VMware Cloud Community
conraddel
Contributor
Contributor
Jump to solution

VAPP network edge firewall device not available ?

Hi there Guys

I am hoping somebody can help me with this one. We are setting up a POC for our company to prove the Business value of VCloud director (VDC1.5). We have set up everything but we are having one last issue with VAPP networks. According to our understanding, one can place an Vshield edge device between a VAPP network and the organization network.

We have set up scenario like this, but we are unable to active the Firewall option, as the option stays grayed out as per the attached screenshot.

If we turn on the DHCP service, the edge firewall VM is created, but even then the firewall option in the VCD interface stays grayed out.

Reply
0 Kudos
1 Solution

Accepted Solutions
nirvy
Commander
Commander
Jump to solution

Firewall/Routing options will only become available when your vApp Network is 'patched' to an organisation network.  You can configure this by going into your vApp's Networking tab and selecting an organisation network from the Connection drop-down list.  Without configuring a connection, your vApp network is only availble inside your vApp and only has DHCP capabilities from the edge device.

View solution in original post

Reply
0 Kudos
8 Replies
nirvy
Commander
Commander
Jump to solution

Firewall/Routing options will only become available when your vApp Network is 'patched' to an organisation network.  You can configure this by going into your vApp's Networking tab and selecting an organisation network from the Connection drop-down list.  Without configuring a connection, your vApp network is only availble inside your vApp and only has DHCP capabilities from the edge device.

Reply
0 Kudos
conraddel
Contributor
Contributor
Jump to solution

Hi there Nirvy

Ok I see what you mean. But there is one more thing that I do not understand. You talk about the vApp network being patched into the organization network. Based on what you explained to me and what I see is happening I understand the following

A VM in a vApp must have a nic in the attached to the vApp network for traffic to other VM's in the vApp. Then if a VM in a vApp needs to speak to a VM in another vApp it must have a nic attached to the organization network, and this nic can be protected by the Edge Firewall

It never seems as iff the Edge device acts as a bridge between the vApp network and the orgainisation network ?

Reply
0 Kudos
JayhawkEric
Expert
Expert
Jump to solution

You can have one NIC do it all, depending on your security needs.  If you are trying to create a vAPP where the VM's within it can talk to each other and can talk out to other VM's in other vApps but have a firewall on it you'll want to setup an Organizaional Network of Direct type and connect it from your Network Pool to your External network.  When creating your vAPP you'll then create a vAPP network with all your firewall/DHCP settings and then connect that to your organization network.  This creates a "fenced" configuration to the point it can be cloned a lot of times but the VM's can still talk to all other VM's on ports you specified, using their "public IP's."

VCP5-DV twitter - @ericblee6 blog - http://vEric.me
nirvy
Commander
Commander
Jump to solution

Sort of, the Edge device provides Layer 3 and up services, so it won't bridge exactly.  Take a look at this awesome diagram and you will see how many options you have!

http://www.hypervizor.com/diags/Diagram-VMware-vCloud-Director-Networking-Architecture-v1-0.pdf

As eric said, you wouldn't need to multi-home your VMs with one nic on the vApp network and one on an org net or anything like that!

JayhawkEric
Expert
Expert
Jump to solution

I love that PDF.  I have it posted on my wall and was the one that helped me finally understand VCD networking.

VCP5-DV twitter - @ericblee6 blog - http://vEric.me
Reply
0 Kudos
sakibpavel
Enthusiast
Enthusiast
Jump to solution

Nice pdf.

Sakibpavel 
Reply
0 Kudos
_morpheus_
Expert
Expert
Jump to solution

Your vApp network is not connected to an organization network. Open the vApp, go to networking tab, and change the Connection to something other than None

Reply
0 Kudos
conraddel
Contributor
Contributor
Jump to solution

Thank you to all of you for your assistance. I have managed to figure it out (finally) with all of your help!

Reply
0 Kudos