.

HOL-HBD-1302


Cloud Registration Updated

Note that you will receive a "Cloud Registration updated." message in the top of thewindow once this registration is complete.

We will now proceed with configuring the vCloud Connector Server.

HOL-HBD-1302


vCloud Connector ServerThe vCloud Connector Server is a virtual appliance that coordinates the activity ofvCloud Connector, controls vCloud Connector nodes, and produces vCloud Connectoruser interface. Only one vCloud Connector Server is needed.

vCloud Connector Server login

Go back to the first tab in Google Chrome and login with:

User name: admin

Password : vmware

Click "Login"

vCloud Connector Server Introduction

You use vCloud Connector Server admin web console to do basic configuration taskssuch as defining time zone, specifying proxy servers, or setting log levels.

vCloud Connector Server admin web console is divided into "System", "Network","Update", "Server", and "Nodes" subtabs. Let's review these subtabs individually.

HOL-HBD-1302


System tab

As you can see, the System tab is broken into "information" and "Time Zone" subtabs.

The System Information tab provides general information on the virtual appliance,allows you to configure time zones, and gives you buttons to shutdown and reboot theappliance.

Let's take a closer look at the two subtabs.

System Information tab

As you can see the screen is broken into various tabs, we will review all of tabsindividually but will do the majority of our work in the "Nodes" tab.

The main "Information" section provides general information on the virtual appliancesuch as the version number and hostname. It also contains the "Reboot" and"Shutdown" buttons.

HOL-HBD-1302


System Time Zone tab

Under the "System" tab, click the "Time Zone" subtab. The Time Zone subtab allows youto set your local time zone. Feel free to click the arrow to see the options but leave thedefault (Etc/UTC) for this lab.

Network tab

The network tab is broken up in to "Status", "Address", and "Proxy".

In this tab you can view network related information about the appliance, switchbetween DHCP and Static IP address, and set up proxy information.

Let's take a closer look at the three subtabs.

HOL-HBD-1302


Network Status tab

The network status section provides already configured network information about theappliance such as DNS servers, network interfaces, and IP addresses. Notice the refreshbutton for updating the information.

HOL-HBD-1302


Network Address tab

The network address subtab allows you to specify static IP information. Note that theeth0 info IPv4 Address Type can be changed.

If you set a static IP address you must make sure that there are values for all of thedisplayed fields. In vCD installations, you must set Preferred and Alternate DNS serversmanually.

Ensure that "Static" is selected.


Network Proxy tab

Although we have no changes to make in the screen, it is important to understand that"Proxy Settings" are available.

HOL-HBD-1302


The Proxy Settings section allows you to set up any necessary proxy settings, includingaddress and port. Set this if the appliance must use a proxy to reach systems beyondthe firewall at the installation location.

Update tab

The update tab is broken up in to "Status" and "Settings".

The update tab allows you to check your update status of your virtual appliance and setyour update policy.

Let's take a closer look at the two subtabs.

HOL-HBD-1302


Update Status tab

The "Update Status" tab allows you to view information about your virtual appliance orto check for and install updates.

The "check updates" checks for updates in the update repository shown in the"Available Updates" pane.

The "install updates" button installs the updates.

DO NOT TAKE ANY ACTIONS AT THIS TIME, please proceed to the next step.

HOL-HBD-1302


Update Settings tab

The Update Setting sub tab allows you to determine when you want to check forupdates.

You should leave the "Use Default Repository" button selected.


HOL-HBD-1302


Server tab

The Server tab is broken up in to "General", "SSL", and "vSphere Client".

The Server tab allows you to change the Server administration password, adjust loglevels, and manage SSL certificates.

Let's take a closer look at the three subtabs.

HOL-HBD-1302


Server General Settings

We will not be making any changes to this tab but please feel free to review theinformation.

In the Server General tab you can change the administrative password for the Node.

You can also set log levels and download logs using this section. Use the drop-downmenu to select the log level from TRACE, DEBUG, INFO, WARN, or ERROR and the clickChange Log Level.

Please note that we will not be working with the logs in this lab so please do not change.Feel free to review the options by scrolling down on the screen.

