Hi All,
We're running vSphere 5, vShield 5 and vCloud Director 1.5.
I was wondering if it's possible to have an Org network directly attached to an external network, with a two-way firewall included. I know there's the firewall option with NATed org networks, but I don't see it with direct-connected ones...
TIA
Alex
Hi,
I am also looking for solutions to this.
We don't want to do 1-to-1 NAT or port mapping, but use public IPs on the VMs directly, while still keeping the firewall capabilities of the edge.
--
Best regards
Espen
This isn't supported in VCD. There is no edge when an org network is directly connected to external network.
Hi,
Thanks for your reply _morphues_.
I can't, however, see any reason the edge couldn't work as a bridge and apply firewall rules to the bridge interface.
Traffic would then just pass through the edge, but still be inspected.
--
Espen
You could do this with a third-party appliance that is also a firewall. However, any firewall would still need separate interfaces to route the traffic. Although they may not be NAT'd, you still need a virtual router that is also a firewall device. Look into Vyatta or some of the other firewall appliances out there, but I do not think Edge is the right fit since it is a NAT firewall. Although you do not want to NAT, you still need separate subnets to route between in order to force the traffic to pass inspection. I think you can do it, just not with Edge; you will need to deploy another appliance as part of your vApp.
If you're looking for an org net that's doing firewall without NAT, you can make a routed organization network without any NAT rules. The vShield Edge will route traffic that doesn't match a NAT rule. Will that meet your requirement?
We have worked around this issue by wrapping a vShield Edge appliance around the external network within vSphere, rather than in VCD. The only caveat is that we need a separate dvSwitch port group for each VCD external network.
There's a bit of management involved in setting it up, but it allows us to have direct connected, firewalled environments in vCloud.