How To Give A vCloud Air Virtual Machine Internet Access


The most common initial task I get asked for help on is connecting a virtual machine newly deployed from the catalog in vCloud Air to the internet so you can install other packages or update the operating system.  This post is probably long overdue considering the number of times I have explained this fairly simple process to people, so I have finally taken a moment to write it up here.  The process applies to both subscription and OnDemand accounts, provided that in OnDemand you have purchased a public IP; subscription accounts already include them.

There are a few basic assumptions here.  First, that you have access to a vCloud Air subscription and that you know how to configure basic NAT and firewall rules.  By design vCloud Air comes with a default routed network for every new customer, and we will assume that is the one you are using for your connectivity.  This is convenient because all default routed networks are deployed for a new customer with the same NAT IP address range, so the screenshots apply directly.  Also by design there are NO firewall or NAT rules in the Edge Gateway, so what is allowed is entirely up to you.  That is also a good thing, since no assumptions are made about what you as a consumer want to do.  Finally, we assume you have deployed your virtual machine and it has been assigned an IP address; it simply cannot get out to the internet yet.

In order to get a virtual machine to “see” the internet, you need a minimum of three things:

  • Either use Gateway DNS or configure your own
  • A source NAT rule (SNAT)
  • A firewall rule

NOTE: All default routed networks use 192.168.109.0

The difference is simple really.  The Source NAT rule applies the outgoing NAT information to the packets exiting the firewall.  However, having the SNAT rule does not by itself allow the traffic out of the network; that is the firewall rule’s job.  So if you do one and not the other, you still will not have internet access from your machine.  You have two ways to create these rules: either in the vCloud Air interface or in the vCloud Director interface.

Ensuring DNS Configuration

Although all default routed networks are deployed with a static IP pool range and machines will get an IP, there is no DNS configured in the Organization network properties.  You will need to check/edit this using the Manage Advanced Gateway Settings link, which takes you to the vCloud Director interface.  Simply highlight and right click the Default Routed network, and select Edit Properties.

Here you can either check the option to use the Gateway DNS or, better yet, assign your own DNS servers.  Bear in mind that if you have already deployed an AD server on the same network, you can use that here as well.  Another note: if machines are already deployed they will need to be shut down and restarted to pick up this change, since the setting is not delivered by DHCP but is part of the static IP configuration.  This option is also used for DHCP on this network if you configure that in the Edge Gateway.

Creating The NAT Rule

This is pretty simple.  All you need to do is click “Add On” and select Source NAT Rule.


You will need to enter the NAT source manually; in this case I have entered the ENTIRE subnet range, 192.168.109.0/24.  You will also see a drop down listing any public IP addresses you have available to NAT externally on.  It really does not matter which one you use; you can use the same one for all your Source NAT rules if you like.


Once updated you can see here that the Source NAT rule is in place.  It is okay that it is an ANY:ANY rule, because you are still going to control all access into or out of the environment with the firewall rules.  If you had more public IP addresses you could create specific SNAT and DNAT rules to support 1:1 mappings, but for this purpose I want to focus on just getting your new virtual machine on the internet.


Creating The Firewall Rule

This is also quite simple.  Assuming you just want to allow ANY traffic from the INTERNAL side of the Edge Gateway to the EXTERNAL side, you can do this in one rule.  Again, you can get as granular and complex as you wish, but since in this case we want to allow all machines on the subnet outbound access to the internet, a single rule will do.  Again click “Add One” and below you will see the configuration.


Once you save this you will be allowing any protocol from all INTERNAL sources to all EXTERNAL destinations.  At this point you should be able to get to the internet.

Summary

To review, there are 3 basic things you need to make sure a virtual machine you deploy in a brand new vCloud Air environment can reach the internet.

  1. Configure the Organization Network DNS
  2. Apply a Source NAT (SNAT) rule
  3. Apply a firewall rule
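As an added example (not from the original post), the short Python model below captures the logic of that checklist: the firewall rule decides whether traffic may leave the Edge Gateway at all, and the SNAT rule decides what public source address it leaves with, so either one alone leaves the VM without internet. The rule tuple format, the 203.0.113.10 public IP and the sample gateway configurations are constructed for this example; the 192.168.109.0/24 network is the post's default routed network.

```python
from ipaddress import ip_address, ip_network

# Constructed for this example: the post's default routed network and a
# placeholder public IP standing in for one offered in the SNAT drop-down.
INTERNAL_NET = ip_network("192.168.109.0/24")
PUBLIC_IP = "203.0.113.10"

def side_of(addr):
    """Classify an address as INTERNAL or EXTERNAL relative to the Edge Gateway."""
    return "internal" if ip_address(addr) in INTERNAL_NET else "external"

def fw_matches(field, addr):
    """A firewall source/destination is 'any', 'internal', 'external' or a CIDR."""
    if field == "any":
        return True
    if field in ("internal", "external"):
        return side_of(addr) == field
    return ip_address(addr) in ip_network(field)

def fw_allows(rules, src, dst, proto):
    """First matching (source, destination, protocol, action) rule wins.
    With no matching rule the traffic does not leave, which is why the post
    says an SNAT rule on its own gives no internet access."""
    for source, dest, rule_proto, action in rules:
        if fw_matches(source, src) and fw_matches(dest, dst) and rule_proto in ("any", proto):
            return action == "allow"
    return False

def snat_for(rules, src):
    """Return the public IP a (internal_cidr, public_ip) SNAT rule gives src, else None."""
    for cidr, public in rules:
        if ip_address(src) in ip_network(cidr):
            return public
    return None

def missing_pieces(gw, vm_ip, dst="8.8.8.8", proto="udp"):
    """Return the checklist items (dns, snat, firewall) still missing for this VM.
    gw['dns'] is truthy when Gateway DNS is ticked or own servers are set."""
    missing = []
    if not gw["dns"]:
        missing.append("dns")
    if snat_for(gw["snat"], vm_ip) is None:
        missing.append("snat")
    if not fw_allows(gw["firewall"], vm_ip, dst, proto):
        missing.append("firewall")
    return missing

def has_internet(gw, vm_ip):
    return not missing_pieces(gw, vm_ip)

if __name__ == "__main__":
    gw = {"dns": [], "snat": [], "firewall": []}          # brand-new network, no rules
    gw["dns"] = ["8.8.8.8"]                                # own DNS servers configured
    gw["snat"] = [("192.168.109.0/24", PUBLIC_IP)]         # the post's whole-subnet SNAT
    print(missing_pieces(gw, "192.168.109.10"))            # ['firewall']: SNAT alone is not enough
    gw["firewall"].append(("internal", "external", "any", "allow"))
    print(has_internet(gw, "192.168.109.10"))              # True
```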

I hope this helps people as they are experimenting with vCloud Air.  I know this one question has come up a lot, so maybe this will prevent people from struggling with it.

About Chris Colotti

Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Prior to this he spent close to a decade working for VMware as a Principal Architect. Before his nine-plus years at VMware, Chris was a System Administrator who evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also among the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products business as the accountant, bookkeeper, and IT support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody Programs. Although technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.

4 comments

  1. Is it possible to leverage the “use Gateway DNS” setting? There appears to be no way to configure the relay on the Edge Gateway.

    • Yes, if you use that you will only get “Internet” DNS resolution. I am not sure where they ultimately point upstream, but checking the box should also work. I think most people prefer to use Google DNS or OpenDNS or other assigned internet DNS they are comfortable with; that’s all, but it should work either way.

  2. Well, the settings are working and I have the internet access using vCloud Air Virtual Machine.