Server SSL tab

We will not be making any changes to this tab but please feel free to review theinformation.


HOL-HBD-1302


In the Server SSL tab you can manage your certificates. vCloud Connector Serverincludes self-signed certificate.

In this section, you can see the certificate currently assigned to your vCloud ConnectorServer.

You can create a Certificate Signing request or use your own self-signed certificatethrough this screen.

HOL-HBD-1302


Server vSphere Client tab

Please wait for the information to fill in. You will see that vCloud Connector Server isalready registered to the vCenter in Site A.

In the Server vSphere Client subtab we have vCenter configuration information that canbe filled in. We will not be filling in this information at this time.

HOL-HBD-1302


Nodes tab

The Nodes tab identifies all the nodes that are already registered to vCloud ConnectorServer. We will proceed by connecting another node to this server.

Register Node

Click on "Register Node" to add the Rainpole Development vCloud Connector node.

Cloud Type Configuration

In the "Name" field enter in Rainpole Development.

In the "Description" field enter in "Connects to the Rainpole Development cloud hostedby VMware".

In the URL box type "https://vccn-l-01b.vmware.com" (that is a small L and a zero).

HOL-HBD-1302


Check the "Public" box (select because the cloud is a public cloud outside of the firewallwhere the vCC server is installed).

Leave the proxy box as the default (unchecked) (This is selected if the vCC server needsto use a proxy to reach the vCC node you are registering).

"ignore SSL certificate" should be checked.

HOL-HBD-1302


Cloud Info

In "Cloud Type" select vCloud Director.

VCD Org Name enter in "Rainpole_Development".

Username : rp-dev_connector

Password: VMware1!

Select "Register".

HOL-HBD-1302


Registration Complete

Notice it says up. We have successfully configured vCloud Connector Server. YAY!!!!

We will continue the lab by adding our connection to vCloud Connector user interface.

Let's begin...

HOL-HBD-1302


vCloud Connector User InterfaceIn this lesson, you will connect our previously configured vCloud Connector Node andvCloud Connector Server to vCloud Connector user interface.

vSphere Client

Open vSphere client that is on the desktop.

HOL-HBD-1302


vSphere Client login

connect to "vc-l-01a.corp.local".

HOL-HBD-1302


vSphere Client login (cont'd)

Ensure that "use windows session credentials" is selected.

Click "Login".

HOL-HBD-1302


vCloud Connector

From Home screen in the vSphere client,

click "vCloud Connector", under Solutions and Applications.

Adding Datacenter

Launching vCloud Connector from the vSphere client, ensures an automatic login.

Notice that "Rainpole Local Datacenter" and "Rainpole Production" are already there.

Proceed to Clouds -> objects.

HOL-HBD-1302


Select the green "+" symbol.

Configuring Datacenter

The "Add Cloud" box will appear. Please fill in in the following information.

In Name section type " Rainpole Development".

Username: rp-dev_connector

Password: VMware1!

Click "Add".

HOL-HBD-1302


Confirmation

You can see that Rainpole Development is now included in our Clouds.

HOL-HBD-1302


Confirming configuration

Notice under "clouds" that Rainpole Development is there.

Click on it and you will see the templates available in vCloud Hybrid Service.

SmallXP is in vCloud Hybrid Service cloud and now if we wanted, we could copy the VMto our local datacenter. Please note that it may take a couple of seconds for the virtualmachine to show up.

You have successfully connected vCloud Connector and vCloud Server, that wasn't sobad was it?

Let's now conclude with a follow to what we have accomplished and learned in this lab.

HOL-HBD-1302


vCloud Connector Data CenterExtension (DCE)Now that we have successfully installed, configured and provided an overview of thevCloud Connector Server and Node let's take a look at a new feature, Data CenterExtension (DCE).

By extending the logical boundaries of the data center, you can now accelerate thedeployment time of your workloads, while maintaining consistency across clouds. DataCenter Extension allows for the transfer of workloads across clouds without needing toreconfigure the network settings in the destination. This increases operational agility ofthe cloud, realizing ‘one network’ to deliver your applications. Data center Extension isan advanced feature of vCloud Connector, available with the VMware vCloud Suites andthe vCloud Hybrid Service.

