VMware vCloud Air: Networking
Transcript of VMware vCloud Air: Networking
© 2014 VMware Inc. All rights reserved.
VMware vCloud Air: Networking (formerly known as vCloud Hybrid Service)
What's in It for You?
• You will leave with:
– An understanding of the VMware vCloud® Air™ networking building blocks
– A strong networking foundation for building a complex hybrid cloud
– An understanding of advanced networking use cases and security
Agenda
• vCloud Air Networking
– Services Overview
– Key Components
– Network Virtualization Services
• Connectivity options to vCloud Air
– IPsec VPN
– L2 Stretching
– Direct Connect
• Advanced Use Cases
– Three tier Networking
Hybrid Service Basic Networking Constructs
[Diagram: the customer's virtual data center on vCloud Air, showing the NAT, FW, load balancer, IPsec, DHCP and static routing services; routed/gateway networks (up to 9 networks); and isolated networks]
vCloud Air Cloud Options and Gateway Choices
• Shared Cloud
– Logically separated network, compute and storage
– 5GHz CPU (burstable to 10GHz)
– 20GB RAM, 2TB storage
– No virtual data center segmentation
– One Edge Gateway
• Dedicated Cloud
– Physically separated hosts
– Logically separated network and storage
– 30GHz CPU, 120GB RAM, 6TB
– Segment virtual data centers based on orgs
– Multiple Edge Gateways
[Diagram: multiple virtual data centers (VDC1 to VDC4) alongside a single VDC]
Configuration Access Options
• vCloud Air Management Web Portal – for basic networking configurations
• vCloud Air Management Portal – for advanced networking configurations
vCloud Air Networking Services
• IP Addressing
• Network creation
• Firewall
• NAT
• DHCP
• Load Balancer
• VPN
IP Address Assignment
• IP Pool
– Pool of IPs created by default on auto-generated isolated and routed networks
– Virtual machines attached to those networks get IP addresses from that default pool
• Static IP
– Fixed IP for a virtual machine
– Change configuration in VMware® vCloud Director®
• DHCP
– Part of Edge Gateway service
– Change configuration in vCloud Director
– Basic DHCP service
[Diagram: Routed Network]
Firewall Rules in vCloud Air
Firewall Rules: North-South and East-West Traffic
[Diagram: Routed Network 1, Routed Network 2 and Routed Network 3 behind the Gateway]
Firewall Rules:
- By default: Deny all
- Policies for traffic that passes through the gateway
• 5-tuple firewall policies (Protocol, Source/Dest. IP, Source/Dest. Port)
• Can have multiple policies across multiple networks
• Ideal for enterprise-grade application deployment
Network Address Translation (NAT)
• Source NAT and Destination NAT rules
– Supports multiple rules on multiple interfaces
• Can use internal/private IP space
– Bring your own internal IP space
– Create/manage subnets within IP space
– Multiple IP spaces under the same gateway
• Need to create firewall rules to allow traffic
• IPv4 NAT
NAT rules:
- SNAT & DNAT rules
- Options include protocol/port selection
[Diagram: Gateway with Public IPs on the outside and Internal IPs (10.x.x.x, 172.16.x.x, 192.168.x.x) on Organization Net 1, Organization Net 2 and Organization Net 3]
Edge Gateway Services – Load Balancing
[Diagram: Edge gateway load balancer in front of pool servers]
Load Balanced:
- Round Robin
- IP Hash
- URI
- Least Connected
Virtual Server:
- Virtual IP (Public IP)
- Frontend traffic
- Assigned to a server pool
Can have multiple virtual servers and pools
Load Balancer – Pool Servers
• Pool Servers
– HTTP/HTTPS/TCP
– Load Balancing Methods
• IP Hash
• Round Robin
• URI
• Least Connected
– Health Check
• Each with TCP as mode
• Monitoring Ports
– Add Servers
• Ratio Weight
• Change Ports/Services per Server
Load Balancer – Virtual Servers
• Virtual Servers
– Apply on outside network
– Server Pool
– Persistence Method
• HTTP – Cookie
• HTTPS – Session ID
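The pool and virtual-server concepts on the two load-balancer slides above, as an added Python model that is not VMware's implementation: members carry a ratio weight and a health-check result, and the four listed methods choose the member for a new connection. The Member and Pool names, the use of SHA-256 for the IP Hash and URI methods, and the exclusion of members that failed their health check are assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of the load balancer concepts on the slides: a server pool
# with ratio weights and health state, plus the four selection methods.
# Assumed names; not VMware's code.
@dataclass
class Member:
    ip: str
    port: int = 80
    weight: int = 1        # "Ratio Weight"
    healthy: bool = True   # outcome of the TCP health check on the monitoring port
    active: int = 0        # open connections, used by Least Connected

class Pool:
    def __init__(self, members, method="round_robin"):
        self.members, self.method, self._rr = list(members), method, 0

    def healthy_members(self):
        up = [m for m in self.members if m.healthy]
        if not up:
            raise RuntimeError("no healthy members: the virtual server cannot serve")
        return up

    def pick(self, client_ip=None, uri=None):
        """Return the member that receives the next new connection."""
        up = self.healthy_members()
        if self.method == "round_robin":
            # Weighted ring: a member with weight 2 appears twice per cycle.
            ring = [m for m in up for _ in range(m.weight)]
            m = ring[self._rr % len(ring)]
            self._rr += 1
            return m
        if self.method == "least_connected":
            # Fewest active connections, scaled by weight so heavier members take more.
            return min(up, key=lambda m: m.active / m.weight)
        # ip_hash and uri: a deterministic choice, so the same client (or URI)
        # lands on the same member as long as the healthy set does not change.
        key = client_ip if self.method == "ip_hash" else uri
        digest = hashlib.sha256(key.encode()).hexdigest()
        return up[int(digest, 16) % len(up)]
```

The hash methods remap clients when a member fails its health check, because the healthy set changes; the persistence method (cookie or session ID) on the virtual server is a separate mechanism and is not modelled here.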
Connecting to vCloud Air
Options to Connect to vCloud Air
[Diagram: Customer Data Center connected to vCloud Air over Private WAN / Direct Connect / Cross Connect, over an IPsec Tunnel, and over the Public INTERNET]
Many Connectivity Choices to Support Many Use Cases
Connecting to vCloud Air
• Over the Public Internet
– With Public IPs
– Use NAT for address translation
– By default firewall set to deny all and NAT not configured
• IPsec VPN
– vCloud Air features include IPsec VPN
– Multiple VPN tunnels can terminate to Edge Gateway
– Can connect to most of the major on-premises VPN devices
Connecting via VPN
[Diagram: IPsec VPN between VMware vSphere® (on-premises) and vCloud Air]
- On-premises: SharePoint-Routed Network (10.0.10.0/24); addresses 10.0.10.1 and 10.0.1.150; customer's edge router 10.0.1.1 with public address 68.108.102.47
- vSphere Edge Gateway: LEP 10.0.1.150; Peer ID 69.194.137.230; Peer IP 69.194.137.230
- vCloud Air: SharePoint-Default Routed Network (192.168.109.0/24), address 192.168.109.1; Virtual Machine 1 and Virtual Machine 2; public address 69.194.137.230
- vCloud Air Edge Gateway: LEP 69.194.137.230; Peer ID 10.0.1.150; Peer IP 68.108.102.47
- VPN Traffic: IP Protocol ID 50 (ESP), IP Protocol ID 51 (AH), UDP Port 500 (IKE), UDP Port 4500
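The 5-tuple, default-deny firewall and the DNAT slides above, together with the VPN protocol list on this slide, as an added Python model that is not VMware's code or API: the rules admit ESP, AH, IKE (UDP 500) and UDP 4500 only from the known peer, and DNAT is applied before the firewall so the rule for a published server names its internal address. The Flow and FwRule types, the DNAT table, the DNAT-before-firewall ordering and the server address 192.168.109.10 are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed model of the Edge Gateway behaviour the slides describe: a 5-tuple
# firewall that denies by default, with DNAT applied before the firewall (an
# assumption of this model). Names and structures are not VMware's API.
@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp", "udp", "esp", "ah"
    src: str
    sport: int   # 0 for protocols without ports
    dst: str
    dport: int

@dataclass(frozen=True)
class FwRule:
    action: str   # "allow" or "deny"
    proto: str    # protocol name or "any"
    src_net: str  # CIDR, single IP, or "any"
    dst_net: str
    dport: int    # 0 = any destination port

def _in_net(net, ip):
    return net == "any" or ip_address(ip) in ip_network(net, strict=False)

def fw_decide(rules, flow):
    """First matching rule wins; no match falls through to the default deny."""
    for r in rules:
        if (r.proto in ("any", flow.proto) and _in_net(r.src_net, flow.src)
                and _in_net(r.dst_net, flow.dst) and r.dport in (0, flow.dport)):
            return r.action
    return "deny"

def apply_dnat(dnat, flow):
    """Rewrite a public destination to its internal server if a DNAT rule exists."""
    target = dnat.get((flow.proto, flow.dst, flow.dport))
    return flow if target is None else Flow(flow.proto, flow.src, flow.sport, *target)
# Peer addresses from the VPN slide; 192.168.109.10 is an assumed web server on
# the SharePoint-Default routed network (192.168.109.0/24).
EDGE_IP, PEER_IP = "69.194.137.230", "68.108.102.47"
RULES = [
    FwRule("allow", "udp", PEER_IP, EDGE_IP, 500),         # IKE
    FwRule("allow", "udp", PEER_IP, EDGE_IP, 4500),        # NAT-T: Peer ID 10.0.1.150 sits behind 68.108.102.47
    FwRule("allow", "esp", PEER_IP, EDGE_IP, 0),           # IP protocol 50
    FwRule("allow", "ah", PEER_IP, EDGE_IP, 0),            # IP protocol 51
    FwRule("allow", "tcp", "any", "192.168.109.10", 443),  # published HTTPS server, post-DNAT address
]
DNAT = {("tcp", EDGE_IP, 443): ("192.168.109.10", 443)}
def inbound(flow, rules=RULES, dnat=DNAT):
    """Inbound path through the gateway: DNAT first, then the firewall."""
    return fw_decide(rules, apply_dnat(dnat, flow))
```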
Stretching L2 to vCloud Air - Logical Architecture
[Diagram: the on-premises 192.168.50.0/24 segment behind the Corp Firewall is carried as VPN Traffic across the INTERNET (184.61.71.155 to 74.204.180.41) through Edge Gateways into vCloud Air, where it keeps the same 192.168.50.0/24 addressing; Default Gateway = 192.168.50.10; host labels 50.10, 50.33, 50.34, 50.35, 100.10 and 100.33]
vCloud Air Direct Connect
[Diagram: Customer Cage in the CoLo with a Cross Connection to vCloud Air; Customer Data Center with Private WAN connectivity to vCloud Air via a Direct Connect Partner Device]
Direct Connect – vCloud Air Connectivity
[Diagram: Headquarters connected by a 1 or 10 Gbps Direct Connect Line (Direct Connect Traffic) to the vCloud Air Edge Gateway, which also faces the INTERNET; vCloud Air networks: DMZ Network (192.168.52.0/24), Private Network (192.168.50.0/24) and Private Network (192.168.110.0/24)]
Direct Connect – Connecting to Existing Security
[Diagram: On-Premises site (10.1.1.x/24) with its existing security policies and appliances (IDS, IPS, IGW) and Internet access, connected by a 1 Gbps Direct Connect private line (Direct Connect Traffic) to the vCloud Air Edge Gateway; vCloud Air networks: DMZ Network (192.168.52.0/24), Private Network (192.168.50.0/24) and Private Network (192.168.110.0/24)]
Direct Connect – Cross Connect
[Diagram: CUSTOMER CAGE connected by a 1 or 10 Gbps Direct Connect Line (Direct Connect Traffic) to the Edge Gateway; vCloud Air networks: DMZ Network (192.168.52.0/24), Private Network (192.168.50.0/24) and Private Network (192.168.110.0/24)]
Note: Storage connection must be in-guest based connectivity with NFS or Software iSCSI Initiator
User Level Rights and Security

Role | Rights | Cannot do | Ideal for
Account Administrator | Can add/edit users and user rights | Virtual data center resource management, network mgmt etc. | Account management
Virtualization Infrastructure Administrator | Create virtual data centers; add/edit compute and storage resources | Cannot create users, manage networking | Virtual infrastructure admin, app admin
Network Administrator | Create networks; add gateways; add gateway services | User management, virtual data center resource management | Network admin
Read-only Administrator | Read only rights for all setups/configurations | Any adds/edits | Supervisor
Subscription Administrator | Access to myVMware; purchase resources, file support tickets | No vCloud Air management rights | For all personnel with purchasing rights and/or support needs
Application Security – Access Rights
• Administration rights
– Clearly identify individuals, and the rights that those individuals get
– An enterprise administrator can have more than one type of right
– Rights help enforce secure cloud usage
• User rights
– End user rights for virtual machine owners
– End user cannot do any admin activity
– Users have limited visibility to cloud resources
Summary
• You will leave with:
✓ An understanding of the vCloud Air networking building blocks
✓ A strong networking foundation for building a complex hybrid cloud
✓ An understanding of advanced networking use cases and security
• Key Takeaways
– Building blocks you are used to – vSphere, VXLAN, VMware vCloud® Networking and Security Manager™ (vCNS), VMware® vCloud Director®
– Flexible and Powerful – Supports all your complex networking
• IPsec VPN
• Stretched Applications
• Layer 2 Extension - BYOIP
– Advanced application security
Go To VMware Cloud Academy
• See a video of this presentation and others to learn more about vCloud Air
• Condensed VMworld jump start presentations delivered by technical subject-matter experts
• Free and ungated to learn at your own pace
• All videos under 15 mins!
• Test your knowledge by taking a quiz
• Download vCloud Air eBook and other assets and tools
http://vcloud.vmware.com/cloud-academy
Thank You