VMware vCloud Air: Networking

Posted 12-Jul-2015

Transcript of VMware vCloud Air: Networking

  • 1

    © 2014 VMware Inc. All rights reserved.

    VMware vCloud Air: Networking (formerly known as vCloud Hybrid Service)

  • 2

    What's in It for You? You will leave with:

    - An understanding of the VMware vCloud Air networking building blocks
    - A strong networking foundation for building a complex hybrid cloud
    - An understanding of advanced networking use cases and security

  • 3

    Agenda

    - vCloud Air Networking Services Overview: key components, network virtualization services
    - Connectivity options to vCloud Air: IPsec VPN, L2 stretching, Direct Connect
    - Advanced use cases: three-tier networking

  • 4

    Hybrid Service Basic Networking Constructs

    - NAT, firewall, load balancer, IPsec, DHCP, static routing
    - Routed/gateway networks (up to 9 networks)
    - Isolated networks
    - Customer's virtual data center on vCloud Air

  • 5

    vCloud Air Cloud Options and Gateway Choices

    CONFIDENTIAL

    Shared Cloud
    - Logically separated network, compute and storage
    - 5GHz CPU (burstable to 10GHz), 20GB RAM, 2TB storage
    - No virtual data center segmentation
    - One Edge Gateway

    Dedicated Cloud
    - Physically separated hosts
    - Logically separated network and storage
    - 30GHz CPU, 120GB RAM, 6TB storage
    - Segment virtual data centers (VDC1, VDC2, VDC3, VDC4, ...) based on orgs
    - Multiple Edge Gateways

  • 6

    Configuration Access Options

    vCloud Air Management Web Portal for basic networking configurations

  • 7

    Configuration Access Options

    vCloud Air Management Web Portal for basic networking configurations

    For advanced configurations:

  • 8

    Configuration Access Options

    vCloud Air Management Portal for advanced networking configurations

  • 9

    vCloud Air Networking Services

    - IP addressing
    - Network creation
    - Firewall
    - NAT
    - DHCP
    - Load balancer
    - VPN

  • 10

    IP Address Assignment

    IP Pool
    - Pool of IPs created by default on auto-generated isolated and routed networks
    - Virtual machines attached to those networks get IP addresses from that default pool

    Static IP
    - Fixed IP for a virtual machine
    - Change configuration in VMware vCloud Director

    DHCP
    - Part of the Edge Gateway service
    - Change configuration in vCloud Director
    - Basic DHCP service

  • 11

    Firewall Rules in vCloud Air

  • 12

    Firewall Rules: North-South and East-West Traffic

    (Figure: Routed Network 1, Routed Network 2 and Routed Network 3 behind one Gateway)

    Firewall rules:
    - By default: deny all
    - Policies for traffic that passes through the gateway
    - 5-tuple firewall policies (protocol, source/destination IP, source/destination port)
    - Can have multiple policies across multiple networks
    - Ideal for enterprise-grade application deployment

  • 13

    Network Address Translation (NAT)

    - Source NAT and Destination NAT rules
    - Supports multiple rules on multiple interfaces
    - Can use internal/private IP space: bring your own internal IP space, create/manage subnets within the IP space, multiple IP spaces under the same gateway
    - Need to create firewall rules to allow traffic

    IPv4 NAT rules:
    - SNAT & DNAT rules
    - Options include protocol/port selection

    (Figure: Gateway with public IPs on the outside; internal IPs 10.x.x.x, 172.16.x.x, 192.168.x.x on Organization Net 1, Organization Net 2 and Organization Net 3)
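The point the firewall and NAT slides make together is that a DNAT rule alone does not let traffic in: the gateway defaults to deny-all and a 5-tuple firewall policy still has to match. The model below is an added example, not VMware code or the vCloud Air API; the rule shapes, the public IP 203.0.113.10, the internal 192.168.109.x hosts and the sample packets are all constructed, and the ordering (DNAT first, then the firewall evaluates the translated packet) is an assumption to be confirmed against the product documentation for a real gateway.

```python
# Added example (not VMware code): how an Edge Gateway's DNAT rules and
# 5-tuple firewall rules combine for inbound traffic.  Rule shapes, addresses
# and packets are constructed; "DNAT before firewall" is an assumption.
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class DnatRule:
    proto: str
    original_ip: str      # public IP on the gateway's external interface
    original_port: int
    translated_ip: str    # internal address the traffic is forwarded to
    translated_port: int

@dataclass(frozen=True)
class FirewallRule:
    name: str
    action: str                # "allow" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "any"
    src: str                   # CIDR or "any"
    dst: str                   # CIDR or "any"
    dst_port: Optional[int]    # None matches any port

def _in_scope(scope: str, ip: str) -> bool:
    return scope == "any" or ip_address(ip) in ip_network(scope, strict=False)

def apply_dnat(pkt: Packet, rules: list[DnatRule]) -> Packet:
    """Rewrite the destination if a DNAT rule matches; otherwise pass unchanged."""
    for r in rules:
        if (r.proto, r.original_ip, r.original_port) == (pkt.proto, pkt.dst_ip, pkt.dst_port):
            return replace(pkt, dst_ip=r.translated_ip, dst_port=r.translated_port)
    return pkt

def firewall_verdict(pkt: Packet, rules: list[FirewallRule]) -> tuple[str, str]:
    """First matching 5-tuple rule wins; no match means the implicit deny-all."""
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if not _in_scope(r.src, pkt.src_ip) or not _in_scope(r.dst, pkt.dst_ip):
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        return r.action, r.name
    return "deny", "default-deny"

def gateway_inbound(pkt: Packet, dnat_rules: list[DnatRule], fw_rules: list[FirewallRule]):
    """Inbound path as modelled here: DNAT first, then the firewall sees the translated packet."""
    translated = apply_dnat(pkt, dnat_rules)
    action, rule = firewall_verdict(translated, fw_rules)
    return translated, action, rule

# Constructed sample configuration: one public IP fronting two internal hosts.
DNAT_RULES = [
    DnatRule("tcp", "203.0.113.10", 443, "192.168.109.20", 443),
    DnatRule("tcp", "203.0.113.10", 22, "192.168.109.22", 22),   # NAT rule only, see FW_RULES
]
FW_RULES = [
    FirewallRule("web-in", "allow", "tcp", "any", "192.168.109.20/32", 443),
    FirewallRule("mgmt-ssh", "allow", "tcp", "10.0.1.0/24", "192.168.109.0/24", 22),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", 51000, "203.0.113.10", 443),
                Packet("tcp", "198.51.100.7", 51001, "203.0.113.10", 22)):
        translated, action, rule = gateway_inbound(pkt, DNAT_RULES, FW_RULES)
        print(f"{pkt.dst_ip}:{pkt.dst_port} -> {translated.dst_ip}:{translated.dst_port}  {action} ({rule})")
```

Running it shows the HTTPS packet translated and allowed by web-in, while the SSH packet from the Internet is translated by its DNAT rule and then dropped by the implicit deny, because the only SSH rule is scoped to the 10.0.1.0/24 management range.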

  • 14

    Edge Gateway Services: Load Balancing

    Pool servers
    - Load balanced: round robin, IP hash, URI, least connected

    Virtual server
    - Virtual IP (public IP)
    - Frontend traffic
    - Assigned to a server pool

    Can have multiple virtual servers and pools

    (Figure: Edge Gateway load balancer)

  • 15

    Load Balancer: Pool Servers

    - HTTP/HTTPS/TCP
    - Load balancing methods: IP hash, round robin, URI, least connected
    - Health check: each with TCP as the mode; monitoring ports
    - Add servers: ratio weight; change ports/services per server

  • 16

    Load Balancer: Virtual Servers

    - Apply on the outside network
    - Server pool
    - Persistence method: HTTP cookie, HTTPS session ID
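To make the pool-server slides concrete, here is an added example (not VMware code) of the four selection methods they list, with ratio weights and a TCP-style health check that takes failing members out of rotation. The Member and Pool classes, the probe callback and the 10.0.10.x members are constructed for illustration; the real Edge load balancer runs its own monitor on the configured monitoring port.

```python
# Added example (not VMware code): pool selection by round robin, IP hash,
# URI and least connected, with ratio weights and health-check exclusion.
# Members, the probe callback and the client traffic are constructed.
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Member:
    ip: str
    port: int = 80
    weight: int = 1        # "ratio weight" on the slide
    healthy: bool = True   # result of the last health check
    active: int = 0        # connections currently assigned (least-connected input)

def _bucket(key: str, n: int) -> int:
    """Stable hash of a client IP or URI onto one of n pool members."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n

class Pool:
    def __init__(self, members, method: str = "round_robin"):
        self.members = list(members)
        self.method = method
        self._cursor = 0   # round-robin position

    def health_check(self, probe: Callable[[str, int], bool]) -> None:
        """probe(ip, port) -> bool plays the part of the TCP-mode monitor on the monitoring port."""
        for m in self.members:
            m.healthy = probe(m.ip, m.port)

    def pick(self, client_ip: str = "", uri: str = "/") -> Optional[Member]:
        pool = [m for m in self.members if m.healthy]
        if not pool:
            return None            # every member failed the health check
        if self.method == "round_robin":
            slots = [m for m in pool for _ in range(m.weight)]   # weight 2 = two turns per cycle
            m = slots[self._cursor % len(slots)]
            self._cursor += 1
        elif self.method == "ip_hash":
            m = pool[_bucket(client_ip, len(pool))]   # same client keeps landing on the same member
        elif self.method == "uri":
            m = pool[_bucket(uri, len(pool))]
        elif self.method == "least_connected":
            m = min(pool, key=lambda x: x.active / x.weight)
        else:
            raise ValueError(f"unknown method {self.method}")
        m.active += 1
        return m

    def release(self, m: Member) -> None:
        """Connection closed: hand the slot back for least-connected accounting."""
        m.active -= 1

if __name__ == "__main__":
    pool = Pool([Member("10.0.10.11", weight=2), Member("10.0.10.12")], "round_robin")
    print([pool.pick().ip for _ in range(6)])
    pool.health_check(lambda ip, port: ip != "10.0.10.12")   # constructed probe: .12 is down
    print([pool.pick().ip for _ in range(3)])
```

Note that the hash-based methods re-bucket clients whenever a member is added or removed, which is why the slide pairs them with the persistence methods on the virtual-server slide (HTTP cookie, HTTPS session ID) for applications that need a client to stay on one server.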

  • Connecting to vCloud Air

  • 18

    Options to Connect to vCloud Air

    (Figure: customer data center to vCloud Air over a private WAN / Direct Connect / Cross Connect, over an IPsec tunnel, and over the public Internet)

    Many connectivity choices to support many use cases

  • 19

    Connecting to vCloud Air Over the Public Internet

    With public IPs
    - Use NAT for address translation
    - By default the firewall is set to deny all and NAT is not configured

    IPsec VPN
    - vCloud Air features include IPsec VPN
    - Multiple VPN tunnels can terminate on the Edge Gateway
    - Can connect to most of the major on-premises VPN devices

  • 20

    Connecting via VPN

    (Figure: VMware vSphere (on-premises) to vCloud Air over the Internet)

    vSphere Edge Gateway (on-premises): LEP 10.0.1.150, Peer ID 69.194.137.230, Peer IP 69.194.137.230
    Customer's edge router: 10.0.1.1 / 68.108.102.47

    vCloud Air Edge Gateway: LEP 69.194.137.230, Peer ID 10.0.1.150, Peer IP 68.108.102.47

    Networks in the figure: SharePoint-Routed Network (10.0.10.0/24, gateway 10.0.10.1) and SharePoint-Default Routed Network (192.168.109.0/24, gateway 192.168.109.1); Virtual Machine 1 and Virtual Machine 2

    VPN traffic: IP protocol ID 50 (ESP), IP protocol ID 51 (AH), UDP port 500 (IKE), UDP port 4500

  • 21

    Stretching L2 to vCloud Air: Logical Architecture

    (Figure: the 192.168.50.0/24 network stretched between the corporate site, behind the Corp Firewall and an Edge Gateway, and Edge Gateways in vCloud Air; VPN traffic crosses the Internet between the public endpoints 184.61.71.155 and 74.204.180.41; Default Gateway = 192.168.50.10; host labels 50.10, 50.33, 50.34, 50.35, 100.10, 100.33)

  • 22

    vCloud Air Direct Connect

    - Cross connection: customer cage in the colo to vCloud Air
    - Private WAN connectivity: customer data center, via a Direct Connect partner device, to vCloud Air

  • 23

    Direct Connect: vCloud Air Connectivity

    (Figure: headquarters with a DMZ network (192.168.52.0/24) and private networks (192.168.50.0/24, 192.168.110.0/24) connected over a 1 or 10 Gbps Direct Connect line to the vCloud Air Edge Gateway; Internet shown separately)

  • 24

    Direct Connect: Connecting to Existing Security

    (Figure: on-premises Edge Gateway with the existing security policies and appliances (IDS, IPS, IGW) between the Internet and the site; a 1 Gbps Direct Connect private line carries traffic for the DMZ network (192.168.52.0/24), the private networks (192.168.50.0/24, 192.168.110.0/24) and 10.1.1.x/24 on both sides)

  • 25

    Direct Connect: Cross Connect

    (Figure: customer cage connected by a 1 or 10 Gbps Direct Connect line to the vCloud Air Edge Gateway; DMZ network (192.168.52.0/24) and private networks (192.168.50.0/24, 192.168.110.0/24))

    Note: the storage connection must be in-guest based connectivity with NFS or a software iSCSI initiator

  • 26

    User Level Rights and Security

    Account Administrator
    - Rights: can add/edit users and user rights
    - Cannot do: virtual data center resource management, network management, etc.
    - Ideal for: account management

    Virtualization Infrastructure Administrator
    - Rights: create virtual data centers; add/edit compute and storage resources
    - Cannot do: create users, manage networking
    - Ideal for: virtual infrastructure admin, app admin

    Network Administrator
    - Rights: create networks, add gateways, add gateway services
    - Cannot do: user management, virtual data center resource management
    - Ideal for: network admin

    Read-only Administrator
    - Rights: read-only rights for all setups/configurations
    - Cannot do: any adds/edits
    - Ideal for: supervisor

    Subscription Administrator
    - Rights: access to myVMware; purchase resources, file support tickets
    - Cannot do: no vCloud Air management rights
    - Ideal for: all personnel with purchasing rights and/or support needs

  • 27

    Application Security: Access Rights

    Administration rights
    - Clearly identify individuals, and the rights that each individual gets
    - An enterprise administrator can have more than one type of right
    - Rights help enforce secure cloud usage

    User rights
    - End-user rights for virtual machine owners
    - End users cannot do any admin activity
    - Users have limited visibility into cloud resources

  • 28

    Summary: You will leave with:
    - An understanding of the vCloud Air networking building blocks
    - A strong networking foundation for building a complex hybrid cloud
    - An understanding of advanced networking use cases and security

    Key takeaways
    - Building blocks you are used to: vSphere, VXLAN, VMware vCloud Networking and Security Manager (vCNS), VMware vCloud Director
    - Flexible and powerful: supports all your complex networking
    - IPsec VPN, stretched applications (Layer 2 extension), BYOIP
    - Advanced application security

  • Go To VMware Cloud Academy

    See a video of this presentation and others to learn more about vCloud Air