HOL-HBD-1302


Data Center Extension Architecture

HOL-HBD-1302


vCloud Connector Stretch

This video walks you through initiating a Stretch (Data Center Extension) feature ofvCloud Connector with the vCloud Hybrid Service. This functionality is only viewable viathis video and lab segment.

Post-Stretch Settings and Configuration

What you may not have been able to see in the previous video is what happens behindthe scenes during a stretch deploy.

When you start the Stretch Deploy command, a main task named Stretch Deployappears in the Tasks panel. The Stretch Deploy command has three phases and there isa corresponding sub-task for each phase:

• Infrastructure task• Copy task• Deploy task

Covering each of these tasks and steps in detail would be be beneficial in the labenvironment; however the steps within each task have been outlined below for yourviewing pleasure.

HOL-HBD-1302


Infrastructure Task

Infrastructure Phase

When you stretch deploy from a vSphere instance to a public vCloud Director instance,vCloud Connector does the following:

1. Creates an empty routed vApp in the public cloud.2. Starts the empty routed vApp.3. Creates DNAT and Firewall rules, if required, in the Edge gateway of the

Organization Virtual DataCenter that you selected in the public vCloud Directorinstance.

4. Creates the SSL VPN object in the vShield Edge of the routed vApp in the publicvCloud Director.

5. Creates the SSL VPN object in the vShield Edge of the source network in thevSphere instance.

When you stretch deploy from a private vCloud Director instance to a public vCloudDirector instance, vCloud Connector does the following:

1. Creates an empty routed vApp in the public vCloud Director instance.2. Starts the empty routed vApp.3. Creates DNAT and Firewall rules in the Edge gateway of the Organization VDC

that you selected in the public cloud, if required.4. Creates SNAT and Firewall rules in the Edge gateway of the Organization VDC in

the source vCloud, if required.5. Creates the SSL VPN object in the vShield Edge of the routed vApp in the public

vCloud Director instance.6. Creates the SSL VPN object in the vShield Edge of the routed vApp in the source

vCloud Director instance.

Copy Task

When you stretch deploy from a vSphere instance to a public vCloud Director instance,vCloud Connector does the following:

1. Exports the selected virtual machine or vApp from the source vSphere instance.2. Copies the OVF file to the public vCloud Director instance.3. Imports the OVF file as a vApp template into the catalog that you selected in the

public vCloud Director.

When you stretch deploy from a private vCloud Director cloud to a public vCloudDirector, vCloud Connector does the following:

1. Creates a temporary vApp with the name <sourceVMname>_<randomNumber>in the source cloud.

2. Moves the selected virtual machine from its vApp to this temporary vApp.

HOL-HBD-1302


3. Adds the temporary vApp as a vApp template to the source catalog that youselected.

4. Copies the vApp template to the public vCloud.5. Imports the OVF file as a vApp template into the catalog that you selected in the

public vCloud Director instance.

Deploy Task

When you stretch deploy from a vSphere environment to a public vCloud Directorinstance, vCloud Connector does the following:

1. Creates a temporary vApp (with the name tempVapp-xyz-<randomNumber>) inthe public vCloud from the vApp template that was created during the Copyphase.

2. Moves the virtual machine from this temporary vApp to the empty routed vAppthat was created during the Infrastructure phase.

3. Deletes the temporary vApp.4. Deletes the vApp template from the catalog.5. Powers on the virtual machine (if you selected this option).6. Sets the metadata on the routed vApp in the public vCloud Director.7. Sets the metadata on the VM or vApp that is being stretch-deployed, in the

source cloud.

When you stretch deploy from a private vCloud Director cloud to a public vCloudDirector instance, vCloud Connector does the following:

1. Creates a temporary vApp (with the name tempVapp-xyz-<randomNumber>) inthe public vCloud from the vApp template that was created during the Copyphase.

2. Moves the virtual machine from this temporary vApp to the empty routed vAppthat was created during the Infrastructure phase.

