VMware vCloud Air: Networking

Post on 12-Jul-2015


© 2014 VMware Inc. All rights reserved.

VMware vCloud Air: Networking (formerly known as vCloud Hybrid Service)

What's in It for You?

•  You will leave with:
  –  An understanding of the VMware vCloud® Air™ networking building blocks
  –  A strong networking foundation for building a complex hybrid cloud
  –  An understanding of advanced networking use cases and security

Agenda

vCloud Air Networking
•  Services Overview
•  Key Components
•  Network Virtualization Services

Connectivity options to vCloud Air
•  IPsec VPN
•  L2 Stretching
•  Direct Connect

Advanced Use Cases
•  Three-tier Networking

Hybrid Service Basic Networking Constructs

[Figure: the customer's virtual data center on vCloud Air. The gateway provides NAT, firewall, load balancer, IPsec, DHCP and static routing. Networks are either routed/gateway networks (up to 9 networks) or isolated networks.]

vCloud Air Cloud Options and Gateway Choices

•  Shared Cloud
  –  Logically separated network, compute and storage
  –  5GHz CPU (burstable to 10GHz)
  –  20GB RAM, 2TB storage
  –  No virtual data center segmentation
  –  One Edge Gateway

•  Dedicated Cloud
  –  Physically separated hosts
  –  Logically separated network and storage
  –  30GHz CPU, 120GB RAM, 6TB
  –  Segment virtual data centers based on orgs
  –  Multiple Edge Gateways

[Figure: a dedicated cloud segmented into VDC1, VDC2, VDC3, VDC4.]

Configuration Access Options

•  vCloud Air Management Web Portal – for basic networking configurations
•  vCloud Air Management Portal – for advanced networking configurations

vCloud Air Networking Services

•  IP Addressing
•  Network creation
•  Firewall
•  NAT
•  DHCP
•  Load Balancer
•  VPN

IP Address Assignment

•  IP Pool
  –  Pool of IPs created by default on auto-generated isolated and routed networks
  –  Virtual machines attached to those networks get IP addresses from that default pool
•  Static IP
  –  Fixed IP for a virtual machine
  –  Change configuration in VMware® vCloud Director®
•  DHCP
  –  Part of the Edge Gateway service
  –  Change configuration in vCloud Director
  –  Basic DHCP service

[Figure: a routed network.]

Firewall Rules in vCloud Air

Firewall Rules: North-South and East-West Traffic

[Figure: Routed Network 1, 2 and 3 behind the Gateway; firewall rules apply to traffic passing through the gateway.]

Firewall rules:
  –  By default: deny all
  –  Policies for traffic that passes through the gateway

•  5-tuple firewall policies (protocol, source/destination IP, source/destination port)
•  Can have multiple policies across multiple networks
•  Ideal for enterprise-grade application deployment

Network Address Translation (NAT)

•  Source NAT and Destination NAT rules
  –  Supports multiple rules on multiple interfaces
•  Can use internal/private IP space
  –  Bring your own internal IP space
  –  Create/manage subnets within the IP space
  –  Multiple IP spaces under the same gateway
•  Need to create firewall rules to allow traffic
•  IPv4 NAT

NAT rules:
  –  SNAT and DNAT rules
  –  Options include protocol/port selection

[Figure: the Gateway holds the public IPs; behind it, Organization Net 1, 2 and 3 use internal IPs from 10.x.x.x, 172.16.x.x and 192.168.x.x.]
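The two slides above describe the same packet path from two sides: DNAT/SNAT rewrites addresses, and the 5-tuple firewall, which denies everything by default, decides whether the (translated) flow passes. The following is an added example, not code from the presentation or from VMware, that models that path in Python so the interaction is visible: a DNAT rule alone does not open a service, because the firewall is still evaluated on the translated packet, and a private source with no SNAT rule cannot leave. All addresses, rule names and the gateway public IP 203.0.113.10 are constructed sample values.

```python
"""Toy model of the Edge Gateway packet path (added example, not VMware code).

Inbound (Internet -> org network): a DNAT rule rewrites the public IP/port to
an internal address, then the 5-tuple firewall is evaluated on the translated
packet with deny-all as the default.
Outbound (org network -> Internet): the firewall is evaluated first, then an
SNAT rule rewrites the private source to the gateway's public IP.
Addresses and rules are constructed sample values."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


@dataclass(frozen=True)
class FirewallRule:
    """One 5-tuple policy; "any" / None match everything for that field."""
    action: str                # "allow" or "deny"
    proto: str = "any"
    src: str = "any"           # CIDR or "any"
    dst: str = "any"           # CIDR or "any"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src_ip) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst_ip) not in ip_network(self.dst):
            return False
        if self.src_port is not None and p.src_port != self.src_port:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return True


@dataclass(frozen=True)
class DnatRule:
    proto: str
    public_ip: str
    public_port: int
    internal_ip: str
    internal_port: int


@dataclass(frozen=True)
class SnatRule:
    internal_net: str          # CIDR of the org network
    public_ip: str


def firewall_verdict(rules: List[FirewallRule], p: Packet) -> str:
    """First matching rule wins; no match falls through to the default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def process_inbound(dnat: List[DnatRule], fw: List[FirewallRule], p: Packet) -> Optional[Packet]:
    """Internet -> org network. Returns the packet as delivered, or None if dropped."""
    for r in dnat:
        if (r.proto, r.public_ip, r.public_port) == (p.proto, p.dst_ip, p.dst_port):
            p = replace(p, dst_ip=r.internal_ip, dst_port=r.internal_port)
            break
    # Without a DNAT hit the packet stays addressed to the gateway itself;
    # either way the firewall decides, and the default is deny.
    return p if firewall_verdict(fw, p) == "allow" else None


def process_outbound(snat: List[SnatRule], fw: List[FirewallRule], p: Packet) -> Optional[Packet]:
    """Org network -> Internet. Firewall first, then source translation."""
    if firewall_verdict(fw, p) != "allow":
        return None
    for r in snat:
        if ip_address(p.src_ip) in ip_network(r.internal_net):
            return replace(p, src_ip=r.public_ip)
    return None  # a private source with no SNAT rule has no route back


# Constructed gateway configuration: one public IP, one org network.
PUBLIC_IP = "203.0.113.10"
DNAT_RULES = [
    DnatRule("tcp", PUBLIC_IP, 443, "192.168.109.10", 443),    # web front end
    DnatRule("tcp", PUBLIC_IP, 8080, "192.168.109.11", 8080),  # DNAT added, firewall rule forgotten
]
SNAT_RULES = [SnatRule("192.168.109.0/24", PUBLIC_IP)]
FW_RULES = [
    FirewallRule("allow", proto="tcp", dst="192.168.109.10/32", dst_port=443),
    FirewallRule("allow", proto="tcp", src="192.168.109.0/24", dst_port=443),
]

if __name__ == "__main__":
    web = Packet("tcp", "198.51.100.7", 51000, PUBLIC_IP, 443)
    print(process_inbound(DNAT_RULES, FW_RULES, web))                           # delivered to .10:443
    print(process_inbound(DNAT_RULES, FW_RULES, replace(web, dst_port=8080)))   # None: no firewall rule
```

The port 8080 case is the one the slide's "need to create firewall rules to allow traffic" bullet warns about: the DNAT rule is correct, but with the default deny and no matching policy the translated packet is dropped. Rule order matters too, since the first match wins, so an early broad allow would mask later, narrower denies.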

Edge Gateway Services – Load Balancing

[Figure: Edge Gateway load balancer in front of a pool of servers.]

Load balanced:
  –  Round Robin
  –  IP Hash
  –  URI
  –  Least Connected

Virtual Server:
  –  Virtual IP (Public IP)
  –  Frontend traffic
  –  Assigned to a server pool

Can have multiple virtual servers and pools

Load Balancer – Pool Servers

•  Pool Servers
  –  HTTP/HTTPS/TCP
  –  Load Balancing Methods
    •  IP Hash
    •  Round Robin
    •  URI
    •  Least Connected
  –  Health Check
    •  Each with TCP as mode
    •  Monitoring Ports
  –  Add Servers
    •  Ratio Weight
    •  Change Ports/Services per Server

Load Balancer – Virtual Servers

•  Virtual Servers
  –  Apply on outside network
  –  Server Pool
  –  Persistence Method
    •  HTTP – Cookie
    •  HTTPS – Session ID
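To make the pool and virtual-server slides concrete, here is an added example in Python (not VMware's code and not how the Edge Gateway is implemented internally) of a pool with ratio weights and a health state, the four listed selection methods, and a virtual server with HTTP cookie persistence. Server addresses, weights, the VIP 203.0.113.10 and the request values are constructed.

```python
"""Pool / virtual-server model from the load-balancer slides (added example,
not VMware code). A Pool holds backend servers, each with a ratio weight and
a TCP health-check state, and picks a live member by round robin, IP hash,
URI or least connected. A VirtualServer fronts a pool on a VIP and, with
cookie persistence, pins a returning client to the member it first reached.
Addresses, weights and requests are constructed sample values."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Server:
    ip: str
    port: int = 80
    weight: int = 1        # ratio weight: share of new connections
    healthy: bool = True   # result of the last TCP check on the monitoring port
    connections: int = 0


class Pool:
    def __init__(self, servers: List[Server]):
        self.servers = servers
        self._rr = 0

    def live(self) -> List[Server]:
        """Members that passed their last health check; the rest get no traffic."""
        return [s for s in self.servers if s.healthy]

    def round_robin(self) -> Optional[Server]:
        # Weighted: a member with weight 2 occupies two slots in the ring.
        ring = [s for s in self.live() for _ in range(s.weight)]
        if not ring:
            return None
        s = ring[self._rr % len(ring)]
        self._rr += 1
        return s

    def _hash_pick(self, key: str) -> Optional[Server]:
        live = self.live()
        if not live:
            return None
        digest = int(hashlib.sha256(key.encode()).hexdigest(), 16)
        return live[digest % len(live)]   # mapping shifts when the live set changes

    def ip_hash(self, client_ip: str) -> Optional[Server]:
        return self._hash_pick(client_ip)   # same client -> same member

    def uri(self, path: str) -> Optional[Server]:
        return self._hash_pick(path)        # same URI -> same member (cache friendly)

    def least_connected(self) -> Optional[Server]:
        live = self.live()
        if not live:
            return None
        return min(live, key=lambda s: s.connections / s.weight)


class VirtualServer:
    def __init__(self, vip: str, port: int, pool: Pool, method: str, persistence: Optional[str] = None):
        self.vip, self.port, self.pool = vip, port, pool
        self.method = method              # "round_robin" | "ip_hash" | "uri" | "least_connected"
        self.persistence = persistence    # None or "cookie"
        self._cookie_table: Dict[str, Server] = {}

    def dispatch(self, client_ip: str, path: str,
                 cookie: Optional[str] = None) -> Tuple[Optional[Server], Optional[str]]:
        """Pick the member for one request; returns (server, cookie to set)."""
        if self.persistence == "cookie" and cookie in self._cookie_table:
            pinned = self._cookie_table[cookie]
            if pinned.healthy:              # a failed member breaks persistence
                pinned.connections += 1
                return pinned, cookie
        if self.method == "round_robin":
            s = self.pool.round_robin()
        elif self.method == "ip_hash":
            s = self.pool.ip_hash(client_ip)
        elif self.method == "uri":
            s = self.pool.uri(path)
        else:
            s = self.pool.least_connected()
        if s is None:
            return None, None               # no healthy member: service unavailable
        s.connections += 1
        if self.persistence == "cookie":
            # Opaque token for the member; the real cookie value is an implementation detail.
            cookie = hashlib.sha256(f"{s.ip}:{s.port}".encode()).hexdigest()[:16]
            self._cookie_table[cookie] = s
        return s, cookie


def make_demo_pool() -> Pool:
    """Three constructed members; the first carries twice the ratio weight."""
    return Pool([Server("192.168.109.11", weight=2),
                 Server("192.168.109.12"),
                 Server("192.168.109.13")])


if __name__ == "__main__":
    vs = VirtualServer("203.0.113.10", 443, make_demo_pool(), "round_robin", persistence="cookie")
    first, cookie = vs.dispatch("198.51.100.7", "/")
    again, _ = vs.dispatch("198.51.100.7", "/", cookie=cookie)
    print(first.ip, again.ip)   # same member while it stays healthy
```

Two behaviours worth noticing: a member that fails its health check drops out of every method, including a pinned cookie session, and the hash-based methods re-map clients when the live set changes, so they give stickiness only while the pool is stable.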

Connecting to vCloud Air

Options to Connect to vCloud Air

[Figure: the customer data center reaches vCloud Air over a private WAN / Direct Connect / cross connect, over an IPsec tunnel, or over the public Internet.]

Many connectivity choices to support many use cases

Connecting to vCloud Air

•  Over the Public Internet
  –  With public IPs
  –  Use NAT for address translation
  –  By default the firewall is set to deny all and NAT is not configured
•  IPsec VPN
  –  vCloud Air features include IPsec VPN
  –  Multiple VPN tunnels can terminate on the Edge Gateway
  –  Can connect to most of the major on-premises VPN devices

Connecting via VPN

[Figure: site-to-site IPsec tunnel between on-premises VMware vSphere® and vCloud Air, with the addresses below as labelled on the slide.]

On-premises (VMware vSphere®):
  –  SharePoint-Routed Network 10.0.10.0/24, gateway 10.0.10.1
  –  vSphere Edge Gateway at 10.0.1.150
    •  LEP – 10.0.1.150
    •  Peer ID – 69.194.137.230
    •  Peer IP – 69.194.137.230
  –  Customer's edge router: 10.0.1.1 (LAN side), 68.108.102.47 (Internet side)

vCloud Air:
  –  SharePoint-Default Routed Network 192.168.109.0/24, gateway 192.168.109.1 (Virtual Machine 1, Virtual Machine 2)
  –  vCloud Air Edge Gateway at 69.194.137.230
    •  LEP – 69.194.137.230
    •  Peer ID – 10.0.1.150
    •  Peer IP – 68.108.102.47

VPN traffic: IP protocol ID 50 (ESP), IP protocol ID 51 (AH), UDP port 500 (IKE), UDP port 4500
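The slide's addresses carry a detail that is easy to miss: on the vCloud Air side the Peer ID (10.0.1.150) is not the Peer IP (68.108.102.47), because the vSphere Edge Gateway binds to a private address behind the customer's edge router. That is exactly the case in which UDP 4500 (NAT traversal) must be permitted alongside UDP 500, ESP and AH. The following added example, not VMware's code, checks a tunnel definition for that kind of consistency using the values printed on the slide; the VpnEndpoint fields, helper names, and the use of each side's drawn network as its tunnel subnet are this example's own assumptions.

```python
"""Consistency checks for the site-to-site IPsec tunnel on the
'Connecting via VPN' slide (added example, not VMware code).
Each side must name the other's identity and reachable address, and the
gateway firewall must pass the tunnel protocols; when one end sits behind
NAT (its LEP differs from its public address), UDP 4500 is required too.
Addresses are the ones printed on the slide; field and helper names are
this example's own."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VpnEndpoint:
    name: str
    lep: str                  # local endpoint the tunnel binds to (also its identity)
    public_ip: str            # address the remote side can reach (== lep unless NATed)
    peer_id: str              # identity expected from the remote side
    peer_ip: str              # address the tunnel is sent to
    local_subnets: Tuple[str, ...]
    peer_subnets: Tuple[str, ...]


def nat_traversal_needed(ep: VpnEndpoint) -> bool:
    """True when this end is behind NAT: its identity and public address differ."""
    return ep.lep != ep.public_ip


def check_pair(a: VpnEndpoint, b: VpnEndpoint) -> List[str]:
    """Each side must describe the other correctly; returns the mismatches found."""
    problems = []
    for local, remote in ((a, b), (b, a)):
        if local.peer_id != remote.lep:
            problems.append(f"{local.name}: peer ID {local.peer_id} != {remote.name} LEP {remote.lep}")
        if local.peer_ip != remote.public_ip:
            problems.append(f"{local.name}: peer IP {local.peer_ip} != {remote.name} public IP {remote.public_ip}")
        if set(local.peer_subnets) != set(remote.local_subnets):
            problems.append(f"{local.name}: peer subnets {local.peer_subnets} != "
                            f"{remote.name} local subnets {remote.local_subnets}")
    return problems


def required_rules(local: VpnEndpoint, remote: VpnEndpoint) -> List[Tuple[str, Optional[int], str, str]]:
    """(protocol, port, src, dst) the local gateway firewall must permit for the tunnel itself."""
    ports = [("esp", None), ("ah", None), ("udp", 500)]
    if nat_traversal_needed(local) or nat_traversal_needed(remote):
        ports.append(("udp", 4500))   # IKE/ESP encapsulated in UDP for NAT traversal
    return [(proto, port, remote.public_ip, local.lep) for proto, port in ports]


# Values as printed on the slide; each side's drawn network is taken as its tunnel subnet.
VCLOUD_AIR_EDGE = VpnEndpoint(
    name="vCloud Air Edge Gateway",
    lep="69.194.137.230", public_ip="69.194.137.230",
    peer_id="10.0.1.150", peer_ip="68.108.102.47",
    local_subnets=("192.168.109.0/24",), peer_subnets=("10.0.10.0/24",))
VSPHERE_EDGE = VpnEndpoint(
    name="vSphere Edge Gateway",
    lep="10.0.1.150", public_ip="68.108.102.47",   # translated by the customer's edge router
    peer_id="69.194.137.230", peer_ip="69.194.137.230",
    local_subnets=("10.0.10.0/24",), peer_subnets=("192.168.109.0/24",))


if __name__ == "__main__":
    print(check_pair(VCLOUD_AIR_EDGE, VSPHERE_EDGE))          # [] when both sides agree
    for rule in required_rules(VCLOUD_AIR_EDGE, VSPHERE_EDGE):
        print(rule)                                           # includes ('udp', 4500, ...)
```

A check like this belongs in change control for the gateway: most tunnel-down tickets after an address or router change come from one side's peer ID or peer IP no longer matching what the other side presents, or from a firewall that passes ESP and UDP 500 but not UDP 4500 once NAT enters the path.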

Stretching L2 to vCloud Air – Logical Architecture

[Figure: the 192.168.50.0/24 subnet is stretched between the on-premises site (behind the corp firewall) and vCloud Air; VPN traffic crosses the Internet between Edge Gateways with public endpoints 184.61.71.155 and 74.204.180.41. The default gateway is 192.168.50.10; hosts labelled .33, .34, .35 and .10 appear on both ends of the stretched segment.]

vCloud Air Direct Connect

[Figure: two Direct Connect models. Cross connection: the customer cage in the colo connects directly to vCloud Air. Private WAN connectivity: the customer data center connects through a Direct Connect partner device to vCloud Air.]

Direct Connect – vCloud Air Connectivity

[Figure: headquarters connected over a 1 or 10 Gbps Direct Connect line to the vCloud Air Edge Gateway, which also faces the Internet; the vCloud Air side has a DMZ Network (192.168.52.0/24) and Private Networks 192.168.50.0/24 and 192.168.110.0/24.]

Direct Connect – Connecting to Existing Security

[Figure: a 1 Gbps Direct Connect private line carries traffic between on-premises (10.1.1.x/24) and vCloud Air (DMZ Network 192.168.52.0/24, Private Networks 192.168.50.0/24 and 192.168.110.0/24); the existing on-premises security policies and appliances (IGW, IDS, IPS) sit on the Internet path.]

Direct Connect – Cross Connect

[Figure: the customer cage connects over a 1 or 10 Gbps Direct Connect line to the vCloud Air Edge Gateway, with the same DMZ Network (192.168.52.0/24) and Private Networks (192.168.50.0/24, 192.168.110.0/24).]

Note: storage connection must be in-guest based connectivity with NFS or a software iSCSI initiator.

User Level Rights and Security

Role: Account Administrator
  Rights: Can add/edit users and user rights
  Cannot do: Virtual data center resource management, network management, etc.
  Ideal for: Account management

Role: Virtualization Infrastructure Administrator
  Rights: Create virtual data centers; add/edit compute and storage resources
  Cannot do: Create users, manage networking
  Ideal for: Virtual infrastructure admin, app admin

Role: Network Administrator
  Rights: Create networks, add gateways, add gateway services
  Cannot do: User management, virtual data center resource management
  Ideal for: Network admin

Role: Read-only Administrator
  Rights: Read-only rights for all setups/configurations
  Cannot do: Any adds/edits
  Ideal for: Supervisor

Role: Subscription Administrator
  Rights: Access to myVMware; purchase resources, file support tickets
  Cannot do: No vCloud Air management rights
  Ideal for: All personnel with purchasing rights and/or support needs

Application Security – Access Rights

•  Administration rights
  –  Clearly identify individuals, and the rights that those individuals get
  –  An enterprise administrator can have more than one type of right
  –  Rights help enforce secure cloud usage
•  User rights
  –  End user rights for virtual machine owners
  –  End users cannot do any admin activity
  –  Users have limited visibility into cloud resources

Summary

•  You will leave with:
  ✓ An understanding of the vCloud Air networking building blocks
  ✓ A strong networking foundation for building a complex hybrid cloud
  ✓ An understanding of advanced networking use cases and security
•  Key Takeaways
  –  Building blocks you are used to – vSphere, VXLAN, VMware vCloud® Networking and Security Manager™ (vCNS), VMware® vCloud Director®
  –  Flexible and powerful
  –  Supports all your complex networking
    •  IPsec VPN
    •  Stretched applications
    •  Layer 2 extension – BYOIP
  –  Advanced application security

Go To VMware Cloud Academy

•  See a video of this presentation and others to learn more about vCloud Air
•  Condensed VMworld jump-start presentations delivered by technical subject-matter experts
•  Free and ungated to learn at your own pace
•  All videos under 15 mins!
•  Test your knowledge by taking a quiz
•  Download the vCloud Air eBook and other assets and tools

http://vcloud.vmware.com/cloud-academy

Thank You
