Hello,
I would like to create a virtual private cloud but without using a routed network and the associated vEdge. My idea was to have the following:
1) An external network with internet access
2) A private network backed by an isolated netpool.
3) A Linux machine which acts as the server: 2 NICs - one connected to the external network and the other to the internal one.
4) To ensure that all VMs that will be deployed in the private network get the proper gateway (the above server), I tried to set up the internal IP of my server to be the same as the private network gateway.
Step 4 fails because it seems that a VM cannot have the IP of the network gateway it's connected to.
So my question is how do you actually deploy a gateway for a private org network (as I said, I don't want to use vShield Edge)?
Is there any workaround to achieve this? One solution would be to simply assign another internal IP to the server and then manually guest-customize the VMs and set their gateway to the respective IP. However, this seems awkward and I would like to know if there are other solutions.
Thanks
Possible idea:
Provider Network (External Network - vlan 10 ) This network has access to internet / whatever else you want to allow access to via gateway device
Org Network - Isolated (TheNetwork - vlan 11) This network will be used to attach all VMs to.
Org Network - Direct Connected to External Network (AccessNetwork - vlan 12) This network will allow the access out for the Router Device
Router Device VM, 2 nics - attached to the 2 org networks.
Then each VM would be attached to "TheNetwork" - each VM would have an IP on "TheNetwork" and only be able to get out via the connecting gateway to the RouterDevice that has access to "AccessNetwork"; because AccessNetwork is directly connected to the provider ExternalNetwork (not NAT) it will have a path out.
Hope that gets you going towards solving the goal you are after - we have done something like this in testing before but it is early, and I think I got the main points down. (Unless I missed something, no edge devices would be needed for this as no NAT exists, just direct connections and a bridge device.)
Hello cfor,
Thanks for the suggestion. In a way you rephrased with better words the solution I already have:). The problem is at this step:
Then each VM would be attached to the "TheNetwork" - each vm would have IP on the "TheNetwork" and only be able to get out via connecting gateway to the RouterDevice...
By default the VMs will get the gateway of "TheNetwork". Ideally you would want this to be the same as the RouterDevice IP on "TheNetwork". However, for some reason vCloud does not allow the RouterDevice to get that IP even if the network is private. Because of this I will have to manually guest-customize with custom scripts each VM that I deploy in the VPC, which is what I want to avoid.
Btw, I rephrased the question to better suit my problem.
Just curious as to why (at that time) you couldn't use vShield Edge. Note that with vCD 1.5 (and vShield 5.0) Edge can also do Static Routing (on top of NAT). I wonder whether that would have been enough for you or you were using a third party router for other reasons.
Massimo.
Hello,
I have the same problem, and could not use VSE as I need a firewall with 3 or more interfaces.
And when trying to deploy a virtual firewall through vCD, I have exactly the same issue as the one described.
Do you have any solution for that?
Or maybe do you have a VSE with more than 2 NICs?
Thanks in advance for your help.
Massimo Re Ferre' wrote:
Just curious as to why (at that time) you couldn't use vShield Edge. Note that with vCD 1.5 (and vShield 5.0) Edge can also do Static Routing (on top of NAT). I wonder whether that would have been enough for you or you were using a third party router for other reasons.
Massimo.
Hey Massimo,
The reasons are mainly related to license and the stateless firewall.
vcduser wrote:
Hello,
I have the same problem, and could not use VSE as I need a firewall with 3 or more interfaces.
And when trying to deploy a virtual firewall through vCD, I have exactly the same issue as the one described.
Do you have any solution for that?
Or maybe do you have a VSE with more than 2 NICs?
Thanks in advance for your help.
My solution was to "trick" vCloud. Basically I did the following:
This way I lose one IP from the private net, and I have a bit of inconsistency because vCloud reports a different IP for the server than it actually has. But I can live with both downsides.
Hope this helps.
Hi Velvetsky,
Thanks for the "trick" - it is a good idea!
It won't be acceptable in our environment, with operations and so on.
Hope VMware will propose a real solution...
Let's wait...
Thanks for the answer.
FYI with vCD you get Edge included in the price (w/ NAT, Static Route, Firewall, DHCP functionalities). Full Edge functionality (the previous plus LB and VPN) can be bought as an add-on. Chances are that for what you are trying to do the former set of features may be enough.
Also, I thought Edge was a stateful firewall. I would need to triple check this. Where did you read it's stateless anyway?
Massimo.
Hi Massimo,
Any idea regarding my issue? Is this feasible?
Thanks in advance.
vcduser, I can't comment on that on a public forum. What can I say? A vShield Edge device with more than 2 interfaces is being asked for by a lot of people. Yes, this I can say.
I suggest you contact your local VMware representative and discuss this directly with him/her. We can't answer roadmap items on this board. Sorry.
Massimo.
Hi Massimo,
I understand your point.
But until there is a VSE with more than 2 interfaces, we would like to implement our own router, but have no way to give it the default GW IP address of any network. Is there another way to do that?
Thanks
I would just use a third party VM, connect it to 3+ vCD Internal Networks and would connect all vApps to those internal networks.
It may require a bit of thinking / testing re how it deals with vApp guest customization and IP / DG management.
Massimo.
Do I understand well, that there is no way to do it properly through vCD ?
The only solution you propose is the trick from Velvetsky where you have inconsistencies between the vCD view and the "real" view?
Or maybe I just did not get your point ?
Thanks for clarification
vcduser
I would put it in another way. vCD does allow you to deploy a fully integrated firewall solution (based on Edge) that allows you to cut complexity and management overhead. If you wish to use another third party firewall you can do so but you lose the integration piece and you have to do what you'd normally do in a traditional virtual environment (and many other clouds I have seen). What I'd add is:
I'd create an External Network.
I'd create an Org with a Direct Connect to the above External Network.
I'd deploy a third party firewall as a VM (let's say with 4 NICs).
I'd connect one of the four NICs to the Org Network Direct Connect (I'd probably try to run the guest customization on this VM so that vCD can assign an IP on the External Network automatically).
I'd create 3 Internal Networks in the same Organization.
I'd connect those three networks to the three remaining vNICs of the firewall appliance.
I'd create vApps and connect them to these three Internal Networks depending on the topology of your app.
If you don't enable guest customization on those VMs you'll just have to deal with the IP assignments etc. If you want to enable Guest Customization on those VMs you'd need to test whether you can create an Internal Network whose IP schema can be configured to point to the IP address of your firewall appliance in the "Default Gateway" field of the IP schema for that Internal Network.
Does it make any sense? I am just thinking off the top of my head here so I may be missing something.
Massimo.
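Both designs in this thread (the original poster's router VM with a second internal IP, and the four-NIC firewall appliance laid out in the steps above) end up with the same operational task: the firewall's real address on each Internal Network must be chosen so that vCD will accept it, and every vApp VM must then be pointed at that address instead of the gateway vCD put in the IP schema. The following Python script is an added example, not code from this thread or from VMware; the network names, addresses, pool ranges and the assumption that vCD calls a Linux customization script with `precustomization`/`postcustomization` as its first argument are all constructed for illustration. It validates the candidate gateway address per network (inside the subnet, not the reserved vCD gateway address, not inside the static pool vCD hands out to vApps) and emits the guest customization script that overrides the default route.

```python
import ipaddress

# Constructed sample data (hypothetical addresses, not from the thread):
# three vCD Internal Networks as vCD defines them (gateway, netmask, static
# IP pool) and the address the third-party firewall VM really uses on each.
INTERNAL_NETWORKS = {
    "web": {"gateway": "10.11.0.1", "netmask": "255.255.255.0",
            "pool": ("10.11.0.10", "10.11.0.200")},
    "app": {"gateway": "10.12.0.1", "netmask": "255.255.255.0",
            "pool": ("10.12.0.10", "10.12.0.200")},
    "db":  {"gateway": "10.13.0.1", "netmask": "255.255.255.0",
            "pool": ("10.13.0.10", "10.13.0.200")},
}
# "app" repeats the mistake from the thread (taking the vCD gateway address);
# "db" picks an address vCD may also hand to a vApp VM.
FIREWALL_IPS = {"web": "10.11.0.2", "app": "10.12.0.1", "db": "10.13.0.50"}


def subnet(net):
    """Subnet of a vCD network, derived from its gateway address and netmask."""
    return ipaddress.ip_network(f"{net['gateway']}/{net['netmask']}", strict=False)


def check_gateway_candidate(net, candidate):
    """Return the reasons why `candidate` cannot be the firewall's real address.

    vCD refuses to assign the network's own gateway address to a VM (the
    problem the thread is about), so the firewall must take a different one.
    That address must still be inside the subnet, and it must sit outside the
    static pool, otherwise vCD may assign the same address to a vApp VM.
    """
    problems = []
    ip = ipaddress.ip_address(candidate)
    sn = subnet(net)
    if ip not in sn:
        problems.append(f"{candidate} is outside {sn}")
    if ip == ipaddress.ip_address(net["gateway"]):
        problems.append(f"{candidate} is the vCD gateway address, which vCD will not assign to a VM")
    low, high = (ipaddress.ip_address(a) for a in net["pool"])
    if low <= ip <= high:
        problems.append(f"{candidate} lies inside the static IP pool {low}-{high}")
    return problems


def plan(networks, firewall_ips):
    """Validate every network.

    Returns (usable, rejected): usable maps network name -> firewall address,
    rejected maps network name -> list of problems to fix before deployment.
    """
    usable, rejected = {}, {}
    for name, net in networks.items():
        problems = check_gateway_candidate(net, firewall_ips[name])
        if problems:
            rejected[name] = problems
        else:
            usable[name] = firewall_ips[name]
    return usable, rejected


def guest_customization_script(real_gateway):
    """Linux guest customization script that replaces the vCD-assigned default route.

    Assumption: vCD invokes the script twice with 'precustomization' and then
    'postcustomization' as $1; the route is changed only after the NIC has
    been configured, i.e. in the postcustomization phase.
    """
    return "\n".join([
        "#!/bin/sh",
        "# Override the default gateway vCD wrote into the guest with the",
        "# third-party firewall's real address on this Internal Network.",
        'if [ "$1" = "postcustomization" ]; then',
        f"    ip route replace default via {real_gateway}",
        "fi",
        "",
    ])


if __name__ == "__main__":
    usable, rejected = plan(INTERNAL_NETWORKS, FIREWALL_IPS)
    for name, gw in usable.items():
        print(f"--- {name}: firewall at {gw}")
        print(guest_customization_script(gw))
    for name, problems in rejected.items():
        print(f"--- {name}: NOT deployable")
        for p in problems:
            print(f"    {p}")
```

The generated script only changes the running route table; making the override survive a reboot is distribution specific, and the address vCD shows for the firewall VM will still differ from the one the appliance really uses, which is the UI misalignment discussed later in the thread.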
Massimo,
Thanks for your detailed response.
Massimo Re Ferre' wrote:
...
If you want to enable Guest Customization on those VMs you'd need to test whether you can create an Internal Network whose IP schema can be configured to point to the IP address of your firewall appliance in the "Default Gateway" field of the IP schema for that Internal Network....
This is exactly the question from the beginning: how to configure a VM with the IP address of the default gateway of either a vApp / Org Network?
By the normal use of vCD, I'm blocked from assigning this IP address to the VM.
If I assign another IP address from the range and then assign another one by guest-customization, I then have inconsistencies between the vCD interface and reality.
Do you see a proper way to do it ?
I can see that you may have a misalignment in the UI if you do that.
Massimo.
Edge is absolutely a stateful firewall.
Massimo Re Ferre' wrote:
Also, I thought Edge was a stateful firewall. I would need to triple check this. Where did you read it's stateless anyway?