3. Deletes the temporary vApp.4. Deletes the vApp template from the catalog.5. Powers on the virtual machine (if you selected this option).6. Sets the metadata on the routed vApp in the destination vCloud.7. Sets the metadata on the virtual machine in the source vCloud Director cloud.

Conclusion

As you can see from the video series above the new Data Center Extension, or StretchDeploy capabilities add a great deal of flexibility in the consumption vCloud HybridService with your local data center components. Additional information on Data CenterExtension is available online at http://vcloud.vmware.com or at the main vCloud HybridService booth at VMworld 2013. Details on the requirements of vCloud ConnectorStretch Deploy can be found within the vCloud Connector 2.5 Users Guide.

HOL-HBD-1302


ConclusionIn this lab, we watched videos showing you how vCloud Connector Node and vCloudConnector Server were installed.

We walked you through the user interfaces for both vCloud Connector Node and Serverand identified all the options available to you. You configured both vCloud ConnectorNode and vCloud Connector Server and lastly, we connected these to vCloud Connectoruser interface.

Connecting these two together allows us to copy our virtual machines between our localdatacenter and vCloud Hybrid Service. We also get to publish the catalogs across all thesites.

If you want to see the vCloud Connector Node and Server in action, feel free to proceedto the next module in this lab.

Please be aware that there are TWO other vCloud Hybrid Service Hands on Labs,HBD-1301 and HBD-1303. (But not until you finish our lab please... our lab is cooler. :)Either way.. HAVE FUN!!!

HOL-HBD-1302


Module 3 - Public andPrivate Cloud Multi-Tiered

Application Networking

HOL-HBD-1302


IntroductionThe purpose of this lab is to show you how your organization can utilize a localdatacenter and a public cloud such as VMware vCloud Hybrid Service, for a multi-tierenvironment. We will be utilizing the local datacenter for the App and Database virtualmachines and the Web virtual machine will be located in VMware vCloud HybridServices.

We will test the firewall rules that are initially established and make the appropriatechanges to ensure that the Web virtual machine can only talk to the App virtual machineand not the Database virtual machine.

You see security is really important to us at VMware and we want to ensure that whenyou put your virtual machines in our vCloud Hybrid Services, that they have the samesecurity policies that they would have if they were located in your virtual datacenter. Wewant to ensure mobility between the two sites and that your virtual datacenter runs asefficiently as possible and as securely as possible because.... wait for it... that is whatwe do at VMware!

If you are interested in seeing the Architecture Diagram for module, feel free to reviewthe diagram below.

Please note that we also included on the desktop as file HOL-HBD-1302_Diagrams.pdf

HOL-HBD-1302


Architecture Diagram for Module 3

HOL-HBD-1302


Configuring VPN tunnel between theLocal Datacenter and vCloud HybridServiceIn this lab we will configure a VPN connection between the local datacenter and vCloudHybrid Service. In the second part of this module, we will test and change the firewallconfiguration between our two sites. Let us test the most important part of anydatacenter... SECURITY! Let's begin!!!

Launching Firefox

Double click on the Mozilla Firefox icon on the desktop.

HOL-HBD-1302


Logging into vCloud Hybrid Services

Click the "sign in" button as the Username and Password have already been entered foryou.



Password: VMware1!

HOL-HBD-1302


Select virtual machines

Click on "Virtual Machines" in order to see all the virtual machines available to you.

HOL-HBD-1302


Powering on virtual machine

Highlight the Web_Rainpole-Portal virtual machine and

select the "Power On" option.

HOL-HBD-1302


Powered on virtual machine

Once the machine is powered on, the window above will appear.

Please do NOT shut down the Firefox browser as we will use it in later steps.

Open vSphere Client

Open vSphere Client on the desktop.

HOL-HBD-1302


Login to vSphere Client

Select the "Login" button.

Ensure that the "Use Windows session credentials" is checked.

Home button

Select the "Home" button.

HOL-HBD-1302


Open vShield Manager (Local Datacenter)

Select "vShield" under "Solutions and Applications".

Accept Security Alert

If a "Security Alert" appears, click "Yes".

