How To Use VPN to Connect Multiple vCloud Air Clouds

vCloud Air-Powered

As a newish member of the VMware vCloud Air Technical Marketing Team one cool thing I get is access to various things to play with and test.  Something my whole team has access to in vCloud Air is both a Virtual Private Cloud and a Dedicated Cloud.  The unique thing about VMware vCloud Air is that with a single user account you can access multiple cloud services you sign up for.  In our case we have two we can deploy workloads to.  What are some things to think about with this?

  • These are two different vCloud Director URLs
  • These are two separate vCloud Director Organizations
  • Each has its own vCNS Edge Gateway, and in the case of the Dedicated Cloud there could be multiple Edge Gateways configured
  • Each vCNS Edge Gateway has been assigned an external public IP address

This means these are essentially two independent cloud environments federated by the vCloud Air user portal.  Something I wanted to point out very quickly was how you can actually connect these together using the built-in VPN functionality in vCloud Director.  Let’s take a very basic example of what each cloud offering might look like initially.  This assumes you have yet to connect them to your on-premises data center.

[Image: vCloud Air_VPC_DC_Net – VPC and Dedicated Cloud, each with one Edge Gateway and one routed network]

In the image above you can see that each Virtual Data Center has a single Edge with a public IP address and a single routed network.  You will also notice that each routed network is a DIFFERENT subnet.  This is mandatory for the VPN to work since you cannot have the same local endpoint addresses.  It’s important to note that when you deploy your vCNS Edge in vCloud Air you will always get a Default-Routed network using 192.168.109.0 and in most cases you will want to simply remove it and start clean if you are looking to do advanced networking.

Configure the VPN

This is probably the easiest thing you will ever do.  Before you begin you will need a couple of things from both your VPC and your Dedicated instance.

  • vCloud Director URL
  • vCloud Director Organization Name
  • Login Credentials – which will be the same for both if these are all under your account

The URL can be found for each cloud on the right side of the screen.  It will also include the organization name in the full URL.  You will need to do this for both your clouds.

[Image: vchs_vcd_url]

Secondly, you will want to click on one of the gateways and select Manage Advanced Gateway Settings to access the vCD user interface.

[Image: vchs_manage_vcd]

Once you are connected to the vCloud Director native UI, you can easily configure the VPN.

Select your Edge Gateway in your vCloud organization and select the VPN tab.  Once there select “Add” and you will see the following screen.  Select “Use public IP” and leave the other settings to their defaults.

[Image: vchs_vpn_config]

Select “A Network in another Organization”, and then select “Log Into Remote vCD”.

[Image: vcloud_connection]

Fill in the required fields for just the vCloud URL and the org that you recorded earlier from the vCloud Air portal.  Use your vCloud Air credentials to connect and once you log in you will be presented with the other vCloud Organization’s networks so you can multi-select the mappings for the networks in each Organization.

Once this is done the two sites should come up with a VPN between them, but if you deploy virtual machines they will still not communicate.  This is because even though the VPN tunnel is up, the Edge Gateways still block the traffic; as with any other traffic, you need to apply firewall rules.

[Image: vchs_connected_vpn]

Configure the Firewall Rules

This is pretty simple provided you simply want to allow all traffic between the network on the VPC side and the network on the Dedicated Cloud side without any restrictions.  In each vCNS Edge Gateway you need simple reciprocating rules, assuming you have not yet “Allowed all Outbound” connections.  Using the IP addresses shown in the diagram, the rules for each vCNS Edge would look something like this on each side:

Source                    Destination
192.168.109.0/24 : Any    192.168.201.0/24 : Any
192.168.201.0/24 : Any    192.168.109.0/24 : Any

This ensures that both vCNS Edge Gateways pass traffic from either end back and forth.  Personally I always write reciprocating rules just in case, especially when this is a subnet-to-subnet VPN rule.  The key is to make sure you duplicate the rule in BOTH Edge Gateways.
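As an added pre-flight check (my own example script, not part of the original post and not vCloud Director or vCNS code), the following Python verifies the two requirements this post relies on: the two routed networks must not overlap (the VPN needs distinct local endpoints), and the allow rules must be present on BOTH Edge Gateways. The rule dictionaries are a constructed format for illustration, not the vCNS export format.

```python
from ipaddress import ip_network

# Constructed sample: the two routed networks from the post's diagram.
VPC_NET = "192.168.109.0/24"
DEDICATED_NET = "192.168.201.0/24"


def subnets_usable_for_vpn(net_a, net_b):
    """The VPN needs distinct local endpoints: the two sides must not overlap."""
    return not ip_network(net_a).overlaps(ip_network(net_b))


def missing_rules(edge_rules, net_a, net_b):
    """Return the (source, destination) pairs an Edge still lacks an allow rule for.

    edge_rules: list of dicts with 'source', 'destination' and 'action' keys
    (constructed format, not the vCNS export format).
    """
    # Normalise so "192.168.109.0/24" and an equivalent spelling compare equal.
    norm = lambda s: str(ip_network(s))
    required = {(norm(net_a), norm(net_b)), (norm(net_b), norm(net_a))}
    allowed = {
        (norm(r["source"]), norm(r["destination"]))
        for r in edge_rules
        if r.get("action") == "allow"
    }
    return sorted(required - allowed)


def check_both_edges(edges, net_a, net_b):
    """Verify reciprocating rules on every Edge; returns {edge_name: missing pairs}."""
    return {name: missing_rules(rules, net_a, net_b) for name, rules in edges.items()}


# Constructed: the VPC edge has both rules; the dedicated edge forgot the return rule.
EDGES = {
    "vpc-edge": [
        {"source": VPC_NET, "destination": DEDICATED_NET, "action": "allow"},
        {"source": DEDICATED_NET, "destination": VPC_NET, "action": "allow"},
    ],
    "dedicated-edge": [
        {"source": DEDICATED_NET, "destination": VPC_NET, "action": "allow"},
    ],
}

if __name__ == "__main__":
    print("subnets usable:", subnets_usable_for_vpn(VPC_NET, DEDICATED_NET))
    for edge, missing in check_both_edges(EDGES, VPC_NET, DEDICATED_NET).items():
        print(edge, "missing:", missing or "none")
```

Run it against your own rule export converted to the same dictionary shape; any non-empty "missing" list is an Edge where the VPN will be up but VMs will still not talk.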

Summary

At this point you have securely interconnected your Virtual Private Cloud to your Dedicated Cloud.  It also stands to reason you can do this between multiple Dedicated Clouds or even different Virtual Data Centers in the same Dedicated Cloud.  Finally, you can even set up secure VPNs between networks on vCNS Edge devices in the same organization for encrypted communication if you require it.  The bottom line is that VMware vCloud Air networking, built on the vCloud Networking and Security products, is extremely flexible and can meet the connectivity needs you have.  I think this connection between clouds is something many people will want to explore as they utilize multiple offerings in a single account.

About Chris Colotti

Chris is currently a Principal Architect at VMware and also serves as a strategic advisor to the VCDX Program. Prior to his eight-plus years at VMware, Chris was a System Administrator who evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. He now spends his time working on various Global Services programs within his group and is still involved with conducting VCDX Workshops. In his spare time he helps his wife Julie run her decorated apparel business as the accountant, bookkeeper, and IT support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody Programs. Although technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years. Now he spreads both the word of technology and fitness along with the Team Beachbody Business through his blogs.

4 comments

  1. Hi Chris,
    Great post, well described, but one thing that ruins the perfect image is that you provide an example of setting up the firewall. I think it was actually less typing :22 than :Any, and the example would be flawless. 🙂

    Cheers
    Pior
