VMware Cloud Community
0v3rc10ck3d
Enthusiast

vShield Networking for Multi-tenant vCloud Deployment

Hello Everyone,

I've read through a lot of documentation and white papers but I can't seem to find out exactly how this works. At our datacenter we've been hosting a multi-tenant system separated by distributed switch port groups and VLANs running within vSphere.

We are adding in some new infrastructure and will be deploying vCloud Director, but I can't seem to figure out exactly how people are incorporating the external networking. From what I understand vShield Edge is deployed as a software firewall; from this, can we completely bypass our existing hardware firewalls?

This is how we would like to see it if possible

Border switches with BGP -> Internal network switch ports with a VLAN tag -> Distributed switch port group with the same VLAN tag -> vShield Edge

Is that how it works? Can we simply bypass our firewall and use vShield Edge as a firewall that picks up our external IP subnet and passes out addresses?

Thanks!

VCIX6 - NV | VCAP5 - DCA / DCD / CID | vExpert 2014,2015,2016 | http://www.vcrumbs.com - My Virtualization Blog!
1 Reply
IamTHEvilONE
Immortal

It's really up to you ... the problem is that as soon as you assign an Organization Network to be Direct Connect - External, anyone who can change the network settings of a VM can put their VM onto that network.

In the current version of vCloud Director, you would have something like this:

Option 1 - Direct Connect External -> use physical firewalls

Option 2 - Organization Routed Network -> Edge Gateway -> External Network which has exactly 2 IPs (one for the Edge, one for the SNAT)

- in this case, there aren't enough IPs to support putting a VM on the external.

So the key takeaway is, if you give an Organization use of a resource, they can use it as much as they are allowed to (or as much of it as exists).

Just food for thought.

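The reply's two options come down to IP-pool accounting: a direct-connect org network exposes every spare address in the external network's pool to any VM the tenant attaches, while a routed org network behind an Edge is safe only if the external pool has no addresses left over after the Edge and SNAT allocations. The script below is an added example (not from the thread or from VMware) that runs that check over a constructed inventory; the inventory layout and field names are assumptions for illustration, not vCloud Director's API schema, and the addresses are RFC 5737 documentation ranges.

```python
"""Audit tenant exposure on vCloud Director external networks (constructed example).

Models the two options from the reply above:
  - a direct-connect org network hands the whole external pool to the tenant;
  - a routed org network behind an Edge is only as tight as the leftover pool.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed inventory. Field names are an assumption for this example,
# not vCloud Director's API schema.
INVENTORY: Dict = {
    "external_networks": {
        # Option 2 done right: pool of exactly two addresses (Edge + SNAT).
        "ext-transit-b": {"ip_ranges": [("203.0.113.2", "203.0.113.3")]},
        # Option 2 done loosely: pool of three, so one address is left over.
        "ext-transit-c": {"ip_ranges": [("192.0.2.2", "192.0.2.4")]},
        # Option 1: a large public pool exposed via Direct Connect.
        "ext-direct": {"ip_ranges": [("198.51.100.10", "198.51.100.200")]},
    },
    "org_networks": [
        {"org": "tenant-a", "name": "web", "type": "direct", "external": "ext-direct"},
        {"org": "tenant-b", "name": "routed", "type": "routed", "external": "ext-transit-b",
         "edge_ips": ["203.0.113.2"], "snat_ips": ["203.0.113.3"]},
        {"org": "tenant-c", "name": "routed", "type": "routed", "external": "ext-transit-c",
         "edge_ips": ["192.0.2.2"], "snat_ips": ["192.0.2.3"]},
    ],
}


def expand_ranges(ranges: List[Tuple[str, str]]) -> Set[str]:
    """Expand inclusive (start, end) IPv4 ranges into a set of address strings."""
    ips: Set[str] = set()
    for start, end in ranges:
        lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        if hi < lo:
            raise ValueError(f"range end {end} precedes start {start}")
        ips.update(str(ipaddress.ip_address(n)) for n in range(lo, hi + 1))
    return ips


def spare_ips(inventory: Dict, ext_name: str) -> List[str]:
    """Pool addresses on an external network not consumed by an Edge or a SNAT.

    Raises if an allocation references an address outside the pool, which
    would mean the inventory is inconsistent rather than merely loose.
    """
    pool = expand_ranges(inventory["external_networks"][ext_name]["ip_ranges"])
    allocated: Set[str] = set()
    for net in inventory["org_networks"]:
        if net["external"] == ext_name:
            allocated |= set(net.get("edge_ips", [])) | set(net.get("snat_ips", []))
    stray = allocated - pool
    if stray:
        raise ValueError(f"{ext_name}: allocations outside pool: {sorted(stray)}")
    return sorted(pool - allocated, key=lambda ip: int(ipaddress.ip_address(ip)))


def audit(inventory: Dict) -> List[Dict[str, str]]:
    """One finding per org network, rated by how much of the external pool a tenant VM could grab."""
    findings: List[Dict[str, str]] = []
    for net in inventory["org_networks"]:
        ext = net["external"]
        spare = spare_ips(inventory, ext)
        if net["type"] == "direct":
            # Option 1: no Edge in the path; every spare pool address is reachable by a tenant VM.
            severity, reason = "high", (
                f"direct connect to {ext}: a VM attached by the org can take any of "
                f"{len(spare)} pool addresses and bypass the Edge"
            )
        elif net["type"] == "routed":
            # Option 2: tenant VMs sit behind the Edge; only leftover pool addresses matter.
            if spare:
                severity, reason = "medium", (
                    f"{ext} has {len(spare)} address(es) beyond Edge+SNAT ({', '.join(spare)}); "
                    "shrink the pool so nothing can be placed directly on the external"
                )
            else:
                severity, reason = "info", f"{ext} pool is fully consumed by Edge+SNAT"
        else:
            severity, reason = "info", f"unrecognised network type {net['type']!r}"
        findings.append({"org": net["org"], "network": net["name"],
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f['severity']:6}] {f['org']}/{f['network']}: {f['reason']}")
```

Run it as-is to see tenant-a flagged high (direct connect), tenant-c flagged medium (one leftover address on its transit network) and tenant-b rated info. Against a real deployment you would populate the inventory from whatever export or API your vCloud Director version provides; the point of the check is the same either way: an external network should carry no more addresses than the Edge and its SNAT need unless you are deliberately accepting Option 1 and fronting it with the physical firewalls.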