Logging into vShield Manager (Local Datacenter)

Log in to vShield Manager with the following credentials (sorry we could not auto logyou in :( )

HOL-HBD-1302


User name: admin

Password: default

Select the "Login" button.

HOL-HBD-1302


Edge view (Local Datacenter)

Proceed to the View: option, hit the down arrow and select "Edges".

Edge device (Local Datacenter)

Double click the "edge-5".

HOL-HBD-1302


Configuration and VPN

Review the configuration detail for the Edge device in our local datacenter. For instance,this is a compact Edge device and HA is disabled.

Select the "VPN" button.

HOL-HBD-1302


Adding a VPN (Local Datacenter)

Select the green " + " symbol to add the VPN configuration information.

VPN Configuration for Local Datacenter

Fill in the following information. Note that you may need to scroll down the screen inorder fill in all the steps. When completed, it should look like the picture above:

Name: Portal Backend to vCHS

Local Id: 192.168.110.102

Local Endpoint: 192.168.110.102

Local Subnets: 10.0.1.0/24

Peer Id: 192.168.210.102

Peer Endpoint: 192.168.210.102

Peer Subnets: 192.168.109.0/24

HOL-HBD-1302


Encryption Algorithm: AES256 (NOTE: you will need to select the down arrow in order tochoose this option)

Pre-shared Key: VMworld2013isagreatconference123

Feel free to scroll through the rest of the configuration options but note that the defaultvalues should be applied.

When finished click the "ok" button (on the bottom of the screen).

HOL-HBD-1302


Publish Changes

Click the "Publish Changes" button in order for this VPN configuration to be enabled.

HOL-HBD-1302


Enable the VPN (Local Datacenter)

Notice that the IPSEC VPN Service Status is disabled.

Although we published the changes, we need to Enable the configuration. Please selectthe "Enable" button... please... I beg you!

HOL-HBD-1302


Publish Changes

And we have to publish these changes again so please click the "Publish Changes"button.

(you could have hit the enable button by accident you know).

Return to vCloud Hybrid Service

Return to the Firefox browser and select the "Dashboard" tab

HOL-HBD-1302


Rainpole Production

Double click the "Rainpole_Production" virtual datacenter

HOL-HBD-1302


Launching vCloud Director

You should automatically be taken to the "Networks" tab. If you are not at the"Networks" tab, please proceed to it and select "Manage in vCloud Director"

HOL-HBD-1302


Routed Network in vCloud Director

Highlight the Routed Rainpole_Production-default-routed network.

HOL-HBD-1302


Select Configure Services

Select the down arrow on the blue gear and select "Configure Services".

HOL-HBD-1302


Enabling VPN

Proceed to "VPN" tab.

Ensure the "Enable VPN" box is selected.

Click "Add...".

VPN Configuration for vCloud Hybrid Service

Configure the VPN for vCloud Hybrid Service with the following information. Please notethere are TWO scroll bars that you may need to adjust in order to add all theconfigurations.

Name: vCHS to Portal Backend

Establish VPN to: a remote network (NOTE: you will need to select the down arrow toselect this option)

Click to select the network "Rainpole_Production-default-routed" under Local Networks:

Peer Networks: 10.0.1.0/24

HOL-HBD-1302


Local ID: 192.168.210.102

Peer ID: 192.168.110.102

Peer IP: 192.168.110.102

Encryption protocol: AES-256

Shared Key: VMworld2013isagreatconference123

HOL-HBD-1302


VPN OK

In order to verify that the Status is up, click the "OK" button

HOL-HBD-1302


Configure Services

NOTE: Before continuing on with the following steps please wait for at least one minutefor the VPN settings to synchronize with the vShield Edge Device.

Select the Rainpole_Production-default-routed network.

Select the down arrow to the right of the blue gear.

Select "Configure Services".

HOL-HBD-1302


Confirming Status

Once you have gone back into the VPN tab, you should see the status is now UP... Isn'tthat great!

PLEASE NOTE: If it continues to show down and you have verified your settings you canverify tunnel status via vShield Manager on the local datacenter. Remember that youlaunched vShield Manager via the vSphere Client.

