VMware Cloud Community
marknigh
Contributor

Edge Device Between Organization Network and External Network

Am I required to use vShield as my edge device? The reason I ask is that I would like my edge device to support a routing protocol so that we do not have to NAT between the organization networks and the external network.

If I am not required to use vShield, can anyone suggest a good alternative that supports a firewall, routes and a routing protocol (preferably BGP)?

10 Replies
_morpheus_
Expert

If you want VCD to do the work for you, then you need to use the vShield Edge. The alternative is to use VCD to create isolated networks and then create your own router and go into VC and manually connect it to the portgroups.

And now the disclaimers:

  • This approach is not tested or supported in any way and may void your warranty.

  • VCD will throw alerts in the UI about portgroups being modified.

  • If you stop/start your vApp, then VCD will eliminate the manual changes that you made and put it back the way it was.

manythanks
Contributor

I see your 'pain', marknigh. It is very clear though: VSE is at the heart of VCD, you must use it for any ORG external network where you want FW, NAT or even just a DHCP service, and then you must NAT all your servers 'hosted' on the cloud. Of course, technically other options might apply, like using a regular port-group connected to any of your favorite FWs, but it is not supported by VMware.

I saw someone who did not like VSE for various reasons (stateful failover, routing, features etc.) but is in fact using VSE because he uses VCD, and then uses an external FW as well, in-line after the VSEs, so he has multiple VSEs per ORG sitting on each of his external FW's 'internal' legs. But then this external FW could not 'see' the private IPs used by servers on the 'internal' legs of the VSE devices, so his external FW policies were only available for the external NATed network provided by VSE, with many NAT rules implemented per VSE device. I told him to just use a port-group (internal, external, whatever) and connect it directly to the external FW, but again this is not supported by VCD.

mreferre
Champion

Mark,

you can bypass vShield Edge if you want to.

Just do the magic at the infrastructure level with your security devices of choice and import all Portgroups into vCD as External Networks. Alternatively you can use a virtual instance of those devices (say F5, Vyatta, etc) and do the magic within the vApp you are deploying.

There are a few (supported) ways available to bypass the usage of Edge, as you can see. What you are losing is the end-to-end integrated self-service capabilities that vCD provides out of the box (UI or API).

Massimo.



Massimo Re Ferre'

VMware vCloud Architect

twitter.com/mreferre

www.it20.info

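The two designs above differ in one attribute of each org network: a network that goes through a vShield Edge is NAT-routed, while a network bridged onto an imported portgroup (Massimo's first option) is direct and carries no NAT. The following audit script is an added example, not code from this thread or from VMware. It classifies org networks by that attribute so you can confirm which ones actually bypass the Edge. The XML is a constructed sample written in the shape of vCloud API 1.5 OrgVdcNetwork responses; the namespace, the FenceMode values (bridged, natRouted, isolated) and the ParentNetwork/EdgeGateway element names are assumptions from that schema, and the host vcd.example and every href are made up.

```python
"""Audit which vCloud Director org networks are NAT-routed through a vShield
Edge and which are bridged directly onto an imported External Network.

Added example (not the thread's or VMware's code). The XML below is a
constructed sample in the shape of vCloud API 1.5 OrgVdcNetwork responses;
namespace, FenceMode values and element names are assumptions from that
schema, and hostnames/hrefs are invented.
"""
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"  # assumed API namespace

# Constructed sample: one direct (bridged) network on an imported portgroup,
# one NAT-routed network behind an Edge, and one isolated network.
SAMPLE_NETWORKS_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<OrgVdcNetworks xmlns="{VCLOUD_NS}">
  <OrgVdcNetwork name="mpls-customer-A" href="https://vcd.example/api/admin/network/1">
    <Configuration>
      <ParentNetwork href="https://vcd.example/api/admin/network/ext-1" name="ext-mpls-pg"/>
      <FenceMode>bridged</FenceMode>
    </Configuration>
  </OrgVdcNetwork>
  <OrgVdcNetwork name="web-tier" href="https://vcd.example/api/admin/network/2">
    <Configuration>
      <FenceMode>natRouted</FenceMode>
    </Configuration>
    <EdgeGateway href="https://vcd.example/api/admin/edgeGateway/7" name="edge-orgA"/>
  </OrgVdcNetwork>
  <OrgVdcNetwork name="isolated-db" href="https://vcd.example/api/admin/network/3">
    <Configuration>
      <FenceMode>isolated</FenceMode>
    </Configuration>
  </OrgVdcNetwork>
</OrgVdcNetworks>
"""


def classify_org_networks(xml_text):
    """Map each org network name to its fence mode and what it hangs off.

    'via' is the External Network name for bridged networks, the Edge
    gateway name for NAT-routed ones, and None for isolated networks.
    """
    ns = {"v": VCLOUD_NS}
    root = ET.fromstring(xml_text)
    result = {}
    for net in root.findall("v:OrgVdcNetwork", ns):
        name = net.get("name")
        fence = net.findtext("v:Configuration/v:FenceMode", default="", namespaces=ns)
        parent = net.find("v:Configuration/v:ParentNetwork", ns)
        edge = net.find("v:EdgeGateway", ns)
        if fence == "bridged" and parent is not None:
            via = parent.get("name")      # direct: traffic hits the imported portgroup
        elif fence == "natRouted" and edge is not None:
            via = edge.get("name")        # every flow is NATed by this Edge
        else:
            via = None
        result[name] = {"mode": fence, "via": via}
    return result


def networks_behind_edge(classified):
    """Networks whose traffic is NATed by a vShield Edge (sorted by name)."""
    return sorted(n for n, i in classified.items() if i["mode"] == "natRouted")


def direct_networks(classified):
    """Networks bridged straight onto an External Network, no NAT in the path."""
    return sorted(n for n, i in classified.items() if i["mode"] == "bridged")


if __name__ == "__main__":
    nets = classify_org_networks(SAMPLE_NETWORKS_XML)
    for name, info in sorted(nets.items()):
        print(f"{name:18} {info['mode']:10} via={info['via']}")
    print("behind Edge:", networks_behind_edge(nets))
    print("direct     :", direct_networks(nets))
```

Run it against the XML returned by the admin network listing of your vCD instance (after authenticating, which the example deliberately leaves out) and treat any customer network that shows up in networks_behind_edge as one that will be NATed regardless of what the upstream router does.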
manythanks
Contributor

Agree, it can be done easily with any network type on VCD rather than the 'external-routed/NAT' one.

mreferre
Champion

"Agree, it can be done easily with any network type on VCD rather than the 'external-routed/NAT' one."

You could have said that in the first place without ranting (again) against Edge.

manythanks
Contributor

but this guy wanted to use it, just get his requirements along with it ....

marknigh
Contributor

Thanks all. I do wish that vShield supported a routed-only and not just a NAT-routed interface.

I have some customers who would like to connect to our Data Center via a private MPLS circuit and not over the Internet, so I don't think they will want to NAT to their applications. For these customers, we are going to set up all the networks as direct networks and put a router/firewall in between them.

Thanks again for your help.

mreferre
Champion

Thanks Mark.

Your concern is understood and there are some discussions about similar scenarios for future versions of the product.

Massimo.

RiteshA
Contributor

Massimo,

Any plans to allow 3rd party (Fortinet, Checkpoint etc) virtual firewalls to be part of VCD as a VSE replacement?

It's not about VSE but some of the customer may want to use and manage their HW counterparts. It just makes sense.

Hard to justify Honda parts in a Toyota car; not a statement about one being better than the other.

Thanks

Ritesh

mreferre
Champion

Ritesh, you know I can't comment publicly on future product features. I can say this was a request we have heard loud and clear.

Massimo.
