barnette08
Expert

vApp Fencing (unchecked all)

One of our developers asked me the other day if he unselected both NAT and Firewall, is there still any other fencing functionality? I told him that I was pretty sure that, if he unselects all options, he is essentially just creating a non-fenced vApp. However, after overthinking this I started wondering if there was still any MAC or SID isolation going on, since NAT really just deals with IP. Again, I could be overthinking this, but I'm curious to hear all the expert thoughts on this. Thanks!

6 Replies
IamTHEvilONE
Immortal

So let's make sure we get some terms straight.

"Fencing" is when you have a Direct External Network assigned to the vApp, and you want to isolate it.  A vApp network is similar, but the internal addresses differ from the external addresses.

In both cases an Edge device is deployed for isolation purposes.

If you disable FW/NAT, then the edge functions as a pure gateway. This means you could set up a static route to say that a specific network or IP range exists behind the external IP of the Edge device. This is more useful in the case of a vApp Network or Routed Organization Network.

barnette08
Expert

Right, so if he is trying to fence a directly connected organization network but unchecks FW/NAT, an edge device is still deployed. It just doesn't serve any isolation functionality.

IamTHEvilONE
Immortal

Direct External Organization Network without Fencing means that the VM is placed directly onto the network port group ... no isolation, and just like any other VM in vSphere.

barnette08
Expert

I understand how they work. I guess what this developer and I were trying to figure out was whether it made sense to even allow a customer to select a "Fenced vApp" but then allow them to remove both NAT and FW. He was trying to determine if we should just default them both in our customer portal, or if we should give them the option to deselect them like in the vCD UI.

IamTHEvilONE
Immortal

I think that's more about what's the most common configuration to reduce the number of clicks the client needs to perform on average.

_morpheus_
Expert

If the network is fenced and NAT is disabled (or NAT is enabled but there are no NAT rules), then you have no connectivity to the outside network. The only reason to do this would be to have a vApp that's been cloned and you want the clone to be on an isolated network but you don't want to go through the trouble of creating an isolated vApp net and connecting the VM NICs to it.

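The two replies above (IamTHEvilONE's, that unchecking FW and NAT leaves the edge as a plain gateway with no isolation, and _morpheus_'s, that a fenced network with NAT disabled or with no NAT rules has no outside connectivity) reduce to a small decision table over a vApp's NetworkConfigSection. The script below is an added example, not code from this thread or from VMware: it reads that section in the form the vCloud Director REST API returns and reports which case each vApp network is in, so a portal like the one barnette08 describes can warn before it hands a customer a "fenced" vApp that isolates nothing. The element names and the v1.5 namespace are my assumption about the API, and the sample XML is constructed, not captured from a live cell.

```python
"""
Audit a vApp NetworkConfigSection and say what isolation is really in effect.
Added example for this thread, not vCD's own code.  Element names and the
namespace follow the vCloud Director REST API as an assumption; check them
against the API version you run.
"""
import xml.etree.ElementTree as ET

NS = {"vc": "http://www.vmware.com/vcloud/v1.5"}  # assumed vCD API namespace

# Verdict codes, following the two replies in the thread.
NO_EDGE = "NO_EDGE"            # bridged: VM lands directly on the port group
ISOLATED = "ISOLATED"          # vApp-only network, nothing external
GATEWAY_ONLY = "GATEWAY_ONLY"  # natRouted, FW and NAT off: edge is a plain gateway
NAT_OFF = "NAT_OFF"            # natRouted, FW on but NAT off: no outside connectivity
NAT_NO_RULES = "NAT_NO_RULES"  # natRouted, NAT on but no rules: no outside connectivity
FENCED = "FENCED"              # natRouted with at least one NAT rule
UNKNOWN = "UNKNOWN"


def _enabled(service):
    """True if the service element exists and carries <IsEnabled>true</IsEnabled>."""
    if service is None:
        return False
    flag = service.find("vc:IsEnabled", NS)
    return flag is not None and (flag.text or "").strip().lower() == "true"


def classify(config):
    """Classify one <NetworkConfig> element and return a verdict code."""
    cfg = config.find("vc:Configuration", NS)
    if cfg is None:
        return UNKNOWN
    fence = (cfg.findtext("vc:FenceMode", default="", namespaces=NS) or "").strip()
    features = cfg.find("vc:Features", NS)
    fw = nat = None
    if features is not None:
        fw = features.find("vc:FirewallService", NS)
        nat = features.find("vc:NatService", NS)
    nat_rules = len(nat.findall("vc:NatRule", NS)) if nat is not None else 0

    if fence == "bridged":
        return NO_EDGE
    if fence == "isolated":
        return ISOLATED
    if fence == "natRouted":
        if not _enabled(fw) and not _enabled(nat):
            return GATEWAY_ONLY      # the developer's "unchecked all" case
        if not _enabled(nat):
            return NAT_OFF
        if nat_rules == 0:
            return NAT_NO_RULES
        return FENCED
    return UNKNOWN


def audit(section_xml):
    """Map every networkName in a NetworkConfigSection to its verdict code."""
    root = ET.fromstring(section_xml)
    return {nc.get("networkName"): classify(nc)
            for nc in root.findall("vc:NetworkConfig", NS)}


# Constructed sample, not from a live cell: four networks on one vApp.
SAMPLE = """<NetworkConfigSection xmlns="http://www.vmware.com/vcloud/v1.5">
  <NetworkConfig networkName="direct-org-net">
    <Configuration><FenceMode>bridged</FenceMode></Configuration>
  </NetworkConfig>
  <NetworkConfig networkName="fenced-fw-nat-unchecked">
    <Configuration>
      <FenceMode>natRouted</FenceMode>
      <Features>
        <FirewallService><IsEnabled>false</IsEnabled></FirewallService>
        <NatService><IsEnabled>false</IsEnabled></NatService>
      </Features>
    </Configuration>
  </NetworkConfig>
  <NetworkConfig networkName="fenced-nat-no-rules">
    <Configuration>
      <FenceMode>natRouted</FenceMode>
      <Features>
        <FirewallService><IsEnabled>true</IsEnabled></FirewallService>
        <NatService><IsEnabled>true</IsEnabled><NatType>ipTranslation</NatType></NatService>
      </Features>
    </Configuration>
  </NetworkConfig>
  <NetworkConfig networkName="fenced-with-rule">
    <Configuration>
      <FenceMode>natRouted</FenceMode>
      <Features>
        <FirewallService><IsEnabled>true</IsEnabled></FirewallService>
        <NatService>
          <IsEnabled>true</IsEnabled>
          <NatType>portForwarding</NatType>
          <NatRule><Id>1</Id></NatRule>
        </NatService>
      </Features>
    </Configuration>
  </NetworkConfig>
</NetworkConfigSection>"""

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:28s} {verdict}")
```

In a portal you would fetch the section with `GET /api/vApp/{id}/networkConfigSection` and feed the body to `audit()`; anything that comes back `GATEWAY_ONLY` is the configuration the first reply describes, an edge that is deployed but isolates nothing, and is the case worth flagging or defaulting away in the UI.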