HOL-HBD-1302


Verify and Test Network and SecurityConfigurationNow that we have configured the VPN tunnel between our local datacenter and vCHS,we will walk through the process of ensuring network connectivity and that the securityis implemented correctly. Again.... we want the Web VM to talk to the APP VM and onlythe APP VM.

Let's do this!

Logging in to the vCloud Hybrid Service

Proceed back to the Firefox browser and the first tab (vCloud Hybrid Service).

Click "Sign in".



Password: VMware1!

HOL-HBD-1302


Virtual Machines in the vCloud Hybrid Service

Click on the Virtual Machines tab.

Options for VM

Do you notice the down arrow for the virtual machine? If not, move the mouse over tothe right side of the row and the arrow will appear.

Select the down arrow.

HOL-HBD-1302


Launch Console for Web_Rainpole-Portal VM

Click the "Launch Console" option for this particular machine please.

HOL-HBD-1302


Log into Web_Rainpole VM

Now that the console is open, the screen may be black so you will need to click in thescreen and hit "enter" in order to get it to respond.

Log into the virtual machine with the following credentials:

portal login: root

Password: VMware1!

Test Connectivity to DB_Rainpole-Portal

At the prompt sign enter in:

ping 10.0.1.11

This is the DB_Rainpole-Portal VM.

You will see the the ping is not responding. In other words, the Web VM can not accessthe DB_Rainpole-Portal.

Press Ctrl+c in order to get the ping attempt to stop.

Test Connectivity to App_Rainpole-Portal

At the prompt sign enter in:

ping 10.0.1.12

This is the App_Rainpole-Portal VM.

HOL-HBD-1302


You will see that again the ping is not responding. Or shall we say, the Web VM can notaccess the App_Rainpole-Portal.

Press Ctrl+c in order to get the ping attempt to stop.

In order to get out of the console, select Ctrl+Alt.

Return to vCloud Hybrid Service

Return to the Firefox browser and select the "Dashboard" tab

HOL-HBD-1302


Rainpole Production

Double click the "Rainpole_Production" virtual datacenter

HOL-HBD-1302


Launching vCloud Director

You should automatically be taken to the "Networks" tab. If you are not at the"Networks" tab, please proceed to it and select "Manage in vCloud Director"

HOL-HBD-1302


Routed Network in vCloud Director

Highlight the Routed Rainpole_Production-default-routed network.

HOL-HBD-1302


Select Configure Services

Select the down arrow on the blue gear and select "Configure Services".

HOL-HBD-1302


Enabling Firewall Services

Select the Firewall tab.

Select the "Enable Firewall" box.

Click "Add..."

Adding Source 1

Please fill in the information as it appears in the screen with the following information:

Name: Web_Rainpole-Production

Source: 192.168.109.10

Source port: 443 (you must enter this port id in)

Destination: 10.0.1.11

Destination port: 443 (you must enter this port id in)

Protocol: TCP

HOL-HBD-1302


Click "OK".

HOL-HBD-1302


Adding Firewall Services

Click "Add...".

HOL-HBD-1302


Adding Source 2


Name: Web_Rainpole-Production

Source: 192.168.109.10

Source port: any


Destination port: any

Protocol: ICMP

Click "OK"

HOL-HBD-1302



Click "Add...".

HOL-HBD-1302


Adding Source 3


Name: App_Rainpole-Production

Source: 10.0.1.11

Source port: 443 (you must enter this port id in)


Destination port: 443 (you must enter this port id in)

Protocol: TCP

Click "OK".

HOL-HBD-1302



Click "Add...".

HOL-HBD-1302


Adding Source 4


Name: App_Rainpole-Production

Source: 10.0.1.11

Source port: any


Destination port: any

Protocol: ICMP

Click "OK".

HOL-HBD-1302


Saving All Firewall Settings

Click "OK".

HOL-HBD-1302


Firewall at Local Datacenter

Return to vSphere Client.

Note that the VPN section shows the Channel Status as a green checkbox.

Click the Firewall button.

