Hello cfor,

Thanks for the suggestion. In a way you rephrased with better words the solution I already have:). The problem is at this step:

Then each VM would be attached to the "TheNetwork" - each vm would have IP on the "TheNetwork" and only be able to get out via connecting gateway to the RouterDevice...

By default the VMs will geet the gateway of "TheNetwork". Ideally you would want this to be the same as the RouterDevice ip on "TheNetwork". However, for some reason vCloud does not allow The RouterDevice to get that ip even if the network is private. Because of this I will have to manually guest-customize witch custom scripts each vm that I deploy in the VPC, which is what I want to avoid.

Btw, I rephrased the question to better suite my problem

Just curious as the why (at that time) you couldn't use vShield Edge. Note that with vCD 1.5 (and vShield 5.0) Edge can also do Static Routing (on top of NAT). I wonder whether that would have been enough for you or you were using a third party router for other reasons.

Massimo.

Hello,

I have the same problematic, and could not use VSE as I need a firewall with 3 or more interfaces.

And when trying to deploy a virtual firewall through vCD, I have exactly the same issue as the one described.

Do you have any solution for that ?

Or maybe do you have a VSE with more that 2 NICs ?

Thanks by advance for your help.

Massimo Re Ferre' wrote:

Just curious as the why (at that time) you couldn't use vShield Edge. Note that with vCD 1.5 (and vShield 5.0) Edge can also do Static Routing (on top of NAT). I wonder whether that would have been enough for you or you were using a third party router for other reasons.

Massimo.

Hey Massimo,

The reasons are mainly related to license and the stateless firewall

vcduser wrote:

Hello,

I have the same problematic, and could not use VSE as I need a firewall with 3 or more interfaces.

And when trying to deploy a virtual firewall through vCD, I have exactly the same issue as the one described.

Do you have any solution for that ?

Or maybe do you have a VSE with more that 2 NICs ?

Thanks by advance for your help.

My solution was to "trick" vCloud. Basically I did the following:

• create a private net with the gateway ip GW_IP
• deploy my own server with 2 nics
• let vcloud choose the ip address for the private net, which will be different than GW_IP
• 'customize' the guest customization process for the server to manually set a different IP than vCloud tells (in other words set the IP to GW_IP.

This way I loose one IP from the private net, and I have a bit of inconsistency because vCloud reports a different IP for the server than it actually has. But I can live with both downsides .

Hope this helps.

Hi Velvetsky,

Thanks for the "trick" - it is a good idea !

It won't be acceptable in our environment, with operations and so on.

Hope VMWare will propose a real solution ...

Let's wait ...

Thanks for the answer.

FYI with vCD you get Edge included included in the price (w/ NAT, Static Route, Firewall, DHCP functionalities). Full Edge functionalities (previous + LB, VPN) you can buy them as an add-on. Chances are that for what you are trying to do the former set of features may be enough.

Also, I though Edge was a stateful firewall. I would need to triple check this. Where did you read it's stateless anyway?

Massimo. 

Hi Massimo,

Any idea regarding my issue ? I this feasible ?

Thanks by advance.

vcduser, I can't comment on that on a public forum. What can I say? A vShield Edge device with more than 2 interfaces is being asked by a lot of people. Yes, this I can say

I suggest you contact your local VMware representative and discuss this directly with him/her. We can't answer roadmap items on this board. Sorry.

Massimo.

Hi Massimo,

I understand your point.

But until ther is a vse with more than 2 interfaces, we would like to implement our own router, but have no way to give it the default GW IP address of any network. Is there an other way to do that ?

thanks

I would just use a third party VM, connect it to 3+ vCD Internal Networks and would connect all vApps to those internal networks.

It may require a bit of thinking / testing re how it deals with vApp guest customization and IP / DG management. 

Massimo.

Do I understand well, that there is no way to do it properly through vCD ?

The only solution you propose is the trick from veltvetsky where you have inconsistencies between vCD view and the "real" view ?

Or maybe I just did not get your point ?

Thanks for clarification

vcduser

I would put it in another way. vCD does allow you to deploy a fully integrated firewall solution (based on Edge) that allows you to cut complexity and management overhead. If you wish to use another third party firewall you can do so but you lose the integration piece and you have to do what you'd normally do in a traditional virtual environment (and many other clouds I have seen). What I'd add is:

I'd create an External Network.

I'd create an Org with a Direct Connect to the above External Network.

I'd deploy a third party firewall as a VM (lets' say with 4 NICs).

I'd connect one of the four NICs to the Org Network Direct Connect (I'd probably try to run the guest customization on this VM so that vCD can assign an IP on the External Network automatically).

I'd create 3 Internal Networks in the same Organization.

I'd connect those three networks to the three remaining vNICs of the firewall appliance

I'd create vApps and connect them to these three Internal Networks depending on the topology of your app.

If you don't enable guest customization on those VMs you'll just have to deal with the IP assignments etc etc. If you want to enable Guest Customization on those VMs you'd need to test if you creating an Internal Network whose IP schema can be configured to point to the IP address of your firewall appliance configured in the "Default Gateway" field of the IP schema for that Internal Network.

Does it make any sense? I am just thinking off the top of my head here so I may be missing something.

Massimo.

Massimo,

Thanks for your detailed response.

Massimo Re Ferre' a écrit:

...
If you want to enable Guest Customization on those VMs you'd need to test if you creating an Internal Network whose IP schema can be configured to point to the IP address of your firewall appliance configured in the "Default Gateway" field of the IP schema for that Internal Network.

...

This is exactly the question from the beginning, how to configure a VM with the IP address of  the default Gateway of either an vApp / Org Newtork ?

By the normal use of vCD, I'm blocked to assign this IP address to the VM.

If I assign an other IP address from the range and then assign an other one by guest-customization - I have then inconsistencies between vCD interface and reality.

Do you see a proper way to do it ?

I can see that you may have a misalignment in the UI if you do that.

Massimo.

Edge is absolutely a stateful firewall

Massimo Re Ferre' wrote:

Also, I though Edge was a stateful firewall. I would need to triple check this. Where did you read it's stateless anyway?