VMware Cloud Community
escapem2
Enthusiast

Private vCenter IP and Replication

hi guys

We have a datacenter, and one partner wants to replicate their VMs using VMware Replication... Of course, for security reasons we won't publish our vCenter IP so our partner can connect the VMware replication appliance...

So what is the way to go? NAT the vCenter IP so our partner can see the vCenter IP as if it is in their own network?

Let's say the partner network is:

10.10.10.x

Their vCenter and VMware Replication: 10.10.10.20 and 10.10.10.21

Our datacenter network is 192.168.10.x, and our vCenter is 192.168.10.11 and ESXi 12 - 13 and 14.

So the network team makes a NAT for our vCenter, like 10.10.10.30, so our partner can replicate?

Is that possible? Is that the way to go? Will replication work? Any workaround or recommendation?

thanks a lot

0 Kudos
8 Replies
rh5592
Hot Shot

I don't think NAT is supported. See this KB VMware KB: The vSphere replication status appears as Not Active on a virtual machine configured for ...

Regards.
"If found useful, kindly mark answers Correct or Helpful" http://rh5592.com
0 Kudos
escapem2
Enthusiast

well so far this looks pretty convincing

If NAT is used in the VR environment, all VR components must be excluded from the NAT. All VR components must be able to communicate with each other using either internal addresses or external addresses.

0 Kudos
escapem2
Enthusiast

Now I wonder how VMware provides Disaster Recovery as a Service... I mean, how they handle these security issues.

Well, any ideas how to manage/overcome this issue, guys? Another way to connect to our vCenter from our partner without compromising our environment?

thanks a lot

0 Kudos
GMCON
Enthusiast

When using DR as a service or vCHS, you can extend your own layer 2 and layer 3 networks into that cloud, so there is technically no need for NAT, as you are normally using a VPN tunnel of some sort to connect the two. What you would probably have to do to get yours working is have a VPN between your partner and yourself, or you would end up having to set up your device in a DMZ, providing a public IP to it with the right firewall rules to allow only your vCenter to connect.

0 Kudos
rh5592
Hot Shot

Yes. Most of the time it is VPN between the two parties with all firewall rules configured to only allow the required access.

Regards.
"If found useful, kindly mark answers Correct or Helpful" http://rh5592.com
0 Kudos
mvalkanov
VMware Employee

Hi escapem2,

vCHS DR as a Service uses a separate component to tunnel vSphere Replication traffic.

I'm not aware of a good solution for replicating using VR between vCenter inventories when the vCenter at the target site is shared between tenants.

You might be able to pair the VR appliances using FQDN for the vCenters (see the VirtualCenter.FQDN value in vCenter settings) and some NAT rules; however, the tenant will still see information about all VR servers and all datastores at the target vCenter inventory.

Regards,

Martin

0 Kudos
escapem2
Enthusiast

thanks guys for all the recommendations

0 Kudos
escapem2
Enthusiast

Guys,

Again on this topic, I found some information below. It is still the same issue: how can I have multiple tenants, customers, partners replicate to my DC without incurring security breaches? If anyone has ideas, let me know.

Someone told me to add a vNIC in the tenant VLAN... but that's not the way to go.

http://ibmsolutionstore.com/store/techgate-plc/disaster-recovery-as-a-service-vmware-srm-replication...

Now you can protect your customers' individual virtual machines on your VMware cloud, by replicating them to the Techgate DRaaS platform, powered by VMware's Site Recovery Manager

How it works:

1. Site Recovery Manager is installed on your customers' vSphere in-house or hosted Private Cloud, protecting your selected business-critical virtual machines.

2. A recovery VM failover environment is being configured at Techgate’s DRaaS platform to enable replication of the virtual machines as low as every 15 minutes!

0 Kudos