How To Use VPN to Connect Multiple vCloud Air Clouds

vCloud Air-Powered

As a newish member of the VMware vCloud Air Technical Marketing Team one cool thing I get is access to various things to play with and test.  Something my whole team has access to in vCloud Air is both a Virtual Private Cloud and a Dedicated Cloud.  The unique thing about VMware vCloud Air is that with a single user account you can access multiple cloud services you sign up for.  In our case we have two we can deploy workloads to.  What are some things to think about with this?

  • These are two different vCloud Director URLs
  • These are two separate vCloud Director Organizations
  • Each has its own vCNS Edge Gateway, and in the case of the dedicated there could be multiple Edge Gateways configured
  • Each vCNS Edge Gateway has ben assigned an external Public IP address

This means these are essentially two independent cloud environments federated by the vCloud Air user portal.  Something I wanted to point out very quickly was how you can actually connect these together using the built-in VPN functionality in vCloud Director.  Let’s take a very basic example of what each cloud offering might look like initially.  This assume you have yet to connect them to your on premise data center.

vCloud Air_VPC_DC_Net

In the image above you can see that each Virtual Data Center has a single Edge with a public IP address and a single routed network.  You will also notice that each routed network is a DIFFERENT subnet.  This is mandatory for the VPN to work since you cannot have the same local endpoint addresses.  It’s important to note that when you deploy your vCNS Edge in vCloud Air you will always get a Default-Routed network using 192.168.109.0 and in most cases you will want to simply remove it and start clean if you are looking to do advanced networking.

Configure the VPN

This is probably the easiest thing you will ever do.  Before you begin you will need a couple of things from both your VPC and your Dedicated instance.

  • vCloud Director URL
  • vCloud Director Organization Name
  • Login Credentials – which will be the same for both if these are all under your account

The URL can be found for each cloud on the right side of the screen.  It will also include the organization name in the full URL.  You will need to do this for both your clouds.

vchs_vcd_urlSecondly you will want to click on one of the gateway and select Manage Advanced Gateway Settings to access the vCD user interface

vchs_manage_vcdOnce you are connected to the vCloud Director native UI, you can easily configure the VPN.

Select your Edge Gateway in your vCloud organization and select the VPN tab.  Once there select “Add” and you will see the following screen.  Select “Use public IP” and leave the other settings to their defaults.

vchs_vpn_config

Select “A Network in another Organization, and then select ” Log Into Remote vCD”

vcloud_connection

Fill in the required fields for just the vCloud URL and the org that you recorded earlier from the vCloud Air portal.  Use your vCloud Air credentials to connect and once you log in you will be presented with the other vCloud Organization’s networks so you can multi-select the mappings for the networks in each Organization.

Once this is done the two sites should come up with VPN between them, but if you deploy virtual machines they will still not communicate.  This is because even though the VPN tunnel is up, like everything you need to apply firewall rules.

vchs_connected_vpn

Configure the Firewall Rules

This is pretty simple provided you simply want to allow all traffic from the network on the VPC side and the Dedicated cloud side to communicate without any restrictions.  In each vCNS Edge Gateway you need simple reciprocating rules, assuming you have not yet “Allowed all Outbound” connections.  Using the IP Addresses shown from the diagram the rules for each vCNS Edge would look something like this on each side:

SourceDestination
192.168.109.0/24 : Any192.168.201.0/24 : Any
192.168.201.0/24 : Any192.168.109.0/24 : Any

This ensures that both vCNS Edge Gateways pass source and destination traffic from either end back and forth.  Personally I always write reciprocating rules just in case especially when this is a subnet to subnet VPN rule.  The key is to make sure you duplicate the rule in BOTH edge gateways.

Summary

At this point you have now securely interconnected your Virtual Private Cloud to your Dedicated Cloud.  It also stands to reason you can do this between multiple Dedicated Clouds or even different Virtual Data Centers in the same dedicated cloud.  Finally you can even do secure VPN’s between networks on vCNS Edge devices in the same organization for encrypted communication if you require it.  The bottom line is the VMware vCloud Air networking that is built on the vCloud Networking and Security products is extremely flexible to meet the connectivity needs you have.  I think this connection between clouds is something many people will want to explore as they utilize multiple offerings in a single account.

About Chris Colotti

Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Previously to this he spent close to a decade working for VMware as a Principal Architect. Previous to his nine plus years at VMware, Chris was a System Administrator that evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products as the accountant, book keeper, and IT Support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody Programs. Although Technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.

4 comments

  1. Hi Chris,
    great post, well described but one thing that ruins the perfect image is that you provide example of setting up firewall. I think it was actually less typing :22 than :Any and the example would be flawless. 🙂

    Cheers
    Pior

Leave a Reply

Your email address will not be published. Required fields are marked *