VMware Cloud Community
mcfadyenj
Hot Shot

fenced networks

Hi all,

New to vCD, trying to sort out networking.

I have an environment that presents routable VLAN IPs to our production / test networks.

i.e.

VLAN xx is accessible from both PROD / TEST networks.

As such I believe my servers in the vApps should have external addresses using VLAN xx IP addresses, and the internals I am not too worried what they are.

Currently, in all attempts to get this to work, I am getting the same segments on both internal / external addresses of the deployed vApp servers.

Can someone advise what the correct network pool / org networks should be?

My thoughts tell me I should be using a ROUTED INTERNAL network. (I could be way off track here.)

P.S. There is no requirement for this to be published to internet-based users; it is only required internally (hence my thoughts on internal networks).

Accepted Solutions
VMSE
VMware Employee

Hi,

The reason why your vApps have the same IP range as the external subnet is likely because they are direct connect. This has the advantage that a 1:1 NAT will be automatically configured for each VM in the vApp - just as LabManager used to do. The disadvantage is that it is using your "real" addresses as opposed to some private addresses.

If you use a Routed Org Network, then this will give you the ability to define private addresses for the inside of the network and not use External Addresses. If this is for a test/development lab scenario, then you should probably have a network config where you have a routed external Org network with a TS/RDP host inside. Configure the firewall on the vShield Edge external routed network to allow RDP to this one server. This will act as a single common TS/RDP server for the Project, and then you can have multiple fenced vApps inside this routed network that would have automatically generated 1:1 NAT. This would allow for duplication of vApps within the project with duplicate IPs, etc., while still allowing users access via the TS/RDP jump box to all labs within the Project.

4 Replies
mcfadyenj
Hot Shot

Hi, thanks for your response. I am doing exactly as you stated, using this for a test / dev environment.

I need the fencing as described to use real addresses on the externals and private ones on the internals, as you explained.

I am also aware of the jump box requirements; I have yet to find the firewall config to set this up (not too important at this point, however).

I do have a direct link to the management network and routed internals to vSphere VLAN ID networks (which are visible to prod / test clients), so I want the vSphere VLAN IDs to be on my test lab external address.

So should I be using a vCD external routed (I don't think so) or vCD routed internals (I believe this is the correct option), as I do not present vCD to internet-based users, only users within my corporate environment and only for testing purposes.

_morpheus_
Expert

If the VM NIC in a vApp is attached to an organization network, you have the option to make the vApp fenced or unfenced. Unfenced means that the VM NIC is directly connected to the portgroup of the organization network. Fenced means that the VM NIC is connected to the portgroup of an isolated vApp network with a vShield Edge doing NAT. The IP subnet inside the fenced network will be the same as the IP subnet outside the fenced network. This works using proxy-ARP.

If you want the vApp to have a different IP subnet inside the network, then you need to create a vApp network and configure the vApp network to be routed to the organization network. Then the VM NIC should be connected to the vApp network.
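To make the two explanations above concrete (the accepted answer's routed org network with a jump host and edge firewall, and the fenced-vApp 1:1 NAT just described), here is a small Python model added as an illustration; it is not code from the thread, from VMware, or from any vCD/vShield API. It abstracts the addressing: every subnet, host address and vApp name is a constructed sample value, and the edge policy is a simplified first-match rule list. What it shows is the property the design relies on: two cloned vApps can carry identical internal addresses, each VM still gets its own org-network address through 1:1 NAT, and the edge only admits RDP to the single jump host from outside, so all other lab access has to go through that box.

```python
"""Model of the lab layout from the accepted answer: one routed org network
with a TS/RDP jump host, an edge firewall that only admits RDP to that host,
and fenced vApps behind 1:1 NAT that may reuse the same internal addresses.
All addresses below are constructed sample values, not from the thread."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ORG_NET = IPv4Network("10.20.0.0/24")        # routed org network (constructed)
ORG_GATEWAY = IPv4Address("10.20.0.1")       # edge inside interface (constructed)
JUMP_HOST = IPv4Address("10.20.0.10")        # TS/RDP jump box on the org network (constructed)
RDP_PORT = 3389


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst: IPv4Network         # destination match
    dport: Optional[int]     # None matches any port


# Edge firewall policy for traffic entering the org network from PROD/TEST:
# first match wins, and the last rule is an explicit default deny.
EDGE_RULES = [
    Rule("allow", "tcp", IPv4Network(f"{JUMP_HOST}/32"), RDP_PORT),
    Rule("deny", "any", IPv4Network("0.0.0.0/0"), None),
]


def edge_decision(dst_ip: str, dst_port: int, proto: str = "tcp") -> str:
    """Return 'allow' or 'deny' for an inbound flow to the org network."""
    ip = IPv4Address(dst_ip)
    for r in EDGE_RULES:
        if r.proto in ("any", proto) and ip in r.dst and r.dport in (None, dst_port):
            return r.action
    return "deny"


@dataclass
class FencedVApp:
    name: str
    internal_ips: list                        # may be identical across cloned vApps
    nat: dict = field(default_factory=dict)   # external org-network IP -> internal IP


class OrgNetwork:
    """Hands out org-network addresses for the 1:1 NAT of each fenced vApp."""

    def __init__(self, net: IPv4Network, reserved):
        self.free = [ip for ip in net.hosts() if ip not in reserved]
        self.vapps = []

    def deploy_fenced(self, name: str, internal_ips) -> FencedVApp:
        vapp = FencedVApp(name, [IPv4Address(i) for i in internal_ips])
        for inside in vapp.internal_ips:
            if not self.free:
                raise RuntimeError("org network exhausted: grow the static IP pool")
            vapp.nat[self.free.pop(0)] = inside   # one external address per VM
        self.vapps.append(vapp)
        return vapp

    def external_ips(self, name: str) -> list:
        """External (org-network) addresses allocated to the named vApp, in order."""
        return [str(ip) for v in self.vapps if v.name == name for ip in v.nat]

    def lookup(self, external_ip: str):
        """Which vApp and internal VM does an org-network address reach (from the jump host)?"""
        ip = IPv4Address(external_ip)
        for v in self.vapps:
            if ip in v.nat:
                return v.name, str(v.nat[ip])
        return None


def build_lab() -> OrgNetwork:
    """Two clones of the same lab: identical internal IPs, distinct external IPs."""
    org = OrgNetwork(ORG_NET, reserved={ORG_GATEWAY, JUMP_HOST})
    clone = ["192.168.1.10", "192.168.1.11"]   # constructed internal addresses
    org.deploy_fenced("lab-a", clone)
    org.deploy_fenced("lab-b", clone)
    return org


if __name__ == "__main__":
    lab = build_lab()
    for v in lab.vapps:
        print(v.name, {str(k): str(i) for k, i in v.nat.items()})
    for dst, port in [(str(JUMP_HOST), RDP_PORT), ("10.20.0.2", RDP_PORT), (str(JUMP_HOST), 22)]:
        print(f"inbound {dst}:{port} -> {edge_decision(dst, port)}")
```

Running it prints the NAT table of each clone and the edge decision for three inbound flows: RDP to the jump host is allowed, RDP straight to a vApp's external address is denied, and a non-RDP port on the jump host is denied. In a real deployment the equivalent pieces are the org network's static IP pool (which is what runs out when too many fenced vApps are deployed), the NAT rules vCD generates per VM, and the vShield Edge firewall rule set on the routed org network, so keep that pool sized for the number of concurrent lab clones.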

VMSE
VMware Employee

It doesn't really matter whether your users are internal or external - you will have an external routed network with fenced internal vApps.