VMware Networking Community
tantis14
Contributor

HCX L2 extension to cloud with hair pinning at on-prem

  1. Is it possible to extend a VLAN for HCX if the customer has hair pinning due to security reasons? If not, what options do we have?
5 Replies
ChrisFD2
VMware Employee

Can you explain a little more please, or if possible post a diagram? 

Regards,
Chris
VCIX-DCV 2023 | VCIX-NV 2023 | vExpert *** | CCNA R&S
mmoubarak
Contributor

Hair-pinning to a security device? Kindly share more info.

t0mzukowski
VMware Employee

Yes, that is the default behavior in HCX. The default gateway for all VMs connected to the extended network remains on-prem.

battybishop
Hot Shot

As @t0mzukowski says, this is the default behaviour for HCX, and this is clear in the documentation.

Please can you explain if your scenario is different or clarify what your concerns are?

Sasidhar1234
Enthusiast

Hair Pinning:

Hair pinning is the default behavior due to the L2 extension from on-prem to VMC. Consider the example where the VMC-migrated VMs in the Web and App tiers want to communicate with each other: the traffic traverses all the way to the on-prem router gateway and comes back to the cloud gateway, creating hair pinning.

This can be eliminated by enabling the MON feature in HCX. Routing advertisements are limited to NSX-T Tier-1 routing boundaries.
