VMware Cloud Community
gaadmin
Contributor

Direct attached Org networks with firewall?

Hi All,

We're running vSphere 5, vShield 5 and vCloud Director 1.5.

I was wondering if it's possible to have an Org network direct attached to an external network, with a 2 way firewall included. I know there's the firewall option with NATed org networks, but I don't see it with direct connect ones...

TIA

Alex

6 Replies
espenfjo
Contributor

Hi,

I am also looking for solutions to this.

We don't want to do 1-to-1 NAT or port mapping, but use public IPs on the VMs directly, while still keeping the firewall capabilities of the edge.

--

Best regards

Espen

_morpheus_
Expert

This isn't supported in VCD. There is no edge when an org network is directly connected to external network.

espenfjo
Contributor

Hi,

Thanks for your reply _morpheus_.

I can't, however, see any reason why the edge couldn't work as a bridge, applying firewall rules to the bridge interface.

Traffic would thus just pass through the edge while still being inspected.

--

Espen

admin
Immortal

You could do this with a third-party appliance that is also a firewall. However, any firewall would still need separate interfaces to route the traffic. Although they may not be NAT'd, you still need a virtual router that is also a firewall device. Look into Vyatta or some of the other firewall appliances out there, but I do not think Edge is the right fit since it is a NAT firewall. Although you do not want to NAT, you still need separate subnets to route between to force the traffic to pass inspection. I think you can do it, just not with Edge; you will need to deploy another appliance as part of your vApp.

_morpheus_
Expert

If you're looking for an org net that's doing firewall without NAT, you can make a routed organization network without any NAT rules. The vShield Edge will route traffic that doesn't match a NAT rule. Will that meet your requirement?

gaadmin
Contributor

We have worked around this issue by wrapping a vShield Edge appliance around the external network within vSphere, rather than in VCD. The only caveat is that we need a separate dvSwitch port group for each VCD external network.

There's a bit of management involved in setting it up, but it allows us to have directly connected, firewalled environments in vCloud.
