VMware vCloud Air Networking Guide
vCloud Air

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
Copyright © 2015 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com
Contents

About this Networking Guide 5
1 Overview of Gateways and Networks 7
  Network Virtualization in vCloud Air 7
  Default Setup for Gateways and Networks 8
  Allocation of Public IP Addresses 11
  About Networking Services for Gateways 12
  Network Address Translation (NAT) 14
  DHCP 14
  Load Balancer 15
  DNS 16
  Static Routing 17
2 About Managing Gateways and Networks 19
  View and Edit Gateway Details 19
  Add a Gateway to a Virtual Data Center 20
  Delete a Gateway 21
  View Networks in a Virtual Data Center 21
  Add a
  Reasons to Order Direct Connect 42
  Direct Connect Service Overview 43
  Direct Connect with Cross Connect 44
  Direct Connect for Network Exchange 45
  Direct Connect Use Cases 46
  About the Ordering and Provisioning Workflow 47
  Work with Your Provider to Set up Connection 49
  Order Direct Connect to vCloud Air 50
  Work with VMware to Complete Order 51
  View Direct Connect in vCloud Air 52
  Route Traffic Through Direct Connect 52
Index 55
About this Networking Guide

The vCloud Air Networking Guide provides information about configuring networking and gateways for VMware vCloud Air® (formerly known as vCloud Hybrid Service), including how to add gateways to virtual data centers, add networks to gateways, and set up network security by using the gateway's networking services. Additionally, this guide describes how to set up secure access to vCloud Air from remote sites.
1 Overview of Gateways and Networks

vCloud Air networking replicates traditional network technologies and design. Networking in vCloud Air is based on the software-defined networking (SDN) technologies used by VMware products, including VMware vSphere, VXLAN, vCloud Networking and Security, and vCloud Director.
Default Setup for Gateways and Networks

The default setup for gateways and networks varies in vCloud Air depending on which service you purchased: Dedicated Cloud service or Virtual Private Cloud service. See Types of vCloud Air in vCloud Air User's Guide for information about the service options. With both services, you configure networks for each virtual data center.
Figure 1-1. Default Networks in vCloud Air

Default Settings for Gateway Networks

By default, vCloud Air creates a gateway network when you assign a public IP address to a virtual data center or gateway and configures it with the following properties:
- Named DATACENTER_NAME-DEFAULT-ROUTED
- Connects to the gateway through the public IP address
- Created on the 192.168.109.0 subnet
- Has the default gateway IP address 192.168.109.
Default Settings for Internal Networks

An internal network is not connected to a gateway. An internal network has an internal IP address and subnet. Virtual machines attached to an internal network can communicate only with each other. DHCP is the only service that can be enabled on an internal network. You use DHCP to get IP addresses for your virtual machines.
Allocation of Public IP Addresses

When you subscribe to vCloud Air, you are given public IP addresses as part of the subscription service with both offerings. You can purchase additional public IP addresses at any time through your Subscription Services in My VMware.
NOTE When you add a network in vCloud Air, you configure the IP Pool for that network, as shown in the following screenshot. See "Add a Network to a Virtual Data Center," on page 21 and "Add a Network to a Gateway," on page 23 in this guide for information.

About Networking Services for Gateways

Internal and gateway networks provide the following services.
- DNS: vCloud Director
- Firewall Rules: vCloud Air or vCloud Director
- VPN: vCloud Director (IPsec VPN) and vCloud Connector (SSL VPN)
- Static Routing: vCloud Director

You can find information about how these services are implemented in vCloud Air from the following sources.

Table 1-2. Related Information in this Guide and Other Sources
Networking Service | See this related information...
Network Address Translation (NAT)

Gateways in vCloud Air support NAT for the virtual machines connected to gateway networks. Create a NAT rule to translate a public IPv4 address to and from the private IPv4 address of a virtual machine on your internal network in vCloud Air. vCloud Air supports source NAT (SNAT) and destination NAT (DNAT) rules. When you configure an SNAT or a DNAT rule, you always configure the rule from the perspective of vCloud Air.
vCloud Air Dashboard > Gateway tab > click the gateway > Manage Advanced Gateway Settings > vCloud Director Administration page > Edge Gateways tab > select the gateway, right-click and choose Edge Gateway Services > DHCP tab

Enable and configure DHCP for a gateway network to automatically assign an IP address to a virtual machine when it is added to a gateway network. The virtual machine is assigned an IP address based on the configured DHCP parameters.
To view the public IP address allocation for the gateway by using vCloud Director, see View IP Use for an Edge Gateway in vCloud Director Administrator's Guide for information. Additionally, view the Sub-allocated IP Pool configured for the gateway. A gateway uses the Sub-allocated IP Pool for NAT configuration. A Sub-allocated IP Pool contains a subset of IP addresses from the IP Pool that is already assigned to the gateway's external network.
See Modify an Organization Virtual Datacenter Network DNS Settings in vCloud Director Administrator's Guide for information.

NOTE If the DNS settings on a DHCP-enabled gateway are changed, the gateway no longer provides DHCP services. To correct this issue, disable and re-enable DHCP on the gateway.
For the steps to configure static routing by using vCloud Director, see the following topics in vCloud Director Administrator's Guide:
- Enable Static Routing on an Edge Gateway
- Add Static Routes Between vApp Networks Routed to the Same Organization Virtual Datacenter Network
2 About Managing Gateways and Networks

The vCloud Air console is the primary portal for managing gateways and networks. Additionally, you can use vCloud Director to manage your gateways and networks at a more granular level. The vCloud Air console provides single sign-on access to vCloud Director.
Procedure
1 Click the Gateways tab. All gateways are listed. The virtual data center to which each gateway belongs is displayed next to the gateway name.
2 Click a gateway to access its details.
3 In the upper right of the pane, view the gateway IP, configuration, VMware High Availability settings, and the activity status.
4 View and configure gateway details.
5
  Option | Description
  NAT Rules tab: View SNAT or DNAT details. Disable, enable, or delete rules.
5 Specify the number of IP addresses that you want to allocate to the gateway.
6 Click Add Gateway. The gateway is created. You can click the gateway to view its details.

Delete a Gateway

You can delete gateways from virtual data centers in the Dedicated Cloud service. When you delete a gateway, all gateway networks associated with it are deleted. Networking services such as NAT rules, firewall settings, and load balancing settings are also deleted.
Procedure
1 In the Dashboard tab, click the virtual data center to which you want to add a network.
2 Click the Networks tab.
3 Click Add One. The Add Network dialog box appears.
4
5 Complete the following settings for the network:
  Option | Description
  Network name: Enter a name for the gateway.
  Description: (Optional) Enter a description for the gateway.
Add a Network to a Gateway

You can view a list of the networks added to a gateway. For each network, you can view the default gateway IP address, the IP range, the number of virtual machines attached to it, and the number of public IP addresses allocated to the gateway.

Prerequisites
Verify that you have network administrator privileges.

Procedure
1 From the Dashboard tab, click the Gateways tab.
2 Click the gateway for which you want to add a network.
Procedure
1 In the Dashboard tab, click the virtual data center from which you want to delete a network. Alternatively, if you are deleting a gateway network, you can navigate to the gateway and delete the network there: click the Gateway tab > select the gateway that contains the network you want to delete > click the Network tab.
2 Click the Network tab. The list of networks appears.
4
5 Click the Add button and from the drop-down menu, choose one of the following options:
  Option | Description
  Source NAT (SNAT): An SNAT rule changes the source IP address and, optionally, the port of outgoing packets. When you create an SNAT rule in vCloud Air, by default the port and protocol are set to "any." To change the default port and protocol settings for an SNAT rule, edit the settings in vCloud Director.
3 Network Security and Secure Access

vCloud Air provides features and functionality to ensure network security and secure access to your resources in the cloud.
Table 3-2. Security Differences Between Network Types
Required for:
- Gateway network: virtual machines that need access to external networks.
- Internal network: workloads that need to be isolated; workloads subject to specific security policies, for example, compliance rules that a particular application cannot be connected directly to the Internet.
- Are ideal for enterprise-grade application deployment

IMPORTANT By default, gateways are deployed with firewall rules configured to deny all network traffic to and from the virtual machines on the gateway networks. Attempting to ping a virtual machine on a network after configuring a NAT rule will fail without adding a firewall rule to allow the corresponding traffic.
6 Option | Description
  Source: Choose an option from the drop-down menu:
  - Any: allows traffic from any source on the external network to reach the virtual machines.
  - Internal: apply this rule to all internal traffic.
  - External: apply this rule to all external traffic.
  - Specific CIDR, IP, or IP Range: type the CIDR notation of the traffic to which this rule applies.
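The interaction between a DNAT rule and the default-deny firewall described in the IMPORTANT note above, as an added example that is not part of the guide: a small model of an inbound packet passing the gateway's DNAT rule and then its firewall, with the Source options from the dialog (Any, Internal, External, CIDR/IP/range). The addresses, the /24 mask on the 192.168.109.0 network and the DNAT-before-firewall ordering are assumptions, not values from the guide.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Subnet of the default gateway network named in the guide; the /24 mask is assumed.
INTERNAL_NET = ipaddress.ip_network("192.168.109.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                     # "icmp", "tcp" or "udp"
    dst_port: int | None = None


@dataclass
class DnatRule:
    original_ip: str                  # public IP allocated to the gateway
    translated_ip: str                # private IP of the virtual machine
    protocol: str = "any"             # vCloud Air creates the rule with "any"
    original_port: int | None = None


@dataclass
class FirewallRule:
    source: str                       # "Any", "Internal", "External", CIDR, IP or "first-last"
    protocol: str = "any"
    dst_port: int | None = None
    action: str = "allow"


def source_matches(spec: str, ip: str) -> bool:
    """Interpret the Source options offered by the firewall rule dialog."""
    addr = ipaddress.ip_address(ip)
    if spec == "Any":
        return True
    if spec == "Internal":
        return addr in INTERNAL_NET
    if spec == "External":
        return addr not in INTERNAL_NET
    if "-" in spec:                   # explicit "first-last" IP range
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return first <= addr <= last
    return addr in ipaddress.ip_network(spec, strict=False)  # CIDR or a single IP


def apply_dnat(pkt: Packet, rules: list[DnatRule]) -> Packet:
    """Rewrite the public destination to the VM's private address when a rule matches."""
    for r in rules:
        if (r.original_ip == pkt.dst and r.protocol in ("any", pkt.protocol)
                and r.original_port in (None, pkt.dst_port)):
            return Packet(pkt.src, r.translated_ip, pkt.protocol, pkt.dst_port)
    return pkt


def firewall_decision(pkt: Packet, rules: list[FirewallRule]) -> str:
    """First matching rule wins; with no match the gateway's default is deny."""
    for r in rules:
        if (source_matches(r.source, pkt.src) and r.protocol in ("any", pkt.protocol)
                and r.dst_port in (None, pkt.dst_port)):
            return r.action
    return "deny"


def process_inbound(pkt: Packet, dnat: list[DnatRule], fw: list[FirewallRule]) -> tuple[str, Packet]:
    """Assumed order on the edge: DNAT first, then the firewall sees the translated packet."""
    translated = apply_dnat(pkt, dnat)
    return firewall_decision(translated, fw), translated
```

With a constructed ping from 198.51.100.7 to the gateway's public IP 203.0.113.10 and a single DNAT rule to 192.168.109.10, process_inbound returns "deny" even though the destination was translated; adding FirewallRule("External", "icmp") turns the decision into "allow".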
About IPsec VPN

Internet Protocol Security (IPsec) is a protocol suite for securing the IP packets of a communication session. vCloud Air supports using IPsec to create a secure VPN connection between your vCloud Air service and a remote site, such as your on-premises data center.
- Peer ID: specifies the public IP address of the remote device terminating the VPN connection. If the peer IP address is from another organization VDC network, you enter the peer's native IP address. If NAT is configured for the peer, you enter the private peer IP address.
- Peer IP: specifies the public IP address of the remote device to which you are connecting. If NAT is configured for the peer, you enter the public IP address that the device uses for NAT.
Prerequisites
Verify that you have networking administration privileges in vCloud Air. If a firewall is between the connection endpoints, you must configure it to allow the following IP protocols and UDP ports:
- IP Protocol ID 50 (ESP)
- IP Protocol ID 51 (AH)
- UDP Port 500 (IKE)
- UDP Port 4500

Procedure
1 In vCloud Air, click the Gateways tab. The complete list of gateways configured for vCloud Air appears.
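A check for the prerequisite list above, as an added example that is not part of the guide: given the allow rules of the firewall that sits between the endpoints, it reports which of the required IPsec protocols and UDP ports are still blocked. The AllowRule format (protocol name or number plus an optional port or port range) is an assumption made for the example, not a vCloud Air or vCloud Director rule format.

```python
from __future__ import annotations
from dataclasses import dataclass

# Protocols and ports the guide requires a firewall between the endpoints to allow.
REQUIRED = (
    ("ip", 50, "IP Protocol ID 50 (ESP)"),
    ("ip", 51, "IP Protocol ID 51 (AH)"),
    ("udp", 500, "UDP Port 500 (IKE)"),
    ("udp", 4500, "UDP Port 4500"),
)
PROTO_NUMBERS = {"esp": 50, "ah": 51}


@dataclass(frozen=True)
class AllowRule:
    """One permitted flow: protocol is 'any', 'udp', 'tcp', 'esp', 'ah' or an IP protocol number."""
    protocol: str
    ports: str = "any"                # "any", "500" or "500-4500"; only meaningful for udp/tcp


def _port_allowed(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _rule_covers(rule: AllowRule, kind: str, value: int) -> bool:
    proto = rule.protocol.lower()
    if proto == "any":
        return True
    if kind == "udp":
        return proto == "udp" and _port_allowed(rule.ports, value)
    # ESP and AH carry no port, so only the IP protocol number is compared.
    number = PROTO_NUMBERS.get(proto, int(proto) if proto.isdigit() else None)
    return number == value


def missing_ipsec_rules(rules: list[AllowRule]) -> list[str]:
    """Return the required entries that no rule in `rules` permits (an empty list means ready)."""
    return [label for kind, value, label in REQUIRED
            if not any(_rule_covers(r, kind, value) for r in rules)]
```

For a constructed rule set that permits only UDP 500 and ESP, missing_ipsec_rules reports that AH and UDP 4500 are still blocked.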
9 Option | Description
  Peer IP: Enter the peer IP, which is the public IP address of the remote device to which you are connecting. NOTE If NAT is configured for the peer, you enter the public IP address that the device uses for NAT.
  Encryption protocol: Select the encryption type from the drop-down list. NOTE The encryption type you select must match the encryption type configured on the remote site VPN device.
- Microsoft Active Directory Sites and Services:
  - The extended network is part of the on-premises site in Active Directory.
  - DNS and Active Directory communication with vCloud servers traverses the SSL VPN connection.
  - You cannot split a network between sites.
- vApp Limitations:
  - An extended network supports 128 virtual machines per vApp.
  - An extended network supports power operations for one vApp.
4 Network Connectivity for Virtual Machines

When deploying a virtual machine from vCloud Air, the virtual machine is created without a network. A virtual machine without a network is isolated from communicating with other virtual machines and servers both in and outside of the service. When you create a virtual machine, you have the choice of assigning the virtual machine to a gateway network or to an internal network. An internal network does not have Internet connectivity.
Connect a Virtual Machine to a Network

You can connect virtual machines to internal networks or gateway networks in your virtual data center. To get connectivity to the Internet and to use networking services such as NAT, firewall, or load balancing, connect virtual machines to a gateway network. When you connect a virtual machine to a network, it is assigned an IP address from the network's predefined private IP address pool.
7 When selecting more than one network for the virtual machine, specify the virtual machine's primary network by clicking the Primary NIC option for that network. By default, the primary network is set to the first network you selected for the virtual machine.
8 Click Save.

Connect a Virtual Machine to the Internet

You can connect virtual machines to gateway networks in your virtual data center so that the virtual machines have access to the Internet.
5 Direct Connect for vCloud Air

For vCloud Air, you can order a direct network connection between your premises or colocation center and a vCloud Air region. Using a direct network connection ensures a degree of dedicated bandwidth to a Dedicated Cloud and a Virtual Private Cloud. In vCloud Air, route traffic from your virtual machines through your direct network connection.

NOTE Read this section when you have ordered Direct Connect from VMware for your vCloud Air instance.
When transferring corporate data and customer information, using Direct Connect provides increased security; for example, you require that vCloud Air appear as an extension of your MPLS network or as a secure access location on your corporate network.
Direct Connect Service Overview

VMware delivers Direct Connect jointly with our vCloud Air network partners. The partner network service providers (NSPs)
Customers work with NSPs to set up end-to-end private connections from their locations to vCloud Air. (To set up a connection from a customer cage in the same data center as vCloud Air, customers work with the data center owner to connect to a patch panel in the Meet Me Room.
The connection from your customer equipment to the vCloud Air switch is configured as an untagged layer 2 connection (VLAN). Within your vCloud Air cloud, networking is implemented using software-defined networking (VXLAN-based networks).

Standard Connection versus Direct Connect

The following table summarizes the differences between the standard connection to vCloud Air and a Direct Connect connection.

Table 5-1.
You can set up your direct network connection to use an end-to-end virtual circuit from your premises. The type of connection and bandwidth you provision from your site (such as a colocation facility, headquarters, or branch office) to the data center in which vCloud Air is located depends on the capabilities and service catalog of the network service provider you choose to provide the connectivity.
For the list of all Network Exchange Network Service Providers for Direct Connect and the vCloud Air locations where it is available, see Dedicated Connectivity – Direct Connect.
- Connecting to multiple vCloud Air offerings: Using one shared Direct Connect connection to connect from on-premises to multiple vCloud Air offerings (namely, Dedicated Cloud, Virtual Private Cloud, Desktop as a Service (DaaS), and Disaster Recovery as a Service (DRaaS)) is not supported. To connect multiple vCloud Air offerings, order a cross connection for each of your vCloud Air environments and configure static routing between them.
- "Direct Connect for Network Exchange," on page 45

High-level Workflow for a Private WAN Connection

The hand-offs between you, your network service provider (or telecommunications carrier), and VMware use the following high-level workflow and timeline. The following diagram shows the workflow for provisioning a logical private WAN connection.
For details about setting up your connection to the vCloud Air data center, see "Work with Your Provider to Set up Connection," on page 49.

NOTE If you require an intra data center cross connection, work with the data center owner to set up the connection from your equipment in your customer cage to vCloud Air.

2 Log into your My VMware account and order Direct Connect to the vCloud Air data center where you want to connect.
The data centers in which Direct Connect is available provide a Meet Me Room. The Meet Me Room within the data center provides an area where network service providers and telecommunications companies can physically connect to one another and to customers, and exchange data without incurring local loop fees.
3 From the Available Add-ons tab, select the Direct Connect SKU for the connection you require.
- IP Pool: Reserve the pool of IP addresses from the Direct Connect subnet. This is the IP address range to use in vCloud Air.

NOTE If you have a Dedicated Cloud service and more than one gateway configured for the virtual data center containing the Direct Connect network, determine which gateway to use to terminate the Direct Connect connection. You cannot use one Direct Connect connection to terminate at multiple virtual data centers or gateways.
Prerequisites
- Your network service provider has physically provisioned your direct network connection to the vCloud Air data center and VMware has completed the setup.
- You have Network Administrator privilege in vCloud Air.

Procedure
1 In the Gateway tab, click the gateway name that you provided to your vCloud Air Customer Success Team to configure as the gateway for termination.
2 Click the NAT Rules tab.