3rd Party Networking Devices In vCloud Air • Chris Colotti's Blog

3rd Party Networking Devices In vCloud Air

Something that has come up over the past few months since going live with VMware vCloud Air is the question of ‘Direct Internet Access’.  What I mean by this is some customers would like to give virtual machines the Public IP’s made available in vCloud Air instead of going through the vCloud Networking and Security Edge Gateway.  Another question has been if we can remove the Edge and use something else in its place.  The simple answer to both of these specific questions is that you cannot do them directly.  However, like anything else you can get creative in your solution to get you something that works for you.  In fact Massimo and I were just discussing this today.

In the past I have shown how you can create VPN connections and even the customer Direct Connections to vCloud Air.  These would each utilize the vCNS Edge Gateway as the end point.  However, in the case of the VPN itself, or something you might want to load balance with an F% or other appliance you can in fact do something interesting.  We know you get an Edge Gateway with either a default-routed network, and you can create more.  We also know you get 2 Public IP addresses with your Virtual Private Cloud account depending on the offering.  Below is an image of something you could do to provide something interesting.

3rd_party_devices

What Massimo and I were discussing is although you need to have a vCNS Edge in place to pass the traffic, you can in effect make it “transparent” except for a few NAT rules and even disable the firewall completely.  It truly then becomes nothing more than pass through gateway and you can do whatever you like behind it.  We see that the Load Balanced Network and the VPN Network are masked to /32 to only allow a single address on that network.  The two public IP’s are then assigned a single Any:Any Destination NAT and the firewall in the Edge is Disabled.  This effectively means now it is transparently passing the traffic to the two 3rd part devices where you can use those to control the rest of the rules using vCloud Air Isolated Networks.

Essentially you get what you want using your own appliances to control the traffic, if you wanted to.  I would argue that on the VPN side the Edge itself is full IPsec and very easy to set up, but the point is people are asking for ways to use other virtual appliances, so this is just one simple, quick example.  When I get my bigger lab setup this may very well be a use case we expand on showing some more detail.

About Chris Colotti

Chris is currently a Principal Architect at Cohesity. In his role he spends the majority of his time supporting Cohesity events and creating outward facing content. He also acts as an active interface between the field and engineering/product management as customer zero in the TAG production lab. Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Previously to this he spent close to a decade working for VMware as a Principal Architect. Previous to his nine plus years at VMware, Chris was a System Administrator that evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products as the accountant, book keeper, and IT Support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody Programs. Although Technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.

Leave a Reply

Your email address will not be published. Required fields are marked *