As a newish member of the VMware vCloud Air Technical Marketing Team one cool thing I get is access to various things to play with and test. Something my whole team has access to in vCloud Air is both a Virtual Private Cloud and a Dedicated Cloud. The unique thing about VMware vCloud Air is that with a single user account you can access multiple cloud services you sign up for. In our case we have two we can deploy workloads to. What are some things to think about with this?
- These are two different vCloud Director URLs
- These are two separate vCloud Director Organizations
- Each has its own vCNS Edge Gateway, and in the case of the dedicated there could be multiple Edge Gateways configured
- Each vCNS Edge Gateway has been assigned an external Public IP address
This means these are essentially two independent cloud environments federated by the vCloud Air user portal. Something I wanted to point out very quickly was how you can actually connect these together using the built-in VPN functionality in vCloud Director. Let’s take a very basic example of what each cloud offering might look like initially. This assumes you have yet to connect them to your on-premises data center.
In the image above you can see that each Virtual Data Center has a single Edge with a public IP address and a single routed network. You will also notice that each routed network is a DIFFERENT subnet. This is mandatory for the VPN to work since you cannot have the same local endpoint addresses. It’s important to note that when you deploy your vCNS Edge in vCloud Air you will always get a Default-Routed network using 192.168.109.0 and in most cases you will want to simply remove it and start clean if you are looking to do advanced networking.
Configure the VPN
This is probably the easiest thing you will ever do. Before you begin you will need a couple of things from both your VPC and your Dedicated instance.
- vCloud Director URL
- vCloud Director Organization Name
- Login Credentials – which will be the same for both if these are all under your account
The URL can be found for each cloud on the right side of the screen. It will also include the organization name in the full URL. You will need to do this for both your clouds.
Select your Edge Gateway in your vCloud organization and select the VPN tab. Once there select “Add” and you will see the following screen. Select “Use public IP” and leave the other settings to their defaults.
Select “A Network in another Organization”, and then select “Log Into Remote vCD”.
Fill in the required fields for just the vCloud URL and the org that you recorded earlier from the vCloud Air portal. Use your vCloud Air credentials to connect and once you log in you will be presented with the other vCloud Organization’s networks so you can multi-select the mappings for the networks in each Organization.
Once this is done the two sites should come up with a VPN between them, but if you deploy virtual machines they will still not communicate. This is because even though the VPN tunnel is up, as with everything else in the Edge Gateway, you still need to apply firewall rules.
Configure the Firewall Rules
This is pretty simple provided you simply want to allow all traffic from the network on the VPC side and the Dedicated cloud side to communicate without any restrictions. In each vCNS Edge Gateway you need simple reciprocating rules, assuming you have not yet “Allowed all Outbound” connections. Using the IP Addresses shown from the diagram the rules for each vCNS Edge would look something like this on each side:
| Source | Destination |
|---|---|
| 192.168.109.0/24 : Any | 192.168.201.0/24 : Any |
| 192.168.201.0/24 : Any | 192.168.109.0/24 : Any |
This ensures that both vCNS Edge Gateways pass source and destination traffic from either end back and forth. Personally I always write reciprocating rules just in case, especially when this is a subnet-to-subnet VPN rule. The key is to make sure you duplicate the rule in BOTH edge gateways.
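As an added example (not from the post or from VMware), the following Python generates the reciprocal allow-all rule pair for each Edge from the two subnets in the diagram, and checks the two conditions the post calls out: the routed networks behind each Edge must not overlap, and the rules must be mirrored on both gateways. Function and dictionary names are my own.

```python
import ipaddress

# Constructed sample: the two routed networks from the post's diagram.
VPC_NET = "192.168.109.0/24"
DEDICATED_NET = "192.168.201.0/24"


def check_vpn_subnets(local_net, remote_net):
    """The VPN needs distinct local endpoint subnets on each side.
    Returns None when OK, otherwise a reason string."""
    a = ipaddress.ip_network(local_net, strict=True)
    b = ipaddress.ip_network(remote_net, strict=True)
    if a.overlaps(b):
        return f"{a} and {b} overlap; each Edge needs its own distinct routed network"
    return None


def reciprocal_rules(local_net, remote_net):
    """Allow-all pair for one Edge Gateway: local -> remote and remote -> local,
    matching the 'subnet : Any' form used in the post's rule table."""
    return [
        {"source": f"{local_net} : Any", "destination": f"{remote_net} : Any", "action": "Allow"},
        {"source": f"{remote_net} : Any", "destination": f"{local_net} : Any", "action": "Allow"},
    ]


def rules_for_both_edges(vpc_net, dedicated_net):
    """Refuse to build rules for an unusable subnet pair, otherwise return the
    rule set to apply on the VPC Edge and on the Dedicated Edge."""
    problem = check_vpn_subnets(vpc_net, dedicated_net)
    if problem:
        raise ValueError(problem)
    return {
        "vpc_edge": reciprocal_rules(vpc_net, dedicated_net),
        "dedicated_edge": reciprocal_rules(dedicated_net, vpc_net),
    }


def _pairs(rules):
    return {(r["source"], r["destination"]) for r in rules}


def rule_sets_mirror(edges):
    """True only if the same source/destination pairs exist on BOTH Edges;
    a rule added on one gateway but forgotten on the other fails this check."""
    return _pairs(edges["vpc_edge"]) == _pairs(edges["dedicated_edge"])
```

Running `rules_for_both_edges` with the default 192.168.109.0/24 left in place on both sides raises, which is the practical reason the post suggests removing that network before doing advanced networking.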
At this point you have now securely interconnected your Virtual Private Cloud to your Dedicated Cloud. It also stands to reason you can do this between multiple Dedicated Clouds or even different Virtual Data Centers in the same dedicated cloud. Finally, you can even set up secure VPNs between networks on vCNS Edge devices in the same organization for encrypted communication if you require it. The bottom line is that the VMware vCloud Air networking, built on the vCloud Networking and Security products, is extremely flexible and can meet the connectivity needs you have. I think this connection between clouds is something many people will want to explore as they utilize multiple offerings in a single account.