VMware Cloud Community
TheVMinator
Expert

Orchestrator and Multi-Tenancy

I am using Orchestrator in a multi-tenancy environment.  What I need to try to do is:

Set up a master orchestrator instance where I can centralize workflow execution.

Set up slave instances in the different tenant environments that I can call with the Multi-node plug-in.

The problem is that the environments are separated and can only be accessed via a vpn tunnel.

How should I set up the Orchestrator master and slave to communicate over the VPN?

Should I:

1. Use a "VPN connection plugin", if there is one, to establish a connection over the VPN?
2. Use the HTTP-REST plug-in, and give both vCOs a public IP and some type of public web interface, if that can be done securely, perhaps sticking slave vCOs in DMZs?
3. Some other way?

Thanks for input!

0 Kudos
1 Solution

Accepted Solutions
robrtb12
Enthusiast

If you have an always-on VPN connection to the remote/slave instances, then just open firewall ports to allow the master to communicate with the remote/slave instance.

Ports are listed on pages 38 & 39:

http://pubs.vmware.com/vsphere-55/topic/com.vmware.ICbase/PDF/vcenter-orchestrator-552-install-confi...

Multi-node plugin documentation:

http://pubs.vmware.com/orchestrator-plugins/topic/com.vmware.ICbase/PDF/using-multi-node-plugin-10-g...

From what I can tell you would need the following ports opened from the master (source) to the remote/slave (destination):

  • TCP - 8230 - The main port to communicate with the Orchestrator server (JNDI port).
  • TCP - 8250 - For SSL trust (Multi-node plugin documentation - "Enable Orchestrator for Remote Workflow Execution")

0 Kudos
5 Replies
TheVMinator
Expert

Anyone?

0 Kudos
cdecanini_
VMware Employee

The multi-node plug-in (in recent versions) uses the vCO REST API, so you just have to make sure the master vCO can access the vCO API port.

iiliev
VMware Employee

AFAIK, there is no VPN plug-in.

What use case scenarios do you want to cover? For example, do you want the master vCO to control VPN connections to slave vCOs? E.g., the master vCO establishes a new VPN connection to a given slave vCO, then calls a vCO REST API to invoke a workflow on the child vCO, and then drops the VPN connection.

TheVMinator
Expert

OK, thanks. I think that basically answers it. I have to either have a dedicated VPN connection, or I need to create a plug-in/workflow to establish a VPN connection temporarily when the master and slave vCO need to communicate.

0 Kudos