Note that vSM may log you out. The credentials to log back in are:

User name: admin

Password: default

HOL-HBD-1302


Add rule

Hit the green " + " symbol.

Note that I already highlighted rule #4 and therefore a new rule will be added above it.

Firewall Rule Configuration (Local Datacenter)

Click the top right corner of the Name column in order to add the Name.

HOL-HBD-1302


Rule Name (Local Datacenter)

For Rule Name, add App_VM to portal.

Click "OK".

HOL-HBD-1302


Adding Source 1

In the Source column, click the " + " in the top right corner.

HOL-HBD-1302


Adding IP Addresses

As we did in the previous steps, we need to add the new IP Addresses.

Click the "New IP Addresses..." link.

HOL-HBD-1302


Web_Rainpole-Portal IP

Enter in the following information:

Name: Web_Rainpole-Portal

IP Addresses: 192.168.109.10

Click "OK".

HOL-HBD-1302


Adding Source 2

Click the " + " symbol again in order to add the second source.

HOL-HBD-1302


Adding IP Addresses (Local Datacenter)

The configuration window will appear. Notice that our previous name appears on the topof the screen.

In order to add the configuration,

please select the "New IP Addresses..." option.

HOL-HBD-1302


App_Rainpole-Portal IP

Enter in the following information:

Name: App_Rainpole-Portal

IP Addresses: 10.0.1.11

Click "OK".

HOL-HBD-1302


Adding Destination 1

In the Destination column, click the " + " symbol, like we did in the previous steps.

HOL-HBD-1302


Adding Sources

In previous steps we created the IP addresses. In the top right corner, enter in"Rainpole" and select the two options:

Web_Rainpole-Portal and

App_Rainpole-Portal

Click "OK".

HOL-HBD-1302


Adding Service 1

In the Service column, click the " + " in the top right corner like we did in previous steps.

HOL-HBD-1302


Adding ICMP Echo

In the top right screen, enter "ICMP".

The ICMP names will appear.

Select "ICMP Echo".

Click "OK".

HOL-HBD-1302


Adding Service 2

Select the " + " in the top right corner in order to add the second service.

HOL-HBD-1302


Adding HTTPS Service

In the top right box enter in HTTPS.

The HTTPS names will appear.

Select "HTTPS".

Click "OK".

HOL-HBD-1302


Publish Firewall Rule

Now that our rule is completed in the Local Datacenter, we can publish it.

Click the "Publish" button.

Test Connectivity to DB_Rainpole-Portal

Proceed back to the Web_Rainpole-Portal VM to test the firewall rules via a pingcommand to the DB_Rainpole-Portal.

Click in the box if the screen has gone black. You may also need to hit the "enter" key inorder to get a response.

At the prompt enter:

ping 10.0.1.12

You will see the ping still does not respond.

Again, ctri+c to exit you out of the ping command.

HOL-HBD-1302


Test Connectivity to App_Rainpole-Portal

Now let's test the firewall rules via a ping command to the App_Rainpole-Portal.

At the prompt enter:

ping 10.0.1.11

You will see the ping DOES work. Isn't that great? You did it!!!

Enter ctrl+c to cancel.

HOL-HBD-1302


ConclusionIn conclusion, we created a tunnel between the local datacenter and vCloud HybridService. We wanted to make sure the security policy still works.

We set up some firewall rules to ensure that the Web_Rainpole-Portal can onlycommunicate with App_Rainpole-Portal and this configuration is common becausehaving a virtual machine in the public cloud, you want to make sure your localdatacenter stays safe and we believe we have proven that.

We hope you enjoy our lab and again, if interested in other vCloud Hybrid Service labs,HBD-1301 and HBD-1303 are available.

Thank you so much for taking our lab!! We really appreciate it!!!

HOL-HBD-1302


ConclusionThank you for participating in the VMware 2013 Hands-on Labs. Be sure to visithttp://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-HBD-1302

Version: 20140213-183531

HOL-HBD-1302


http://hol.vmware.com/

Table of Contents - VMware...• Know how to install, configure, and understand the features of...

Documents

Transcript of Table of Contents - VMware...• Know how to install, configure, and understand the features of...