vCloud Air - Virtual Private Cloud OnDemand Networking Guide vCloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com Copyright © 2015 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents
About this Networking Guide 5
1 Overview of Gateways and Networks 7
  Network Virtualization in Virtual Private Cloud OnDemand 7
  Default Setup for Gateways and Networks 8
  Allocation of IP Addresses 11
  About Networking Services for Gateways 12
  Network Address Translation (NAT) 13
  DHCP 14
  Load Balancer 15
  DNS 16
  Static Routing 17
2 About Managing Gateways and Networks 19
  View Networks in a Virtual Data Center 19
  Add a Network to a Virtual Data Center 20
  View and Edit Gateway Details 21
  Add a Netw
About this Networking Guide

The vCloud Air – Virtual Private Cloud OnDemand Networking Guide provides information about configuring networking and gateways for VMware vCloud Air® – Virtual Private Cloud OnDemand, including how to add networks to gateways, set up network security by using the gateway’s networking services, and configure networking for virtual machines. Additionally, this guide describes how to set up secure access to Virtual Private Cloud OnDemand from remote sites.
1 Overview of Gateways and Networks

Virtual Private Cloud OnDemand networking replicates traditional network technologies and design. Virtual Private Cloud OnDemand uses the software-defined networking (SDN) technologies found in VMware products, including VMware vSphere, VXLAN, vCloud Networking and Security, and vCloud Director.
vSphere is the foundation on which Virtual Private Cloud OnDemand is built. On top of vSphere, Virtual eXtensible Local Area Network (VXLAN), part of VMware vCloud Networking and Security, provides the functions necessary to implement a flexible virtual network in the data center. VXLAN is a dynamic, encapsulated overlay: it lets you deploy networks in Virtual Private Cloud OnDemand without building complex VLAN architectures in the underlying data center.
Figure 1‑2. Networking Components in Virtual Private Cloud OnDemand (figure labels: External network (VMware controlled); Gateway; Gateway network (customer controlled); Internal network (customer controlled))

Gateways

When you create an account for the Virtual Private Cloud OnDemand service, VMware creates your first virtual data center (named VDC1 by default) for you, and adds a default gateway and routed network to that virtual data center.
Default Settings for Routed Networks

By default, Virtual Private Cloud OnDemand creates a routed network when you create a virtual data center. Virtual Private Cloud OnDemand configures this auto-generated routed network with the following properties:
- Connects to the gateway through the public IP address
- Has the default gateway IP address 192.168.12.1
- Has the subnet mask 255.255.252.0
- Has an IP address pool in the range 192.168.12.
Table 1‑1.
- Static IP Address: configure a static IP address for a virtual machine when you create it or change its network settings.
  - Provides a fixed IP address for a virtual machine.
  - Set a static IP address for a virtual machine in vCloud Director.
- DHCP: provides basic DHCP service for a gateway.
  - Part of the networking services for a gateway.
  - Disabled by default.
  - Change the configuration in vCloud Director.
Table 1‑2. Related Information in this Guide and Other Sources (Continued) (columns: Networking Service; See this related information...)
- Translated (Internal) IP/Range: 10.0.0.2

This NAT example shows the translation of IP addresses on the private network on the inside of the gateway. When the virtual machine at 10.0.0.2 sends a packet to the Web server at 209.165.200.225, the virtual machine’s real address (10.0.0.2) is translated to 209.165.200.1. When the Web server responds, it sends the response to IP address 209.165.200.1, and the gateway translates 209.165.200.
See Configure DHCP for an Edge Gateway in vCloud Director Administrator’s Guide for more information.

NOTE Before you enable DHCP for a routed network and add an IP address pool, you must determine a valid range for the IP addresses assigned by DHCP.
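The range check that the NOTE above asks for can be scripted. The following Python is an added example, not code from this guide or from VMware: it takes the default routed network settings listed earlier (gateway 192.168.12.1, subnet mask 255.255.252.0) and rejects a proposed DHCP pool that leaves the subnet, includes the gateway or the network or broadcast address, or overlaps the static IP pool, since a DHCP lease for an address that is also assigned statically produces an address conflict. The static pool boundaries used here (192.168.12.2 to 192.168.12.254) are an assumption, because the guide’s own pool range is cut off in this copy.

```python
import ipaddress

# Default routed network settings from this guide: gateway 192.168.12.1,
# subnet mask 255.255.252.0 (the netmask form is accepted by ipaddress).
NETWORK = ipaddress.ip_network("192.168.12.0/255.255.252.0")
GATEWAY = ipaddress.ip_address("192.168.12.1")
# ASSUMED static IP pool boundaries; the guide's own pool range is cut off in this copy.
STATIC_POOL = (ipaddress.ip_address("192.168.12.2"),
               ipaddress.ip_address("192.168.12.254"))


def _as_range(start, end):
    """Parse an inclusive start/end pair and reject a reversed range."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if int(s) > int(e):
        raise ValueError(f"range start {s} is above its end {e}")
    return s, e


def _overlaps(a, b):
    """True when two inclusive (start, end) address ranges share an address."""
    return int(a[0]) <= int(b[1]) and int(b[0]) <= int(a[1])


def validate_dhcp_pool(start, end, network=NETWORK, gateway=GATEWAY,
                       static_pool=STATIC_POOL):
    """Return the problems with a proposed DHCP pool; an empty list means valid.

    Checks: both ends lie inside the routed network and are neither the
    network nor the broadcast address, the gateway is not inside the pool,
    and the pool does not overlap the static IP pool.
    """
    s, e = _as_range(start, end)
    problems = []
    for addr in (s, e):
        if addr not in network:
            problems.append(f"{addr} is outside {network}")
        elif addr in (network.network_address, network.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address")
    if int(s) <= int(gateway) <= int(e):
        problems.append(f"gateway {gateway} lies inside the pool")
    if _overlaps((s, e), static_pool):
        problems.append(
            f"pool overlaps static IP pool {static_pool[0]}-{static_pool[1]}")
    return problems


def free_dhcp_range(network=NETWORK, gateway=GATEWAY, static_pool=STATIC_POOL):
    """Largest block of host addresses above the static pool, as (start, end) strings.

    Returns None when the static pool already reaches the last usable address.
    """
    first_usable = int(network.network_address) + 1
    last_usable = int(network.broadcast_address) - 1
    start = max(int(static_pool[1]) + 1, first_usable)
    if start == int(gateway):
        start += 1
    if start > last_usable:
        return None
    return str(ipaddress.ip_address(start)), str(ipaddress.ip_address(last_usable))


if __name__ == "__main__":
    print("suggested DHCP pool:", free_dhcp_range())
    for proposal in (("192.168.13.1", "192.168.15.254"),
                     ("192.168.12.1", "192.168.12.100"),
                     ("192.168.15.200", "192.168.16.10")):
        print(proposal, validate_dhcp_pool(*proposal) or "ok")
```

Run it before enabling DHCP in vCloud Director and paste only a proposal that comes back empty; with the assumed static pool, the suggested free block is 192.168.12.255 through 192.168.15.254, a legitimate host range in a /22 even though the first address ends in .255.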
To view the public IP address allocation for the gateway by using vCloud Director, see View IP Use for an Edge Gateway in vCloud Director Administrator’s Guide. Additionally, view the Sub-allocated IP Range configured for the gateway. (A gateway uses the Sub-allocated IP Range for NAT configuration.
See Modify an Organization Virtual Datacenter Network DNS Settings in vCloud Director Administrator’s Guide for information.

NOTE If the DNS settings on a DHCP-enabled gateway are changed, the gateway no longer provides DHCP services. To correct this issue, disable and re-enable DHCP on the gateway.
For the steps to configure static routing by using vCloud Director, see the following topics in vCloud Director Administrator’s Guide:
- Enable Static Routing on an Edge Gateway
- Add Static Routes Between vApp Networks Routed to the Same Organization Virtual Datacenter Network
2 About Managing Gateways and Networks

The Virtual Private Cloud OnDemand Web UI is the primary portal for managing gateways and networks. Additionally, you can use vCloud Director to manage your gateways and networks at a more detailed level. The Virtual Private Cloud OnDemand Web UI provides single sign-on access to vCloud Director.
What to do next
See “Default Setup for Gateways and Networks,” on page 8 in this guide for information about the settings for routed and isolated networks.

Add a Network to a Virtual Data Center

You can add more isolated or routed networks to virtual data centers. Routed networks can be added only to virtual data centers that have a gateway. This topic provides the steps to add a network to a virtual data center by using vCloud Air.
6 Click Add Network.

View and Edit Gateway Details

You can view a list of the gateways in your Virtual Private Cloud OnDemand service. You can configure details to make workloads available on the Internet.
Prerequisites
Verify that you have network administrator privileges.
Verify that you are familiar with gateway configuration. See Managing Edge Gateways in the vCloud Director Administrator’s Guide.
Add a Network to a Gateway

You can view a list of the networks added to a gateway. For each network, you can view the default gateway IP address, the IP range, the number of virtual machines attached to it, and the number of public IP addresses allocated to the gateway.
Prerequisites
Verify that you have network administrator privileges.
Procedure
1 If necessary, click the expand icon to display the Virtual Data Centers pane.
3 Click the Networks tab.
4 For the network you want to delete, click the drop-down arrow and select Delete Network. A dialog appears reminding you to disconnect all the virtual machines from the network before deleting it.
5 Click Yes. The network is deleted and a confirmation message appears at the top of the Virtual Private Cloud OnDemand page.
7 Depending on which type of NAT rule you want to create, click one of the following options:
- SNAT: A source NAT rule changes the source IP address and, optionally, the port of outgoing packets. When you create an SNAT rule in Virtual Private Cloud OnDemand, by default the port and protocol are set to “any.” To change the default port and protocol settings for an SNAT rule, edit the settings in vCloud Director.
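To make the SNAT behaviour in this step and the NAT example in Chapter 1 concrete, here is an added Python model of a gateway’s NAT path (example code, not the vCloud Air implementation or its API). It applies SNAT rules whose protocol and port default to “any”, as this step describes, records each translated flow so that the Web server’s reply to 209.165.200.1 is mapped back to 10.0.0.2, and applies DNAT rules to unsolicited inbound traffic, dropping anything that matches neither. The rule field names, the DNAT rule forwarding TCP 443 to 8443, and the remote address 198.51.100.7 are this example’s own assumptions; source ports are preserved rather than reallocated, which is a simplification of real NAT.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class SnatRule:
    """Internal source (IP, CIDR or "a-b" range) rewritten to a public IP.
    Protocol and port default to "any", as the step above describes."""
    original: str
    translated: str
    proto: str = "any"
    port: str = "any"


@dataclass(frozen=True)
class DnatRule:
    """Traffic arriving at a public IP (and optional port) forwarded to an internal IP.
    Field names are this example's own, not the vCloud Director dialog."""
    original_ip: str
    translated_ip: str
    proto: str = "any"
    original_port: str = "any"
    translated_port: str = "any"   # "any" keeps the original destination port


def _in_range(ip, spec):
    """Match an IP against "a.b.c.d", "a.b.c.0/24" or "a.b.c.d-a.b.c.e"."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-"))
        return int(lo) <= int(ipaddress.ip_address(ip)) <= int(hi)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _match(value, spec):
    return spec == "any" or str(value) == str(spec)


class EdgeNat:
    def __init__(self, snat_rules=(), dnat_rules=()):
        self.snat = list(snat_rules)
        self.dnat = list(dnat_rules)
        # (proto, public_ip, public_port, remote_ip, remote_port) -> (internal_ip, internal_port)
        self._conntrack = {}

    def outbound(self, pkt):
        """Internal -> Internet: the first matching SNAT rule rewrites the source and
        the flow is recorded so the reply can be mapped back. Source ports are kept
        as-is (no port reallocation), a simplification of real NAT."""
        for rule in self.snat:
            if (_in_range(pkt.src, rule.original) and _match(pkt.proto, rule.proto)
                    and _match(pkt.sport, rule.port)):
                key = (pkt.proto, rule.translated, pkt.sport, pkt.dst, pkt.dport)
                self._conntrack[key] = (pkt.src, pkt.sport)
                return replace(pkt, src=rule.translated)
        return pkt   # no rule matched: the packet leaves with its private source address

    def inbound(self, pkt):
        """Internet -> public IP: a reply to a tracked flow is un-SNATed; anything
        else must match a DNAT rule or it is dropped (None)."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self._conntrack:
            internal_ip, internal_port = self._conntrack[key]
            return replace(pkt, dst=internal_ip, dport=internal_port)
        for rule in self.dnat:
            if (pkt.dst == rule.original_ip and _match(pkt.proto, rule.proto)
                    and _match(pkt.dport, rule.original_port)):
                new_port = pkt.dport if rule.translated_port == "any" else int(rule.translated_port)
                return replace(pkt, dst=rule.translated_ip, dport=new_port)
        return None


def build_gateway():
    """Gateway with the guide's SNAT example (10.0.0.2 -> 209.165.200.1) plus an
    ASSUMED DNAT rule publishing TCP 443 to the same virtual machine on 8443."""
    return EdgeNat(
        snat_rules=[SnatRule(original="10.0.0.2", translated="209.165.200.1")],
        dnat_rules=[DnatRule(original_ip="209.165.200.1", translated_ip="10.0.0.2",
                             proto="tcp", original_port="443", translated_port="8443")],
    )


if __name__ == "__main__":
    gw = build_gateway()
    out = gw.outbound(Packet("tcp", "10.0.0.2", 51000, "209.165.200.225", 80))
    print("leaves the gateway as", out.src)
    back = gw.inbound(Packet("tcp", "209.165.200.225", 80, "209.165.200.1", 51000))
    print("reply delivered to", back.dst, back.dport)
    print("unsolicited ssh:", gw.inbound(Packet("tcp", "198.51.100.7", 40000, "209.165.200.1", 22)))
```

The point to take from the model is that an SNAT rule by itself exposes nothing inbound: only replies to flows the gateway has seen are forwarded, and every other packet to the public IP needs an explicit DNAT rule (and, on the real gateway, a matching firewall rule).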
Allocate Public IP Addresses

Allocate public IP addresses to a gateway only when you create virtual machines that need to be accessible through the Internet; for example, when you want to assign a public IP address to a Web server. When you allocate public IP addresses, they are reserved for that gateway. Virtual Private Cloud OnDemand offers a resource pool-based pay-as-you-go service, which includes charges for public IP addresses allocated to your gateways.
3 Network Security and Secure Access

Virtual Private Cloud OnDemand provides features and functions to ensure network security and secure access to your resources in the cloud.
The following products and solutions are supported with Virtual Private Cloud OnDemand and work together to provide network security for Virtual Private Cloud OnDemand.
Figure 3‑1.
About Firewall Rules

You configure all network security policies on the gateway by creating firewall rules. Virtual Private Cloud OnDemand does not require configuring security groups as other cloud providers do. You configure firewall rules to manage the traffic flowing in and out of your Virtual Private Cloud OnDemand cloud. Additionally, you can configure firewall rules to secure network traffic between interfaces on a gateway.
6 Complete the following settings to configure the rule:
- Name: Enter a name for the rule.
- Settings: (Optional) Select Enable this to enable the rule for the gateway.
NOTE Selecting the Log network traffic for this exception option is unnecessary because you cannot access firewall logging data in Virtual Private Cloud OnDemand at this time.
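As an added example (not the gateway’s code or an API), the following Python models how an ordered firewall rule list like the one configured here is evaluated: source and destination as an IP or CIDR, a protocol, a destination port or port range, an allow or deny action, the Enable setting skipping disabled rules, and a default deny when nothing matches. First-match ordering is this model’s assumption; the guide does not state the gateway’s evaluation order. The model also flags rules that an earlier, broader rule shadows, which is the usual way a deny rule silently stops applying. The rule names and the office range 203.0.113.0/24 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # "any", a single IP, or a CIDR block
    destination: str     # "any", a single IP, or a CIDR block
    protocol: str        # "any", "tcp", "udp" or "icmp"
    port: str            # destination port: "any", "443" or a range "1024-65535"
    action: str          # "allow" or "deny"
    enabled: bool = True  # the "Enable this" setting in the rule dialog


def _addr_matches(ip, spec):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_bounds(spec):
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def _port_matches(port, spec):
    if spec == "any":
        return True
    lo, hi = _port_bounds(spec)
    return lo <= port <= hi


def evaluate(rules, src, dst, proto, dport, default_action="deny"):
    """Walk the ordered rule list; the first enabled rule that matches decides
    (first-match is this model's assumption). Returns (action, rule name) and
    falls back to the default action when nothing matches."""
    for rule in rules:
        if not rule.enabled or rule.protocol not in ("any", proto):
            continue
        if not (_addr_matches(src, rule.source) and _addr_matches(dst, rule.destination)):
            continue
        if not _port_matches(dport, rule.port):
            continue
        return rule.action, rule.name
    return default_action, "default"


def _addr_covers(outer, inner):
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def _port_covers(outer, inner):
    if outer == "any":
        return True
    if inner == "any":
        return False
    olo, ohi = _port_bounds(outer)
    ilo, ihi = _port_bounds(inner)
    return olo <= ilo and ihi <= ohi


def shadowed_rules(rules):
    """Names of enabled rules that can never match because an earlier enabled rule
    already covers every packet they would match. Only whole-coverage shadowing
    is reported; partial overlaps are left alone."""
    shadowed = []
    for i, later in enumerate(rules):
        if not later.enabled:
            continue
        for earlier in rules[:i]:
            if (earlier.enabled
                    and earlier.protocol in ("any", later.protocol)
                    and _addr_covers(earlier.source, later.source)
                    and _addr_covers(earlier.destination, later.destination)
                    and _port_covers(earlier.port, later.port)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed rule set for the default routed network 192.168.12.0/22: HTTPS to one
# Web server from anywhere, SSH only from an assumed office range, an explicit SSH
# deny for everyone else, and all outbound traffic allowed.
RULES = [
    Rule("allow-https-in", "any", "192.168.12.10", "tcp", "443", "allow"),
    Rule("allow-ssh-from-office", "203.0.113.0/24", "192.168.12.0/22", "tcp", "22", "allow"),
    Rule("deny-ssh-from-anywhere", "any", "192.168.12.0/22", "tcp", "22", "deny"),
    Rule("allow-all-out", "192.168.12.0/22", "any", "any", "any", "allow"),
]

# Same intent, wrong order: the broad allow comes first and the deny can never fire.
MISORDERED = [
    Rule("allow-any-in", "any", "192.168.12.0/22", "any", "any", "allow"),
    Rule("deny-ssh-from-anywhere", "any", "192.168.12.0/22", "tcp", "22", "deny"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "198.51.100.5", "192.168.12.10", "tcp", 22))
    print(evaluate(MISORDERED, "198.51.100.5", "192.168.12.10", "tcp", 22))
    print("shadowed:", shadowed_rules(MISORDERED))
```

Because the NOTE above says firewall logging is not available in the service, a rule that never fires leaves no trace; running a shadowing check like this one over the rule list before saving it is the practical substitute for reading the logs.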
Create an IPsec VPN connection by using Virtual Private Cloud OnDemand and vCloud Director. Create an SSL VPN (Data Center Extension) connection by using vCloud Connector.
Related Information
- See Create a VPN Tunnel to a Remote Network in vCloud Director Administrator’s Guide for information.
- See the VMware Blog article How To Use VPN to Connect Multiple vCloud Air Clouds for more information.
Using vCloud Director, you configure an IPsec VPN connection for Virtual Private Cloud OnDemand as part of configuring gateway services. When you configure an IPsec VPN connection between sites, you configure the connection from the point of view of your current location.
Set up an IPsec VPN Connection to a Remote Site

This procedure provides the steps to create an IPsec VPN connection between Virtual Private Cloud OnDemand and a remote site. In this procedure, you configure the Virtual Private Cloud OnDemand side of the connection, using vCloud Director, as part of configuring gateway services.
- Local Endpoint: From the drop-down list, select the network that is the local endpoint for the connection. The local endpoint specifies the network in Virtual Private Cloud OnDemand on which the gateway transmits. Typically, the external network is the local endpoint.
- Local ID: Enter the local ID, which is the public IP address of the gateway.
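Because each side of an IPsec connection is configured from its own point of view, the Local Endpoint and Local ID entered in vCloud Director become the peer settings on the remote device, and the remote device’s local values become the peer settings here. The Python below is an added example, not vCloud Director code: it derives the remote site’s settings from the vCloud side and checks a pair of configurations for the mismatches that keep a tunnel from coming up (a peer ID that is not the other side’s local ID, different pre-shared keys or ciphers, swapped or overlapping networks). The field names, the gateway address 209.165.200.1 reused from the NAT example, the remote address 198.51.100.1, the subnet 10.20.0.0/16 and the shared secret are all constructed for this example.

```python
import ipaddress

# Constructed vCloud-side settings. Field names follow the vCloud Director dialog
# (local endpoint / local ID / peer settings) but are this example's own, not an API.
# Local ID is the gateway's public IP, as the guide states; the addresses, the
# remote site's subnet and the shared secret are assumed values.
VCLOUD_SIDE = {
    "local_id": "209.165.200.1",
    "local_endpoint_ip": "209.165.200.1",
    "local_networks": ["192.168.12.0/22"],
    "peer_id": "198.51.100.1",
    "peer_ip": "198.51.100.1",
    "peer_networks": ["10.20.0.0/16"],
    "shared_secret": "example-psk-4c2f9e1b7a63d805",
    "encryption": "AES256",
}


def mirror_site(side):
    """The settings the remote device must use: local and peer values swap places,
    while the shared secret and cipher are identical on both ends."""
    return {
        "local_id": side["peer_id"],
        "local_endpoint_ip": side["peer_ip"],
        "local_networks": list(side["peer_networks"]),
        "peer_id": side["local_id"],
        "peer_ip": side["local_endpoint_ip"],
        "peer_networks": list(side["local_networks"]),
        "shared_secret": side["shared_secret"],
        "encryption": side["encryption"],
    }


def check_pair(a, b):
    """Return the inconsistencies between the two ends of a tunnel; an empty list
    means the configurations are mirror images and the networks are routable."""
    problems = []
    if a["peer_ip"] != b["local_endpoint_ip"]:
        problems.append(f"peer IP {a['peer_ip']} is not the other side's endpoint {b['local_endpoint_ip']}")
    if a["peer_id"] != b["local_id"]:
        problems.append(f"peer ID {a['peer_id']} does not match the other side's local ID {b['local_id']}")
    if a["shared_secret"] != b["shared_secret"]:
        problems.append("pre-shared keys differ")
    if a["encryption"] != b["encryption"]:
        problems.append(f"cipher mismatch: {a['encryption']} vs {b['encryption']}")
    if set(a["peer_networks"]) != set(b["local_networks"]):
        problems.append("peer networks do not equal the other side's local networks")
    if set(a["local_networks"]) != set(b["peer_networks"]):
        problems.append("local networks do not equal the other side's peer networks")
    # A local subnet that overlaps a peer subnet cannot be routed into the tunnel.
    for local in a["local_networks"]:
        for remote in a["peer_networks"]:
            if ipaddress.ip_network(local).overlaps(ipaddress.ip_network(remote)):
                problems.append(f"local network {local} overlaps peer network {remote}")
    return problems


if __name__ == "__main__":
    remote = mirror_site(VCLOUD_SIDE)
    print("remote site enters:", remote)
    print("mirrored pair:", check_pair(VCLOUD_SIDE, remote) or "consistent")
    print("same settings pasted on both ends:", check_pair(VCLOUD_SIDE, VCLOUD_SIDE))
```

The second print shows the most common mistake: copying the vCloud-side values verbatim onto the remote device yields four mismatches, because nothing was swapped.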
See the following use cases for using Data Center Extension with Virtual Private Cloud OnDemand:
- When you have licenses tied to MAC addresses
- Your virtual machine applications have dependencies on IP addresses or MAC addresses
- You lack DNS control, which prevents DNS updates
- To avoid invalidating existing security rules or the need to re-configure access control lists
Data Center Extension has the following requirements.
4 Network Connectivity for Virtual Machines

When you deploy a virtual machine from Virtual Private Cloud OnDemand, the virtual machine is created without a network. A virtual machine without a network cannot communicate with other virtual machines and servers, either inside or outside the service. When you create a virtual machine, you can assign it to a routed network or to an isolated network. An isolated network does not have Internet connectivity.
Connect a Virtual Machine to a Network

You can connect virtual machines to isolated networks or routed networks in your virtual data center. To get connectivity to the Internet and to use networking services such as NAT, firewall, or load balancing, connect virtual machines to a routed network. When you connect a virtual machine to a network, it is assigned an IP address from the network’s predefined private IP address range.
6 Set the new network assignments:
- Select a new network for the virtual machine.
- Deselect a network to disconnect the virtual machine from it.
7 When selecting more than one network for the virtual machine, specify the virtual machine’s primary network by clicking the Primary NIC option for that network. By default, the primary network is set to the first network you selected for the virtual machine.
8 Click Save.
Index

A
add networks 20
allocation, public IP addresses 25
antivirus appliances 17

G
gateways
  adding networks 22
  allocating public IP addresses 25
  compact configuration 8
  default IP address 8
  default setup 8
  DNS servers 16
  high availability 8
  interfaces 8
  IP addresses 15
  links to advanced management 21
  load balancer 15
  local ID 31
  networking services 12
  viewing 21
  VPN connections 31
glossary 5

B
bandwidth 8

C
CIDR, firewall rules 29

D
Data Center Extension 34
default firewall setup 29
isolated networ

virtual machines 37
virtual machines using 38

I
IP range, See IP Ranges
IP Ranges 11
IPsec
  encryption 33
  overview 31
  setup 33
  setup overview 31
IPsec VPN, overview 30
isolated networks
  DHCP 14
  security 27

L
layer 2 networking 34
load balancer 15
local endpoints 31
local ID 31

P
peer networks 31
peer IP addresses 31
pool servers 15
ports
  firewall rules 29
  NAT 23
  UDP 33
primary NIC 39
public IP addresses
  allocating 11
  limits 25
public IP addresses, a

DHCP 37
editing networks 38

V
virtual servers 15
virtual data centers
  deleting networks 22
  viewing networks 19
Virtual Private Cloud OnDemand service, security 27
virtualization 7
VMware Tools 37
VPN
  enabling 33
  overview 30
  setup 33
vSphere 7

X
VXLAN 7, 8